System and method of protecting client computers

US 10,572,662 B2
Filed: 11/09/2018
Issued: 02/25/2020
Est. Priority Date: 11/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method for threat detection and response, the method comprising:

receiving, by a threat response computer from a threat detector running on a client computer in an enterprise computing network wherein the client computer is separate from the threat response computer, an event report identifying a suspicious communication over a network between the client computer and a network device other than the client computer;

automatically remotely activating, by the threat response computer, a data collector on the client computer, the data collector configured for searching potential indications of compromise (IOCs) on the client computer and sending data identifying the potential IOCs to the threat response computer for evaluation;

receiving, by the threat response computer from the data collector, the data identifying the potential IOCs on the client computer;

comparing, by the threat response computer, the potential IOCs on the client computer and IOCs in a database local to the threat response computer;

based at least in part on the comparing, determining, by the threat response computer, whether the potential IOCs on the client computer indicate evidence of malware on the client computer; and

responsive to the evidence of malware on the client computer, sending an instruction from the threat response computer to configure a firewall in the enterprise computing network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

Citations

20 Claims

1. A method for threat detection and response, the method comprising:
- receiving, by a threat response computer from a threat detector running on a client computer in an enterprise computing network wherein the client computer is separate from the threat response computer, an event report identifying a suspicious communication over a network between the client computer and a network device other than the client computer;
  
  automatically remotely activating, by the threat response computer, a data collector on the client computer, the data collector configured for searching potential indications of compromise (IOCs) on the client computer and sending data identifying the potential IOCs to the threat response computer for evaluation;
  
  receiving, by the threat response computer from the data collector, the data identifying the potential IOCs on the client computer;
  
  comparing, by the threat response computer, the potential IOCs on the client computer and IOCs in a database local to the threat response computer;
  
  based at least in part on the comparing, determining, by the threat response computer, whether the potential IOCs on the client computer indicate evidence of malware on the client computer; and
  
  responsive to the evidence of malware on the client computer, sending an instruction from the threat response computer to configure a firewall in the enterprise computing network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the IOCs in the database indicate evidence of actual malware or evidence of potential malware.
  - 3. The method according to claim 1, wherein the IOCs in the database are provided by multiple sources including anti-malware programs, a central database of IOCs, or a user of the threat response computer.
  - 4. The method according to claim 1, wherein sending an instruction from the threat response computer to configure a firewall in the enterprise computing network further comprises sending an instruction to the firewall to block or reroute the suspicious network communication.
  - 5. The method according to claim 1, further comprising:
    - responsive to the evidence of malware on the client computer, automatically commanding the firewall to add an Internet Protocol address of the network device to a blocked list maintained by the firewall, the automatically commanding being performed by the threat response computer.
  - 6. The method according to claim 1, further comprising:
    - responsive to the evidence of malware on the client computer, instructing the firewall to selectively block computers in the enterprise computing network from accessing an Internet Protocol address, a hostname, or a universal resource locator of the network device, the instructing being performed by the threat response computer.
  - 7. The method according to claim 6, wherein the instructing further comprises:
    - commanding the firewall to route access requests to the network device to the threat response computer, the commanding being performed by the threat response computer;
      
      providing, by the threat response computer, a test to the client computer to determine whether a human or an automated system is attempting to connect the client computer to the network device; and
      
      determining, by the threat response computer depending upon an outcome from the test, whether to allow or block the suspicious network communication.
  - 8. The method according to claim 1, further comprising:
    - receiving, by the threat response computer from a network based service, the IOCs or an instruction on how to respond to an IOC of the potential IOCs on the client computer.
  - 9. The method according to claim 1, further comprising:
    - presenting, by the threat response computer to a user through a user interface, the evidence of malware determined by the threat response computer;
      
      orresponsive to a request from the user, presenting, by the threat response computer to the user through the user interface, the potential IOCs found by the data collector on the client computer.
  - 10. The method according to claim 1, further comprising:
    - providing, by the threat response computer to a user through a user interface, data that allows the user to determine whether the event report is a false positive or an actual indication of malware.

11. A system for threat detection and response, the system comprising:
- a processor;
  
  a non-transitory computer-readable medium; and
  
  stored instructions translatable by the processor for;
  
  receiving, from a threat detector running on a client computer in an enterprise computing network wherein the client computer is separate from the threat response computer, an event report identifying a suspicious communication over a network between the client computer and a network device;
  
  automatically remotely activating a data collector on the client computer, the data collector configured for searching potential indications of compromise (IOCs) on the client computer and sending data identifying the potential IOCs to the system for evaluation;
  
  receiving, from the data collector, the data identifying the potential IOCs on the client computer;
  
  comparing the potential IOCs on the client computer and IOCs in a database local to the system;
  
  based at least in part on the comparing, determining whether the potential IOCs on the client computer indicate evidence of malware on the client computer; and
  
  responsive to the evidence of malware on the client computer, sending an instruction to configure a firewall in the enterprise computing network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the IOCs in the database indicate evidence of actual malware or evidence of potential malware.
  - 13. The system of claim 11, wherein the IOCs in the database are provided by multiple sources including anti-malware programs, a central database of IOCs, or a user of the system.
  - 14. The system of claim 11, wherein sending an instruction to configure a firewall in the enterprise computing network further comprises sending an instruction to the firewall to block or reroute the suspicious network communication.
  - 15. The system of claim 11, wherein the stored instructions are further translatable by the processor for:
    - responsive to the evidence of malware on the client computer, automatically commanding the firewall to add an Internet Protocol address of the network device to a blocked list maintained by the firewall.
  - 16. The system of claim 11, wherein the stored instructions are further translatable by the processor for:
    - responsive to the evidence of malware on the client computer, instructing the firewall to selectively block computers in the enterprise computing network from accessing an Internet Protocol address, a hostname, or a universal resource locator of the network device.
  - 17. The system of claim 16, wherein the instructing further comprises:
    - commanding the firewall to route access requests to the network device to the system;
      
      providing a test to the client computer to determine whether a human or an automated system is attempting to connect the client computer to the network device; and
      
      determining, depending upon an outcome from the test, whether to allow or block the suspicious network communication.
  - 18. The system of claim 11, wherein the stored instructions are further translatable by the processor for:
    - receiving, from a network based service, the IOCs or an instruction on how to respond to an IOC of the potential IOCs on the client computer.
  - 19. The system of claim 11, wherein the stored instructions are further translatable by the processor for:
    - presenting, to a user through a user interface, the evidence of malware determined by the system;
      
      orresponsive to a request from the user, presenting, to the user through the user interface, the potential IOCs found by the data collector on the client computer.
  - 20. The system of claim 11, wherein the stored instructions are further translatable by the processor for:
    - providing, to a user through a user interface, data that allows the user to determine whether the event report is a false positive or an actual indication of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Proofpoint Incorporated
Inventors
Tock, Theron D., Horn, Michael P.
Primary Examiner(s)
Sholeman, Abu S

Application Number

US16/186,200
Publication Number

US 20190080088A1
Time in Patent Office

473 Days
Field of Search

726 23, 726 25, 726 26
US Class Current
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 2463/144 Detection or countermeasure...

System and method of protecting client computers

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of protecting client computers

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links