Using reputation to avoid false malware detections

US 10,616,269 B2
Filed: 09/20/2018
Issued: 04/07/2020
Est. Priority Date: 04/28/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an endpoint associated with an enterprise, the endpoint including a computing device comprising a memory and a processor, the endpoint executing a process from a file, and the endpoint configured to evaluate a local reputation of the file based at least in part on a certificate associated with a source of the file;

a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request a global reputation of the file from a remote resource, the gateway further configured to enforce a network policy of the enterprise by detecting network traffic from the endpoint in violation of the network policy and providing a violation notification to the remote resource in response to the network traffic; and

a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway and the endpoint, the threat management facility configured to receive the request from the gateway and to determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and, in response to receipt of the violation notification, to respond by determining a remedial action for the file on the endpoint based upon the local reputation evaluated by the endpoint based at least in part on the certificate associated with the source of the file, the global reputation of the file determined by the threat management facility, and the violation notification from the gateway in response to the network traffic from the endpoint in violation of the network policy.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

48 Citations

20 Claims

1. A system comprising:
- an endpoint associated with an enterprise, the endpoint including a computing device comprising a memory and a processor, the endpoint executing a process from a file, and the endpoint configured to evaluate a local reputation of the file based at least in part on a certificate associated with a source of the file;
  
  a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request a global reputation of the file from a remote resource, the gateway further configured to enforce a network policy of the enterprise by detecting network traffic from the endpoint in violation of the network policy and providing a violation notification to the remote resource in response to the network traffic; and
  
  a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway and the endpoint, the threat management facility configured to receive the request from the gateway and to determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and, in response to receipt of the violation notification, to respond by determining a remedial action for the file on the endpoint based upon the local reputation evaluated by the endpoint based at least in part on the certificate associated with the source of the file, the global reputation of the file determined by the threat management facility, and the violation notification from the gateway in response to the network traffic from the endpoint in violation of the network policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein evaluating the local reputation further includes using locally available attributes applied by a local whitelisting system.
  - 3. The system of claim 1, wherein evaluating the local reputation further includes locally evaluating a source of the file.
  - 4. The system of claim 1, wherein the violation includes a prohibited Uniform Resource Identifier in the network traffic from the endpoint.
  - 5. The system of claim 1, wherein the violation includes a prohibited domain in the network traffic from the endpoint.
  - 6. The system of claim 1, wherein the violation includes a command and control location for an advanced persistent threat in the network traffic from the endpoint.
  - 7. The system of claim 1, wherein the violation includes prohibited content in the network traffic from the endpoint.
  - 8. The system of claim 7, wherein the prohibited content includes command and control protocol traffic for an advanced persistent threat.
  - 9. The system of claim 1, wherein responding to the violation notification includes treating the endpoint as a compromised network asset includes quarantining the endpoint.
  - 10. The system of claim 1, wherein responding to the violation notification includes treating the endpoint as a compromised network asset includes blocking network access for a network.
  - 11. The system of claim 1, wherein the threat management facility is further configured to locate one or more other endpoints containing the file or the process.
  - 12. The system of claim 11, wherein the threat management facility is further configured to quarantine the one or more other endpoints.
  - 13. The system of claim 11, wherein the threat management facility is further configured to remove the file or the process from the one or more other endpoints.
  - 14. The system of claim 11, wherein the threat management facility is further configured to block network traffic for the one or more other endpoints.
  - 15. The system of claim 1, wherein evaluating the local reputation further includes evaluating a reputation of a data file used by the process.
  - 16. The system of claim 15, wherein evaluating the reputation of the data file includes one or more of evaluating a reputation of an origin of the data file, evaluating a reputation of an environment for the data file, evaluating a reputation of a user that created the data file, and evaluating a reputation of the process that is using the data file.
  - 17. The system of claim 1, wherein the threat management facility is further configured to respond to the violation notification from the gateway by conditionally treating the endpoint as a compromised network asset only when the local reputation is low and the global reputation is low or unknown.
  - 18. The system of claim 1, wherein the threat management facility is further configured to direct the endpoint to take the remedial action determined for the endpoint.

19. A network comprising:
- an endpoint associated with an enterprise, the endpoint including a computing device comprising a memory and a processor, the endpoint executing a process from a file, the process, during execution, opening a data file for manipulation, and the endpoint configured to evaluate a local reputation of the file based at least in part on a certificate associated with a source of the file and to evaluate the local reputation of the file further based on evaluating one or more of an origin of the data file, evaluating a reputation of an environment for the data file, evaluating a reputation of a user that created the data file, and evaluating a reputation of the process using the data file;
  
  a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request a global reputation of the file from a remote resource, the gateway further configured to enforce a network policy of the enterprise by detecting network traffic from the endpoint in violation of the network policy and providing a violation notification to the remote resource in response to the network traffic; and
  
  a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway and the endpoint, the threat management facility configured to receive the request from the gateway and to determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and, in response to receipt of the violation notification, to respond by directing the endpoint to take a remedial action for the file based upon the local reputation evaluated by the endpoint based at least in part on the certificate associated with the source of the file, the global reputation of the file determined by the threat management facility, and the violation notification from the gateway in response to the network traffic from the endpoint in violation of the network policy.
- View Dependent Claims (20)
- - 20. The network of claim 19, wherein directing the endpoint to take the remedial action includes directing the endpoint to block use of low-reputation files on the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Thomas, Andrew J.
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US16/137,218
Publication Number

US 20190036944A1
Time in Patent Office

565 Days
Field of Search

713150
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Using reputation to avoid false malware detections

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Using reputation to avoid false malware detections

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others