Agent assisted malicious application blocking in a network environment

US 10,645,115 B2
Filed: 02/07/2019
Issued: 05/05/2020
Est. Priority Date: 10/24/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by a processor cause the processor to:

receive metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;

request a threat intelligence reputation score based on the hash of the application;

determine an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and

send a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score.

424 Citations

20 Claims

1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by a processor cause the processor to:
- receive metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;
  
  request a threat intelligence reputation score based on the hash of the application;
  
  determine an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and
  
  send a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The at least one non-transitory machine readable storage medium of claim 1, wherein the action includes blocking the application on the end host based on the threat intelligence reputation score representing at least a certain degree of maliciousness.
  - 3. The at least one non-transitory machine readable storage medium of claim 2, wherein the instructions, when executed by the processor, further cause the processor to:
    - correlate a tuple of connection information with network traffic associated with a network session established by the process, wherein the metadata includes the tuple of connection information;
      
      determine whether a network security device is in-line or out-of-band with the end host; and
      
      block, at a network security device, the network traffic correlated to the tuple of connection information based on a determination that the network security device is in-line with the end host.
  - 4. The at least one non-transitory machine readable storage medium of claim 3, wherein the instructions, when executed by the processor, further cause the processor to:
    - notify the end host to block on-going network traffic of a network session established by the process based on a determination that the network security device is out-of-band.
  - 5. The at least one non-transitory machine readable storage medium of claim 1, wherein the action includes allowing a network session established by the process to continue based on determining the threat intelligence reputation score does not represent at least a certain degree of maliciousness.
  - 6. The at least one non-transitory machine readable storage medium of claim 1, wherein the instructions, when executed by the processor, further cause the processor to:
    - receive, from the end host, a second endpoint reputation score of the application;
      
      determine a second action to be taken by the end host based, at least in part, on a policy and the second endpoint reputation score; and
      
      send a second response indicating a second action to be taken by the end host.
  - 7. The at least one non-transitory machine readable storage medium of claim 6, wherein the second endpoint reputation score of the application is based, at least in part, on heuristic analysis of a dynamic link library (DLL) module invoked by the process.
  - 8. The at least one non-transitory machine readable storage medium of claim 7, wherein the second action includes blocking the DLL module when the second endpoint reputation score represents at least a certain degree of maliciousness.
  - 9. The at least one non-transitory machine readable storage medium of claim 1, wherein the instructions, when executed by the processor, further cause the processor to:
    - receive network traffic associated with a network session established by the process;
      
      detect malware in the network traffic;
      
      correlate a tuple of connection information with the network traffic containing the malware, wherein the metadata includes the tuple of connection information;
      
      determine a second action to be taken by the end host based, at least in part, on a policy; and
      
      send a second response indicating the second action to be taken by the end host.
  - 10. The at least one non-transitory machine readable storage medium of claim 9, wherein the tuple of connection information includes a source network address of the end host, a source port of the end host, a destination network address of a remote node of a network session established by the process, a destination port of the remote node, and a protocol of the network session.

11. An apparatus for blocking malware, the apparatus comprising:
- a hardware processor;
  
  a memory element; and
  
  an endpoint intelligence agent configured to run on the processor to;
  
  receive metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;
  
  request a threat intelligence reputation score based on the hash of the application;
  
  determine an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and
  
  send a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein the action includes blocking the application based on the threat intelligence reputation score representing at least a certain degree of maliciousness.
  - 13. The apparatus of claim 11, wherein the action includes allowing a network session established by the process to continue based on determining the threat intelligence reputation score does not represent at least a certain degree of maliciousness.
  - 14. The apparatus of claim 11, wherein the endpoint intelligence agent is further configured to run on the processor to:
    - correlate a tuple of connection information with network traffic associated with a network session established by the process, wherein the metadata includes the tuple of connection information;
      
      determine whether a network security device is in-line or out-of-band with the end host; and
      
      block, at a network security device, the network traffic correlated to the tuple of connection information based on a determination that the network security device is in-line with the end host.
  - 15. The apparatus of claim 14, wherein the endpoint intelligence agent is further configured to run on the processor to:
    - notify the end host to block on-going network traffic of a network session established by the process based on a determination that the network security device is out-of-band.
  - 16. The apparatus of claim 11, wherein the endpoint intelligence agent is further configured to run on the processor to:
    - receive network traffic associated with a network session established by the process;
      
      detect malware in the network traffic;
      
      correlate a tuple of connection information with the network traffic containing the malware, wherein the metadata includes the tuple of connection information;
      
      determine a second action to be taken by the end host based, at least in part, on a policy; and
      
      send a second response indicating the second action to be taken by the end host.

17. A method for blocking malware, the method comprising:
- receiving metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;
  
  requesting a threat intelligence reputation score based on the hash of the application;
  
  determining an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and
  
  sending a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the action includes blocking the application based on the threat intelligence reputation score representing at least a certain degree of maliciousness.
  - 19. The method of claim 17, further comprising:
    - receiving, from the end host, a second endpoint reputation score of the application;
      
      determining a second action to be taken by the end host based, at least in part, on a policy and the second endpoint reputation score; and
      
      sending a second response indicating a second action to be taken by the end host.
  - 20. The method of claim 17, further comprising:
    - correlating a tuple of connection information with network traffic associated with a network session established by the process, wherein the metadata includes the tuple of connection information; and
      
      blocking, at a network security device, the network traffic correlated to the tuple of connection information based on a determination that the network security device is in-line with the end host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
C P, Chandan, Narasimhan, Srinivasan
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US16/270,461
Publication Number

US 20190173891A1
Time in Patent Office

453 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Agent assisted malicious application blocking in a network environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

424 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Agent assisted malicious application blocking in a network environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

424 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links