Process-level control of encrypted content

US 10,650,154 B2
Filed: 02/12/2016
Issued: 05/12/2020
Est. Priority Date: 02/12/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for securing an endpoint against malicious activity, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:

encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;

receiving, from one of a plurality of processes executing on the endpoint, a request to access one of the plurality of files;

decrypting the one of the plurality of files for the one of the plurality of processes with an extension to a file system of the endpoint that responsively applies rules for whether to allow or prohibit access to encrypted files within the file system on a process-by-process basis;

monitoring a security state of the one of the plurality of processes, wherein monitoring the security state of the one of the plurality of processes includes monitoring network traffic associated with the one of the plurality of processes;

if the security state of the one of the plurality of processes becomes a compromised state, performing the steps of maintaining access by the one of the plurality of processes to any open ones of the plurality of files, including the one of the plurality of files, prohibiting access by the one of the plurality of processes to other ones of the plurality of files, and initiating a remediation of the one of the plurality of processes by facilitating a restart of the one of the plurality of processes; and

if the remediation of the one of the plurality of processes is successful, restoring access by the one of the plurality of processes to the plurality of files.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing an endpoint against malicious activity includes encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files, receiving a request to access a file from a process executing on the endpoint, decrypting the file for the process, and monitoring a security state of the process. If the security state becomes a compromised state, a technique involves maintaining access to any open files (including the file decrypted for the process), prohibiting access to other files, and initiating a remediation of the process by facilitating a restart of the process. If the remediation is successful, access by the process to the plurality of files may be restored.

106 Citations

18 Claims

1. A computer program product for securing an endpoint against malicious activity, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:
- encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
  
  receiving, from one of a plurality of processes executing on the endpoint, a request to access one of the plurality of files;
  
  decrypting the one of the plurality of files for the one of the plurality of processes with an extension to a file system of the endpoint that responsively applies rules for whether to allow or prohibit access to encrypted files within the file system on a process-by-process basis;
  
  monitoring a security state of the one of the plurality of processes, wherein monitoring the security state of the one of the plurality of processes includes monitoring network traffic associated with the one of the plurality of processes;
  
  if the security state of the one of the plurality of processes becomes a compromised state, performing the steps of maintaining access by the one of the plurality of processes to any open ones of the plurality of files, including the one of the plurality of files, prohibiting access by the one of the plurality of processes to other ones of the plurality of files, and initiating a remediation of the one of the plurality of processes by facilitating a restart of the one of the plurality of processes; and
  
  if the remediation of the one of the plurality of processes is successful, restoring access by the one of the plurality of processes to the plurality of files.

2. A method comprising:
- encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
  
  receiving, from one of a plurality of processes executing on the endpoint, a request to access one of the plurality of files;
  
  decrypting the one of the plurality of files for the one of the plurality of processes with an extension to a file system of the endpoint that responsively applies rules for whether to allow or prohibit access to encrypted files within the file system on a process-by-process basis;
  
  monitoring a security state of the one of the plurality of processes, wherein monitoring the security state of the one of the plurality of processes includes monitoring network traffic associated with the one of the plurality of processes; and
  
  if the security state of the one of the plurality of processes becomes a compromised state, prohibiting access by the one of the plurality of processes to one or more of the plurality of files.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 3. The method of claim 2 further comprising, if the security state of the one of the plurality of processes becomes a compromised state, maintaining access by the one of the plurality of processes to one or more other ones of the plurality of files that are open when the security state becomes the compromised state.
  - 4. The method of claim 2 further comprising initiating a remediation of the one of the plurality of processes in response to the compromised state.
  - 5. The method of claim 2 wherein monitoring the security state of the one of the plurality of processes includes detecting the compromised state of the one of the plurality of processes based on at least one of a behavior of the one of the plurality of processes, a behavior of an associated process, and a behavior of the endpoint.
  - 6. The method of claim 2 wherein monitoring the security state of the one of the plurality of processes includes:
    - adding an application identifier to network traffic associated with the one of the plurality of processes, wherein the application identifier explicitly identifies an application associated with the one of the plurality of processes; and
      
      monitoring network traffic associated with the one of the plurality of processes at a gateway between the endpoint and a data network based on the application identifier.
  - 7. The method of claim 2 wherein monitoring the security state of the one of the plurality of processes includes generating a log of network requests by logging network requests and applications making the network requests.
  - 8. The method of claim 7 wherein monitoring the security state of the one of the plurality of processes includes:
    - storing an application identifier in the log of network requests, wherein the application identifier explicitly identifies an application associated with a source process for a network request; and
      
      monitoring network requests from the application at a gateway between the endpoint and a data network based on the application identifier.
  - 9. The method of claim 2 wherein monitoring the security state of the one of the plurality of processes includes monitoring observable behaviors for the one of the plurality of processes including one or more of file behavior by the one of the plurality of processes, persistence behavior by the one of the plurality of processes, inter-process communications to or from the one of the plurality of processes, and direct exploit detections.
  - 10. The method of claim 2 wherein monitoring the security state of the one of the plurality of processes includes locally monitoring the one of the plurality of processes with a file scanner that performs static analysis on at least one of a first file from which the one of the plurality of processes launches and one or more second files that gets loaded into the one of the plurality of processes.
  - 11. The method of claim 2 further comprising providing a notification to a user in a display of the endpoint, the notification indicating a required remediation step for the one of the plurality of processes to resolve the compromised state, and the notification informing the user that an application associated with the one of the plurality of processes cannot access additional files until the user completes the required remediation step.
  - 12. The method of claim 2 wherein receiving a request to access one of the files from the one of the plurality of processes includes receiving the request at a file system filter for a file system that manages the plurality of files.
  - 13. The method of claim 12 wherein decrypting the one of the files for the one of the plurality of processes includes accessing a cryptographic key for the plurality of files with the file system filter and applying the cryptographic key to decrypt the one of the files.
  - 14. The method of claim 13 wherein the file system filter is configured to respond to an indication of compromise for the endpoint by deleting key material stored on the endpoint and used by the file system filter to decrypt the plurality of files.
  - 15. The method of claim 12 wherein the file system filter operates transparently to a computing environment for the one of the plurality of processes.

16. A system comprising:
- an endpoint;
  
  a first memory on the endpoint storing a plurality of files, the plurality of files encrypted to prevent unauthorized access;
  
  a second memory on the endpoint storing key material for decrypting the plurality of files;
  
  a plurality of processes executing on the endpoint;
  
  a file system on the endpoint configured to manage access by the plurality of processes to the plurality of files, the file system configured to respond to a request from the one of the plurality of processes for one of the plurality of files by conditionally decrypting the one of the plurality of files based on a security state of the one of the plurality of processes, with an extension to the file system on the endpoint that responsively applies rules for whether to allow or prohibit access to encrypted files within the file system on a process-by-process basis; and
  
  a gateway coupled in a communicating relationship with the endpoint, the gateway configured to monitor the security state of the one of the plurality of processes based on network traffic associated with the one of the plurality of processes.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16 further comprising a threat management facility coupled in a communicating relationship with the endpoint, the threat management facility configured to remotely monitor the security state of the one of the plurality of processes based on indications of compromise received from the endpoint.
  - 18. The system of claim 16 wherein the file system is configured to conditionally decrypt the one of the files using an extension to an operating system of the endpoint including at least one of a file system filter and a mount point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ray, Kenneth D., Thomas, Andrew J., Merry, Anthony John, Schutz, Harald, Berger, Andreas, Shaw, John Edward Tyrone
Primary Examiner(s)
Getachew, Abiy

Application Number

US15/042,862
Publication Number

US 20170235966A1
Time in Patent Office

1,551 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

H04L 63/1408   by monitoring network traff...

Process-level control of encrypted content

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Process-level control of encrypted content

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links