Intrusion detection using a heartbeat
Abstract
A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
19 Claims
1. A method comprising:
- receiving, at a gateway interposed between a second network and an endpoint in an enterprise network, a heartbeat from the endpoint in communication with the second network via the gateway, the heartbeat addressed to the gateway, the heartbeat including a signal communicated from the endpoint to the gateway, and the heartbeat containing cryptographically secured information including a security health status of the endpoint, the security health status based on monitoring, by a health monitor on the endpoint, software items executing on the endpoint, and the security health status indicating an uncompromised security health status when the endpoint is uncompromised;
- detecting a change in the security health status included in the heartbeat at the gateway;
- following detecting the change of the security health status included in the heartbeat at the gateway, receiving, by the gateway, network traffic other than the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second destination address outside the gateway from the enterprise network; and
- responding to the change of the security health status included in the heartbeat in combination with the network traffic received following the change, the response including blocking, by the gateway, the network traffic other than the heartbeat from the endpoint.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A computer program product comprising a non-transitory computer readable medium having stored thereon computer executable code that, when executing on one or more computing devices, cause the one or more computing devices to perform the steps of:
- receiving, at a gateway interposed between a second network and an endpoint in an enterprise network, a heartbeat from the endpoint in communication with the second network via the gateway, the heartbeat addressed to the gateway, the heartbeat including a signal communicated from the endpoint to the gateway, and the heartbeat containing cryptographically secured information including a security health status of the endpoint, the security health status based on monitoring, by a health monitor on the endpoint, software items executing on the endpoint and the security health status indicating an uncompromised security health status when the endpoint is uncompromised;
- detecting, at the gateway, a change in the security health status included in the heartbeat;
- following detecting the change of the security health status included in the heartbeat at the gateway, receiving, by the gateway, network traffic other than the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second destination address outside the gateway from the enterprise network; and
- responding to the change of the security health status included in the heartbeat in combination with the network traffic received following the change, the response including blocking, by the gateway, the network traffic other than the heartbeat from the endpoint.
Dependent claims: 12, 13, 14, 15, 16

17. A system comprising:
- an endpoint in a first network, the endpoint including a first memory, and the endpoint configured to monitor software items executing on the endpoint and to create a heartbeat containing cryptographically secured information including a security health status of the endpoint, the security health status based on the software items executing on the endpoint and the security health status indicating an uncompromised security health status when the endpoint is uncompromised; and
- a gateway interposed between the endpoint in the first network and a second network, the gateway in communication with the endpoint over the first network, the endpoint in communication with the second network via the gateway, the gateway including a second memory configured to receive the heartbeat from the endpoint and to receive and forward network traffic, other than the heartbeat, from the endpoint to a destination address in the second network, and to detect a change in the security health status included in the heartbeat, the gateway further configured to initiate remedial action directed to the endpoint based on a combination of the detected change of the security health status included in the heartbeat and detection of network traffic, other than the heartbeat, following detection of the change of the security health status, the remedial action including blocking network traffic from the endpoint.
Dependent claims: 18, 19
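The abstract and the independent claims describe the same gateway-side logic: accept an authenticated heartbeat carrying the endpoint's health status, and block the endpoint's other outbound traffic once that status changes (or, per the abstract, once the heartbeat stops). The following is an added illustration, not code from the patent or its assignee; it assumes a shared HMAC-SHA256 key, a JSON heartbeat body and a 30-second heartbeat timeout, all constructed here, and it also rejects replayed and tampered heartbeats, which the claims do not spell out.

```python
import hashlib
import hmac
import json

# Constructed shared key; a real deployment would provision per-endpoint keys.
SHARED_KEY = b"demo-heartbeat-key"
HEARTBEAT_TIMEOUT = 30.0  # seconds without a valid heartbeat before egress is blocked


def make_heartbeat(endpoint_id, seq, status):
    """Endpoint side: the health monitor's status, authenticated with an HMAC tag."""
    body = json.dumps({"id": endpoint_id, "seq": seq, "status": status}, sort_keys=True)
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"type": "heartbeat", "body": body, "tag": tag}


class Gateway:
    def __init__(self):
        self.state = {}  # endpoint_id -> {"status", "seq", "last_seen"}

    def on_heartbeat(self, hb, now):
        """Verify the heartbeat, then record the status and whether it changed."""
        expected = hmac.new(SHARED_KEY, hb["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hb["tag"]):
            return "heartbeat rejected: bad tag"
        msg = json.loads(hb["body"])
        prev = self.state.get(msg["id"])
        if prev is not None and msg["seq"] <= prev["seq"]:
            return "heartbeat rejected: replayed"  # stale sequence number
        changed = prev is not None and prev["status"] != msg["status"]
        self.state[msg["id"]] = {"status": msg["status"], "seq": msg["seq"], "last_seen": now}
        return "status changed" if changed else "ok"

    def on_traffic(self, endpoint_id, now):
        """Non-heartbeat egress traffic: forward only while the endpoint is healthy."""
        st = self.state.get(endpoint_id)
        if st is None or now - st["last_seen"] > HEARTBEAT_TIMEOUT:
            return "blocked: heartbeat missing"
        if st["status"] != "uncompromised":
            return "blocked: endpoint compromised"
        return "forwarded"
```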