Key throttling to mitigate unauthorized file access
Abstract
A file system extension for an endpoint controls access to files by selectively decrypting files under certain conditions. Where a pattern of access to the files suggests malicious and/or automated file access activity, the file system extension may limit the rate of file access by regulating the rate at which decryption is provided to requesting processes.
19 Claims
1. A computer program product for throttling access to encrypted files in response to potentially malicious activity, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
encrypting a plurality of files on an endpoint to provide a plurality of encrypted files that can be decrypted with a key;
providing a file system for accessing the plurality of files with one or more processes executing on the endpoint, wherein the file system includes a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from one of the one or more processes for the requested one of the files;
monitoring access to the plurality of files by the one or more processes for a potential indication of compromise; and
limiting a rate at which the file system extension uses keys to decrypt the files when a pattern of access to the files indicates potentially malicious automated file access.
(Dependent claims: 2, 3)

4. A method comprising:
encrypting a plurality of files on an endpoint to provide a plurality of encrypted files that can be decrypted with a key;
providing a file system for accessing the plurality of files with one or more processes executing on the endpoint, wherein the file system includes a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from one of the one or more processes for the requested one of the files;
monitoring access to the plurality of files by the one or more processes for a potential indication of compromise; and
when an indication of compromise is detected, limiting a rate at which the file system extension uses keys to decrypt the files.
(Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)

19. A system comprising:
an endpoint;
a first memory on the endpoint storing a key;
a second memory on the endpoint storing a plurality of encrypted files that can be decrypted by the key;
a file system for accessing the plurality of files, the file system including a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from a process executing on the endpoint; and
a processor configured to monitor the endpoint for an indication of compromise, and, in response to the indication of compromise, to limit a rate at which the file system extension uses keys to decrypt the files.
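The mechanism the claims describe (a file system extension that decrypts on request, watches per-process access patterns, and limits key use once bulk automated access is detected or the endpoint's security state changes) can be modelled in a few dozen lines. The following is an added illustration, not code from the patent or its assignee; the burst threshold, sliding window, throttled interval, the repeating-key XOR placeholder cipher and the constructed file store are all assumptions chosen so the model runs offline.

```python
from collections import defaultdict, deque
from itertools import cycle
import time

def toy_xor(key, data):
    """Placeholder cipher (repeating-key XOR, symmetric) so the example runs offline."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

class ThrottledDecryptor:
    """Models the claimed file system extension: decrypts on request, but once a
    process's access pattern looks automated it limits how often the key is used."""

    def __init__(self, key, store, burst_files=20, window=1.0,
                 throttled_interval=0.5, clock=time.monotonic):
        self.key, self.store, self.clock = key, store, clock
        self.burst_files, self.window = burst_files, window   # assumed pattern threshold
        self.throttled_interval = throttled_interval   # min seconds between decrypts once throttled
        self.compromised = False            # the endpoint's "current security state"
        self._recent = defaultdict(deque)   # pid -> (time, path) of successful decrypts
        self._throttled = {}                # pid -> earliest time the next decrypt is allowed

    def _looks_automated(self, pid, now):
        hist = self._recent[pid]
        while hist and now - hist[0][0] > self.window:   # drop entries outside the window
            hist.popleft()
        return len({p for _, p in hist}) >= self.burst_files   # many distinct files, fast

    def read(self, pid, path):
        """Return plaintext, or None when the extension refuses to use the key."""
        now = self.clock()
        if self.compromised:
            return None                     # security state forbids any decryption
        if pid in self._throttled:
            if now < self._throttled[pid]:
                return None                 # rate limit in force: key use refused
            self._throttled[pid] = now + self.throttled_interval
        elif self._looks_automated(pid, now):
            self._throttled[pid] = now + self.throttled_interval   # start throttling this pid
        self._recent[pid].append((now, path))
        return toy_xor(self.key, self.store[path])

def simulate_bulk_reader(n_files=30, burst_files=20, step=0.01):
    """Constructed scenario: one process reads n_files distinct files `step` seconds apart.
    Returns (decrypted, refused) counts."""
    key = b"constructed-demo-key"
    store = {f"/docs/{i}.txt": toy_xor(key, b"secret %d" % i) for i in range(n_files)}
    now = [0.0]                             # fake clock so the run is deterministic
    fs = ThrottledDecryptor(key, store, burst_files=burst_files, clock=lambda: now[0])
    decrypted = refused = 0
    for path in store:
        refused, decrypted = (refused + 1, decrypted) if fs.read(4242, path) is None \
            else (refused, decrypted + 1)
        now[0] += step
    return decrypted, refused
```

With the defaults, the 21st request inside one second trips the pattern check, and the remaining nine requests within the throttled interval are refused; the same reader spaced 100 ms apart never crosses the threshold and is served in full.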