Key throttling to mitigate unauthorized file access

US 10,681,078 B2
Filed: 06/10/2016
Issued: 06/09/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for throttling access to encrypted files in response to potentially malicious activity, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:

encrypting a plurality of files on an endpoint to provide a plurality of encrypted files that can be decrypted with a key;

providing a file system for accessing the plurality of files with one or more processes executing on the endpoint, wherein the file system includes a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from one of the one or more processes for the requested one of the files;

monitoring access to the plurality of files by the one or more processes for a potential indication of compromise; and

limiting a rate at which the file system extension uses keys to decrypt the files when a pattern of access to the files indicates potentially malicious automated file access.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A file system extension for an endpoint controls access to files by selectively decrypting files under certain conditions. Where a pattern of access to the files suggests malicious and/or automated file access activity, the file system extension may limit the rate of file access by regulating the rate at which decryption is provided to requesting processes.

96 Citations

View as Search Results

19 Claims

1. A computer program product for throttling access to encrypted files in response to potentially malicious activity, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- encrypting a plurality of files on an endpoint to provide a plurality of encrypted files that can be decrypted with a key;
  
  providing a file system for accessing the plurality of files with one or more processes executing on the endpoint, wherein the file system includes a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from one of the one or more processes for the requested one of the files;
  
  monitoring access to the plurality of files by the one or more processes for a potential indication of compromise; and
  
  limiting a rate at which the file system extension uses keys to decrypt the files when a pattern of access to the files indicates potentially malicious automated file access.
- View Dependent Claims (2, 3)
- - 2. The computer program product of claim 1 further comprising code that performs the step of presenting an interactive user interface element in a display on the endpoint requesting a confirmation that a human user initiated an activity causing the pattern of access.
  - 3. The computer program product of claim 1 wherein the pattern of access to the files includes a communication of one or more of the plurality of files to a location remote from the endpoint.

4. A method comprising:
- encrypting a plurality of files on an endpoint to provide a plurality of encrypted files that can be decrypted with a key;
  
  providing a file system for accessing the plurality of files with one or more processes executing on the endpoint, wherein the file system includes a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from one of the one or more processes for the requested one of the files;
  
  monitoring access to the plurality of files by the one or more processes for a potential indication of compromise; and
  
  when an indication of compromise is detecting, limiting a rate at which the file system extension uses keys to decrypt the files.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 5. The method of claim 4 wherein the indication of compromise includes a pattern of access to the files indicating potentially malicious automated file access.
  - 6. The method of claim 4 wherein the indication of compromise includes access to a number of files beyond a predetermined threshold within a predetermined time interval.
  - 7. The method of claim 6 wherein the predetermined threshold specifies a type of file.
  - 8. The method of claim 7 wherein the type of file includes an application type associated with one or more of the number of files.
  - 9. The method of claim 6 wherein the predetermined threshold specifies a number of types of files.
  - 10. The method of claim 6 wherein the predetermined threshold specifies an application requesting the number of files.
  - 11. The method of claim 6 wherein the predetermined threshold specifies an attribute of the number of files.
  - 12. The method of claim 11 wherein the attribute includes a business use or a sensitivity of a document.
  - 13. The method of claim 6 further comprising presenting a notification in a display on the endpoint about the indication of compromise.
  - 14. The method of claim 6 further comprising presenting an interactive user interface element in a display on the endpoint requesting a confirmation that a human user initiated an activity causing the indication of compromise.
  - 15. The method of claim 6 further comprising adjusting at least one of the predetermined threshold and the predetermined time interval according to a pattern of file access.
  - 16. The method of claim 4 wherein the indication of compromise is based on a rule for detecting automated behavior.
  - 17. The method of claim 4 wherein the indication of compromise is based on a detection of a removable storage drive coupled to the endpoint.
  - 18. The method of claim 4 further comprising providing an exception to the indication of compromise for a trusted process.

19. A system comprising:
- an endpoint;
  
  a first memory on the endpoint storing a key;
  
  a second memory on the endpoint storing a plurality of encrypted files that can be decrypted by the key;
  
  a file system for accessing the plurality of files, the file system including a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from a process executing on the endpoint; and
  
  a processor configured to monitor the endpoint for an indication of compromise, and, in response to the indication of compromise, to limit a rate at which the file system extension uses keys to decrypt the files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Humphries, Russell, Ray, Kenneth D., Merry, Anthony John, Schutz, Harald
Primary Examiner(s)
Abyaneh, Ali S
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US15/179,447
Publication Number

US 20170359370A1
Time in Patent Office

1,460 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2125   Just-in-time application of...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Key throttling to mitigate unauthorized file access

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Key throttling to mitigate unauthorized file access

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others