SYSTEM AND METHOD OF PROTECTING CLIENT COMPUTERS

US 20150135317A1
Filed: 11/13/2013
Published: 05/14/2015
Est. Priority Date: 11/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method of providing security for a plurality of client computers, the method comprising:

receiving an event report identifying possible malware on a client computer;

receiving a set of data from the client computer;

automatically analyzing the set of data based on a set of known actual identifiers of compromise (IOCs) related to the possible malware;

updating the set of known actual identifiers of compromise; and

automatically re-analyzing the set of data based on the update.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

Citations

20 Claims

1. A method of providing security for a plurality of client computers, the method comprising:
- receiving an event report identifying possible malware on a client computer;
  
  receiving a set of data from the client computer;
  
  automatically analyzing the set of data based on a set of known actual identifiers of compromise (IOCs) related to the possible malware;
  
  updating the set of known actual identifiers of compromise; and
  
  automatically re-analyzing the set of data based on the update.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein updating the set of known actual identifiers of compromise comprises adding a new set of known actual IOCs to the set of known actual IOCs.
  - 3. The method of claim 1, wherein the set of data is a first set of data, the client computer is a first client computer, the method further comprising receiving a second set of data from a second client computer, wherein updating the set of known actual identifiers of compromise comprises analyzing the second set of data and re-weighting known actual IOCs found in both the first set of data and the second set of data.
  - 4. The method of claim 3, wherein re-weighting a known actual IOC comprises changing a correlation value of the known actual IOC, wherein the correlation value is used to calculate a probability that the first client computer is infected based on the known actual IOCs in the first set of data.
  - 5. The method of claim 1 further comprising receiving a plurality of sets of data from a plurality of client computers, wherein updating the set of known actual identifiers of compromise comprises analyzing the plurality of sets of data and re-weighting known actual IOCs found in the plurality of sets of data received from the plurality of client computers.
  - 6. The method of claim 1, wherein the automatic re-analysis is performed only when the analysis determines that a particular malware related to the known actual IOCs is not proven to be present on the client computer.
  - 7. The method of claim 1, wherein the update is a first update and the re-analysis is a first re-analysis, the method further comprising:
    - repeatedly updating the set of known actual identifiers of compromise; and
      
      repeatedly automatically re-analyzing the set of data.

8. A machine readable medium storing a program which when executed by at least one processing unit provides security for a plurality of client computers, the program comprising sets of instructions for:
- receiving an event report identifying a possible infection of a client computer;
  
  receiving a set of data from the client computer;
  
  automatically analyzing the set of data based on a set of known actual identifiers of compromise (IOCs);
  
  updating the set of known actual identifiers of compromise; and
  
  automatically re-analyzing the set of data based on the update to the set of known actual identifiers of compromise.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The machine readable medium of claim 8, wherein updating the set of known actual identifiers of compromise comprises adding a new set of known actual IOCs to the set of known actual IOCs.
  - 10. The machine readable medium of claim 8, wherein the set of data is a first set of data, the client computer is a first client computer, the program further comprising a set of instructions for receiving a second set of data from the second client computer, wherein updating the set of known actual identifiers of compromise comprises analyzing the second set of data and re-weighting known actual IOCs also found in the first set of data.
  - 11. The machine readable medium of claim 10, wherein re-weighting a known actual IOC comprises changing a correlation value of the known actual IOC, wherein the correlation value is used to calculate a probability that a client computer is infected based on known actual IOCs found in a set of data of the client computer.
  - 12. The machine readable medium of claim 11, wherein the re-weighting of the identifier increases the correlation value when the second set of data is determined as indicating malware, wherein increasing the correlation value increases the calculated probability that the first client computer is infected.
  - 13. The machine readable medium of claim 11, wherein the re-weighting of the identifier decreases the correlation value when the second set of data is determined as not indicating malware, wherein decreasing the correlation value decreases the calculated probability that the first client computer is infected.
  - 14. The machine readable medium of claim 8, wherein the program further comprises a set of instructions for receiving a plurality of sets of data from a plurality of client computers, wherein updating the set of known actual identifiers of compromise comprises analyzing the plurality of sets of data and re-weighting known actual IOCs found in the plurality of sets of data received from the plurality of client computers.
  - 15. The machine readable medium of claim 8, wherein the update is a first update and the re-analysis is a first re-analysis, the program further comprising sets of instructions for:
    - repeatedly updating the set of known actual identifiers of compromise; and
      
      repeatedly automatically re-analyzing the set of data.

16. A device comprising at least one processing unit and a machine readable medium storing a program which when executed by the processing unit provides security for a plurality of client computers, the program comprising sets of instructions for:
- receiving an event report identifying a possible infection of a client computer;
  
  receiving a set of data from the client computer;
  
  automatically analyzing the set of data based on a set of known actual identifiers of compromise (IOCs);
  
  updating the set of known actual identifiers of compromise; and
  
  automatically re-analyzing the set of data based on the update to the set of known actual identifiers of compromise.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The device of claim 16, wherein the program further comprises sets of instructions for:
    - before re-analyzing the set of data, determining whether the set of data is obsolete; and
      
      re-analyzing the set of data only when the set of data is not obsolete.
  - 18. The device of claim 17, wherein the set of data is obsolete when it was received more than a threshold time before updating the set of known actual identifiers of compromise.
  - 19. The device of claim 17, wherein the set of data is obsolete when the client computer has been re-imaged before updating the set of known actual identifiers of compromise.
  - 20. The device of claim 16, wherein the event report is received from a threat detection program not running on the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
NetCitadel, Inc. (Proofpoint Incorporated)
Inventors
Tock, Theron D., Horn, Michael P.

Granted Patent

US 10,223,530 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 2463/144 Detection or countermeasure...

SYSTEM AND METHOD OF PROTECTING CLIENT COMPUTERS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD OF PROTECTING CLIENT COMPUTERS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links