INTRUSION DETECTION USING A HEARTBEAT

US 20150312268A1
Filed: 04/28/2014
Published: 10/29/2015
Est. Priority Date: 04/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating a gateway comprising:

monitoring a heartbeat of an endpoint at the gateway, the heartbeat including a periodic signal from the endpoint to the gateway to indicate a status of the endpoint;

detecting an interruption of the heartbeat;

detecting network traffic from the endpoint; and

responding to a combination of the interruption and the network traffic by treating the endpoint as a compromised network asset.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

112 Citations

View as Search Results

27 Claims

1. A method of operating a gateway comprising:
- monitoring a heartbeat of an endpoint at the gateway, the heartbeat including a periodic signal from the endpoint to the gateway to indicate a status of the endpoint;
  
  detecting an interruption of the heartbeat;
  
  detecting network traffic from the endpoint; and
  
  responding to a combination of the interruption and the network traffic by treating the endpoint as a compromised network asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23, 24)
- - 2. The method of claim 1 wherein the heartbeat includes a secure heartbeat.
  - 3. The method of claim 1 wherein the heartbeat includes a cryptographically secured heartbeat.
  - 4. The method of claim 1 wherein the heartbeat is cryptographically signed to facilitate authentication.
  - 5. The method of claim 1 wherein the heartbeat includes at least one item unique to the endpoint.
  - 6. The method of claim 1 wherein the interruption includes an omission of the periodic signal.
  - 7. The method of claim 1 wherein the interruption includes an authentication failure in the periodic signal.
  - 8. The method of claim 1 wherein the interruption includes an error in the periodic signal.
  - 9. The method of claim 1 wherein the interruption includes a predetermined interval without the periodic signal.
  - 10. The method of claim 1 wherein treating the endpoint as a compromised network asset includes quarantining the endpoint.
  - 11. The method of claim 1 wherein treating the endpoint as a compromised network asset includes blocking network access for the endpoint.
  - 12. The method of claim 1 wherein the network traffic includes suspicious network traffic.
  - 21. The method of claim 1 wherein the heartbeat encodes status information related to the health of the endpoint.
  - 22. The method of claim 1 wherein the interruption includes an absence of a measurement of system health signed into the heartbeat.
  - 23. The method of claim 22 wherein the measurement includes a version of an update.
  - 24. The method of claim 22 wherein the measurement includes a currency of an update.

13. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on a gateway in an enterprise, performs the steps of:
- monitoring a heartbeat of an endpoint at the gateway, the heartbeat including a periodic signal from the endpoint to the gateway to indicate a status of the endpoint;
  
  detecting an interruption of the heartbeat;
  
  detecting network traffic from the endpoint; and
  
  responding to a combination of the interruption and the network traffic by treating the endpoint as a compromised network asset.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 25, 26, 27)
- - 14. The computer program product of claim 13 wherein the heartbeat includes a secure heartbeat.
  - 15. The computer program product of claim 13 wherein the heartbeat includes a cryptographically secured heartbeat.
  - 16. The computer program product of claim 13 wherein the heartbeat is cryptographically signed to facilitate authentication.
  - 17. The computer program product of claim 13 wherein the heartbeat includes at least one item unique to the endpoint.
  - 18. The computer program product of claim 13 wherein the interruption includes an omission of the periodic signal for a predetermined interval.
  - 19. The computer program product of claim 13 wherein the interruption includes an authentication failure in the periodic signal.
  - 25. The computer program product of claim 13 wherein the interruption includes an error in the periodic signal.
  - 26. The computer program product of claim 13 wherein the interruption includes a predetermined interval without the periodic signal.
  - 27. The computer program product of claim 13 wherein the interruption includes an absence of a measurement of system health signed into the heartbeat.

20. A system comprising:
- an endpoint configured to periodically create a heartbeat including a status information for the endpoint and cryptographically secured by the endpoint in a manner that can be authenticated with reference to a trusted third party;
  
  a gateway coupled in a communicating relationship with the endpoint, the gateway configured to receive the heartbeat and to verify a status of the endpoint based upon the heartbeat, the gateway further configured to initiate remedial action directed to the endpoint when the heartbeat is not received over a predetermined interval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ray, Kenneth D.

Granted Patent

US 9,917,851 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

INTRUSION DETECTION USING A HEARTBEAT

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

INTRUSION DETECTION USING A HEARTBEAT

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links