INTRUSION DETECTION USING A HEARTBEAT
First Claim
1. A method of operating a gateway comprising:
monitoring a heartbeat of an endpoint at the gateway, the heartbeat including a periodic signal from the endpoint to the gateway to indicate a status of the endpoint;
detecting an interruption of the heartbeat;
detecting network traffic from the endpoint; and
responding to a combination of the interruption and the network traffic by treating the endpoint as a compromised network asset.
Abstract
A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
112 Citations
27 Claims
1. A method of operating a gateway comprising:
monitoring a heartbeat of an endpoint at the gateway, the heartbeat including a periodic signal from the endpoint to the gateway to indicate a status of the endpoint; detecting an interruption of the heartbeat; detecting network traffic from the endpoint; and responding to a combination of the interruption and the network traffic by treating the endpoint as a compromised network asset.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23, 24

13. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on a gateway in an enterprise, performs the steps of:
monitoring a heartbeat of an endpoint at the gateway, the heartbeat including a periodic signal from the endpoint to the gateway to indicate a status of the endpoint; detecting an interruption of the heartbeat; detecting network traffic from the endpoint; and responding to a combination of the interruption and the network traffic by treating the endpoint as a compromised network asset.
Dependent claims: 14, 15, 16, 17, 18, 19, 25, 26, 27

20. A system comprising:
an endpoint configured to periodically create a heartbeat including a status information for the endpoint and cryptographically secured by the endpoint in a manner that can be authenticated with reference to a trusted third party; a gateway coupled in a communicating relationship with the endpoint, the gateway configured to receive the heartbeat and to verify a status of the endpoint based upon the heartbeat, the gateway further configured to initiate remedial action directed to the endpoint when the heartbeat is not received over a predetermined interval.
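The gateway-side logic of claims 1 and 20 (authenticated heartbeat, interruption over a predetermined interval, and interruption combined with observed traffic flagging the endpoint as compromised), as an added illustration that is not the patent's own code. It assumes a shared HMAC key as a stand-in for the claimed trusted-third-party authentication, a constructed 30-second interval, and a constructed `endpoint|status|timestamp|tag` message format.

```python
import hmac
import hashlib

# Constructed shared key; the patent leaves the authentication mechanism to a trusted third party.
KEY = b"constructed-demo-key"
INTERVAL = 30.0  # predetermined heartbeat interval in seconds (constructed)


def make_heartbeat(endpoint_id, status, ts, key=KEY):
    """Endpoint side: periodic status message with an HMAC tag over its body."""
    body = f"{endpoint_id}|{status}|{ts:.0f}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Gateway:
    def __init__(self, interval=INTERVAL, key=KEY):
        self.interval = interval
        self.key = key
        self.last_seen = {}      # endpoint_id -> time of last authenticated heartbeat
        self.compromised = set()

    def receive_heartbeat(self, msg, now):
        """Accept a heartbeat only if its tag verifies and its timestamp is fresh."""
        body, _, tag = msg.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered: ignored
        endpoint_id, _status, ts = body.decode().split("|")
        if abs(now - float(ts)) > self.interval:
            return False                      # stale or replayed heartbeat: ignored
        self.last_seen[endpoint_id] = now
        return True

    def heartbeat_interrupted(self, endpoint_id, now):
        # An endpoint with no authenticated heartbeat on record is treated as interrupted (assumption).
        last = self.last_seen.get(endpoint_id)
        return last is None or now - last > self.interval

    def observe_traffic(self, endpoint_id, now):
        """Claim 1: interruption combined with network traffic => compromised asset."""
        if self.heartbeat_interrupted(endpoint_id, now):
            self.compromised.add(endpoint_id)
            return "compromised"
        return "allowed"
```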
Specification