THREAT DETECTION USING ENDPOINT VARIANCE
4 Assignments
0 Petitions
Abstract
Threat detection is improved by monitoring variations in observable events and correlating these variations with malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time, including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or for a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.
20 Claims
1. A method comprising:
selecting a metric that objectively and quantitatively characterizes an endpoint property;
monitoring a change in the metric on a group of endpoints over time;
creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time;
instrumenting an endpoint to detect a current value for the metric at a current time;
applying the model to determine whether the current value is within the range of expected values for the metric at the current time; and
reporting an indication of compromise for the endpoint when the current value is not within the range of expected values for the metric at the current time.
(Dependent claims 2-15 not reproduced here.)
16. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
selecting a metric that objectively and quantitatively characterizes an endpoint property;
monitoring a change in the metric on a group of endpoints over time;
creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time;
instrumenting an endpoint to detect a current value for the metric at a current time;
applying the model to determine whether the current value is within the range of expected values for the metric at the current time; and
reporting an indication of compromise for the endpoint when the current value is not within the range of expected values for the metric at the current time.
(Dependent claims 17-19 not reproduced here.)
20. An endpoint comprising:
a network interface coupling the endpoint in a communicating relationship with a data network;
a memory storing a value for a metric that objectively and quantitatively characterizes an endpoint property, along with a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time; and
a processor configured to detect a current value for the metric at a current time, to apply the model to determine whether the current value is within the range of expected values for the metric at the current time, and to report an indication of compromise through the network interface to a remote threat management facility when the current value is not within the range of expected values for the metric at the current time.
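The following is an added worked example, not code from the patent or its assignee, showing one way the procedure of claims 1, 16 and 20 can be realized end to end: a fleet-side model that learns the expected range of a metric from a group of endpoints over time, and an endpoint-side check that applies that model to a current sample and returns an indication of compromise when the sample falls outside the range. Everything specific here is an assumption of the example rather than something the claims dictate: the metric is "URL cache hits in the preceding hour" (one of the metrics the abstract mentions), "a point in time" is modelled as hour of day, the expected range is median plus or minus k scaled median absolute deviations (chosen over mean/stdev so a few already compromised endpoints in the baseline cannot widen the band enough to hide themselves), and the fleet history is constructed synthetic data.

```python
"""Fleet-variance model for an endpoint metric, keyed by hour of day.

Added example (not the patent's own code). All parameters, names and data are
assumptions made for illustration.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Scale factor that makes the MAD comparable to a standard deviation for
# normally distributed data (assumption: a 3-sigma-style band is wanted).
MAD_TO_SIGMA = 1.4826


@dataclass(frozen=True)
class Observation:
    endpoint: str
    ts: datetime
    value: float  # metric sample, e.g. URL cache hits in the preceding hour


@dataclass(frozen=True)
class Indication:
    """Indication of compromise, as reported to a threat management facility."""
    endpoint: str
    ts: datetime
    value: float
    expected: Tuple[float, float]


class VarianceModel:
    """Expected range of the metric per hour of day, learned from a group of endpoints."""

    def __init__(self, k: float = 3.0, min_samples: int = 10, min_half_width: float = 1.0):
        self.k = k                          # band half-width in scaled MADs (assumption)
        self.min_samples = min_samples      # refuse to model an hour with too little data
        self.min_half_width = min_half_width  # never flag a +1 change on a flat baseline
        self.ranges: Dict[int, Tuple[float, float]] = {}

    def fit(self, observations: Iterable[Observation]) -> "VarianceModel":
        buckets: Dict[int, List[float]] = defaultdict(list)
        for o in observations:
            buckets[o.ts.hour].append(o.value)  # "point in time" == hour of day
        for hour, values in buckets.items():
            if len(values) < self.min_samples:
                continue
            med = statistics.median(values)
            mad = statistics.median(abs(v - med) for v in values)
            half = max(self.k * MAD_TO_SIGMA * mad, self.min_half_width)
            self.ranges[hour] = (max(0.0, med - half), med + half)  # counts are non-negative
        return self

    def expected_range(self, ts: datetime) -> Optional[Tuple[float, float]]:
        return self.ranges.get(ts.hour)

    def is_expected(self, ts: datetime, value: float) -> Optional[bool]:
        rng = self.expected_range(ts)
        if rng is None:
            return None  # no model for this hour: neither alert nor assume benign
        lo, hi = rng
        return lo <= value <= hi


def check_endpoint(model: VarianceModel, endpoint: str, ts: datetime, value: float) -> Optional[Indication]:
    """Endpoint-side step: apply the model to the current sample; return an
    Indication when the value is outside the expected range, else None."""
    verdict = model.is_expected(ts, value)
    if verdict is None or verdict:
        return None
    return Indication(endpoint, ts, value, model.expected_range(ts))


def constructed_baseline(n_endpoints: int = 5, n_days: int = 7) -> List[Observation]:
    """Constructed fleet history (synthetic, not real telemetry): hourly URL cache
    hit counts that are high in office hours, low overnight, with small jitter."""
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    obs: List[Observation] = []
    for e in range(n_endpoints):
        for d in range(n_days):
            for h in range(24):
                base = 40.0 if 9 <= h < 18 else 5.0
                jitter = (e * 7 + d * 3 + h) % 5 - 2  # deterministic, in -2..2
                obs.append(Observation(f"host-{e}", start + timedelta(days=d, hours=h), base + jitter))
    return obs


if __name__ == "__main__":
    model = VarianceModel().fit(constructed_baseline())
    at_3am = datetime(2024, 3, 11, 3, tzinfo=timezone.utc)
    for host, hits in [("host-0", 6.0), ("host-9", 60.0)]:
        # host-9 making 60 URL requests at 03:00 is far outside the fleet's
        # overnight band, so it is reported; host-0's 6 is ordinary.
        print(host, check_endpoint(model, host, at_3am, hits))
```

The hour-of-day key is what makes this a range "at a point in time": the same count that is unremarkable at 10:00 is an outlier at 03:00. Two practical caveats are built in: an hour with fewer than `min_samples` fleet observations yields no verdict rather than a false sense of normality, and the robust band means that planting a compromised host in the training set does not silently stretch the range.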