THREAT DETECTION USING REPUTATION DATA

US 20160350531A1
Filed: 08/12/2016
Published: 12/01/2016
Est. Priority Date: 12/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining reputation data in a memory on each of a plurality of devices, the reputation data including a reputation score and a time to live for each of a plurality of executables;

updating the reputation data on each of the plurality of devices using reputation scores from a remote threat management facility to add new entries for new executables accessed by the respective device and using the time to live to expire existing entries from the reputation data;

monitoring, with the remote threat management facility, each one of the plurality of devices to detect, based on the reputation data on each of the devices, a variance in access to one or more of the plurality of executables relative to access to the one or more of the plurality of executables on each other one of the plurality of devices;

triggering an indication of compromise based on the variance; and

for the device corresponding to detected variance in access to one or more of the plurality of executables, initiating a remedial action in response to the indication of compromise.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.

13 Citations

View as Search Results

20 Claims

1. A method comprising:
- maintaining reputation data in a memory on each of a plurality of devices, the reputation data including a reputation score and a time to live for each of a plurality of executables;
  
  updating the reputation data on each of the plurality of devices using reputation scores from a remote threat management facility to add new entries for new executables accessed by the respective device and using the time to live to expire existing entries from the reputation data;
  
  monitoring, with the remote threat management facility, each one of the plurality of devices to detect, based on the reputation data on each of the devices, a variance in access to one or more of the plurality of executables relative to access to the one or more of the plurality of executables on each other one of the plurality of devices;
  
  triggering an indication of compromise based on the variance; and
  
  for the device corresponding to detected variance in access to one or more of the plurality of executables, initiating a remedial action in response to the indication of compromise.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the reputation score and the time to live for each of the plurality of executables includes a reputation score and a time to live for a file.
  - 3. The method of claim 1, wherein the variance includes a deviation in average reputation.
  - 4. The method of claim 1, wherein the variance includes a deviation in average time to live.
  - 5. The method of claim 1, wherein the reputation score depends on popularity.
  - 6. The method of claim 1, wherein the reputation score depends on frequency of requests.
  - 7. The method of claim 1, wherein the reputation score depends on historically determined trust.
  - 8. The method of claim 1, wherein the time to live depends on reputation.
  - 9. The method of claim 1, wherein at least one of the plurality of devices includes a web server.
  - 10. The method of claim 1, wherein at least one of the plurality of devices includes an endpoint.
  - 11. The method of claim 1, wherein at least one of the plurality of devices includes a mobile device.

12. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- maintaining reputation data in a memory on each of a plurality of devices, the reputation data including a reputation score and a time to live for each of a plurality of executables;
  
  updating the reputation data on each of the plurality of devices using reputation scores from a remote threat management facility to add new entries for new executables accessed by the respective device and using the time to live to expire existing entries from the reputation data;
  
  monitoring, with the remote threat management facility, each one of the plurality of devices to detect, based on the reputation data on each of the devices, a variance in access to one or more of the plurality of executables relative to access to the one or more of the plurality of executables on each other one of the plurality of devices;
  
  triggering an indication of compromise based on the variance; and
  
  for the device corresponding to detected variance in access to one or more of the plurality of executables, initiating a remedial action in response to the indication of compromise.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer program product of claim 12, wherein the reputation score and the time to live for each of the plurality of executables includes a reputation score and a time to live for a file.
  - 14. The computer program product of claim 12, wherein the variance includes a deviation in average reputation.
  - 15. The computer program product of claim 12, wherein the variance includes a deviation in average time to live.
  - 16. The computer program product of claim 12, further comprising responding to the variance with a remedial action for the device storing the reputation data.

17. A system comprising:
- a remote threat management facility configured to manage threats to an enterprise; and
  
  a plurality of devices associated with the enterprise, each of the plurality of devices having a memory and a processor, the memory storing reputation data including a reputation score and a time to live for each of a plurality of executables, and the processor configured to update the reputation data on each of the plurality of devices using reputation scores from the remote threat management facility to modify the reputation data, wherein the remote threat management facility is further configured to monitor the reputation data of each one of the plurality of devices to detect a variance in access to one or more of the plurality of executables relative to access to the one or more of the plurality of executables on each other one of the plurality of devices.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the processor is further configured to update the reputation data on each of the plurality of devices using reputation scores from the remote threat management facility to add new entries for new executables accessed by the respective device and using the time to live to expire existing entries from the reputation data.
  - 19. The system of claim 17, wherein the reputation score and the time to live for each of the plurality of executables includes a reputation score and a time to live for a file.
  - 20. The system of claim 17, wherein the plurality of devices includes one or more of a web server, an endpoint, and a mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Harris, Mark D., Ray, Kenneth D.

Granted Patent

US 9,740,859 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

H04L 67/568   Storing data temporarily at...

THREAT DETECTION USING REPUTATION DATA

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

THREAT DETECTION USING REPUTATION DATA

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links