ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

US 20180276379A1
Filed: 03/19/2018
Published: 09/27/2018
Est. Priority Date: 04/15/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:

instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint;

selecting a set of logical locations from the plurality of logical locations;

recording a sequence of events causally relating the number of computing objects at the set of logical locations;

creating an event graph based on the sequence of events;

applying a malware detection rule to the event graph to identify a compromised security state of the endpoint;

when the malware detection rule in the event graph identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state; and

remediating one or more of the identified one or more other ones of the number of computing objects affected by the compromised security state.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.

51 Citations

View as Search Results

20 Claims

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:
- instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint;
  
  selecting a set of logical locations from the plurality of logical locations;
  
  recording a sequence of events causally relating the number of computing objects at the set of logical locations;
  
  creating an event graph based on the sequence of events;
  
  applying a malware detection rule to the event graph to identify a compromised security state of the endpoint;
  
  when the malware detection rule in the event graph identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state; and
  
  remediating one or more of the identified one or more other ones of the number of computing objects affected by the compromised security state.

2. A method for malware detection comprising:
- instrumenting an endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the endpoint;
  
  recording a sequence of events causally relating the number of computing objects at the first set of logical locations;
  
  creating an event graph based on the sequence of events;
  
  applying a malware detection rule to the event graph to identify a compromised security state of the endpoint; and
  
  when the malware detection rule in the event graph identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 3. The method of claim 2, wherein traversing the event graph forward includes traversing the event graph forward from a cause of the compromised security state.
  - 4. The method of claim 2, further comprising remediating the one or more other ones of the number of computing objects affected by the compromised security state.
  - 5. The method of claim 2, wherein the first set of logical locations includes one or more logical locations exposed to an external environment.
  - 6. The method of claim 2, further comprising selecting a second set of logical locations different from the first set of logical locations in response to an observed event graph for the sequence of events.
  - 7. The method of claim 2, further comprising adding one or more logical locations to the first set of logical locations in response to a detected increase in security risk.
  - 8. The method of claim 2, further comprising removing one or more logical locations from the first set of logical locations in response to a detected decrease in security risk.
  - 9. The method of claim 2, further comprising filtering one or more of the events in the sequence of events according to reputation.
  - 10. The method of claim 2, wherein the first set of logical locations includes at least one endpoint separate from the endpoint.
  - 11. The method of claim 2, wherein the first set of logical locations includes at least one programming interface to a human interface device.
  - 12. The method of claim 2, further comprising identifying one of the number of computing objects as a cause of the compromised security state and remediating the one of the number of computing objects.
  - 13. The method of claim 2, wherein the number of causal relationships include a data flow.
  - 14. The method of claim 2, wherein the number of causal relationships include a control flow.
  - 15. The method of claim 2, wherein the number of causal relationships include a network flow.
  - 16. The method of claim 2, wherein the number of computing objects include one or more types of computing objects selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device.
  - 17. The method of claim 2, wherein a number of events within the sequence of events are preserved for a predetermined time window, and further wherein the predetermined time window has a different duration for at least two different types of computing objects.

18. An endpoint comprising:
- a network interface;
  
  a memory; and
  
  a processor configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a set of logical locations within a computing environment related to the endpoint, creating an event graph based on a sequence of events causally relating the number of computing objects at the set of logical locations, applying a malware detection rule in the event graph to identify a compromised security state of the endpoint, and when the malware detection rule identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state.
- View Dependent Claims (19, 20)
- - 19. The endpoint of claim 18, wherein traversing the event graph forward includes traversing the event graph forward from a cause of the compromised security state.
  - 20. The endpoint of claim 18, wherein the processor is further configured to adjust the set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the set of logical locations according to a security state of the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ladnai, Beata, Harris, Mark David, Thomas, Andrew J., Smith, Andrew G. P., Humphries, Russell

Granted Patent

US 10,489,588 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 8/65   Updates security arrangemen...

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others