SYSTEMS AND METHODS FOR USING ATTRIBUTE DATA FOR SYSTEM PROTECTION AND SECURITY AWARENESS TRAINING

US 20190034623A1
Filed: 07/27/2018
Published: 01/31/2019
Est. Priority Date: 07/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method for creating attribute data for a file of an application, the method comprising:

(a) registering, by a service executing on a device, a driver into an operating system of the device to monitor processes, the driver configured to receive notifications from the operating system of processes started or terminated on the device;

(b) executing, an attribute data writer on the device, the attribute data writer in communication with the driver to receive notifications from the driver of processes started on the device;

(c) receiving, by the attribute data writer, a process id from the driver for a process of an application detected by the driver as starting on the device;

(d) injecting, by an injector program launched by the attribute data writer, an attribute data writer library into the process of the application corresponding to the process id;

(e) classifying, by the attribute data writer library, the application into a class of a plurality of classes; and

(f) causing, by the attribute data writer library, the application to create attribute data corresponding to the class responsive to a file being one of created or opened by the application.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to a create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.

Citations

20 Claims

1. A method for creating attribute data for a file of an application, the method comprising:
- (a) registering, by a service executing on a device, a driver into an operating system of the device to monitor processes, the driver configured to receive notifications from the operating system of processes started or terminated on the device;
  
  (b) executing, an attribute data writer on the device, the attribute data writer in communication with the driver to receive notifications from the driver of processes started on the device;
  
  (c) receiving, by the attribute data writer, a process id from the driver for a process of an application detected by the driver as starting on the device;
  
  (d) injecting, by an injector program launched by the attribute data writer, an attribute data writer library into the process of the application corresponding to the process id;
  
  (e) classifying, by the attribute data writer library, the application into a class of a plurality of classes; and
  
  (f) causing, by the attribute data writer library, the application to create attribute data corresponding to the class responsive to a file being one of created or opened by the application.
- View Dependent Claims (2, 3, 4, 7, 8, 9, 10, 11, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein (b) further comprises executing, by the service, the attribute data writer responsive to a user being logged in.
  - 3. The method of claim 1, wherein (c) further comprises receiving, by the attribute data writer, a second process id corresponding to a parent process.
  - 4. The method of claim 1, further comprising determining, by the attribute data writer, if one of the path or name of the file, determined from the process is, is in a list of applications to be monitored by the attribute data writer.
  - 7. The method of claim 1, wherein (e) further comprises obtaining, by the attribute data write library, information on the injected application and classifying, based on the information, the application into the class of the plurality of classes comprising an email client, a word processor, a web browser, a portable document format reader or writer.
  - 8. The method of claim 1, further comprising causing, by the attribute data writer library, the data to be stored to one of a master file table or an alternate data stream.
  - 9. The method of claim 1, further comprising:
    - identifying an attribute data file of a second file being one of opened or created by the application;
      
      identifying from one or more attribute data values in the attribute data file a class of the application; and
      
      identifying from one or more attribute data values in the attribute data file a non-system initiator application of the application.
  - 10. The method of claim 9, further comprising determining that the second file is suspicious based on the one or more attribute data values.
  - 11. The method of claim 10, further comprising displaying, responsive to the determination, a prompt that the second file is suspicious.
  - 13. The method of claim 1, wherein the attribute data file comprises one of a master file table or an alternate data stream.
  - 14. The method of claim 1, further comprising preventing, by the document filter, opening of the file.
  - 15. The method of claim 1, wherein the set of attribute data identifies a domain of where the files was created and application of the one or more rules determines that the domain of the client device is different than the domain identified in the set of attribute data.
  - 16. The method of claim 1, wherein the set of attribute data identifies a user that created the file and application of the one or more rules determines that the user logged into the client device is different than the user identified in the set of attribute data.

5. The method of claim 5, further comprising determining, by the attribute data writer responsive to the file being in the list of applications to be monitored, a type of architecture of the application.

6. The method of claim 6, wherein (d) further comprises launching, by the attribute data writer, a version of the injector program corresponding to the type of architecture.

12. A method for alerting of access to a file based on attribute data, the method comprising:
- (a) intercepting, by a document filter injected into an application executing on a client device, a call of the application to open a file(b) identifying, by the document filter, using a name of the file, an attribute data file of the file;
  
  (c) accessing, by the document filter, a set of attribute data and corresponding values from the attribute data file;
  
  (d) identifying, by the document filter, one or more rules to be applied to the set of attribute data to determine whether or not to open the file;
  
  (e) applying, by the document filter, the one or more rules to values of the set of attribute data;
  
  (f) determining, responsive to the application of the one or more rules, not to open the file; and
  
  (g) displaying prompt, identifying one or more reasons for not opening the file.

17. A method for alerting of a launch of a suspicious application, the method comprising:
- (a) resolving, by a process filter service executing on a client device, name of an executable file of the application based on a process id of a launched application;
  
  (b) identifying, by the process filter service using a name of the file, an attribute data file of the application;
  
  (c) accessing, by the process filter service, a set of attribute data and corresponding values from the attribute data file;
  
  (d) identifying, by the process filter service, one or more rules to be applied to the set of attribute data to determine whether or not the launched application is suspicious;
  
  (e) applying, by the process filter service, the one or more rules to values of the set of attribute data;
  
  (f) determining, responsive to the application of the one or more rules, that the launched application is suspicious; and
  
  (g) displaying a prompt, responsive to the determination, identifying that the launched application is suspicious.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising preventing, by the process filter service, the launched application from continuing to execute.
  - 19. The method of claim 17, further comprising displaying with the prompt a user interface element for a user to select whether to terminate or continue to execute the launched application and responsive to the selection the process filter service terminating or continuing to allow the launched application to execute.
  - 20. The method of claim 17, further comprising identifying from the attribute data file of the application one or more of the following attribute data:
    - domain name, user name, subnet, machine unique id, time zone and a source tag marking if copied from an external storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KnowBe4, Inc.
Original Assignee
KnowBe4, Inc.
Inventors
Lowry, Bret, Repuspolo, Gauvin

Granted Patent

US 10,657,248 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3409   for performance assessment

G06F 11/3438   monitoring of user actions ...

G06F 16/1734   Details of monitoring file ...

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/552   involving long-term monitor...

G06F 21/565   by checking file integrity

G06F 2201/865   Monitoring of software

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/1483   service impersonation, e.g....

SYSTEMS AND METHODS FOR USING ATTRIBUTE DATA FOR SYSTEM PROTECTION AND SECURITY AWARENESS TRAINING

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR USING ATTRIBUTE DATA FOR SYSTEM PROTECTION AND SECURITY AWARENESS TRAINING

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links