Advanced persistent threat detection
First Claim
Patent Images
1. A system for threat detection, comprising:
- a gateway in an enterprise, the gateway configured to detect a request for network traffic from an endpoint in the enterprise, the request including a destination address and the request containing a violation of a network policy for the enterprise, the gateway further configured to identify the endpoint that originated the request, and to query the endpoint to access a log of network requests from processes executing on the endpoint to determine a source process on the endpoint that generated the request on the endpoint, the gateway further configured to map the source process to one or more files on the endpoint; and
a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the enterprise that contain the one or more files mapped to the source process, and to remediate the one or more other endpoints with respect to the the one or more files.
4 Assignments
0 Petitions
Accused Products
Abstract
A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
-
Citations
15 Claims
-
1. A system for threat detection, comprising:
-
a gateway in an enterprise, the gateway configured to detect a request for network traffic from an endpoint in the enterprise, the request including a destination address and the request containing a violation of a network policy for the enterprise, the gateway further configured to identify the endpoint that originated the request, and to query the endpoint to access a log of network requests from processes executing on the endpoint to determine a source process on the endpoint that generated the request on the endpoint, the gateway further configured to map the source process to one or more files on the endpoint; and a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the enterprise that contain the one or more files mapped to the source process, and to remediate the one or more other endpoints with respect to the the one or more files. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeSophos Limited (Sophos Group Ltd.)
-
Original AssigneeSophos Limited (Sophos Group Ltd.)
-
InventorsThomas, Andrew J.
-
Primary Examiner(s)Zecher, Dede
-
Assistant Examiner(s)LAKHIA, VIRAL S
-
Application NumberUS14/263,955Publication NumberTime in Patent Office806 DaysField of Search726/11, 726/22, 726/23, 707/169, 713180-183US Class Current1/1CPC Class CodesH04L 2463/146 Tracing the source of attacksH04L 43/10 Active monitoring, e.g. hea...H04L 63/0227 Filtering policies mail mes...H04L 63/1416 Event detection, e.g. attac...H04L 63/145 the attack involving the pr...H04L 63/20 for managing network securi...H04L 65/1033 Signalling gateways
