Threat detection using URL cache hits
First Claim
1. A method comprising:
maintaining a uniform resource locator (URL) cache on each of a plurality of devices, the URL cache including a reputation score and a time to live for each of a plurality of URLs;
updating the URL cache on each of the plurality of devices using reputation scores from a remote threat management facility to add new entries for new URL traffic to the URL cache and using the time to live to expire existing entries from the URL cache;
monitoring the URL cache of each one of the plurality of devices with the remote threat management facility to detect a variance in one of the URL caches relative to each other one of the URL caches;
triggering an indication of compromise based on the variance; and
initiating a remedial action for the device storing the one of the URL caches in response to the indication of compromise.
Abstract
Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.
20 Claims
1. A method comprising: (independent claim; the full text is set out under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
maintaining a uniform resource locator (URL) cache on each of a plurality of devices, the URL cache including a reputation score and a time to live for each of a plurality of URLs;
updating the URL cache on each of the plurality of devices using reputation scores from a remote threat management facility to add new entries for new URL traffic to the URL cache and using the time to live to expire existing entries from the URL cache;
monitoring the URL cache of each one of the plurality of devices with the remote threat management facility to detect a variance in one of the URL caches relative to each other one of the URL caches;
triggering an indication of compromise based on the variance; and
initiating a remedial action for the device storing the one of the URL caches in response to the indication of compromise.
Dependent claims: 14, 15, 16, 17
18. A system comprising:
a remote threat management facility configured to manage threats to an enterprise; and
a plurality of devices associated with the enterprise, each of the plurality of devices having a memory and a processor, the memory storing a uniform resource locator (URL) cache including a reputation score and a time to live for each of a plurality of URLs, and the processor configured to update the URL cache on each of the plurality of devices using reputation scores from the remote threat management facility to add new entries for new URL traffic to the URL cache and using the time to live to expire existing entries from the URL cache;
wherein the remote threat management facility is further configured to monitor the URL cache of each one of the plurality of devices to detect a variance in one of the URL caches relative to each other one of the URL caches, to generate an indication of compromise based on the variance, and to initiate a remedial action for the device storing the one of the URL caches based on the indication of compromise.
Dependent claims: 19, 20
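As an added example, not code from the patent or its assignee, the following Python sketches the mechanism the independent claims (1, 13 and 18) describe: a per-device URL cache that stores a reputation score and a time to live for each URL, a stand-in for the remote threat management facility that supplies scores on cache misses, a fleet-level comparison of each device's cache against the caches of its peers, and an indication of compromise with a constructed remedial action. The URLs, the reputation scale, the TTL, the three cache features (miss rate, share of low-reputation entries, share of cached URLs no peer holds), the robust z-score test and its threshold are all assumptions made for the illustration; the claims do not say how the variance is computed.

```python
"""Fleet-level URL cache variance check: constructed illustration, not the patent's code."""
from __future__ import annotations

import statistics
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CacheEntry:
    reputation: int    # constructed scale: 0 = known malicious .. 100 = trusted
    expires_at: float  # absolute time in seconds; stale once now >= expires_at


class ThreatManagementFacility:
    """Stand-in for the remote reputation service; bad_domains is constructed data."""

    def __init__(self, bad_domains: set[str], default: int = 80) -> None:
        self.bad_domains, self.default = bad_domains, default

    def reputation(self, url: str) -> int:
        host = urlsplit(url).hostname or ""
        bad = any(host == d or host.endswith("." + d) for d in self.bad_domains)
        return 10 if bad else self.default


class URLCache:
    """Per-device cache holding a reputation score and a time to live for each URL."""

    def __init__(self, ttl: float) -> None:
        self.ttl, self.entries = ttl, {}
        self.hits = self.misses = 0

    def expire(self, now: float) -> None:
        for url in [u for u, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[url]

    def lookup(self, url: str, now: float, tmf: ThreatManagementFacility) -> int:
        """Serve a hit from the cache; on a miss ask the facility and add a new entry."""
        self.expire(now)
        if url in self.entries:
            self.hits += 1
            return self.entries[url].reputation
        self.misses += 1
        score = tmf.reputation(url)
        self.entries[url] = CacheEntry(score, now + self.ttl)
        return score


def cache_metrics(caches: dict[str, URLCache], low_rep: int = 30) -> dict[str, dict[str, float]]:
    """Per-device features: miss rate, low-reputation share, share of URLs no peer holds."""
    metrics = {}
    for dev, cache in caches.items():
        peer_urls = set().union(*(set(c.entries) for d, c in caches.items() if d != dev))
        total, n = cache.hits + cache.misses, len(cache.entries)
        metrics[dev] = {
            "miss_rate": cache.misses / total if total else 0.0,
            "low_rep": sum(e.reputation < low_rep for e in cache.entries.values()) / n if n else 0.0,
            "unshared": sum(u not in peer_urls for u in cache.entries) / n if n else 0.0,
        }
    return metrics


def detect_variance(metrics: dict[str, dict[str, float]], threshold: float = 3.0,
                    floor: float = 0.01) -> dict[str, list[str]]:
    """Leave-one-out robust z-score against the peers' median/MAD; only upward deviations count."""
    indications: dict[str, list[str]] = {}
    for dev, feats in metrics.items():
        peers = [m for d, m in metrics.items() if d != dev]
        reasons = []
        for name, value in feats.items():
            pv = [p[name] for p in peers]
            med = statistics.median(pv)
            mad = statistics.median(abs(v - med) for v in pv)
            z = (value - med) / max(1.4826 * mad, floor)  # floor: peers may be identical
            if z > threshold:
                reasons.append(f"{name}={value:.2f} vs peer median {med:.2f} (z={z:.1f})")
        if reasons:
            indications[dev] = reasons
    return indications


BASELINE = ["https://intranet.example/home", "https://mail.example/inbox",
            "https://updates.example/feed", "https://docs.example/wiki"]  # constructed


def simulate(ttl: float = 300.0, rounds: int = 10, step: float = 60.0):
    """Five similar hosts; host-4 also beacons to a fresh low-reputation URL every round."""
    tmf = ThreatManagementFacility(bad_domains={"badhost.example"})
    caches = {f"host-{k}": URLCache(ttl) for k in range(5)}
    for k, (dev, cache) in enumerate(caches.items()):
        for r in range(rounds):
            now = r * step
            for url in BASELINE:
                cache.lookup(url, now, tmf)
            for j in range(k if r == 0 else 0):  # a few host-specific trusted URLs, once
                cache.lookup(f"https://team{k}.example/page{j}", now, tmf)
            if dev == "host-4":
                cache.lookup(f"https://c{r}.badhost.example/ping", now, tmf)
    indications = detect_variance(cache_metrics(caches))
    # Constructed remedial action: the facility isolates the host and flushes its cache.
    actions = {d: f"isolate {d}; flush its URL cache; {'; '.join(why)}" for d, why in indications.items()}
    return caches, cache_metrics(caches), indications, actions
```

Calling `simulate()` returns the per-host caches, their features, the indications of compromise and the constructed actions; only `host-4` is flagged, on all three features, because its beaconing produces cache misses and low-reputation entries that none of its peers share. Two design points matter in practice. The comparison is leave-one-out, so a compromised host does not drag the peer baseline towards itself, and the MAD is floored so that a fleet whose caches are identical still yields a finite score. The peer group must also be chosen as the abstract says, among similarly configured endpoints: a host with a legitimately different role would diverge from desktops on exactly these features and would be flagged without being compromised.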
Specification