Threat detection using endpoint variance

US 9,571,512 B2
Filed: 12/15/2014
Issued: 02/14/2017
Est. Priority Date: 12/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

selecting a metric that objectively and quantitatively characterizes an endpoint property, the metric representing changes made to files on the endpoint;

monitoring a change in the metric on a group of endpoints over time;

creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time, the model including a statistical model based on a variance that characterizes a range of expected values, and a periodicity that characterizes a change in the range of expected values over time;

instrumenting an endpoint to detect a current value for the metric at a current time;

applying the model to determine whether the current value is within the range of expected values for the metric at the current time; and

implementing a remedial action for the endpoint when the current value is not within the range of expected values for the metric at the current time.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.

Citations

18 Claims

1. A method comprising:
- selecting a metric that objectively and quantitatively characterizes an endpoint property, the metric representing changes made to files on the endpoint;
  
  monitoring a change in the metric on a group of endpoints over time;
  
  creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time, the model including a statistical model based on a variance that characterizes a range of expected values, and a periodicity that characterizes a change in the range of expected values over time;
  
  instrumenting an endpoint to detect a current value for the metric at a current time;
  
  applying the model to determine whether the current value is within the range of expected values for the metric at the current time; and
  
  implementing a remedial action for the endpoint when the current value is not within the range of expected values for the metric at the current time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein the group of endpoints includes two or more endpoints.
  - 3. The method of claim 1 wherein the endpoint belongs to the group of endpoints.
  - 4. The method of claim 1 further comprising, when the current value is within the range of expected values, detecting a new current value for the metric and applying the model to the new current value for the metric.
  - 5. The method of claim 1 wherein monitoring the change in the metric over time includes acquiring historical data for the endpoint.
  - 6. The method of claim 1 wherein monitoring the change in the metric over time includes monitoring behavior for a plurality of endpoints in an enterprise.
  - 7. The method of claim 1 wherein the model includes a Bayesian model having a Bayesian probability that provides a threshold for determining the range of expected values.
  - 8. The method of claim 1 wherein the model includes a frequency domain model.
  - 9. The method of claim 1 further comprising selecting and modeling a plurality of metrics and using the plurality of metrics to detect the indication of compromise.
  - 10. The method of claim 1 wherein the periodicity is daily, weekly, or annually.
  - 11. The method of claim 1 wherein the metric measures Uniform Resource Locators addressed by the endpoint.
  - 12. The method of claim 1 wherein the metric measures files accessed by the endpoint.
  - 13. The method of claim 1 wherein the metric measures updates to executables on the endpoint.

14. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- selecting a metric that objectively and quantitatively characterizes an endpoint property, the metric representing changes made to files on the endpoint;
  
  monitoring a change in the metric on a group of endpoints over time;
  
  creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time, the model including a statistical model based on a variance that characterizes a range of expected values, and a periodicity that characterizes a change in the range of expected values over time;
  
  instrumenting an endpoint to detect a current value for the metric at a current time;
  
  applying the model to determine whether the current value is within the range of expected values for the metric at the current time; and
  
  implementing a remedial action for the endpoint when the current value is not within the range of expected values for the metric at the current time.
- View Dependent Claims (15, 16, 17)
- - 15. The computer program product of claim 14 further comprising code that performs the step of, when the current value is within the range of expected values, detecting a new current value for the metric and applying the model to the new current value for the metric.
  - 16. The computer program product of claim 14 wherein the model includes one or more of a Bayesian model and a frequency domain model.
  - 17. The computer program product of claim 14 further comprising code that performs the step of selecting and modeling a plurality of metrics and using the plurality of metrics to detect the indication of compromise.

18. An endpoint comprising:
- a network interface coupling the endpoint in a communicating relationship with a data network;
  
  a memory storing a value for a metric that objectively and quantitatively characterizes an endpoint property, along with a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time, the metric representing changes made to files on the endpoint, the model including a statistical model based on a variance that characterizes a range of expected values, and the model including a periodicity that characterizes a change in the range of expected values over time; and
  
  a processor configured to detect a current value for the metric at a current time, to apply the model to determine whether the current value is within the range of expected values for the metric at the current time, and to report an indication of compromise through the network interface to a remote threat management facility when the current value is not within the range of expected values for the metric at the current time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ray, Kenneth D., Harris, Mark D., Reed, Simon Neil, Watkiss, Neil Robert Tyndale, Thomas, Andrew J.
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US14/570,188
Publication Number

US 20160173509A1
Time in Patent Office

792 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Threat detection using endpoint variance

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Threat detection using endpoint variance

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links