Threat detection using endpoint variance
Abstract
Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.
18 Claims
1. A method comprising:
- selecting a metric that objectively and quantitatively characterizes an endpoint property, the metric representing changes made to files on the endpoint;
- monitoring a change in the metric on a group of endpoints over time;
- creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time, the model including a statistical model based on a variance that characterizes a range of expected values, and a periodicity that characterizes a change in the range of expected values over time;
- instrumenting an endpoint to detect a current value for the metric at a current time;
- applying the model to determine whether the current value is within the range of expected values for the metric at the current time; and
- implementing a remedial action for the endpoint when the current value is not within the range of expected values for the metric at the current time.

(Dependent claims 2 to 13 are not reproduced on this page.)
14. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- selecting a metric that objectively and quantitatively characterizes an endpoint property, the metric representing changes made to files on the endpoint;
- monitoring a change in the metric on a group of endpoints over time;
- creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time, the model including a statistical model based on a variance that characterizes a range of expected values, and a periodicity that characterizes a change in the range of expected values over time;
- instrumenting an endpoint to detect a current value for the metric at a current time;
- applying the model to determine whether the current value is within the range of expected values for the metric at the current time; and
- implementing a remedial action for the endpoint when the current value is not within the range of expected values for the metric at the current time.

(Dependent claims 15 to 17 are not reproduced on this page.)
18. An endpoint comprising:
- a network interface coupling the endpoint in a communicating relationship with a data network;
- a memory storing a value for a metric that objectively and quantitatively characterizes an endpoint property, along with a model that evaluates whether a new value for the metric at a point in time is within a range of expected values for the metric at the point in time, the metric representing changes made to files on the endpoint, the model including a statistical model based on a variance that characterizes a range of expected values, and the model including a periodicity that characterizes a change in the range of expected values over time; and
- a processor configured to detect a current value for the metric at a current time, to apply the model to determine whether the current value is within the range of expected values for the metric at the current time, and to report an indication of compromise through the network interface to a remote threat management facility when the current value is not within the range of expected values for the metric at the current time.
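The abstract and the independent claims describe one detection loop: pick an endpoint metric, learn from a group of endpoints what range of values is expected at each point in a recurring cycle (variance plus periodicity), then compare a freshly instrumented value against that range and act when it falls outside. The following is an added example, written for this page and not taken from the patent or its assignee's products, that carries those steps through in Python. Everything concrete in it is an assumption: the metric (file changes per hour), a 24-hour period, a 3-standard-deviation tolerance, and the constructed telemetry for five fictitious hosts.

```python
# Added example (not the patent's code): a variance-plus-periodicity baseline for an
# endpoint metric, following the steps of claim 1. The metric, the 24-hour period,
# the 3-sigma tolerance and the sample data are all assumptions made for this example.
import math
import random
from dataclasses import dataclass

PERIOD = 24            # hourly buckets; a daily periodicity is assumed here
TOLERANCE_SIGMAS = 3.0  # width of the expected band around the per-bucket mean
MIN_STD = 1.0           # floor so a near-constant bucket still yields a usable band


@dataclass
class VarianceModel:
    """Per-bucket mean and standard deviation learned from a group of endpoints.

    The list of means is the 'periodicity' (how the expected range moves through
    the cycle); the list of standard deviations is the 'variance' (how wide it is).
    """
    period: int
    mean: list
    std: list
    k: float = TOLERANCE_SIGMAS

    def expected_range(self, t):
        """Range of expected metric values at hour index t, bucketed by the period."""
        b = t % self.period
        lo = max(0.0, self.mean[b] - self.k * self.std[b])  # counts cannot go negative
        hi = self.mean[b] + self.k * self.std[b]
        return lo, hi

    def is_expected(self, t, value):
        lo, hi = self.expected_range(t)
        return lo <= value <= hi


def build_model(series_by_endpoint, period=PERIOD, k=TOLERANCE_SIGMAS):
    """Claim steps 2 and 3: monitor the metric across a group of endpoints and fit a
    per-bucket model. series_by_endpoint maps an endpoint name to hourly samples
    starting at hour 0 of the observation window."""
    sums = [0.0] * period
    squares = [0.0] * period
    counts = [0] * period
    for series in series_by_endpoint.values():
        for t, v in enumerate(series):
            b = t % period
            sums[b] += v
            squares[b] += v * v
            counts[b] += 1
    mean, std = [], []
    for b in range(period):
        if counts[b] == 0:
            raise ValueError(f"no samples for bucket {b}; extend the observation window")
        m = sums[b] / counts[b]
        var = max(squares[b] / counts[b] - m * m, 0.0)  # population variance
        mean.append(m)
        std.append(max(math.sqrt(var), MIN_STD))
    return VarianceModel(period, mean, std, k)


def evaluate_endpoint(model, endpoint, t, value):
    """Claim steps 4 to 6: take the instrumented value, apply the model, pick an action.
    The patent leaves the remedial action open; 'quarantine_and_alert' is a placeholder."""
    lo, hi = model.expected_range(t)
    action = "none" if model.is_expected(t, value) else "quarantine_and_alert"
    return {"endpoint": endpoint, "t": t, "value": value,
            "expected": (round(lo, 1), round(hi, 1)), "action": action}


def constructed_history(n_endpoints=5, days=14, seed=1):
    """Constructed sample data, not real telemetry: file-change counts per hour with a
    daily rhythm (quiet nights, busy working hours) plus Gaussian noise."""
    rng = random.Random(seed)
    history = {}
    for i in range(n_endpoints):
        series = []
        for t in range(days * 24):
            hour = t % 24
            base, spread = (60, 8) if 9 <= hour < 18 else (5, 2)
            series.append(max(0, round(rng.gauss(base, spread))))
        history[f"host-{i}"] = series
    return history


if __name__ == "__main__":
    model = build_model(constructed_history())
    now = 14 * 24  # first hour after the training window
    print(evaluate_endpoint(model, "host-3", now + 14, 55))   # mid-afternoon, ordinary
    print(evaluate_endpoint(model, "host-3", now + 3, 250))   # 3 a.m. burst of file changes
```

The same count of 250 file changes would sit inside the expected band of a busy afternoon only if the variance there were enormous, and it sits far outside the night-time band; that is the point of pairing variance with periodicity rather than using a single global threshold. In practice the bucket key would come from a wall-clock timestamp and the model would be refreshed as the group's history grows, and a weekly cycle could be added by widening the period to 168 buckets.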
Specification