Agent assisted malicious application blocking in a network environment

US 9,578,052 B2
Filed: 10/24/2013
Issued: 02/21/2017
Est. Priority Date: 10/24/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by at least one processor, cause the processor to:

receive metadata of a process intercepted on an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application, the endpoint reputation score assigned by the end host to the application to indicate a degree of maliciousness of the application determined by the end host;

request a threat intelligence reputation score based on the hash of the application;

determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score; and

send a response to the end host indicating the action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify any dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score.

475 Citations

25 Claims

1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by at least one processor, cause the processor to:
- receive metadata of a process intercepted on an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application, the endpoint reputation score assigned by the end host to the application to indicate a degree of maliciousness of the application determined by the end host;
  
  request a threat intelligence reputation score based on the hash of the application;
  
  determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score; and
  
  send a response to the end host indicating the action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify any dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The at least one non-transitory machine readable storage medium of claim 1, wherein the action includes blocking the application when the threat intelligence reputation score represents at least a certain degree of maliciousness.
  - 3. The at least one non-transitory machine readable storage medium of claim 2, wherein the instructions, when executed by the at least one processor when the action includes blocking the application, further cause the processor to:
    - correlate a tuple of connection information with network traffic associated with the network session established by the process, wherein the metadata includes the tuple of connection information; and
      
      if the network security device is in-line with the end host, block, on the network security device, the network traffic correlated to the tuple of connection information.
  - 4. The at least one non-transitory machine readable storage medium of claim 2, wherein the instructions, when executed by the at least one processor when the action includes blocking the application, further cause the processor to:
    - if the network security device is out-of-band, notify the end host to block ongoing network traffic of the network session established by the process.
  - 5. The at least one non-transitory machine readable storage medium of claim 4, wherein the end host is notified to block the on-going network traffic by the response indicating the action to be taken.
  - 6. The at least one non-transitory machine readable storage medium of claim 1, wherein the action includes allowing the network session established by the process to continue when the threat intelligence reputation score does not represent at least a certain degree of maliciousness.
  - 7. The at least one non-transitory machine readable storage medium of claim 6, wherein the instructions, when executed by the at least one processor, further cause the processor to:
    - receive a second endpoint reputation score from the end host based, at least in part, on the end host identifying one or more DLLs invoked by the application that do not perform appropriate activities for the application;
      
      determine a second action to be taken by the end host based, at least in part, on one or more other policies and the second endpoint reputation score; and
      
      send a second response indicating the second action to be taken by the end host.
  - 8. The at least one non-transitory machine readable storage medium of claim 7, wherein the second endpoint reputation score is determined based on a heuristic analysis of one or more dynamic link library modules invoked by the process.
  - 9. The at least one non-transitory machine readable storage medium of claim 8, wherein the second action includes one of blocking the application and blocking at least one of the one or more dynamic link library modules when the second endpoint reputation score represents at least a certain degree of maliciousness.
  - 10. The at least one non-transitory machine readable storage medium of claim 6, wherein the instructions, when executed by the at least one processor, further cause the processor to:
    - receive network traffic associated with the network session;
      
      detect malware in the network traffic;
      
      correlate a tuple of connection information with the network traffic containing the malware, wherein the metadata includes the tuple of connection information;
      
      determine a second action to be taken by the end host based, at least in part, on one or more other policies; and
      
      send a second response indicating the second action to be taken by the end host.
  - 11. The at least one non-transitory machine readable storage medium of claim 10, wherein the second action includes blocking the application.
  - 12. The at least one non-transitory machine readable storage medium of claim 1, wherein the metadata further includes a tuple of connection information, the tuple of connection information including a source network address of the end host, a source port of the end host, a destination network address of a destination node of the network session, a destination port of the destination node, and a protocol of the network session.
  - 13. The at least one non-transitory machine readable storage medium of claim 1, wherein the metadata further includes one or more of a file name of the application, a file path of the application, application reputation information, dynamic link library reputation information, a system identifier, a user identifier, and a domain.
  - 14. The at least one non-transitory machine readable storage medium of claim 13, wherein at least some of the metadata is provided for display on a user interface.
  - 15. The at least one non-transitory machine readable storage medium of claim 1, wherein the instructions, when executed by the at least one processor, further cause the processor to:
    - request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, wherein the action is determined based, at least in part, on the other threat intelligence reputation score.
  - 16. The at least one non-transitory machine readable storage medium of claim 15, wherein the action includes blocking the dynamic link library module if the threat intelligence reputation score represents at least a certain degree of maliciousness.
  - 17. The at least one non-transitory machine readable storage medium of claim 1, wherein, when the threat intelligence reputation score is unavailable, the action to be taken by the end host is determined based on the one or more policies and the endpoint reputation score.
  - 18. The at least one non-transitory machine readable storage medium of claim 1, wherein the instructions, when executed by the at least one processor, further cause the processor to:
    - compare a threshold limit of the one or more policies to the threat intelligence reputation score to determine the action to be taken.
  - 19. The at least one non-transitory machine readable storage medium of claim 1, wherein the end host is one of a plurality of virtual personalized desktops running on a virtual device infrastructure server.

20. An apparatus for blocking malware, the apparatus comprising:
- at least one memory element;
  
  at least one processor coupled to the at least one memory element;
  
  an endpoint intelligence server running on the at least one processor, wherein the endpoint intelligence server is configured to;
  
  receive metadata of a process intercepted on an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application, the endpoint reputation score assigned by the end host to the application to indicate a degree of maliciousness of the application determined by the end host;
  
  request a threat intelligence reputation score based on the hash of the application;
  
  determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score; and
  
  send a response to the end host indicating the action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify any dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.
- View Dependent Claims (21, 22, 23)
- - 21. The apparatus of claim 20, wherein the action includes allowing the network session established by the process to continue when the threat intelligence reputation score does not represent at least a certain degree of maliciousness.
  - 22. The apparatus of claim 21, wherein the endpoint intelligence agent is further configured to:
    - receive a second endpoint reputation score from the end host based, at least in part, on the end host identifying one or more DLLs invoked by the application that do not perform appropriate activities for the application;
      
      determine a second action to be taken by the end host based, at least in part, on one or more other policies and the second endpoint reputation score; and
      
      send a second response indicating the second action to be taken by the end host.
  - 23. The apparatus of claim 22, wherein the second endpoint reputation score is determined based on a heuristic analysis of one or more dynamic link library modules invoked by the process.

24. A method for blocking malware, the method comprising:
- receiving metadata of a process intercepted by at least one processor of an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application, the endpoint reputation score assigned by the end host to the application to indicate a degree of maliciousness of the application determined by the end host;
  
  requesting a threat intelligence reputation score based on the hash of the application;
  
  determining, by one or more processors of a network security device, an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score; and
  
  sending a response to the end host indicating the action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify any dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.
- View Dependent Claims (25)
- - 25. The method of claim 24, wherein, when the threat intelligence reputation score is unavailable, the action to be taken by the end host is determined based on the one or more policies and the endpoint reputation score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
CP, Chandan, Narasimhan, Srinivasan
Primary Examiner(s)
Tabor, Amare F
Assistant Examiner(s)
WYSZYNSKI, AUBREY H

Application Number

US14/127,395
Publication Number

US 20150121449A1
Time in Patent Office

1,216 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Agent assisted malicious application blocking in a network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

475 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Agent assisted malicious application blocking in a network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

475 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links