Advanced persistent threat detection

US 9,654,489 B2
Filed: 07/11/2016
Issued: 05/16/2017
Est. Priority Date: 04/28/2014
Status: Active Grant

First Claim

Patent Images

1. A system for threat detection, comprising:

a gateway in an enterprise, the gateway including a memory, and the gateway configured to detect a request for network traffic from an endpoint in the enterprise, the request including a destination address and the request containing a violation of a network policy for the enterprise, the gateway further configured to identify the endpoint that originated the request, and to query the endpoint to determine a source process executing on the endpoint that generated the request, the gateway further configured to map the source process to one or more files on the endpoint; and

a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the enterprise that contain the one or more files, and to remediate the one or more other endpoints with respect to the one or more files.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

Citations

20 Claims

1. A system for threat detection, comprising:
- a gateway in an enterprise, the gateway including a memory, and the gateway configured to detect a request for network traffic from an endpoint in the enterprise, the request including a destination address and the request containing a violation of a network policy for the enterprise, the gateway further configured to identify the endpoint that originated the request, and to query the endpoint to determine a source process executing on the endpoint that generated the request, the gateway further configured to map the source process to one or more files on the endpoint; and
  
  a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the enterprise that contain the one or more files, and to remediate the one or more other endpoints with respect to the one or more files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1 wherein the violation includes a prohibited Uniform Resource Identifier in the destination address.
  - 3. The system of claim 1 wherein the violation includes a prohibited domain in the destination address.
  - 4. The system of claim 1 wherein the violation includes prohibited content in the request.
  - 5. The system of claim 1 wherein the threat management facility is configured to remediate the one or more other endpoints by quarantining the one or more other endpoints.
  - 6. The system of claim 1 wherein the threat management facility is configured to remediate the one or more other endpoints by quarantining the source process on each of the one or more other endpoints.
  - 7. The system of claim 1 wherein the threat management facility is configured to remediate the one or more other endpoints by terminating the source process on each of the one or more other endpoints.
  - 8. The system of claim 1 wherein the threat management facility is configured to remediate the one or more other endpoints by removing the one or more files on each of the one or more other endpoints.
  - 9. The system of claim 1 wherein the threat management facility is configured to remediate the one or more other endpoints by blocking network traffic for the one or more other endpoints.
  - 10. The system of claim 1 wherein the threat management facility is configured to remediate the one or more other endpoints by blocking access to the destination address by the one or more other endpoints.
  - 11. The system of claim 1 wherein the violation includes command and control protocol traffic for an advanced persistent threat.
  - 12. The system of claim 1 wherein the violation includes a command and control location for an advanced persistent threat in the destination.
  - 13. The system of claim 1 wherein the gateway is configured to identify the endpoint based on a machine ID for the endpoint within a heartbeat received at the gateway from the endpoint.
  - 14. The system of claim 13 wherein the heartbeat is a secure heartbeat.
  - 15. The system of claim 1 wherein the gateway is configured to determine the source process by querying a list maintained on the endpoint of network requests from processes executing on the endpoint for entries corresponding to a time of the request.

16. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices in an enterprise managed by a threat management facility, performs the steps of:
- detecting a request for network traffic at a gateway associated with the enterprise, the request including a destination address and the request containing a violation of a network policy for the enterprise;
  
  identifying an endpoint coupled to the gateway that originated the request;
  
  querying the endpoint from the gateway to determine a source process on the endpoint that generated the request;
  
  mapping the source process to one or more files on the endpoint;
  
  locating one or more other endpoints managed by the threat management facility that contain the one or more files; and
  
  remediating the one or more other endpoints.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16 wherein the violation includes a prohibited Uniform Resource Identifier in the destination address.
  - 18. The computer program product of claim 16 wherein the violation includes prohibited content in the request.
  - 19. The computer program product of claim 16 wherein the violation includes command and control protocol traffic for an advanced persistent threat.
  - 20. The computer program product of claim 16 wherein the gateway is configured to identify the endpoint based on a machine ID for the endpoint within a heartbeat received at the gateway from the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Thomas, Andrew J.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US15/206,988
Publication Number

US 20160323303A1
Time in Patent Office

309 Days
Field of Search

726 7- 11, 713166, 370392
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 65/1033   Signalling gateways

Advanced persistent threat detection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced persistent threat detection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links