Intrusion detection using a heartbeat
Abstract
A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
22 Claims (independent claims 1, 14 and 22 shown; dependent claims 2-13 and 15-21 not shown)

1. A method of operating a gateway for an enterprise network, the method comprising:
- receiving, at a gateway logically or physically interposed between an endpoint in the enterprise network and a second network, the enterprise network separate from the second network and the gateway configured to pass network traffic between the enterprise network and the second network, a heartbeat from the endpoint associated with the enterprise network, the heartbeat addressed to the gateway, the heartbeat including a signal communicated periodically from the endpoint to the gateway, and the heartbeat containing cryptographically secured information including at least information to indicate a security health status of the endpoint and identifying information that identifies the endpoint providing the heartbeat to the gateway independently from a source address for the heartbeat;
- detecting an interruption of the heartbeat at the gateway based upon an error in or omission of an expected heartbeat;
- following detecting the interruption of the heartbeat at the gateway, receiving, by the gateway, network traffic other than the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second destination address outside the gateway from the enterprise network; and
- responding to the interruption of the heartbeat in combination with the network traffic received following the interruption by treating the endpoint as a compromised network asset and blocking network traffic from the endpoint.
(Dependent claims 2-13.)

14. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on a gateway, performs the steps of:
- receiving, by the gateway logically or physically interposed between an endpoint in a first network and a second network, the first network separate from the second network and the gateway configured to pass network traffic between the first network and the second network, a heartbeat from the endpoint associated with the first network, the heartbeat addressed to the gateway, the heartbeat including a signal communicated periodically from the endpoint to the gateway, and the heartbeat containing cryptographically secured information including at least information to indicate a security health status of the endpoint and identifying information that identifies the endpoint providing the heartbeat to the gateway independently from a source address for the heartbeat;
- detecting an interruption of the heartbeat at the gateway based upon an error in or omission of an expected heartbeat;
- following detecting the interruption of the heartbeat at the gateway, receiving, by the gateway, network traffic other than the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second destination address outside the gateway from the first network; and
- responding to the interruption of the heartbeat and in combination with the network traffic received following the interruption by treating the endpoint as a compromised network asset and blocking network traffic from the endpoint.
(Dependent claims 15-21.)

22. A system comprising:
- an endpoint in a first network, the endpoint comprising a memory and a processor executing instructions from the memory, the processor of the endpoint configured by computer executable code stored in the memory to periodically create a heartbeat containing cryptographically secured information including at least information to indicate a security health status of the endpoint and identifying information that identifies the endpoint providing the heartbeat independently from a source address for the heartbeat; and
- a gateway logically or physically interposed between the endpoint in the first network and a second network, the first network separate from the second network and the gateway configured to pass network traffic between the first network and the second network, the gateway comprising a processor and a memory, the gateway coupled in a communicating relationship with the endpoint over the first network, the gateway configured to receive the heartbeat from the endpoint and to receive and forward network traffic, other than the heartbeat, from the endpoint to a destination address in the second network outside of the gateway from the first network, and to verify a status of the endpoint based upon the heartbeat and the network traffic other than the heartbeat, the gateway further configured to initiate remedial action directed to the endpoint based on a combination of an interruption in the heartbeat based upon an error in omission of an expected heartbeat and detection of network traffic, other than the heartbeat, following detection of the interruption in the heartbeat, the remedial action including blocking network traffic from the endpoint.
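The claimed gateway behaviour as an added Python model, not code from the patent or its assignee: the endpoint MACs its identity and health status with HMAC-SHA256 (one assumed way to realise "cryptographically secured information"), the gateway identifies the endpoint from the authenticated body rather than the source address, records an error (replayed sequence number or a failed health status) or an omission (no valid heartbeat within the assumed interval), and blocks the endpoint's other traffic only once such traffic arrives after the interruption. Keys, endpoint ids, addresses, timing constants and the deny-by-default handling of sources that never sent a heartbeat are constructed assumptions.

```python
import hmac, hashlib, json

INTERVAL = 30.0   # assumed heartbeat period in seconds
GRACE = 1.5       # heartbeat counts as omitted after INTERVAL * GRACE without a valid one

# Hypothetical per-endpoint secrets provisioned out of band (constructed sample data).
ENDPOINT_KEYS = {"ep-0042": b"\x11" * 32, "ep-0077": b"\x22" * 32}

def make_heartbeat(endpoint_id, key, seq, healthy):
    """Endpoint side: identity and health status are bound by the MAC, not by the source IP."""
    body = json.dumps({"id": endpoint_id, "seq": seq, "healthy": healthy}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

class Gateway:
    def __init__(self):
        self.last = {}        # endpoint_id -> (last_seq, arrival time of last valid heartbeat)
        self.by_ip = {}       # src_ip -> endpoint_id, learned only from authenticated heartbeats
        self.interrupted = set()
        self.blocked = set()

    def on_heartbeat(self, body, mac, src_ip, now):
        try:
            hb = json.loads(body)
        except ValueError:
            return "malformed"
        key = ENDPOINT_KEYS.get(hb.get("id"))
        expected = hmac.new(key, body, hashlib.sha256).digest() if key else b""
        if not key or not hmac.compare_digest(expected, mac):
            return "rejected"     # unauthenticated: must not refresh any endpoint's timer
        eid = hb["id"]
        last_seq = self.last.get(eid, (-1, None))[0]
        if hb["seq"] <= last_seq or not hb["healthy"]:
            self.interrupted.add(eid)   # error in the heartbeat: replay, or endpoint reports bad health
            return "error"
        self.last[eid] = (hb["seq"], now)
        self.by_ip[src_ip] = eid
        self.interrupted.discard(eid)   # a fresh, healthy heartbeat ends the interruption
        return "ok"

    def on_traffic(self, src_ip, now):
        # Non-heartbeat traffic bound for the second network: decide forward or block.
        eid = self.by_ip.get(src_ip)
        if eid is None:
            return "block"        # assumed policy: no authenticated heartbeat ever seen from this source
        if now - self.last[eid][1] > INTERVAL * GRACE:
            self.interrupted.add(eid)   # omission of an expected heartbeat
        if eid in self.interrupted or eid in self.blocked:
            self.blocked.add(eid)       # traffic following the interruption: treat as compromised
            return "block"
        return "forward"
```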
Specification