Intrusion detection using a heartbeat

US 9,917,851 B2
Filed: 04/28/2014
Issued: 03/13/2018
Est. Priority Date: 04/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating a gateway for an enterprise network, the method comprising:

receiving, at a gateway logically or physically interposed between an endpoint in the enterprise network and a second network, the enterprise network separate from the second network and the gateway configured to pass network traffic between the enterprise network and the second network, a heartbeat from the endpoint associated with the enterprise network, the heartbeat addressed to the gateway, the heartbeat including a signal communicated periodically from the endpoint to the gateway, and the heartbeat containing cryptographically secured information including at least information to indicate a security health status of the endpoint and identifying information that identifies the endpoint providing the heartbeat to the gateway independently from a source address for the heartbeat;

detecting an interruption of the heartbeat at the gateway based upon an error in or omission of an expected heartbeat;

following detecting the interruption of the heartbeat at the gateway, receiving, by the gateway, network traffic other than the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second destination address outside the gateway from the enterprise network; and

responding to the interruption of the heartbeat in combination with the network traffic received following the interruption by treating the endpoint as a compromised network asset and blocking network traffic from the endpoint.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

34 Citations

View as Search Results

22 Claims

1. A method of operating a gateway for an enterprise network, the method comprising:
- receiving, at a gateway logically or physically interposed between an endpoint in the enterprise network and a second network, the enterprise network separate from the second network and the gateway configured to pass network traffic between the enterprise network and the second network, a heartbeat from the endpoint associated with the enterprise network, the heartbeat addressed to the gateway, the heartbeat including a signal communicated periodically from the endpoint to the gateway, and the heartbeat containing cryptographically secured information including at least information to indicate a security health status of the endpoint and identifying information that identifies the endpoint providing the heartbeat to the gateway independently from a source address for the heartbeat;
  
  detecting an interruption of the heartbeat at the gateway based upon an error in or omission of an expected heartbeat;
  
  following detecting the interruption of the heartbeat at the gateway, receiving, by the gateway, network traffic other than the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second destination address outside the gateway from the enterprise network; and
  
  responding to the interruption of the heartbeat in combination with the network traffic received following the interruption by treating the endpoint as a compromised network asset and blocking network traffic from the endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein the heartbeat is cryptographically signed to facilitate authentication.
  - 3. The method of claim 1 wherein the heartbeat includes at least one item unique to the endpoint.
  - 4. The method of claim 1 wherein the interruption includes an omission of the periodic signal.
  - 5. The method of claim 1 wherein the interruption includes an authentication failure in the periodic signal.
  - 6. The method of claim 1 wherein the interruption includes an error in the periodic signal.
  - 7. The method of claim 1 wherein the interruption includes a predetermined interval without the periodic signal.
  - 8. The method of claim 1 wherein treating the endpoint as a compromised network asset includes quarantining the endpoint.
  - 9. The method of claim 1 wherein the network traffic includes suspicious network traffic.
  - 10. The method of claim 1 wherein the heartbeat encodes status information related to the health of the endpoint.
  - 11. The method of claim 1 wherein the interruption includes an absence of a measurement of system health signed into the heartbeat.
  - 12. The method of claim 11 wherein the measurement includes a version of an update.
  - 13. The method of claim 11 wherein the measurement includes a currency of an update.

14. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on a gateway, performs the steps of:
- receiving, by the gateway logically or physically interposed between an endpoint in a first network and a second network, the first network separate from the second network and the gateway configured to pass network traffic between the first network and the second network, a heartbeat from the endpoint associated with the first network, the heartbeat addressed to the gateway, the heartbeat including a signal communicated periodically from the endpoint to the gateway, and the heartbeat containing cryptographically secured information including at least information to indicate a security health status of the endpoint and identifying information that identifies the endpoint providing the heartbeat to the gateway independently from a source address for the heartbeat;
  
  detecting an interruption of the heartbeat at the gateway based upon an error in or omission of an expected heartbeat;
  
  following detecting the interruption of the heartbeat at the gateway, receiving, by the gateway, network traffic other than the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second destination address outside the gateway from the first network; and
  
  responding to the interruption of the heartbeat and in combination with the network traffic received following the interruption by treating the endpoint as a compromised network asset and blocking network traffic from the endpoint.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The computer program product of claim 14 wherein the heartbeat is cryptographically signed to facilitate authentication.
  - 16. The computer program product of claim 14 wherein the heartbeat includes at least one item unique to the endpoint.
  - 17. The computer program product of claim 14 wherein the interruption includes an omission of the periodic signal for a predetermined interval.
  - 18. The computer program product of claim 14 wherein the interruption includes an authentication failure in the periodic signal.
  - 19. The computer program product of claim 14 wherein the interruption includes an error in the periodic signal.
  - 20. The computer program product of claim 14 wherein the interruption includes a predetermined interval without the periodic signal.
  - 21. The computer program product of claim 14 wherein the interruption includes an absence of a measurement of system health signed into the heartbeat.

22. A system comprising:
- an endpoint in a first network, the endpoint comprising a memory and a processor executing instructions from the memory, the processor of the endpoint configured by computer executable code stored in the memory to periodically create a heartbeat containing cryptographically secured information including at least information to indicate a security health status of the endpoint and identifying information that identifies the endpoint providing the heartbeat independently from a source address for the heartbeat; and
  
  a gateway logically or physically interposed between the endpoint in the first network and a second network, the first network separate from the second network and the gateway configured to pass network traffic between the first network and the second network, the gateway comprising a processor and a memory, the gateway coupled in a communicating relationship with the endpoint over the first network, the gateway configured to receive the heartbeat from the endpoint and to receive and forward network traffic, other than the heartbeat, from the endpoint to a destination address in the second network outside of the gateway from the first network, and to verify a status of the endpoint based upon the heartbeat and the network traffic other than the heartbeat, the gateway further configured to initiate remedial action directed to the endpoint based on a combination of an interruption in the heartbeat based upon an error in omission of an expected heartbeat and detection of network traffic, other than the heartbeat, following detection of the interruption in the heartbeat, the remedial action including blocking network traffic from the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ray, Kenneth D.
Primary Examiner(s)
Zaidi, Syed
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US14/263,966
Publication Number

US 20150312268A1
Time in Patent Office

1,415 Days
Field of Search

726 2, 726 7, 726 11, 726 22, 726 24, 713153, 370466, 455567
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Intrusion detection using a heartbeat

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection using a heartbeat

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links