Endpoint malware detection using an event graph

US 9,928,366 B2
Filed: 04/11/2017
Issued: 03/27/2018
Est. Priority Date: 04/15/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:

instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow;

selecting a set of logical locations from the plurality of logical locations;

recording a sequence of events causally relating the number of computing objects at the set of logical locations;

creating an event graph based on the sequence of events;

applying a malware detection rule to the event graph; and

remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.

Citations

26 Claims

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:
- instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow;
  
  selecting a set of logical locations from the plurality of logical locations;
  
  recording a sequence of events causally relating the number of computing objects at the set of logical locations;
  
  creating an event graph based on the sequence of events;
  
  applying a malware detection rule to the event graph; and
  
  remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.

2. A method for malware detection comprising:
- instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the first endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow;
  
  selecting a first set of logical locations from the plurality of logical locations;
  
  recording a sequence of events causally relating the number of computing objects at the first set of logical locations;
  
  creating an event graph based on the sequence of events;
  
  applying a malware detection rule to the event graph; and
  
  remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 3. The method of claim 2, wherein selecting the first set of logical locations includes selecting a group from the plurality of logical locations based on exposure to an external environment.
  - 4. The method of claim 2, wherein selecting the first set of logical locations includes selecting a group from the plurality of logical locations based on reputation.
  - 5. The method of claim 4, further comprising excluding at least one of the plurality of logical locations associated with a known, good process.
  - 6. The method of claim 2, further comprising selecting a second set of logical locations different from the first set of logical locations in response to an observed event graph for the sequence of events.
  - 7. The method of claim 2, further comprising adding one or more of the plurality of logical locations to the first set of logical locations in response to a detected increase in security risk.
  - 8. The method of claim 2, further comprising removing one of the plurality of logical locations from the first set of logical locations in response to a detected decrease in security risk.
  - 9. The method of claim 2, further comprising filtering one or more of the events in the sequence of events according to reputation.
  - 10. The method of claim 2, wherein the plurality of logical locations includes at least one endpoint separate from the first endpoint.
  - 11. The method of claim 2, wherein the plurality of logical locations includes at least one programming interface to a human interface device.
  - 12. The method of claim 2, further comprising identifying one of the computing objects as a cause of the compromised security state and remediating the one of the computing objects.
  - 13. The method of claim 2, further comprising traversing the event graph forward from the cause to identify one or more other ones of the computing objects affected by the cause.
  - 14. The method of claim 2, wherein the number of causal relationships include a data flow.
  - 15. The method of claim 2, wherein the number of causal relationships include a control flow.
  - 16. The method of claim 2, wherein the number of causal relationships include a network flow.
  - 17. The method of claim 2, wherein the one or more computing objects include one or more types of computing objects selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device.
  - 18. The method of claim 2, wherein a number of events within the sequence of events are preserved for a predetermined time window, and further wherein the predetermined time window has a different duration for at least two different types of computing objects.

19. An endpoint comprising:
- a network interface;
  
  a memory; and
  
  a processor configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow, selecting a first set of logical locations from the plurality of logical locations, recording a sequence of events causally relating the number of computing objects at the first set of logical locations, creating an event graph based on the sequence of events, applying a malware detection rule to the event graph, and remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The endpoint of claim 19, wherein the processor is further configured to adjust the first set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the first set of logical locations according to a security state of the endpoint.
  - 21. The endpoint of claim 19, wherein selecting the first set of logical locations from the plurality of logical locations includes selecting a group from the plurality of logical locations based on exposure to an external environment.
  - 22. The endpoint of claim 19, wherein selecting the first set of logical locations from the plurality of logical locations includes selecting a group from the plurality of logical locations based on reputation.
  - 23. The endpoint of claim 22, wherein selecting the group from the plurality of logical locations based on reputation includes excluding at least one of the plurality of logical locations associated with a known, good process.
  - 24. The endpoint of claim 19, wherein the number of causal relationships include a data flow.
  - 25. The endpoint of claim 19, wherein the number of causal relationships include a control flow.
  - 26. The endpoint of claim 19, wherein the number of causal relationships include a network flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ladnai, Beata, Harris, Mark David, Thomas, Andrew J., Smith, Andrew G. P., Humphries, Russell
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/484,830
Publication Number

US 20170300690A1
Time in Patent Office

350 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 8/65   Updates security arrangemen...

Endpoint malware detection using an event graph

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Endpoint malware detection using an event graph

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links