Endpoint malware detection using an event graph
Abstract
A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.
26 Claims
1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:
- instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow;
- selecting a set of logical locations from the plurality of logical locations;
- recording a sequence of events causally relating the number of computing objects at the set of logical locations;
- creating an event graph based on the sequence of events;
- applying a malware detection rule to the event graph; and
- remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.
2. A method for malware detection comprising:
- instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the first endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow;
- selecting a first set of logical locations from the plurality of logical locations;
- recording a sequence of events causally relating the number of computing objects at the first set of logical locations;
- creating an event graph based on the sequence of events;
- applying a malware detection rule to the event graph; and
- remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.
19. An endpoint comprising:
- a network interface;
- a memory; and
- a processor configured by computer executable code stored in the memory to detect malware by performing the steps of:
  - instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow,
  - selecting a first set of logical locations from the plurality of logical locations,
  - recording a sequence of events causally relating the number of computing objects at the first set of logical locations,
  - creating an event graph based on the sequence of events,
  - applying a malware detection rule to the event graph, and
  - remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.
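As an added illustration of the event graph and rule application that the abstract and claims describe (example code written for this page, not code from the patent or from any product implementing it), the following Python records a constructed sequence of causal events, builds the graph, applies one hypothetical detection rule to candidate root objects, and returns the downstream objects a remediation step would act on. The object naming scheme, the three event kinds (control, data, network) and the sample events are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    src: str   # causing object, e.g. "proc:winword#1"
    dst: str   # affected object: a process, file or network peer
    kind: str  # "control" (spawn), "data" (file I/O) or "network" (connection)

class EventGraph:
    """Directed graph whose edges are the recorded causal events."""
    def __init__(self, events):
        self.out = defaultdict(list)
        for e in events:
            self.out[e.src].append(e)

    def reachable(self, root):
        """Events causally downstream of root, following control-flow edges."""
        seen, stack, found = {root}, [root], []
        while stack:
            for e in self.out[stack.pop()]:
                found.append(e)
                if e.kind == "control" and e.dst not in seen:
                    seen.add(e.dst)
                    stack.append(e.dst)
        return found

def dropper_rule(graph, root):
    """Rule: root's causal subtree both writes a file and opens a network flow."""
    kinds = {e.kind for e in graph.reachable(root)}
    return {"data", "network"} <= kinds

def detect(events, rule, roots):
    """Apply rule to each candidate root; return objects to remediate per hit."""
    graph = EventGraph(events)
    hits = {}
    for root in roots:
        if rule(graph, root):
            hits[root] = sorted({e.dst for e in graph.reachable(root)})
    return hits

# Constructed sample recording (not from the patent): winword#1 spawns a shell
# that drops a file and beacons out; winword#2 only saves a document.
SAMPLE_EVENTS = [
    Event("proc:winword#1", "proc:cmd", "control"),
    Event("proc:cmd", "file:dropper.exe", "data"),
    Event("proc:cmd", "net:203.0.113.5:443", "network"),
    Event("proc:winword#2", "file:report.docx", "data"),
]
READERS = ["proc:winword#1", "proc:winword#2"]  # candidate roots to check
```

`detect(SAMPLE_EVENTS, dropper_rule, READERS)` flags only `proc:winword#1`, together with the shell, dropped file and network peer in its causal subtree; the benign instance is left alone.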