Labeling computing objects for improved threat detection

US 9,967,282 B2
Filed: 09/14/2014
Issued: 05/08/2018
Est. Priority Date: 09/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

processing a first object on an endpoint, the first object from a location external to the endpoint;

in response to a first observed action, coloring the first object with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including one or more attributes selected for a relevance to threat detection, including at least one attribute identifying the first object as exposed to external data;

at a second object internal to the endpoint, inheriting the descriptor when the second object is a target of an action by the first object;

applying a rule dependent on the descriptor, including the at least one attribute identifying the first object as exposed to external data, in response to a second observed action of the second object to detect a reportable event based in part on an exposure of the second object to the external data; and

transmitting information to a threat management facility about the reportable event, the information including a description of the reportable event and the second object along with the descriptor of the context.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

54 Citations

View as Search Results

14 Claims

1. A method comprising:
- processing a first object on an endpoint, the first object from a location external to the endpoint;
  
  in response to a first observed action, coloring the first object with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including one or more attributes selected for a relevance to threat detection, including at least one attribute identifying the first object as exposed to external data;
  
  at a second object internal to the endpoint, inheriting the descriptor when the second object is a target of an action by the first object;
  
  applying a rule dependent on the descriptor, including the at least one attribute identifying the first object as exposed to external data, in response to a second observed action of the second object to detect a reportable event based in part on an exposure of the second object to the external data; and
  
  transmitting information to a threat management facility about the reportable event, the information including a description of the reportable event and the second object along with the descriptor of the context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the first observed action and the second observed action are the same action.
  - 3. The method of claim 1 wherein the first object includes at least one of a process, a function, an executable, a dynamic linked library, a script, a file, a data structure, a URL, and data.
  - 4. The method of claim 1 wherein the context includes one or more of a reputation of the first object, an inferred behavior of the first object, a source of the first object, and a type of the first object.
  - 5. The method of claim 1 wherein the descriptor includes a reputation of the first object.
  - 6. The method of claim 1 wherein the descriptor includes a reputation selected from a group consisting of good, bad, and unknown.
  - 7. The method of claim 1 wherein the descriptor includes a reputation selected from a group consisting of in or out.
  - 8. The method of claim 1 wherein the first observed action includes a behavior of the first object and the descriptor is inferred based on the behavior.
  - 9. The method of claim 8 wherein the context includes a type of the first object.
  - 10. The method of claim 1 wherein the first object includes data, and wherein the descriptor includes an ownership of the first object including one or more of private and corporate.
  - 11. The method of claim 1 wherein the descriptor includes information about a network resource requested in the first observed action.
  - 12. The method of claim 1 wherein the descriptor includes information about access to an unprotected object requested in the first observed action.

13. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- processing a first object on an endpoint, the first object from a location external to the endpoint;
  
  in response to a first observed action, coloring the first object with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including one or more attributes selected for a relevance to threat detection, including at least one attribute identifying the first object as exposed to external data;
  
  at a second object internal to the endpoint, inheriting the descriptor when the second object is a target of an action by the first object;
  
  applying a rule dependent on the descriptor, including the at least one attribute identifying the first object as exposed to external data, in response to a second observed action of the second object to detect a reportable event based in part on an exposure of the second object to the external data; and
  
  transmitting information to a threat management facility about the reportable event, the information including a description of the reportable event and the second object along with the descriptor of the context.

14. A system comprising:
- a threat management facility configured to manage threats to an enterprise; and
  
  an endpoint of the enterprise having a processor and a memory, the memory storing a first object and a second object, and the processor configured to process the first object, the first object from a location external to the endpoint, to color the first object, in response to a first observed action, with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including one or more attributes selected for a relevance to threat detection, including at least one attribute identifying the first object as exposed to external data, to inherit, at the second object internal to the endpoint, the descriptor when the second object is a target of an action by the first object, to apply a rule dependent on the descriptor, including the at least one attribute identifying the first object as exposed to external data, in response to a second observed action of the second object to detect a reportable event based in part on an exposure of the second object to the external data, and to transmit information to the threat management facility about the reportable event, the information including a description of the reportable event and the second object along with the descriptor of the context.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Thomas, Andrew J., Harris, Mark D., Reed, Simon Neil, Watkiss, Neil Robert Tyndale, Ray, Kenneth D.
Primary Examiner(s)
DUONG, HIEN LUONGVAN

Application Number

US14/485,759
Publication Number

US 20160080417A1
Time in Patent Office

1,332 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Labeling computing objects for improved threat detection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Labeling computing objects for improved threat detection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links