Normalized indications of compromise
Abstract
Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes that distinguish between objects, e.g., trusted versus untrusted processes, or corporate versus private data. It may also include more granular labeling schemes, such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
20 Claims

1. A method comprising:
detecting an action on an endpoint;
normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;
creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;
collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and
applying a rule to identify a reportable event based on the plurality of observations and the relationship.
Dependent claims: 2–14.

15. A computer program product comprising a non-transitory computer readable medium bearing computer executable code that, when executing on one or more computing devices, performs the steps of:
detecting an action on an endpoint;
normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;
creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;
collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and
applying a rule to identify a reportable event based on the plurality of observations and the relationship.
Dependent claims: 16–19.

20. A system comprising:
a threat management facility configured to manage threats to an enterprise; and
an endpoint of the enterprise having a processor and a memory, the memory storing an object associated with an action, and the processor configured to detect the action, to normalize the action into a normalized action expressed independently from a hardware and software platform of the endpoint thereby providing a normalized action, to create an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of the object, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection, to collect a plurality of observations for the endpoint and a relationship among the plurality of observations, and to apply a rule to identify a reportable event based on the plurality of observations and the relationship, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity including at least one attribute provided by a source other than the hardware and software platform.
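The abstract and the independent claims describe one procedure: normalize a platform-specific event into a common action vocabulary, wrap it in a fixed observation schema (object identifier, normalized action identifier, threat-relevant descriptors), enrich one observation with a category label that the platform itself does not supply, record the relationship between observations, and evaluate a rule on the endpoint. The following Python is an added example written to show that shape end to end; it is not the patent's own schema or any vendor's code. The event names, field names, category feed, sample records and the rule itself are all constructed assumptions.

```python
"""Added example (not from the patent): normalized observations and an
endpoint-side rule, in the shape described by the abstract and claim 1.

Everything here is constructed for illustration: the platform event names,
the observation field names, the category feed and the rule are assumptions,
not the patent's or any vendor's own schema.
"""
from dataclasses import dataclass

# Platform-specific event types mapped onto a platform-independent action
# vocabulary (assumed mapping; real sources would be Sysmon, auditd, etc.).
ACTION_MAP = {
    ("windows", "Sysmon/1"): "PROCESS_CREATE",
    ("linux", "execve"): "PROCESS_CREATE",
    ("windows", "Sysmon/11"): "FILE_WRITE",
    ("linux", "openat_write"): "FILE_WRITE",
}

# The "source other than the hardware and software platform": a constructed
# category feed keyed by file hash, standing in for a labeling service.
CATEGORY_FEED = {
    "hash:aaa111": "e-mail",
    "hash:bbb222": "unknown",
}

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sh")

# Constructed raw endpoint records from two platforms; these are not real logs.
RAW_EVENTS = [
    {"platform": "windows", "event": "Sysmon/1", "pid": 4242, "ppid": 900,
     "image": "C:\\Program Files\\Mail\\mail.exe", "hash": "hash:aaa111"},
    {"platform": "windows", "event": "Sysmon/1", "pid": 4300, "ppid": 4242,
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe", "hash": "hash:bbb222"},
    {"platform": "windows", "event": "Sysmon/11", "pid": 4300,
     "target": "C:\\Users\\u\\AppData\\Roaming\\run.exe"},
    {"platform": "linux", "event": "execve", "pid": 2000, "ppid": 1,
     "image": "/usr/bin/bash", "hash": "hash:ccc333"},
    {"platform": "linux", "event": "setuid", "pid": 2000},  # not in the vocabulary
]


@dataclass
class Observation:
    """Predetermined schema: object id, normalized action id, descriptors."""
    object_id: str
    action: str
    descriptors: dict


def build_observations(raw_events):
    """Normalize raw events into observations and record parent/child links.

    Returns (observations, parent_of) where parent_of maps a process object
    to the process object that created it: the relationship the rule uses.
    """
    observations, parent_of = [], {}
    for raw in raw_events:
        action = ACTION_MAP.get((raw["platform"], raw["event"]))
        if action is None:
            continue  # event type outside the normalized vocabulary: no observation
        if action == "PROCESS_CREATE":
            obj = f"proc:{raw['pid']}"
            descriptors = {
                "path": raw["image"],
                "hash": raw["hash"],
                # Refined normalized description: a category the platform itself
                # does not supply, taken from the external (constructed) feed.
                "category": CATEGORY_FEED.get(raw["hash"], "unlabeled"),
            }
            parent_of[obj] = f"proc:{raw['ppid']}"
        else:  # FILE_WRITE: the object is the file; the acting process is a descriptor
            obj = f"file:{raw['target']}"
            descriptors = {
                "actor": f"proc:{raw['pid']}",
                "executable": raw["target"].lower().endswith(EXECUTABLE_SUFFIXES),
            }
        observations.append(Observation(obj, action, descriptors))
    return observations, parent_of


def find_reportable(observations, parent_of):
    """Rule (assumed): a process labeled e-mail spawns an unknown or unlabeled
    process, and that child writes an executable file. Evaluated locally,
    so only the resulting events need to leave the endpoint."""
    category = {o.object_id: o.descriptors["category"]
                for o in observations if o.action == "PROCESS_CREATE"}
    reportable = []
    for obs in observations:
        if obs.action != "FILE_WRITE" or not obs.descriptors["executable"]:
            continue
        actor = obs.descriptors["actor"]
        parent = parent_of.get(actor)
        if category.get(actor) in ("unknown", "unlabeled") and category.get(parent) == "e-mail":
            reportable.append({"parent": parent, "actor": actor, "file": obs.object_id})
    return reportable


if __name__ == "__main__":
    obs, rel = build_observations(RAW_EVENTS)
    for event in find_reportable(obs, rel):
        print("reportable:", event)
```

Two points of the claim language are visible in this layout. The rule never looks at a platform field: it reads only the normalized action, the descriptors chosen for threat relevance, and the parent relationship, so the same rule text can be shipped to Windows and Linux endpoints. And the category lookup is the one place an attribute from outside the platform enters the observation; in a real deployment that lookup would hit a reputation or labeling service, and a missing label should be treated as its own value (here "unlabeled") rather than silently collapsing into a trusted category.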
Specification