Normalized indications of compromise

US 9,967,283 B2
Filed: 09/14/2014
Issued: 05/08/2018
Est. Priority Date: 09/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting an action on an endpoint;

normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;

creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;

collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and

applying a rule to identify a reportable event based on the plurality of observations and the relationship.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted untrusted processes or corporate private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

Citations

20 Claims

1. A method comprising:
- detecting an action on an endpoint;
  
  normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;
  
  creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;
  
  collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and
  
  applying a rule to identify a reportable event based on the plurality of observations and the relationship.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the relationship among at least two of the plurality of observations is defined by a first normalized action associated with a first object and a second object that receives the first normalized action.
  - 3. The method of claim 2 wherein the second object includes one or more additional normalized actions each having an additional object thereof.
  - 4. The method of claim 1 wherein one of the plurality of observations has a time-to-live that provides an amount of time after which the one of the plurality of observations expires.
  - 5. The method of claim 1 wherein the observation includes one or more other normalized actions each having a child object depending therefrom.
  - 6. The method of claim 1 wherein the object includes a normalized object expressed in a manner independent from the hardware and software of the endpoint.
  - 7. The method of claim 1 wherein the descriptor includes a reputation of the object.
  - 8. The method of claim 1 wherein the descriptor includes static threat detection data for the object.
  - 9. The method of claim 8 wherein the static threat detection data includes one or more of a hash of the object, a signature of the object, and a file size of the object.
  - 10. The method of claim 8 wherein the static threat detection data includes a reference to a data repository of threat detection information.
  - 11. The method of claim 10 wherein the data repository is on the endpoint.
  - 12. The method of claim 10 wherein the data repository is outside of the endpoint.
  - 13. The method of claim 1 wherein at least one of the descriptor or the first identifier of the object includes a name of the object as provided by the object.
  - 14. The method of claim 1 wherein the object includes one or more of a process, a function, an executable, a dynamic linked library, a script, a file, a data structure, a URL, and data.

15. A computer program product comprising a non-transitory computer readable medium bearing computer executable code that, when executing on one or more computing devices, performs the steps of:
- detecting an action on an endpoint;
  
  normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;
  
  creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;
  
  collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and
  
  applying a rule to identify a reportable event based on the plurality of observations and the relationship.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product of claim 15 wherein the relationship among at least two of the plurality of observations is defined by a first normalized action associated with a first object and a second object that receives the first normalized action.
  - 17. The computer program product of claim 16 wherein the second object includes one or more additional normalized actions each having an additional object thereof.
  - 18. The computer program product of claim 15 wherein one of the plurality of observations has a time-to-live that provides an amount of time after which the one of the plurality of observations expires.
  - 19. The computer program product of claim 15 wherein the observation includes one or more other normalized actions each having a child object depending therefrom.

20. A system comprising:
- a threat management facility configured to manage threats to an enterprise; and
  
  an endpoint of the enterprise having a processor and a memory, the memory storing an object associated with an action, and the processor configured to detect the action, to normalize the action into a normalized action expressed independently from a hardware and software platform of the endpoint thereby providing a normalized action, to create an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of the object, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection, to collect a plurality of observations for the endpoint and a relationship among the plurality of observations, and to apply a rule to identify a reportable event based on the plurality of observations and the relationship, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity including at least one attribute provided by a source other than the hardware and software platform.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ray, Kenneth D., Cook, Robert W., Thomas, Andrew J., Samosseiko, Dmitri, Harris, Mark D.
Primary Examiner(s)
DUONG, HIEN LUONGVAN

Application Number

US14/485,762
Publication Number

US 20160080418A1
Time in Patent Office

1,332 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Normalized indications of compromise

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Normalized indications of compromise

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links