Agent assisted malicious application blocking in a network environment

US 10,205,743 B2
Filed: 01/05/2017
Issued: 02/12/2019
Est. Priority Date: 10/24/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by at least one processor cause the processor to:

intercept, on an end host, an attempt to access a network by a process;

determine, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;

send metadata associated with the process to a network security device, wherein the metadata includes a hash of the application, a tuple of connection information, and the endpoint reputation score; and

receive a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score.

428 Citations

24 Claims

1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by at least one processor cause the processor to:
- intercept, on an end host, an attempt to access a network by a process;
  
  determine, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;
  
  send metadata associated with the process to a network security device, wherein the metadata includes a hash of the application, a tuple of connection information, and the endpoint reputation score; and
  
  receive a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The at least one non-transitory machine readable storage medium of claim 1, wherein the action includes blocking the application on the end host based on the threat intelligence reputation score representing at least a certain degree of maliciousness.
  - 3. The at least one non-transitory machine readable storage medium of claim 2, wherein the instructions, when executed by the processor, further cause the processor to:
    - create a rule on the end host to implement the action.
  - 4. The at least one non-transitory machine readable storage medium of claim 3, wherein the rule is implemented to prevent the application from being executed on the end host.
  - 5. The at least one non-transitory machine readable storage medium of claim 2, wherein the application is blocked on the end host based on the network security device being out-of-band.
  - 6. The at least one non-transitory machine readable storage medium of claim 1, wherein the action includes allowing a network session established by the process to continue based on determining the threat intelligence reputation score does not represent at least a certain degree of maliciousness.
  - 7. The at least one non-transitory machine readable storage medium of claim 6, wherein the instructions, when executed by the at least one processor, further cause the processor to:
    - determine, by the end host, a second endpoint reputation score of the application based, at least in part, on heuristic analysis of a dynamic link library (DLL) module invoked by the process; and
      
      send the second endpoint reputation score to the network security device.
  - 8. The at least one non-transitory machine readable storage medium of claim 7, wherein the instructions, when executed by the at least one processor, further cause the processor to:
    - receive a second response indicating a second action to block, on the end host, at least one of the application and the DLL module when the second endpoint reputation score represents at least a certain degree of maliciousness; and
      
      create a rule on the end host according to the second action.
  - 9. The at least one non-transitory machine readable storage medium of claim 7, wherein the instructions, when executed by the at least one processor, further cause the processor to:
    - determine a second action to be taken by the end host based, at least in part, on one or more local host policies and the second endpoint reputation score;
      
      create a rule on the end host according to the second action; and
      
      send, to network security device, the second endpoint reputation score and second action information indicating the second action to be taken by the end host.
  - 10. The at least one non-transitory machine readable storage medium of claim 1, wherein the instructions when executed further cause the processor to:
    - receive a second response from the network security device indicating a second action to take on the end host, wherein the second action includes blocking the application based on the network security device detecting malware in network traffic associated with a network session established by the process; and
      
      create a rule on the end host according to the second action.
  - 11. The at least one non-transitory machine readable storage medium of claim 1, wherein the tuple of connection information includes a source network address of the end host, a source port of the end host, a destination network address of a remote node of a network session established by the process, a destination port of the remote node, and a protocol of the network session.
  - 12. The at least one non-transitory machine readable storage medium of claim 1, wherein the metadata further includes at least one of a filename of the application, a file path of the application, application reputation information, dynamic link library reputation information, a system identifier, a user identifier, and a domain.
  - 13. The at least one non-transitory machine readable storage medium of claim 1, wherein the metadata further includes the threat intelligence reputation score if the threat intelligence reputation score was previously received based on a prior attempt to access the network by another process associated with the application.
  - 14. The at least one non-transitory machine readable storage medium of claim 1, wherein the end host is one of a plurality of virtual personalized desktops running on a virtual device infrastructure server.

15. An apparatus for blocking malware, the apparatus comprising:
- at least one processor coupled to at least one memory element;
  
  an endpoint intelligence agent configured to run on the at least one processor to;
  
  intercept an attempt to access a network by a process;
  
  determine an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;
  
  send metadata associated with the process to a network security device, wherein the metadata includes a hash of the application and the endpoint reputation score; and
  
  receive a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the action includes blocking the application on the apparatus based on the threat intelligence reputation score representing at least a certain degree of maliciousness.
  - 17. The apparatus of claim 15, wherein the action includes allowing a network session established by the process to continue based on determining the threat intelligence reputation score does not represent at least a certain degree of maliciousness.
  - 18. The apparatus of claim 17, wherein the endpoint intelligence agent is further configured to run on the at least one processor to:
    - determine a second endpoint reputation score of the application based, at least in part, on heuristic analysis of a dynamic link library (DLL) module invoked by the process; and
      
      send the second endpoint reputation score to the network security device.
  - 19. The apparatus of claim 18, wherein the endpoint intelligence agent is further configured to run on the at least one processor to:
    - receive a second response from the network security device indicating a second action to take on the apparatus, the second action including blocking at least one of the application and the dynamic link library module based on the second endpoint reputation score representing at least the certain degree of maliciousness; and
      
      create a rule on the apparatus according to the second action.
  - 20. The apparatus of claim 15, wherein the endpoint intelligence agent is further configured to run on the at least one processor to:
    - take another action based on determining a dynamic link library (DLL) invoked by the application indicates a certain degree of maliciousness.

21. A method for blocking malware, the method comprising:
- intercepting, on an end host, an attempt to access a network by a process on the end host;
  
  determining, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;
  
  sending metadata associated with the network access attempt to a network security device, wherein the metadata includes a hash of the application and the endpoint reputation score; and
  
  receiving a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.
- View Dependent Claims (22)
- - 22. The method of claim 21, wherein the action includes blocking the application on the end host based on the threat intelligence reputation score representing at least a certain degree of maliciousness.

23. A system for blocking malware, the system comprising:
- first logic at least partially including hardware logic on an end host, the first logic to;
  
  intercept an attempt to access a network by a process running on the end host;
  
  determine, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application; and
  
  send metadata associated with the network access attempt to a network security device, the metadata including a hash of the application and the endpoint reputation score; and
  
  second logic on the network security device, the second logic to;
  
  request a threat intelligence reputation score based on the hash of the application;
  
  determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application; and
  
  send a response to the end host, the response indicating the action to be taken.
- View Dependent Claims (24)
- - 24. The system of claim 23, wherein the first logic is to:
    - take another action based on determining a dynamic link library (DLL) invoked by the application indicates a certain degree of maliciousness.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Cp, Chandan, Narasimhan, Srinivasan
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US15/399,091
Publication Number

US 20170118228A1
Time in Patent Office

768 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Agent assisted malicious application blocking in a network environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

428 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Agent assisted malicious application blocking in a network environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

428 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links