GB2563340A8 - Labeling computing objects for improved threat detection - Google Patents

Labeling computing objects for improved threat detection

Info

Publication number
GB2563340A8
GB2563340A8 GB1811133.6A GB201811133A GB2563340A8 GB 2563340 A8 GB2563340 A8 GB 2563340A8 GB 201811133 A GB201811133 A GB 201811133A GB 2563340 A8 GB2563340 A8 GB 2563340A8
Authority
GB
United Kingdom
Prior art keywords
descriptor
threat detection
context
computing objects
action
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB1811133.6A
Other versions
GB2563340B (en
GB201811133D0 (en
GB2563340A (en
Inventor
D Ray Kenneth
Neil Reed Simon
D Harris Mark
Robert Tyndale Watkiss Neil
J Thomas Andrew
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sophos Ltd
Original Assignee
Sophos Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US14/485,762 external-priority patent/US9967283B2/en
Priority claimed from US14/485,774 external-priority patent/US9537841B2/en
Priority claimed from US14/485,759 external-priority patent/US9967282B2/en
Priority claimed from US14/485,782 external-priority patent/US10122687B2/en
Priority claimed from US14/485,769 external-priority patent/US9965627B2/en
Priority claimed from US14/485,765 external-priority patent/US10965711B2/en
Priority claimed from US14/485,771 external-priority patent/US9992228B2/en
Priority claimed from US14/485,790 external-priority patent/US9967264B2/en
Application filed by Sophos Ltd filed Critical Sophos Ltd
Publication of GB201811133D0 publication Critical patent/GB201811133D0/en
Publication of GB2563340A publication Critical patent/GB2563340A/en
Publication of GB2563340A8 publication Critical patent/GB2563340A8/en
Application granted granted Critical
Publication of GB2563340B publication Critical patent/GB2563340B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

Threat detection in a network, involving processing a first object on an endpoint, the first object from a location external to the endpoint; in response to a first observed action, colouring the object with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including at least one attribute identifying the first object as exposed to external data; inheriting the descriptor at a second object when the second object is the target of an action by the first object ; applying a rule dependent on the descriptor in response to a second observed action of the second object to detect a reportable event based in part on an exposure of the second object to the external data; and transmitting information including a description of the reportable event and the second object along with the descriptor of the context to a threat management facility.
GB1811133.6A 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection Active GB2563340B (en)

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
US14/485,774 US9537841B2 (en) 2014-09-14 2014-09-14 Key management for compromised enterprise endpoints
US14/485,790 US9967264B2 (en) 2014-09-14 2014-09-14 Threat detection using a time-based cache of reputation information on an enterprise endpoint
US14/485,769 US9965627B2 (en) 2014-09-14 2014-09-14 Labeling objects on an endpoint for encryption management
US14/485,771 US9992228B2 (en) 2014-09-14 2014-09-14 Using indications of compromise for reputation based network security
US14/485,765 US10965711B2 (en) 2014-09-14 2014-09-14 Data behavioral tracking
US14/485,782 US10122687B2 (en) 2014-09-14 2014-09-14 Firewall techniques for colored objects on endpoints
US14/485,762 US9967283B2 (en) 2014-09-14 2014-09-14 Normalized indications of compromise
US14/485,759 US9967282B2 (en) 2014-09-14 2014-09-14 Labeling computing objects for improved threat detection
GB1804873.6A GB2558811B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Publications (4)

Publication Number Publication Date
GB201811133D0 GB201811133D0 (en) 2018-08-22
GB2563340A GB2563340A (en) 2018-12-12
GB2563340A8 true GB2563340A8 (en) 2019-03-27
GB2563340B GB2563340B (en) 2019-07-03

Family

ID=55458378

Family Applications (9)

Application Number Title Priority Date Filing Date
GB1705948.6A Active GB2545621B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1815249.6A Active GB2564589B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1715899.9A Active GB2552632B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1804902.3A Active GB2558812B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1811133.6A Active GB2563340B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1820350.5A Active GB2565735B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1811123.7A Active GB2560861B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1804873.6A Active GB2558811B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1820349.7A Active GB2565734B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Family Applications Before (4)

Application Number Title Priority Date Filing Date
GB1705948.6A Active GB2545621B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1815249.6A Active GB2564589B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1715899.9A Active GB2552632B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1804902.3A Active GB2558812B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Family Applications After (4)

Application Number Title Priority Date Filing Date
GB1820350.5A Active GB2565735B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1811123.7A Active GB2560861B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1804873.6A Active GB2558811B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1820349.7A Active GB2565734B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Country Status (2)

Country Link
GB (9) GB2545621B8 (en)
WO (1) WO2016038397A1 (en)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9992228B2 (en) 2014-09-14 2018-06-05 Sophos Limited Using indications of compromise for reputation based network security
US9537841B2 (en) 2014-09-14 2017-01-03 Sophos Limited Key management for compromised enterprise endpoints
US9967283B2 (en) 2014-09-14 2018-05-08 Sophos Limited Normalized indications of compromise
US10122687B2 (en) 2014-09-14 2018-11-06 Sophos Limited Firewall techniques for colored objects on endpoints
US9967264B2 (en) 2014-09-14 2018-05-08 Sophos Limited Threat detection using a time-based cache of reputation information on an enterprise endpoint
US10965711B2 (en) 2014-09-14 2021-03-30 Sophos Limited Data behavioral tracking
US9965627B2 (en) 2014-09-14 2018-05-08 Sophos Limited Labeling objects on an endpoint for encryption management
US9967282B2 (en) 2014-09-14 2018-05-08 Sophos Limited Labeling computing objects for improved threat detection
US10628597B2 (en) 2016-04-14 2020-04-21 Sophos Limited Just-in-time encryption
US10686827B2 (en) 2016-04-14 2020-06-16 Sophos Limited Intermediate encryption for exposed content
US10791097B2 (en) 2016-04-14 2020-09-29 Sophos Limited Portable encryption format
US9984248B2 (en) 2016-02-12 2018-05-29 Sophos Limited Behavioral-based control of access to encrypted content by a process
US10263966B2 (en) 2016-04-14 2019-04-16 Sophos Limited Perimeter enforcement of encryption rules
US10650154B2 (en) 2016-02-12 2020-05-12 Sophos Limited Process-level control of encrypted content
GB2552438B8 (en) * 2016-02-12 2021-12-08 Sophos Ltd Encryption techniques
US10681078B2 (en) 2016-06-10 2020-06-09 Sophos Limited Key throttling to mitigate unauthorized file access
US10938781B2 (en) 2016-04-22 2021-03-02 Sophos Limited Secure labeling of network flows
US11102238B2 (en) 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US10986109B2 (en) 2016-04-22 2021-04-20 Sophos Limited Local proxy detection
US11277416B2 (en) * 2016-04-22 2022-03-15 Sophos Limited Labeling network flows according to source applications
US11165797B2 (en) 2016-04-22 2021-11-02 Sophos Limited Detecting endpoint compromise based on network usage history
GB2551983B (en) 2016-06-30 2020-03-04 Sophos Ltd Perimeter encryption
US10848501B2 (en) * 2016-12-30 2020-11-24 Microsoft Technology Licensing, Llc Real time pivoting on data to model governance properties
US11483326B2 (en) 2019-08-30 2022-10-25 Palo Alto Networks, Inc. Context informed abnormal endpoint behavior detection
CN114430335A (en) * 2021-12-16 2022-05-03 奇安信科技集团股份有限公司 Web fingerprint matching method and device

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7921284B1 (en) * 2001-12-12 2011-04-05 Gary Mark Kinghorn Method and system for protecting electronic data in enterprise environment
US7552472B2 (en) * 2002-12-19 2009-06-23 International Business Machines Corporation Developing and assuring policy documents through a process of refinement and classification
US7324108B2 (en) * 2003-03-12 2008-01-29 International Business Machines Corporation Monitoring events in a computer network
US20080141376A1 (en) * 2006-10-24 2008-06-12 Pc Tools Technology Pty Ltd. Determining maliciousness of software
US9367680B2 (en) * 2008-10-21 2016-06-14 Lookout, Inc. System and method for mobile communication device application advisement
US8607340B2 (en) * 2009-07-21 2013-12-10 Sophos Limited Host intrusion prevention system using software and user behavior analysis
US9038168B2 (en) * 2009-11-20 2015-05-19 Microsoft Technology Licensing, Llc Controlling resource access based on resource properties
US9407603B2 (en) * 2010-06-25 2016-08-02 Salesforce.Com, Inc. Methods and systems for providing context-based outbound processing application firewalls
US8875286B2 (en) * 2010-12-01 2014-10-28 Cisco Technology, Inc. Method and apparatus for detecting malicious software using machine learning techniques
US8042186B1 (en) * 2011-04-28 2011-10-18 Kaspersky Lab Zao System and method for detection of complex malware
US9106680B2 (en) * 2011-06-27 2015-08-11 Mcafee, Inc. System and method for protocol fingerprinting and reputation correlation
US8931043B2 (en) * 2012-04-10 2015-01-06 Mcafee Inc. System and method for determining and using local reputations of users and hosts to protect information in a network environment
US9092616B2 (en) * 2012-05-01 2015-07-28 Taasera, Inc. Systems and methods for threat identification and remediation
IL219597A0 (en) * 2012-05-03 2012-10-31 Syndrome X Ltd Malicious threat detection, malicious threat prevention, and a learning systems and methods for malicious threat detection and prevention
US8832848B1 (en) * 2012-07-26 2014-09-09 Symantec Corporation Systems and methods for content-aware access control
US9104864B2 (en) * 2012-10-24 2015-08-11 Sophos Limited Threat detection through the accumulated detection of threat characteristics
US9355172B2 (en) * 2013-01-10 2016-05-31 Accenture Global Services Limited Data trend analysis
US9104865B2 (en) * 2013-08-29 2015-08-11 International Business Machines Corporation Threat condition management
US9578052B2 (en) * 2013-10-24 2017-02-21 Mcafee, Inc. Agent assisted malicious application blocking in a network environment

Also Published As

Publication number Publication date
GB2565735A (en) 2019-02-20
GB201820350D0 (en) 2019-01-30
GB201815249D0 (en) 2018-10-31
GB2565734A (en) 2019-02-20
GB2558811A (en) 2018-07-18
WO2016038397A1 (en) 2016-03-17
GB2552632B (en) 2018-05-09
GB2545621B8 (en) 2021-11-03
GB2545621A (en) 2017-06-21
GB2558811B (en) 2019-03-27
GB2563340B (en) 2019-07-03
GB2545621B (en) 2018-03-28
GB2558812A8 (en) 2018-09-05
GB2560861B8 (en) 2019-02-06
GB201804873D0 (en) 2018-05-09
GB201705948D0 (en) 2017-05-31
GB201715899D0 (en) 2017-11-15
GB2558812A (en) 2018-07-18
GB2558812B (en) 2019-03-27
GB2564589B (en) 2019-07-03
GB201804902D0 (en) 2018-05-09
GB2560861A8 (en) 2019-02-06
GB201820349D0 (en) 2019-01-30
GB2552632A (en) 2018-01-31
GB2565735B (en) 2019-05-29
GB2560861B (en) 2018-12-26
GB2552632B8 (en) 2021-11-03
GB2565734B (en) 2019-05-29
GB201811123D0 (en) 2018-08-22
GB2560861A (en) 2018-09-26
GB201811133D0 (en) 2018-08-22
GB2564589A (en) 2019-01-16
GB2563340A (en) 2018-12-12

Similar Documents

Publication Publication Date Title
GB2563340A8 (en) Labeling computing objects for improved threat detection
PH12020550701A1 (en) Asset management method and apparatus, and electronic device
WO2015112275A3 (en) Determing data associated with proximate computing devices
PH12019501311A1 (en) Blockchain-based commodity claim method and apparatus, and electronic device
RU2017134371A (en) MANAGEMENT OF OBLIGATIONS AND REQUESTS REMOVED FROM COMMUNICATION AND CONTENT
SG10201901732UA (en) Sensitive information processing method, device, server and security determination system
MX2018008104A (en) Identifying entities using a deep-learning model.
PH12016500350A1 (en) Image processing apparatus and image processing method
GB2499519B (en) User presence detection and event discovery
EP4242892A3 (en) Code pointer authentication for hardware flow control
BR112017017222A2 (en) environmental scenario condition detection
WO2015127472A3 (en) Systems and methods for malware detection and mitigation
GB201204006D0 (en) Point of interest database maintenance system
IL226747B (en) System and method for malware detection learning
MX2018002741A (en) Method and apparatus for determining volumetric data of a predetermined anatomical feature.
MX2016013222A (en) Fault handling method, device and system based on network function virtualization.
MX2015011167A (en) Apparatus and method for processing multiple open apis.
WO2018075388A3 (en) Improved logistical management system
MX343875B (en) Method and system for determining image similarity.
SG11201804033RA (en) Information recommendation method and apparatus
NO20171576A1 (en) Enhancing oilfield operations with cognitive computing
SG10201810036QA (en) Processing queries containing a union-type operation
IN2013CH06086A (en)
MY186664A (en) Multimedia file management method, electronic device, and graphical user interface
PH12016500612A1 (en) Relevance based visual media item modification