GB2551972B - Endpoint malware detection using an event graph - Google Patents

Info

Publication number: GB2551972B
Authority: GB (United Kingdom)
Application number: GB1611301.1A
Other versions: GB2551972A (en), GB201611301D0 (en)
Inventors: Ladnai Beata, David Harris Mark, J Thomas Andrew, G P Smith Andrew, Humphries Russell
Current assignee: Sophos Ltd
Original assignee: Sophos Ltd
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application filed by Sophos Ltd; application granted.

Related applications and publications in the same family, as listed by Google Patents: GB1611301.1A (GB2551972B, priority), GB1910544.4A (GB2573076B), GB201611301D0, AU2017249322A (AU2017249322B2), PCT/US2017/027070 (WO2017180666A1), US15/484,830 (US9928366B2), CA3020559A (CA3020559A1), GB2551972A, US15/924,449 (US10489588B2), US15/924,460 (US10460105B2), US16/401,565 (US10817602B2), US17/039,350 (US11550909B2), US17/689,481 (US20220198009A1), US17/689,587 (US20220198010A1), US18/084,825 (US20230118204A1).

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Description

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH
TECHNICAL FIELD
[0001] This application relates to malware detection, and more particularly to techniques for identifying malware using an event graph.
BACKGROUND
[0002] As malware becomes more sophisticated, it has become increasingly difficult to distinguish malicious computing activity from other computer processes and user activity. There remains a need for improved techniques for detecting malware on endpoints in an enterprise network.
SUMMARY
Various aspects of the present invention are defined in the independent claims. Some preferred features are defined in the dependent claims.
[0003] A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.
BRIEF DESCRIPTION OF THE FIGURES
[0004] The foregoing and other objects, features and advantages of the devices, systems, and methods described herein will be apparent from the following description of particular embodiments thereof, as illustrated in the accompanying drawings. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the devices, systems, and methods described herein.
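The recording-and-matching idea of paragraph [0003], as an added Python illustration that is not the patent's or Sophos's code: the object naming scheme, the two recording levels, the "executable written" trigger that raises the level, the dropper pattern and the sample event sequence are all constructed assumptions for the example.

```python
"""Minimal event graph in the spirit of paragraph [0003] (added example).

Each recorded event is an edge actor --action--> target between computer
objects (processes, files, network endpoints).  A detection pattern is a
causal path through the graph, and the recorder raises its level when the
endpoint's security state changes, so that later events are captured in
more detail.  All names and thresholds here are assumptions, not the patent's.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One recorded event: `actor` performs `action` on `target`.
    `seq` is the recorder's monotonically increasing sequence number."""
    seq: int
    actor: str    # e.g. "proc:docviewer.exe#412"
    action: str   # "spawn", "write", "exec", "connect", "read"
    target: str   # e.g. "file:C:\\Users\\u\\update.exe" or "net:203.0.113.7:443"


def image_of(proc_node: str) -> str:
    """Map a process node "proc:<path>#<pid>" to its image file node "file:<path>"."""
    path = proc_node[len("proc:"):].split("#", 1)[0]
    return "file:" + path


class EventGraph:
    # Actions captured at each recording level; "elevated" records more detail.
    LEVELS = {
        "normal": {"spawn", "write", "exec"},
        "elevated": {"spawn", "write", "exec", "connect", "read"},
    }

    def __init__(self) -> None:
        self.edges: Dict[str, List[Event]] = defaultdict(list)  # actor -> events
        self.level = "normal"
        self.recorded = 0
        self.dropped = 0

    def record(self, ev: Event) -> bool:
        """Store the event if the current level captures its action.
        A process writing an executable is treated here as a change in the
        endpoint's security state and raises the level (an assumed trigger)."""
        if ev.action not in self.LEVELS[self.level]:
            self.dropped += 1
            return False
        self.edges[ev.actor].append(ev)
        self.recorded += 1
        if ev.action == "write" and ev.target.lower().endswith(".exe"):
            self.level = "elevated"
        return True

    def out(self, node: str, action: str, after: int = -1) -> List[Event]:
        """Outgoing edges of `node` with the given action, later than `after`."""
        return [e for e in self.edges.get(node, []) if e.action == action and e.seq > after]

    def find_dropper_chain(self) -> Optional[List[Event]]:
        """Pattern: P writes file F; later some process spawns Q whose image
        is F; Q then makes an outbound connection.  Returns the causal chain
        [write, spawn, connect] or None if the graph contains no such path."""
        for evs in list(self.edges.values()):
            for w in evs:
                if w.action != "write":
                    continue
                for sevs in list(self.edges.values()):
                    for s in sevs:
                        if s.action != "spawn" or s.seq <= w.seq:
                            continue
                        if image_of(s.target) != w.target:
                            continue
                        for c in self.out(s.target, "connect", after=s.seq):
                            return [w, s, c]
        return None


def analyse(events: List[Event]) -> dict:
    """Feed events through the recorder and run the pattern over the graph."""
    g = EventGraph()
    for ev in events:
        g.record(ev)
    chain = g.find_dropper_chain()
    return {
        "level": g.level,
        "recorded": g.recorded,
        "dropped": g.dropped,
        "chain": [e.seq for e in chain] if chain else None,
    }


# Constructed sample sequence (not real telemetry).  Events 2 and 3 are not
# captured at the "normal" level; event 4 raises the level, so event 6 is kept.
SAMPLE_EVENTS = [
    Event(1, "proc:explorer.exe#100", "spawn", "proc:docviewer.exe#412"),
    Event(2, "proc:docviewer.exe#412", "read", "file:C:\\Users\\u\\invoice.docx"),
    Event(3, "proc:docviewer.exe#412", "connect", "net:203.0.113.7:443"),
    Event(4, "proc:docviewer.exe#412", "write", "file:C:\\Users\\u\\update.exe"),
    Event(5, "proc:docviewer.exe#412", "spawn", "proc:C:\\Users\\u\\update.exe#900"),
    Event(6, "proc:C:\\Users\\u\\update.exe#900", "connect", "net:203.0.113.7:443"),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

Running the full sample yields the chain of events 4, 5 and 6 with two earlier events dropped; feeding only the first three events yields no chain, which is the cost of recording at the lower level.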
[0005] Fig. 1 illustrates an environment for threat management.
[0006] Fig. 2 illustrates a computer system.
[0007] Fig. 3 illustrates a system for forensic analysis for computer processes.
[0008] Fig. 4 is a flowchart of a method for forensic analysis for computer processes.
[0009] Fig. 5 illustrates an event graph.
[0010] Fig. 6 shows a method for malware detection using an event graph.
DETAILED DESCRIPTION
[0011] Embodiments will now be described with reference to the accompanying figures, in which preferred embodiments are shown. The foregoing may, however, be embodied in many different forms and should not be construed as limited to the illustrated embodiments set forth herein.
[0012] All documents mentioned herein are hereby incorporated by reference in their entirety. References to items in the singular should be understood to include items in the plural, and vice versa, unless explicitly stated otherwise or clear from the context. Grammatical conjunctions are intended to express any and all disjunctive and conjunctive combinations of conjoined clauses, sentences, words, and the like, unless otherwise stated or clear from the context. Thus, the term “or” should generally be understood to mean “and/or” and so forth.
[0013] Recitation of ranges of values herein is not intended to be limiting, referring instead individually to any and all values falling within the range, unless otherwise indicated herein, and each separate value within such a range is incorporated into the specification as if it were individually recited herein. The words “about,” “approximately,” or the like, when accompanying a numerical value, are to be construed as indicating a deviation as would be appreciated by one of ordinary skill in the art to operate satisfactorily for an intended purpose. Ranges of values and/or numeric values are provided herein as examples only, and do not constitute a limitation on the scope of the described embodiments. The use of any and all examples, or exemplary language (“e.g.,” “such as,” or the like) provided herein, is intended merely to better illuminate the embodiments and does not pose a limitation on the scope of the embodiments or the claims. No language in the specification should be construed as indicating any unclaimed element as essential to the practice of the embodiments.
[0014] In the following description, it is understood that terms such as “first,” “second,” “third,” “above,” “below,” and the like, are words of convenience and are not to be construed as limiting terms unless expressly stated otherwise.
[0015] Fig. 1 illustrates an environment for threat management. Specifically, Fig. 1 depicts a block diagram of a threat management system providing protection to an enterprise against a plurality of threats—a context in which the following techniques may usefully be deployed. One aspect relates to corporate policy management and implementation through a unified threat management facility 100. As will be explained in more detail below, a threat management facility 100 may be used to protect computer assets from many threats, both computer-generated threats and user-generated threats. The threat management facility 100 may be multi-dimensional in that it may be designed to protect corporate assets from a variety of threats and it may be adapted to learn about threats in one dimension (e.g. worm detection) and apply the knowledge in another dimension (e.g. spam detection). Policy management is one of the dimensions for which the threat management facility can provide a control capability. A corporation or other entity may institute a policy that prevents certain people (e.g. employees, groups of employees, types of employees, guests of the corporation, etc.) from accessing certain types of computer programs. For example, the corporation may elect to prevent its accounting department from using a particular version of an instant messaging service or all such services. In this example, the policy management facility 112 may be used to update the policies of all corporate computing assets with a proper policy control facility or it may update a select few. By using the threat management facility 100 to facilitate the setting, updating and control of such policies the corporation only needs to be concerned with keeping the threat management facility 100 up to date on such policies. The threat management facility 100 may take care of updating all of the other corporate computing assets.
[0016] It should be understood that the threat management facility 100 may provide multiple services, and policy management may be offered as one of the services. We will now turn to a description of certain capabilities and components of the threat management system 100.
[0017] Over recent years, malware has become a major problem across the Internet 154. From both a technical perspective and a user perspective, the categorization of a specific threat type, whether as virus, worm, spam, phishing exploration, spyware, adware, or the like, is becoming reduced in significance. The threat, no matter how it is categorized, may need to be stopped at various points of a networked computing environment, such as one of an enterprise facility 102, including at one or more laptops, desktops, servers, gateways, communication ports, handheld or mobile devices, firewalls, and the like. Similarly, there may be less and less benefit to the user in having different solutions for known and unknown threats. As such, a consolidated threat management facility 100 may need to apply a similar set of technologies and capabilities for all threats. In certain embodiments, the threat management facility 100 may provide a single agent on the desktop, and a single scan of any suspect file. This approach may eliminate the inevitable overlaps and gaps in protection caused by treating viruses and spyware as separate problems, while simultaneously simplifying administration and minimizing desktop load. As the number and range of types of threats has increased, so may have the level of connectivity available to all IT users. This may have led to a rapid increase in the speed at which threats may move. Today, an unprotected PC connected to the Internet 154 may be infected quickly (perhaps within 10 minutes), which may require acceleration for the delivery of threat protection. Where once monthly updates may have been sufficient, the threat management facility 100 may automatically and seamlessly update its product set against spam and virus threats quickly, for instance, every five minutes, every minute, continuously, or the like. Analysis and testing may be increasingly automated, and also may be performed more frequently; for instance, it may be completed in 15 minutes, and may do so without compromising quality. The threat management facility 100 may also extend techniques that may have been developed for virus and malware protection, and provide them to enterprise facility 102 network administrators to better control their environments. In addition to stopping malicious code, the threat management facility 100 may provide policy management that may be able to control legitimate applications, such as VoIP, instant messaging, peer-to-peer file-sharing, and the like, that may undermine productivity and network performance within the enterprise facility 102.
[0018] The threat management facility 100 may provide an enterprise facility 102 protection from computer-based malware, including viruses, spyware, adware, Trojans, intrusion, spam, policy abuse, uncontrolled access, and the like, where the enterprise facility 102 may be any entity with a networked computer-based infrastructure. In an embodiment, Fig. 1 may depict a block diagram of the threat management facility 100 providing protection to an enterprise against a plurality of threats. The enterprise facility 102 may be corporate, commercial, educational, governmental, or the like, and the enterprise facility’s 102 computer network may be distributed amongst a plurality of facilities, and in a plurality of geographical locations, and may include administration 134, a firewall 138A, an appliance 140A, server 142A, network devices 148A-B, clients 144A-D, such as protected by computer security facilities 152, and the like. It will be understood that any reference herein to client facilities may include the clients 144A-D shown in Fig. 1 and vice-versa. The threat management facility 100 may include a plurality of functions, such as security management facility 122, policy management facility 112, update facility 120, definitions facility 114, network access rules facility 124, remedial action facility 128, detection techniques facility 130, testing facility 118, threat research facility 132, and the like. In embodiments, the threat protection provided by the threat management facility 100 may extend beyond the network boundaries of the enterprise facility 102 to include clients 144D (or client facilities) that have moved into network connectivity not directly associated or controlled by the enterprise facility 102. Threats to client facilities may come from a plurality of sources, such as from network threats 104, physical proximity threats 110, secondary location threats 108, and the like. Clients 144A-D may be protected from threats even when the client 144A-D is not located in association with the enterprise 102, such as when a client 144E-F moves in and out of the enterprise facility 102, for example when interfacing with an unprotected server 142C through the Internet 154, when a client 144F is moving into a secondary location threat 108 such as interfacing with components 140B, 142B, 148C, 148D that are not protected, and the like. In embodiments, the threat management facility 100 may provide an enterprise facility 102 protection from a plurality of threats to multiplatform computer resources in a plurality of locations and network configurations, with an integrated system approach.
[0019] In embodiments, the threat management facility 100 may be provided as a stand-alone solution. In other embodiments, the threat management facility 100 may be integrated into a third-party product. An application programming interface (e.g. a source code interface) may be provided such that the threat management facility 100 may be integrated. For instance, the threat management facility 100 may be stand-alone in that it provides direct threat protection to an enterprise or computer resource, where protection is subscribed to directly 100. Alternatively, the threat management facility 100 may offer protection indirectly, through a third-party product, where an enterprise may subscribe to services through the third-party product, and threat protection to the enterprise may be provided by the threat management facility 100 through the third-party product.
[0020] The security management facility 122 may include a plurality of elements that provide protection from malware to enterprise facility 102 computer resources, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like. The security management facility 122 may be a software application that may provide malicious code and malicious application protection to a client facility computing resource. The security management facility 122 may have the ability to scan the client facility files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures. In embodiments, scanning the client facility may include scanning some or all of the files stored to the client facility on a periodic basis, scanning an application when the application is executed, scanning files as the files are transmitted to or from the client facility, or the like. The scanning of the applications and files may be performed to detect known malicious code or known unwanted applications. In an embodiment, new malicious code and unwanted applications may be continually developed and distributed, and updates to the known code database may be provided on a periodic basis, on a demand basis, on an alert basis, or the like.
[0021] The security management facility 122 may provide email security and control, where security management may help to eliminate spam, viruses, spyware and phishing, control of email content, and the like. The security management facility’s 122 email security and control may protect against inbound and outbound threats, protect email infrastructure, prevent data leakage, provide spam filtering, and the like. In an embodiment, security management facility 122 may provide for web security and control, where security management may help to detect or block viruses, spyware, malware, unwanted applications, help control web browsing, and the like, which may provide comprehensive web access control enabling safe, productive web browsing. Web security and control may provide Internet use policies, reporting on suspect devices, security and content filtering, active monitoring of network traffic, URI filtering, and the like. In an embodiment, the security management facility 122 may provide for network access control, which may provide control over network connections. Network control may stop unauthorized, guest, or non-compliant systems from accessing networks, and may control network traffic that may not be bypassed from the client level. In addition, network access control may control access to virtual private networks (VPN), where VPNs may be a communications network tunneled through another network, establishing a logical connection acting as a virtual network. In embodiments, a VPN may be treated in the same manner as a physical network.
[0022] The security management facility 122 may provide host intrusion prevention through behavioral based protection, which may guard against unknown threats by analyzing behavior before software code executes. Behavioral based protection may monitor code when it runs and intervene if the code is deemed to be suspicious or malicious. Advantages of behavioral based protection over runtime protection may include code being prevented from running. Whereas runtime protection may only interrupt code that has already partly executed, behavioral protection can identify malicious code at the gateway or on the file servers and delete the code before it can reach endpoint computers and the like.
[0023] The security management facility 122 may provide reputation filtering, which may target or identify sources of known malware. For instance, reputation filtering may include lists of URIs of known sources of malware or known suspicious IP addresses, or domains, say for spam, that when detected may invoke an action by the threat management facility 100, such as dropping them immediately. By dropping the source before any interaction can initiate, potential threat sources may be thwarted before any exchange of data can be made.
[0024] In embodiments, information may be sent from the enterprise back to a third party, a vendor, or the like, which may lead to improved performance of the threat management facility 100. For example, the types, times, and number of virus interactions that a client experiences may provide useful information for the prevention of future virus threats. This type of feedback may be useful for any aspect of threat detection. Feedback of information may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like. In embodiments, this type of information feedback may enable the evaluation or profiling of client actions that are violations of policy that may provide a predictive model for the improvement of enterprise policies.
[0025] The security management facility 122 may support overall security of the enterprise facility 102 network or set of enterprise facility 102 networks, e.g., by providing updates of malicious code information to the enterprise facility 102 network and associated client facilities. The updates may include a planned update, an update in reaction to a threat notice, an update in reaction to a request for an update, an update based on a search of known malicious code information, or the like. The administration facility 134 may provide control over the security management facility 122 when updates are performed. The updates may be automatically transmitted without an administration facility’s 134 direct control, manually transmitted by the administration facility 134, or otherwise distributed. The security management facility 122 may manage the receipt of malicious code descriptions from a provider, distribution of the malicious code descriptions to enterprise facility 102 networks, distribution of the malicious code descriptions to client facilities, and so forth.
[0026] The threat management facility 100 may provide a policy management facility 112 that may be able to block non-malicious applications, such as VoIP, instant messaging, peer-to-peer file-sharing, and the like, that may undermine productivity and network performance within the enterprise facility 102. The policy management facility 112 may be a set of rules or policies that may indicate enterprise facility 102 access permissions for the client facility, such as access permissions associated with the network, applications, external computer devices, and the like. The policy management facility 112 may include a database, a text file, a combination of databases and text files, or the like. In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility. The policy management facility 112 may include rules that may be interpreted with respect to an enterprise facility 102 network access request to determine if the request should be allowed. The rules may provide a generic rule for the type of access that may be granted. The rules may be related to the policies of an enterprise facility 102 for access rights for the enterprise facility’s 102 client facility. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client facility, a security facility may access the rules within a policy facility to determine if the requested access is related to a sporting website. In an embodiment, the security facility may analyze the requested website to determine if the website matches with any of the policy facility rules.
[0027] The policy management facility 112 may be similar to the security management facility 122 but with the addition of enterprise facility 102 wide access rules and policies that may be distributed to maintain control of client facility access to enterprise facility 102 network resources. The policies may be defined for application type, subset of application capabilities, organization hierarchy, computer facility type, user type, network location, time of day, connection type, or the like. Policies may be maintained by the administration facility 134, through the threat management facility 100, in association with a third party, or the like. For example, a policy may restrict IM activity to only support personnel for communicating with customers. This may allow communication for departments requiring access, but may maintain the network bandwidth for other activities by restricting the use of IM to only the personnel that need access to instant messaging (IM) in support of the enterprise facility 102. In an embodiment, the policy management facility 112 may be a stand-alone application, may be part of the network server facility 142, may be part of the enterprise facility 102 network, may be part of the client facility, or the like.
[0028] The threat management facility 100 may provide configuration management, which may be similar to policy management, but may specifically examine the configuration set of applications, operating systems, hardware, and the like, and manage changes to their configurations. Assessment of a configuration may be made against a standard configuration policy, detection of configuration changes, remediation of improper configuration, application of new configurations, and the like. An enterprise may keep a set of standard configuration rules and policies which may represent the desired state of the device. For example, a client firewall may be running and installed, but in the disabled state, where remediation may be to enable the firewall. In another example, the enterprise may set a rule that disallows the use of USB disks, and sends a configuration change to all clients, which turns off USB drive access via a registry.
[0029] The threat management facility 100 may also provide for the removal of applications that potentially interfere with the operation of the threat management facility 100, such as competitor products that may also be attempting similar threat management functions. The removal of such products may be initiated automatically whenever such products are detected. In the case where such applications or services are provided indirectly through a third-party product, the application may be suspended until action is taken to remove or disable the third-party product’s protection facility.
[0030] Threat management against a quickly evolving malware environment may require timely updates, and thus an update management facility 120 may be provided by the threat management facility 100. In addition, a policy management facility 112 may also require update management (e.g., as provided by the update facility 120 herein described). The update management for the security facility 122 and policy management facility 112 may be provided directly by the threat management facility 100, such as by a hosted system or in conjunction with the administration facility 134. In embodiments, the threat management facility 100 may provide for patch management, where a patch may be an update to an operating system, an application, a system tool, or the like, where one of the reasons for the patch is to reduce vulnerability to threats.
[0031] The security facility 122 and policy management facility 112 may push information to the enterprise facility 102 network and/or client facility. The enterprise facility 102 network and/or client facility may also or instead pull information from the security facility 122 and policy management facility 112 network server facilities 142, or there may be a combination of pushing and pulling of information between the security facility 122 and the policy management facility 112 network servers 142, enterprise facility 102 network, and client facilities, or the like. For example, the enterprise facility 102 network and/or client facility may pull information from the security facility 122 and policy management facility 112 network server facility 142, requesting the information using the security facility 122 and policy management facility 112 update module; the request may be based on a certain time period, by a certain time, by a date, on demand, or the like. In another example, the security facility 122 and policy management facility 112 network servers 142 may push the information to the enterprise facility’s 102 network and/or client facility by providing notification that there are updates available for download and then transmitting the information. The combination of the security management 122 network server facility 142 and security update module may function substantially the same as the policy management facility 112 network server and policy update module by providing information to the enterprise facility 102 network and the client facility in a push or pull method. In an embodiment, the policy management facility 112 and the security facility 122 management update modules may work in concert to provide information to the enterprise facility’s 102 network and/or client facility for control of application execution. In an embodiment, the policy update module and security update module may be combined into a single update module.
[0032] As threats are identified and characterized, the threat management facility 100 may create definition updates that may be used to allow the threat management facility 100 to detect and remediate the latest malicious software, unwanted applications, configuration and policy changes, and the like. The threat definition facility 114 may contain threat identification updates, also referred to as definition files. A definition file may be a virus identity file that may include definitions of known or potential malicious code. The virus identity (IDE) definition files may provide information that may identify malicious code within files, applications, or the like. The definition files may be accessed by security management facility 122 when scanning files or applications within the client facility for the determination of malicious code that may be within the file or application. The definition files may contain a number of commands, definitions, or instructions, to be parsed and acted upon, or the like. In embodiments, the client facility may be updated with new definition files periodically to provide the client facility with the most recent malicious code definitions; the updating may be performed on a set time period, may be updated on demand from the client facility, may be updated on demand from the network, may be updated on a received malicious code alert, or the like. In an embodiment, the client facility may request an update to the definition files from an update facility 120 within the network, may request updated definition files from a computing facility external to the network, updated definition files may be provided to the client facility 114 from within the network, definition files may be provided to the client facility from an external computing facility from an external network, or the like.
[0033] A definition management facility 114 may provide timely updates of definition files information to the network, client facilities, and the like. New and altered malicious code and malicious applications may be continually created and distributed to networks worldwide. The definition files that maintain the definitions of the malicious code and malicious application information for the protection of the networks and client facilities may need continual updating to provide continual defense of the network and client facility from the malicious code and malicious applications. The definition files management may provide for automatic and manual methods of updating the definition files. In embodiments, the network may receive definition files and distribute the definition files to the network client facilities, the client facilities may receive the definition files directly, or the network and client facilities may both receive the definition files, or the like. In an embodiment, the definition files may be updated on a fixed periodic basis, on demand by the network and/or the client facility, as a result of an alert of a new malicious code or malicious application, or the like. In an embodiment, the definition files may be released as a supplemental file to existing definition files to provide for rapid updating of the definition files.
[0034] In a similar manner, the security management facility 122 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per the enterprise facility 102 rules and policies. By checking outgoing files, the security management facility 122 may be able to discover malicious code infected files that were not detected when they arrived as incoming files, because the client facility has since been updated with new definition files or new policy management facility 112 information. The definition files may discover the malicious code infected file by having received updates of developing malicious code from the administration facility 134, updates from a definition files provider, or the like. The policy management facility 112 may discover the malicious code infected file by having received new updates from the administration facility 134, from a rules provider, or the like.
[0035] The threat management facility 100 may provide controlled access to the enterprise facility 102 networks. For instance, a manager of the enterprise facility 102 may want to restrict access to certain applications, networks, files, printers, servers, databases, or the like. In addition, the manager of the enterprise facility 102 may want to restrict user access based on certain criteria, such as the user’s location, usage history, need to know, job position, connection type, time of day, method of authentication, client-system configuration, or the like. Network access rules may be developed for the enterprise facility 102, or pre-packaged by a supplier, and managed by the threat management facility 100 in conjunction with the administration facility 134.
[0036] A network access rules facility 124 may be responsible for determining if a client facility application should be granted access to a requested network location. The network location may be on the same network as the facility or may be on another network. In an embodiment, the network access rules facility 124 may verify access rights for client facilities from within the network or may verify access rights of computer facilities from external networks. When network access for a client facility is denied, the network access rules facility 124 may send an information file to the client facility. For example, the information sent by the network access rules facility 124 may be a data file. The data file may contain a number of commands, definitions, instructions, or the like to be parsed and acted upon through the remedial action facility 128, or the like. The information sent by the network access rules facility 124 may be a command or command file that the remedial action facility 128 may access and take action upon.
[0037] The network access rules facility 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like, of network access locations that may or may not be accessed by the client facility. Additionally, the network access rules facility 124 may incorporate rule evaluation; the rule evaluation may parse network access requests and apply the parsed information to network access rules. The network access rules facility 124 may have a generic set of rules in support of an enterprise facility’s 102 network access policies, such as denying access to certain types of websites, controlling instant messenger accesses, or the like. Rule evaluation may include regular expression rule evaluation, or other rule evaluation methods for interpreting the network access request and comparing the interpretation to the established rules for network access. In an embodiment, the network access rules facility 124 may receive a rules evaluation request from the network access control and may return the rules evaluation to the network access control.
[0038] Similar to the threat definition facility 114, the network access rules facility 124 may provide updated rules and policies to the enterprise facility 102. The network access rules facility 124 may be maintained by the network administration facility 134, using network access rules facility 124 management. In an embodiment, the network administration facility 134 may be able to maintain a set of access rules manually by adding rules, changing rules, deleting rules, or the like. Additionally, the administration facility 134 may retrieve predefined rule sets from a remote provider of a set of rules to be applied to an entire enterprise facility 102. The network administration facility 134 may be able to modify the predefined rules as needed for a particular enterprise facility 102 using the network access rules management facility 124.
[0039] When a threat or policy violation is detected by the threat management facility 100, the threat management facility 100 may perform or initiate remedial action through the remedial action facility 128. Remedial action may take a plurality of forms, such as terminating or modifying an ongoing process or interaction, sending a warning to a client or administration facility 134 of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, recording interactions for subsequent evaluation, or the like. Remedial action may be associated with an application that responds to information that a client facility network access request has been denied. In an embodiment, when the data file is received, remedial action may parse the data file, interpret the various aspects of the data file, and act on the parsed data file information to determine actions to be taken on an application requesting access to a denied network location. In an embodiment, when the data file is received, remedial action may access the threat definitions to parse the data file and determine an action to be taken on an application requesting access to a denied network location. In an embodiment, the information received from the facility may be a command or a command file. The remedial action facility may carry out any commands that are received or parsed from a data file from the facility without performing any interpretation of the commands. In an embodiment, the remedial action facility may interact with the received information and may perform various actions on a client requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client facility, quarantine of the application, terminating the application, isolation of the application, isolation of the client facility to a location within the network that restricts network access, blocking a network access port from a client facility, reporting the application to an administration facility 134, or the like.
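The following is an added example, not code from the patent or from Sophos, of the arrangement in [0036] to [0039]: the network access rules facility parses a request, applies block and allow lists, regular expression rules and a reputation score, and on denial hands the remedial action facility a data file of commands that the remedial side executes without interpreting. The hostnames, rule names, reputation scores, command verbs and the precedence between the databases are assumptions of the example.

```python
"""Added example (not Sophos code): a hypothetical model of the network access
rules facility 124 handing a command file to the remedial action facility 128.
All hostnames, rule names, reputation scores and command verbs are constructed
for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-ins for the block list, allow list and reputation database.
BLOCK_LIST = {"malware.example.net"}
ALLOW_LIST = {"intranet.example.com"}
REPUTATION = {"cdn.example.org": 80, "sketchy.example.biz": 10}  # 0-100, higher is better
REPUTATION_MIN = 30

# Generic enterprise rules as regular expressions over "<application>|<url>",
# so a rule can key on the requesting program, the target, or both.
GENERIC_RULES = [
    ("deny-gambling", re.compile(r"\|[a-z]+://(?:[^/]*\.)?gambling\.", re.I), "deny"),
    ("deny-im-clients", re.compile(r"^(?:aim|icq|msnmsgr)\.exe\|", re.I), "deny"),
]


@dataclass
class Request:
    application: str
    url: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    command_file: str = ""  # data file for the remedial action facility; empty on allow


def deny_command_file(req, host):
    """One command per line and nothing else, so the receiving side can execute
    the file without interpreting it (the arrangement described in [0039])."""
    return "\n".join([
        f"BLOCK {host}",
        f"SCAN-APPLICATION {req.application}",
        f"REPORT {req.application} {host}",
    ])


def evaluate(req):
    """Parse the request and apply it to the lists and rules; returns a Decision.
    The precedence (block list, allow list, generic rules, reputation, default
    allow) is an assumption of this example, not something the text specifies."""
    host = (urlsplit(req.url).hostname or "").lower()
    subject = f"{req.application}|{req.url}"
    if host in BLOCK_LIST:
        return Decision(False, "block list", deny_command_file(req, host))
    if host in ALLOW_LIST:
        return Decision(True, "allow list")
    for name, pattern, action in GENERIC_RULES:
        if pattern.search(subject):
            if action == "deny":
                return Decision(False, f"rule {name}", deny_command_file(req, host))
            return Decision(True, f"rule {name}")
    score = REPUTATION.get(host)
    if score is not None and score < REPUTATION_MIN:
        return Decision(False, f"reputation {score}", deny_command_file(req, host))
    return Decision(True, "default allow")


# Remedial action facility side: a fixed verb table, one handler per command.
HANDLERS = {
    "BLOCK": lambda args: f"blocked outbound access to {args[0]}",
    "SCAN-APPLICATION": lambda args: f"scanned {args[0]} for malicious code",
    "REPORT": lambda args: f"reported {args[0]} -> {args[1]} to administration facility",
}


def apply_command_file(command_file):
    """Execute the command file line by line and return the actions taken.
    A verb outside the table is refused rather than guessed at."""
    actions = []
    for line in command_file.splitlines():
        if not line.strip():
            continue
        verb, *args = line.split()
        if verb not in HANDLERS:
            raise ValueError(f"unknown command: {verb}")
        actions.append(HANDLERS[verb](args))
    return actions


if __name__ == "__main__":
    decision = evaluate(Request("chrome.exe", "http://malware.example.net/dl"))
    print(decision.reason, apply_command_file(decision.command_file))
```

Running the module prints the decision for a blocked download and the actions its command file produced. Keeping the verb table fixed on the remedial side is what makes "carry out without interpretation" safe: a crafted command file cannot name an action the client does not already implement.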
[0040] Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 130 may include monitoring the enterprise facility 102 network or endpoint devices, such as by monitoring streaming data through the gateway, across the network, through routers and hubs, and the like. The detection techniques facility 130 may include monitoring activity and stored files on computing facilities, such as on server facilities 142, desktop computers, laptop computers, other mobile computing devices, and the like. Detection techniques, such as scanning a computer’s stored files, may provide the capability of checking files for stored threats, either in the active or passive state. Detection techniques, such as streaming file management, may provide the capability of checking files received at the network, gateway facility, client facility, and the like. This may prevent a streaming file, or the portions of the streaming file containing malicious code, from entering the client facility, gateway facility, or network. In an embodiment, the streaming file may be broken into blocks of information, and a plurality of virus identities may be used to check each of the blocks of information for malicious code. In an embodiment, any blocks that are not determined to be clear of malicious code may not be delivered to the client facility, gateway facility, or network.
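As an added example (not Sophos code) of the streaming check in [0040], together with the supplemental definition file of [0033]: a base identity file is merged with a supplement, the stream is cut into fixed-size blocks, every block is checked against every identity, and blocks that are not clear are withheld. The identity names, byte patterns, block size and sample stream are constructed; real identity files are not plain substrings, and the one-block hold-back used to catch a pattern that straddles two blocks is the example's own choice.

```python
"""Added example (not Sophos code): block-wise scanning of a streaming file
against a set of virus identities, with a supplemental identity file merged in.
The identities, the byte patterns and the sample stream are constructed for
illustration; real identity files are not plain substrings."""

# Constructed base identity file and a supplemental file released later ([0033]).
BASE_IDENTITIES = {
    "Trojan/Example-A": b"EXAMPLE-TROJAN-A",
    "Dropper/Example-B": b"DROP-B",
}
SUPPLEMENTAL_IDENTITIES = {
    "Worm/Example-C": b"WORM-C!",
}


def load_identities(base, *supplements):
    """Merge supplemental files over the base file; a later file wins on a name."""
    merged = dict(base)
    for supplement in supplements:
        merged.update(supplement)
    return merged


ALL_IDENTITIES = load_identities(BASE_IDENTITIES, SUPPLEMENTAL_IDENTITIES)

# Constructed sample stream: five 32-byte blocks. Block 1 carries the dropper
# marker, the trojan marker straddles blocks 2 and 3, and the worm marker in
# block 4 is known only to the supplemental file.
SAMPLE_STREAM = (
    b"A" * 32
    + b"B" * 10 + b"DROP-B" + b"B" * 16
    + b"C" * 24 + b"EXAMPLE-"
    + b"TROJAN-A" + b"D" * 24
    + b"E" * 5 + b"WORM-C!" + b"E" * 20
)


def split_blocks(data, block_size):
    for start in range(0, len(data), block_size):
        yield data[start:start + block_size]


def scan_stream(data, identities, block_size=32):
    """Check every block against every identity.

    Returns a list of (block number, clean, matched identity names). A pattern
    that straddles two blocks is caught by scanning each block together with
    the tail of the previous one; reporting a block is held back until its
    successor has been checked so both halves of a straddling match are kept.
    The one-block hold-back is this example's choice, not the text's."""
    longest = max(len(p) for p in identities.values())
    overlap = longest - 1
    if block_size < overlap:
        raise ValueError("block size must cover all but one byte of the longest identity")
    results = []
    held = None  # (number, clean, hits) for the previous block, not yet reported
    carry = b""  # last `overlap` bytes of the previous block
    for number, block in enumerate(split_blocks(data, block_size)):
        window = carry + block
        hits, straddling = set(), set()
        for name, pattern in identities.items():
            pos = window.find(pattern)
            while pos != -1:
                if pos + len(pattern) > len(carry):  # ends in this block: a new match
                    hits.add(name)
                    if pos < len(carry):  # began in the previous block
                        straddling.add(name)
                pos = window.find(pattern, pos + 1)
        if held is not None:
            h_number, h_clean, h_hits = held
            results.append((h_number, h_clean and not straddling,
                            tuple(sorted(set(h_hits) | straddling))))
        held = (number, not hits, tuple(sorted(hits)))
        carry = block[-overlap:] if overlap else b""
    if held is not None:
        results.append(held)
    return results


def deliver(data, identities, block_size=32):
    """Forward only the blocks judged clean, in order; the rest are withheld."""
    blocks = list(split_blocks(data, block_size))
    return b"".join(blocks[n] for n, clean, _ in scan_stream(data, identities, block_size) if clean)


if __name__ == "__main__":
    for number, clean, names in scan_stream(SAMPLE_STREAM, ALL_IDENTITIES):
        print(number, "clean" if clean else "withheld", names)
```

The straddling case is the one practitioners trip over: scanning each block in isolation would miss the trojan marker split across blocks 2 and 3, and without the hold-back the first half would already have been delivered before the match was known. Running the scan with BASE_IDENTITIES instead of ALL_IDENTITIES shows block 4 passing as clean until the supplement is applied.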
[0041] Verifying that the threat management facility 100 is detecting threats and violations of established policy may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 118 may allow the administration facility 134 to coordinate the testing of the security configurations of client facility computing facilities on a network. The administration facility 134 may be able to send test files to a set of client facility computing facilities to test the ability of the client facility to determine the acceptability of the test file. After the test file has been transmitted, a recording facility may record the actions taken by the client facility in reaction to the test file. The recording facility may aggregate the testing information from the client facility and report the testing information to the administration facility 134. The administration facility 134 may be able to determine the level of preparedness of the client facility computing facilities from the reported information. Remedial action may be taken for any of the client facility computing facilities as determined by the administration facility 134; remedial action may be taken by the administration facility 134 or by the user of the client facility.
[0042] The threat research facility 132 may provide a continuously ongoing effort to maintain the threat protection capabilities of the threat management facility 100 in light of the continuous generation of new or evolved forms of malware. Threat research may include researchers and analysts working on known and emerging malware, such as viruses, rootkits, and spyware, as well as other computer threats such as phishing, spam, scams, and the like. In embodiments, through threat research, the threat management facility 100 may be able to provide swift, global responses to the latest threats.
[0043] The threat management facility 100 may provide threat protection to the enterprise facility 102, where the enterprise facility 102 may include a plurality of networked components, such as client facility, server facility 142, administration facility 134, firewall 138, gateway, hubs and routers 148, threat management appliance 140, desktop users, mobile users, and the like. In embodiments, it may be the endpoint computer security facility 152, located on a computer’s desktop, which may provide threat protection to a user and the associated enterprise facility 102. In embodiments, the term endpoint may refer to a computer system that may source data, receive data, evaluate data, buffer data, or the like (such as a user’s desktop computer as an endpoint computer), a firewall as a data evaluation endpoint computer system, a laptop as a mobile endpoint computer, a personal digital assistant or tablet as a hand-held endpoint computer, a mobile phone as an endpoint computer, or the like. In embodiments, endpoint may refer to a source or destination for data, including such components where the destination is characterized by an evaluation point for data, and where the data may be sent to a subsequent destination after evaluation. The endpoint computer security facility 152 may be an application loaded onto the computer platform or computer support component, where the application may accommodate the plurality of computer platforms and/or functional requirements of the component. For instance, a client facility computer may be one of a plurality of computer platforms, such as Windows, Macintosh, Linux, and the like, where the endpoint computer security facility 152 may be adapted to the specific platform, while maintaining a uniform product and product services across platforms. Additionally, components may have different functions to serve within the enterprise facility’s 102 networked computer-based infrastructure. For instance, computer support components provided as hubs and routers 148, server facility 142, firewalls 138, and the like, may require unique security application software to protect their portion of the system infrastructure, while providing an element in an integrated threat management system that extends out beyond the threat management facility 100 to incorporate all computer resources under its protection.
[0044] The enterprise facility 102 may include a plurality of client facility computing platforms on which the endpoint computer security facility 152 is adapted. A client facility computing platform may be a computer system that is able to access a service on another computer, such as a server facility 142, via a network. This client facility/server facility 142 model may apply to a plurality of networked applications, such as a client facility connecting to an enterprise facility 102 application server facility 142, a web browser client facility connecting to a web server facility 142, an e-mail client facility retrieving e-mail from an Internet 154 service provider’s mail storage servers 142, and the like. In embodiments, traditional large client facility applications may be switched to websites, which may increase the browser’s role as a client facility. Clients 144 may be classified as a function of the extent to which they perform their own processing. For instance, client facilities are sometimes classified as a fat client facility or thin client facility. The fat client facility, also known as a thick client facility or rich client facility, may be a client facility that performs the bulk of data processing operations itself, and does not necessarily rely on the server facility 142. The fat client facility may be most common in the form of a personal computer, where the personal computer may operate independent of any server facility 142. Programming environments for fat clients 144 may include Curl, Delphi, Droplets, Java, Win32, X11, and the like. Thin clients 144 may offer minimal processing capabilities; for instance, the thin client facility may primarily provide a graphical user interface provided by an application server facility 142, which may perform the bulk of any required data processing. Programming environments for thin clients 144 may include JavaScript/AJAX, ASP, JSP, Ruby on Rails, Python’s Django, PHP, and the like. The client facility may also be a mix of the two, such as processing data locally, but relying on a server facility 142 for data storage. As a result, this hybrid client facility may provide benefits from both the fat client facility type, such as multimedia support and high performance, and the thin client facility type, such as high manageability and flexibility. In embodiments, the threat management facility 100, and associated endpoint computer security facility 152, may provide seamless threat protection to the plurality of clients 144, and client facility types, across the enterprise facility 102.
[0045] The enterprise facility 102 may include a plurality of server facilities 142, such as application servers, communications servers, file servers, database servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. A server facility 142, which may also be referred to as a server facility 142 application, server facility 142 operating system, server facility 142 computer, or the like, may be an application program or operating system that accepts client facility connections in order to service requests from clients 144. The server facility 142 application may run on the same computer as the client facility using it, or the server facility 142 and the client facility may be running on different computers and communicating across the network. Server facility 142 applications may be divided among server facility 142 computers, with the dividing depending upon the workload. For instance, under light load conditions all server facility 142 applications may run on a single computer, and under heavy load conditions a single server facility 142 application may run on multiple computers. In embodiments, the threat management facility 100 may provide threat protection to server facilities 142 within the enterprise facility 102 as load conditions and application changes are made.
[0046] A server facility 142 may also be an appliance facility 140, where the appliance facility 140 provides specific services onto the network. Though the appliance facility 140 is a server facility 142 computer that may be loaded with a server facility 142 operating system and server facility 142 application, the enterprise facility 102 user may not need to configure it, as the configuration may have been performed by a third party. In an embodiment, an enterprise facility 102 appliance may be a server facility 142 appliance that has been configured and adapted for use with the threat management facility 100, and located within the facilities of the enterprise facility 102. The enterprise facility’s 102 threat management appliance may enable the enterprise facility 102 to administer an on-site local managed threat protection configuration, where the administration facility 134 may access the threat resources through an interface, such as a web portal. In an alternate embodiment, the enterprise facility 102 may be managed remotely by a third party, vendor, or the like, without an appliance facility 140 located within the enterprise facility 102. In this instance, the appliance functionality may be a hardware product shared among a plurality of enterprise facilities 102. In embodiments, the appliance facility 140 may be located at the enterprise facility 102, where the enterprise facility 102 maintains a degree of control. In embodiments, a hosted service may be provided, where the appliance 140 may still be an on-site black box to the enterprise facility 102, physically placed there because of infrastructure requirements, but managed by a third party, vendor, or the like.
[0047] Simple server facility 142 appliances may also be utilized across the enterprise facility’s 102 network infrastructure, such as switches, routers, wireless routers, hubs and routers, gateways, print servers, net modems, and the like. These simple server facility appliances may not require configuration by the enterprise facility 102, but may require protection from threats via an endpoint computer security facility 152. These appliances may provide interconnection services within the enterprise facility 102 network, and therefore may advance the spread of a threat if not properly protected.
[0048] A client facility may be protected from threats from within the enterprise facility 102 network using a personal firewall, which may be a hardware firewall, software firewall, or combination of these, that controls network traffic to and from a client. The personal firewall may permit or deny communications based on a security policy. Personal firewalls may be designed for use by end-users, which may result in protection for only the computer on which it is installed. Personal firewalls may be able to control network traffic by providing prompts each time a connection is attempted and adapting the security policy accordingly. Personal firewalls may also provide some level of intrusion detection, which may allow the software to terminate or block connectivity where it suspects an intrusion is being attempted. Other features that may be provided by a personal firewall may include alerts about outgoing connection attempts, control of program access to networks, hiding the client from port scans by not responding to unsolicited network traffic, monitoring of applications that may be listening for incoming connections, monitoring and regulation of incoming and outgoing network traffic, prevention of unwanted network traffic from installed applications, reporting applications that make connection attempts, reporting destination servers with which applications may be attempting communications, and the like. In embodiments, the personal firewall may be provided by the threat management facility 100.
[0049] Another important component that may be protected by an endpoint computer security facility 152 is a network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its sources of data. For instance, an internal enterprise facility 102 network may have a high level of trust, because all of its data has been sourced from within the enterprise facility 102. An example of a low level of trust is the Internet 154, because the source of data may be unknown. A zone with an intermediate trust level, situated between the Internet 154 and a trusted internal network, may be referred to as a “perimeter network.” Since firewall facilities 138 represent boundaries between threat levels, the endpoint computer security facility 152 associated with the firewall facility 138 may provide resources that may control the flow of threats at this enterprise facility 102 network entry point. Firewall facilities 138, and the associated endpoint computer security facility 152, may also be associated with a network node that may be equipped for interfacing between networks that use different protocols. In embodiments, the endpoint computer security facility 152 may provide threat protection in a plurality of network infrastructure locations, such as at the enterprise facility 102 network entry point, e.g., the firewall facility 138 or gateway; at the server facility 142; at distribution points within the network, e.g., the hubs and routers 148; at the desktop of client facility computers; and the like. In embodiments, the most effective location for threat detection may be at the user’s computer desktop endpoint computer security facility 152.
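An added example (not the patent's or Sophos' code) of the trust-zone decision described in [0049]: flows are classified by the zone of their source and destination addresses, explicit rules cover the crossings the enterprise needs, and the default policy for everything else depends on the direction of trust. The address ranges, ports, trust levels, default policy and the "proxy" action are assumptions made for illustration.

```python
"""Added example (not Sophos code): a zone-based model of the firewall facility
138 deciding whether to permit, deny or proxy a flow between networks of
different trust. Address ranges, ports and the default policy are assumptions
made for illustration."""
from ipaddress import ip_address, ip_network

# Constructed zones; anything outside the listed ranges is treated as the Internet.
ZONE_NETWORKS = {
    "internal": [ip_network("10.0.0.0/8")],
    "perimeter": [ip_network("192.0.2.0/24")],
}
TRUST = {"internal": 3, "perimeter": 2, "internet": 1}  # higher is more trusted

# Explicit rules take precedence over the default policy:
# (source zone, destination zone, protocol, port, action).
RULES = [
    ("internet", "perimeter", "tcp", 443, "allow"),   # public web front end
    ("perimeter", "internal", "tcp", 5432, "allow"),  # front end to its database only
    ("internal", "internet", "tcp", 80, "proxy"),     # outbound web via the perimeter proxy
    ("internal", "internet", "tcp", 443, "proxy"),
]


def zone_of(ip):
    """Map an address to its zone; unknown addresses belong to the Internet."""
    addr = ip_address(ip)
    for zone, networks in ZONE_NETWORKS.items():
        if any(addr in net for net in networks):
            return zone
    return "internet"


def decide(src_ip, dst_ip, protocol, port):
    """Return "allow", "deny" or "proxy" for one flow.

    Default policy (an assumption of the example): a flow may go towards equal
    or lower trust without a rule, but never towards higher trust unless an
    explicit rule allows it."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_proto, rule_port, action in RULES:
        if (rule_src, rule_dst, rule_proto, rule_port) == (src_zone, dst_zone, protocol, port):
            return action
    return "allow" if TRUST[src_zone] >= TRUST[dst_zone] else "deny"


if __name__ == "__main__":
    print(decide("203.0.113.5", "192.0.2.10", "tcp", 443))  # allow: listed crossing
    print(decide("203.0.113.5", "10.1.2.3", "tcp", 445))    # deny: towards higher trust
    print(decide("10.1.2.3", "203.0.113.5", "tcp", 80))     # proxy: outbound web
```

The point to notice is that the perimeter host reaches the internal network only on the one port a rule names; a compromised front end trying SSH inward hits the default deny even though the same host is allowed through on 5432.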
[0050] The interface between the threat management facility 100 and the enterprise facility 102, and through the appliance facility 140 to embedded endpoint computer security facilities, may include a set of tools that may be the same for all enterprise implementations, but allow each enterprise to implement different controls. In embodiments, these controls may include both automatic actions and managed actions. Automatic actions may include downloads of the endpoint computer security facility 152 to components of the enterprise facility 102, downloads of updates to existing endpoint computer security facilities of the enterprise facility 102, uploaded network interaction requests from enterprise facility 102 components to the threat management facility 100, and the like. In embodiments, automatic interactions between the enterprise facility 102 and the threat management facility 100 may be configured by the threat management facility 100 and an administration facility 134 in the enterprise facility 102. The administration facility 134 may configure policy rules that determine interactions, such as developing rules for accessing applications, as in who is authorized and when applications may be used; establishing rules for ethical behavior and activities; rules governing the use of entertainment software such as games, or personal use software such as IM and VoIP; rules for determining access to enterprise facility 102 computing resources, including authentication, levels of access, risk assessment, and usage history tracking; rules for when an action is not allowed, such as whether an action is completely denied or just modified in its execution; and the like. The administration facility 134 may also establish license management, which in turn may further determine interactions associated with a licensed application. In embodiments, interactions between the threat management facility 100 and the enterprise facility 102 may provide threat protection to the enterprise facility 102 by managing the flow of network data into and out of the enterprise facility 102 through automatic actions that may be configured by the threat management facility 100 or the administration facility 134.
[0051] Client facilities within the enterprise facility 102 may be connected to the enterprise facility 102 network by way of wired network facilities 148A or wireless network facilities 148B. Client facilities connected to the enterprise facility 102 network via a wired facility 148A or wireless facility 148B may receive similar protection, as both connection types are ultimately connected to the same enterprise facility 102 network, with the same endpoint computer security facility 152, and the same threat protected enterprise facility 102 environment. Mobile wireless facility clients 144B-F, because of their ability to connect to any wireless 148B, D network access point, may connect to the Internet 154 outside the enterprise facility 102, and therefore outside the threat-protected environment of the enterprise facility 102. In this instance the mobile client facility (e.g., the clients 144B-F), if not for the presence of the endpoint computer security facility 152, may experience a malware attack or perform actions counter to enterprise facility 102 established policies. In addition, there may be a plurality of ways for the threat management facility 100 to protect the out-of-enterprise facility 102 mobile client facility (e.g., the clients 144D-F) that has an embedded endpoint computer security facility 152, such as by providing URI filtering in personal routers, using a web appliance as a DNS proxy, or the like. Mobile client facilities that are components of the enterprise facility 102 but temporarily outside connectivity with the enterprise facility 102 network may be provided with the same threat protection and policy control as client facilities inside the enterprise facility 102. In addition, the mobile client facilities may receive the same interactions to and from the threat management facility 100 as client facilities inside the enterprise facility 102, where the mobile client facilities may be considered a virtual extension of the enterprise facility 102, receiving all the same services via their embedded endpoint computer security facility 152.
[0052] Interactions between the threat management facility 100 and the components of the enterprise facility 102, including mobile client facility extensions of the enterprise facility 102, may ultimately be connected through the Internet 154. Threat management facility 100 downloads and upgrades to the enterprise facility 102 may be passed from the firewalled networks of the threat management facility 100 through to the endpoint computer security facility 152 equipped components of the enterprise facility 102. In turn, the endpoint computer security facility 152 components of the enterprise facility 102 may upload policy and access requests back across the Internet 154 and through to the threat management facility 100. The Internet 154, however, is also the path through which threats may be transmitted from their source. These network threats 104 may include threats from a plurality of sources, including without limitation websites, e-mail, IM, VoIP, application software, and the like. These threats may attempt to attack a mobile enterprise client facility (e.g., the clients 144B-F) equipped with an endpoint computer security facility 152, but in embodiments, as long as the mobile client facility is embedded with an endpoint computer security facility 152, as described above, threats may have no better success than if the mobile client facility were inside the enterprise facility 102.
[0053] However, if the mobile client facility were to attempt to connect to an unprotected connection point, such as at a secondary location 108 that is not a part of the enterprise facility 102, the mobile client facility may be required to request network interactions through the threat management facility 100, where contacting the threat management facility 100 may be performed prior to any other network action. In embodiments, the client facility’s 144 endpoint computer security facility 152 may manage actions in unprotected network environments, such as when the client facility (e.g., client 144F) is in a secondary location 108 or connecting wirelessly to a non-enterprise facility 102 wireless Internet connection, where the endpoint computer security facility 152 may dictate what actions are allowed, blocked, modified, or the like. For instance, if the client facility’s 144 endpoint computer security facility 152 is unable to establish a secured connection to the threat management facility 100, the endpoint computer security facility 152 may inform the user of this and recommend that the connection not be made. In the instance when the user chooses to connect despite the recommendation, the endpoint computer security facility 152 may perform specific actions during or after the unprotected connection is made, including running scans during the connection period, running scans after the connection is terminated, storing interactions for subsequent threat and policy evaluation, contacting the threat management facility 100 upon the first instance of a secured connection for further actions and/or scanning, restricting access to network and local resources, or the like. In embodiments, the endpoint computer security facility 152 may perform specific actions to remediate possible threat incursions or policy violations during or after the unprotected connection.
[0054] The secondary location 108 may have no endpoint computer security facilities 152 as a part of its computer components, such as its firewalls 138B, servers 142B, clients 144G, hubs and routers 148C-D, and the like. As a result, the computer components of the secondary location 108 may be open to threat attacks, and become potential sources of threats, as may any mobile enterprise facility clients 144B-F that are connected to the secondary location’s 108 network. In this instance, these computer components may now unknowingly spread a threat to other components connected to the network.
[0055] Some threats may not come directly from the Internet 154, such as from non-enterprise facility controlled mobile devices that are physically brought into the enterprise facility 102 and connected to the enterprise facility 102 client facilities. The connection may be made by direct connection with the enterprise facility’s 102 client facility, such as through a USB port, or by physical proximity with the enterprise facility’s 102 client facility such that a wireless facility connection can be established, such as through a Bluetooth connection. These physical proximity threats 110 may be another mobile computing device, a portable memory storage device, a mobile communications device, or the like, such as CDs and DVDs, memory sticks, flash drives, external hard drives, cell phones, PDAs, MP3 players, digital cameras, point-to-point devices, digital picture frames, digital pens, navigation devices, tablets, appliances, and the like. A physical proximity threat 110 may have been previously infiltrated by network threats while connected to an unprotected network connection outside the enterprise facility 102, and when connected to the enterprise facility 102 client facility, pose a threat. Because of their mobile nature, physical proximity threats 110 may infiltrate computing resources in any location, such as being physically brought into the enterprise facility 102 site, connected to an enterprise facility 102 client facility while that client facility is mobile, plugged into an unprotected client facility at a secondary location 108, and the like. A mobile device, once connected to an unprotected computer resource, may become a physical proximity threat 110. In embodiments, the endpoint computer security facility 152 may provide enterprise facility 102 computing resources with threat protection against physical proximity threats 110, for instance, through scanning the device prior to allowing data transfers, through security validation certificates, through establishing a safe zone within the enterprise facility 102 computing resource into which data is transferred for evaluation, and the like.
[0056] Having provided an overall context for threat detection, the description now turns to a brief discussion of an example of a computer system that may be used for any of the entities and facilities described above.
[0057] Fig. 2 illustrates a computer system. In general, the computer system 200 may include a computing device 210 connected to a network 202, e.g., through an external device 204. The computing device 210 may be or include any type of network endpoint or endpoints as described herein, e.g., with reference to Fig. 1 above. For example, the computing device 210 may include a desktop computer workstation. The computing device 210 may also or instead be any device suitable for interacting with other devices over a network 202, such as a laptop computer, a desktop computer, a personal digital assistant, a tablet, a mobile phone, a television, a set top box, a wearable computer, and the like. The computing device 210 may also or instead include a server such as any of the servers described herein.
[0058] The computing device 210 may be used for any of the entities described in the threat management environment described above with reference to Fig. 1. For example, the computing device 210 may be part of or may include a client, an enterprise facility, a threat management facility, or any of the other facilities or computing devices described therein. In certain aspects, the computing device 210 may be implemented using hardware or a combination of software and hardware. The computing device 210 may be a standalone device, a device integrated into another entity or device, a platform distributed across multiple entities, or a virtualized device executing in a virtualization environment.
[0059] The network 202 may include any network described above, e.g., data network(s) or internetwork(s) suitable for communicating data and control information among participants in the computer system 200. This may include public networks such as the Internet, private networks, and telecommunications networks such as the Public Switched Telephone Network or cellular networks using third generation cellular technology (e.g., 3G or IMT-2000), fourth generation cellular technology (e.g., 4G, LTE, IMT-Advanced, E-UTRA, etc.) or WiMax-Advanced (IEEE 802.16m) and/or other technologies, as well as any of a variety of corporate area, metropolitan area, campus or other local area networks or enterprise networks, along with any switches, routers, hubs, gateways, and the like that might be used to carry data among participants in the computer system 200. The network 202 may also include a combination of data networks, and need not be limited to a strictly public or private network.
[0060] The external device 204 may be any computer or other remote resource that connects to the computing device 210 through the network 202. This may include threat management resources such as any of those contemplated above, gateways or other network devices, remote servers or the like containing content requested by the computing device 210, a network storage device or resource, a device hosting malicious content, or any other resource or device that might connect to the computing device 210 through the network 202.
[0061] In general, the computing device 210 may include a processor 212, a memory 214, a network interface 216, a data store 218, and one or more input/output interfaces 220. The computing device 210 may further include or be in communication with peripherals 222 and other external input/output devices that might connect to the input/output interfaces 220.
[0062] The processor 212 may be any processor or other processing circuitry capable of processing instructions for execution within the computing device 210 or computer system 200. The processor 212 may include a single-threaded processor, a multi-threaded processor, a multi-core processor and so forth. The processor 212 may be capable of processing instructions stored in the memory 214 or the data store 218.
[0063] The memory 214 may store information within the computing device 210. The memory 214 may include any volatile or non-volatile memory or other computer-readable medium, including without limitation a Random Access Memory (RAM), a flash memory, a Read Only Memory (ROM), a Programmable Read-only Memory (PROM), an Erasable PROM (EPROM), registers, and so forth. The memory 214 may store program instructions, program data, executables, and other software and data useful for controlling operation of the computing device 210 and configuring the computing device 210 to perform functions for a user. The memory 214 may include a number of different stages and types of memory for different aspects of operation of the computing device 210. For example, a processor may include on-board memory and/or cache for faster access to certain data or instructions, and a separate, main memory or the like may be included to expand memory capacity as desired. All such memory types may be a part of the memory 214 as contemplated herein.
[0064] The memory 214 may, in general, include a non-volatile computer readable medium containing computer code that, when executed by the computing device 210, creates an execution environment for a computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of the foregoing, and that performs some or all of the steps set forth in the various flow charts and other algorithmic descriptions set forth herein. While a single memory 214 is depicted, it will be understood that any number of memories may be usefully incorporated into the computing device 210. For example, a first memory may provide non-volatile storage such as a disk drive for permanent or long-term storage of files and code even when the computing device 210 is powered down. A second memory such as a random access memory may provide volatile (but higher speed) memory for storing instructions and data for executing processes. A third memory may be used to improve performance by providing higher speed memory physically adjacent to the processor 212 for registers, caching and so forth.
[0065] The network interface 216 may include any hardware and/or software for connecting the computing device 210 in a communicating relationship with other resources through the network 202. This may include remote resources accessible through the Internet, as well as local resources available using short range communications protocols using, e.g., physical connections (e.g., Ethernet), radio frequency communications (e.g., WiFi), optical communications (e.g., fiber optics, infrared, or the like), ultrasonic communications, or any combination of these or other media that might be used to carry data between the computing device 210 and other devices. The network interface 216 may, for example, include a router, a modem, a network card, an infrared transceiver, a radio frequency (RF) transceiver, a near field communications interface, a radio-frequency identification (RFID) tag reader, or any other data reading or writing resource or the like.
[0066] More generally, the network interface 216 may include any combination of hardware and software suitable for coupling the components of the computing device 210 to other computing or communications resources. By way of example and not limitation, this may include electronics for a wired or wireless Ethernet connection operating according to the IEEE 802.11 standard (or any variation thereof), or any other short or long range wireless networking components or the like. This may include hardware for short range data communications such as Bluetooth or an infrared transceiver, which may be used to couple to other local devices, or to connect to a local area network or the like that is in turn coupled to a data network 202 such as the Internet. This may also or instead include hardware/software for a WiMax connection or a cellular network connection (using, e.g., CDMA, GSM, LTE, or any other suitable protocol or combination of protocols). The network interface 216 may be included as part of the input/output devices 220 or vice-versa.
[0067] The data store 218 may be any internal memory store providing a computer-readable medium such as a disk drive, an optical drive, a magnetic drive, a flash drive, or other device capable of providing mass storage for the computing device 210. The data store 218 may store computer readable instructions, data structures, program modules, and other data for the computing device 210 or computer system 200 in a non-volatile form for subsequent retrieval and use. For example, the data store 218 may store without limitation one or more of the operating system, application programs, program data, databases, files, and other program modules or other software objects and the like.
[0068] The input/output interface 220 may support input from and output to other devices that might couple to the computing device 210. This may, for example, include serial ports (e.g., RS-232 ports), universal serial bus (USB) ports, optical ports, Ethernet ports, telephone ports, audio jacks, component audio/video inputs, HDMI ports, and so forth, any of which might be used to form wired connections to other local devices. This may also or instead include an infrared interface, RF interface, magnetic card reader, or other input/output system for coupling in a communicating relationship with other local devices. It will be understood that, while the network interface 216 for network communications is described separately from the input/output interface 220 for local device communications, these two interfaces may be the same, or may share functionality, such as where a USB port is used to attach to a WiFi accessory, or where an Ethernet connection is used to couple to a local network attached storage.
[0069] A peripheral 222 may include any device used to provide information to or receive information from the computing device 200. This may include human input/output (I/O) devices such as a keyboard, a mouse, a mouse pad, a track ball, a joystick, a microphone, a foot pedal, a camera, a touch screen, a scanner, or other device that might be employed by the user 230 to provide input to the computing device 210. This may also or instead include a display, a speaker, a printer, a projector, a headset or any other audiovisual device for presenting information to a user. The peripheral 222 may also or instead include a digital signal processing device, an actuator, or other device to support control or communication to other devices or components. Other I/O devices suitable for use as a peripheral 222 include haptic devices, three-dimensional rendering systems, augmented-reality displays, and so forth. In one aspect, the peripheral 222 may serve as the network interface 216, such as with a USB device configured to provide communications via short range (e.g., BlueTooth, WiFi, Infrared, RF, or the like) or long range (e.g., cellular data or WiMax) communications protocols. In another aspect, the peripheral 222 may provide a device to augment operation of the computing device 210, such as a global positioning system (GPS) device, a security dongle, or the like. In another aspect, the peripheral may be a storage device such as a flash card, USB drive, or other solid state device, or an optical drive, a magnetic drive, a disk drive, or other device or combination of devices suitable for bulk storage. More generally, any device or combination of devices suitable for use with the computing device 200 may be used as a peripheral 222 as contemplated herein.
[0070] Other hardware 226 may be incorporated into the computing device 200 such as a co-processor, a digital signal processing system, a math co-processor, a graphics engine, a video driver, and so forth. The other hardware 226 may also or instead include expanded input/output ports, extra memory, additional drives (e.g., a DVD drive or other accessory), and so forth.
[0071] A bus 232 or combination of busses may serve as an electromechanical platform for interconnecting components of the computing device 200 such as the processor 212, memory 214, network interface 216, other hardware 226, data store 218, and input/output interface. As shown in the figure, each of the components of the computing device 210 may be interconnected using a system bus 232 or other communication mechanism for communicating information.
[0072] Methods and systems described herein may be realized using the processor 212 of the computer system 200 to execute one or more sequences of instructions contained in the memory 214 to perform predetermined tasks. In embodiments, the computing device 200 may be deployed as a number of parallel processors synchronized to execute code together for improved performance, or the computing device 200 may be realized in a virtualized environment where software on a hypervisor or other virtualization management facility emulates components of the computing device 200 as appropriate to reproduce some or all of the functions of a hardware instantiation of the computing device 200.
[0073] Described herein are techniques for forensic analysis of computer processes. These forensic analysis techniques may use any of the components or systems described with reference to the figures above. For example, the techniques for forensic analysis for computer processes may be implemented by the threat management facility 100 described with reference to Fig. 1, e.g., for one or more endpoints included on an enterprise facility 102. Also, the forensic analysis techniques may utilize any of the features of the threat management facility 100 described with reference to Fig. 1, e.g., the detection techniques 130. The techniques for forensic analysis for computer processes may also or instead be used for a computing device 210 as described with reference to Fig. 2 above.
[0074] Forensic analysis for computer processes may include a root cause analysis—e.g., determining and analyzing an origin or root cause of a piece of malware. Techniques may include monitoring activity for one or more endpoints and recording the activity in a data recorder or the like. The data recorder may include a database or data store. The data recorder may act as a rolling buffer, e.g., storing a large amount of data for predetermined time windows before overwriting old data with new data. The data recorder may collect information about device activity, such as file creations, process creations, registry changes, memory injections, and so forth. In an aspect, when a beacon or trigger event is detected (e.g., an event pertinent to computer or network security), information from the data recorder may be analyzed (e.g., starting at the trigger event) to determine a root cause and to determine affected computing objects. Existing compromise detection techniques such as host intrusion prevention, malicious traffic detection, uniform resource locator (URL) blocking, file-based detection, and so on, may be used to detect the beacon or trigger event. In this manner, techniques for forensic analysis for computer processes may be combined with other malware and compromise prevention, detection, analysis, and remediation techniques such as any as described herein. An event graph may be generated showing connected events that are causally related to the detected event, e.g., based on one or more rules. Based on an analysis of these causally related events, the root cause of a detected event can be determined, and affected events going forward from the root cause can similarly be identified.
[0075] Fig. 3 illustrates a system for forensic analysis for computer processes. The system 300 includes an endpoint 310. The endpoint 310 contains, for example, a data recorder 320, a monitoring facility 330, and any number of objects 312 and events 314. An analysis facility 340 may be coupled in a communicating relationship with the endpoint 310 over a data network 350 such as any of the networks described above. It will be appreciated that, while illustrated as components of the endpoint 310, certain components of the system 300 such as the data recorder 320 and the monitoring facility 330 and the analysis facility may also or instead be realized as remote services instantiated on a virtual appliance, a public or private cloud, or the like, any of which may be coupled to the endpoint 310 through the data network 350 or another communication channel (not shown). Each of the components of the system 300 may be configured with suitable programming and configuration to participate in the various forensic techniques, threat detection techniques, and security management techniques contemplated herein.
[0076] The endpoint 310 may be any of the endpoints described herein, e.g., a computing device in an enterprise network, or any other device or network asset that might join or participate in an enterprise or otherwise operate on an enterprise network. This may, for example, include a server, a client device such as a desktop computer or a mobile computing device (e.g., a laptop computer or a tablet), a cellular phone, a smart phone, or other computing device suitable for participating in the system 300 or in an enterprise.
[0077] In general, the endpoint 310 may include any number of computing objects 312, which may, for example, be processes executed by one or more processors or other processing circuitry, files or data stored in memory, or any other computing objects described herein. While the term object has a number of specific meanings in the art, and in particular in object-oriented programming, it will be understood that the term ‘object’ as used herein is intended to be significantly broader, and may include any data, process, file or combination of these including without limitation any process, application, executable, script, dynamic linked library (DLL), file, data, database, data source, data structure, function, resource locator (e.g., uniform resource locator (URL) or other uniform resource identifier (URI)), or the like that might be resident on the endpoint 310 and manipulated by the endpoint 310 or another component of the system 300 or other systems described elsewhere herein. The object 312 may also or instead include a remote resource, such as a resource identified in a URL. That is, while the object 312 in the figure is depicted as residing on the endpoint 310, an object 312 may also reside elsewhere in the system 300, and may be specified for example with a link, pointer, or reference that is locally stored on the endpoint 310.
[0078] The object 312 may be an item that is performing an action or causing an event 314, or the object 312 may be an item that is receiving the action or is the result of an event 314 (e.g., the object 312 may be an item in the system 300 being acted upon by an event 314 or another object 312). In general, an event 314 as contemplated herein may be any data flow, execution flow, control flow, network flow, or other similar action or event that might causally relate objects 312 to one another. Where the object 312 is data or includes data, the object 312 may be encrypted or otherwise protected, or the object 312 may be unencrypted or otherwise unprotected. The object 312 may be a process or other computing object that performs an action, which may include a single event 314 or a collection or sequence of events 314 taken by a process. The object 312 may also or instead include an item such as a file or lines of code that are executable to perform such actions. The object 312 may also or instead include a computing component upon which an action is taken, e.g., a system setting (e.g., a registry key or the like), a data file, a URL, and so forth. The object 312 may exhibit a behavior such as an interaction with another object or a component of the system 300.
[0079] Objects 312 may be described in terms of persistence. The object 312 may, for example, be a part of a process, and remain persistent as long as that process is alive. The object 312 may instead be persistent across an endpoint 310 and remain persistent as long as an endpoint 310 is active or alive. The object 312 may instead be a global object having persistence outside of an endpoint 310, such as a URL or a data store. In other words, the object 312 may be a persistent object with persistence outside of the endpoint 310.
[0080] Although many if not most objects 312 will typically be benign objects forming a normal part of the computing environment for an operating endpoint 310, an object 312 may contain software associated with an advanced persistent threat (APT) or other malware that resides partially or entirely on the endpoint 310. This associated software may have reached the endpoint 310 in a variety of ways, and may have been placed manually or automatically on the endpoint 310 by a malicious source. It will be understood that the associated software may take any number of forms and have any number of components. For example, the associated software may include an executable file that can execute independently, or the associated software may be a macro, plug-in, or the like that executes within another application. Similarly, the associated software may manifest as one or more processes or threads executing on the endpoint 310. Further, the associated software may install from a file on the endpoint 310 (or a file remote from the endpoint 310), and the associated software may create one or more files such as data files or the like while executing. Associated software should be understood to generally include all such files and processes except where a specific file or process is more specifically noted.
[0081] An event 314 may include an action, a behavior, an interaction, and so forth. The event 314 may be generated by or otherwise related to an object 312. For example, the event 314 may be associated with a file and include an action such as a read, a write, an open, a move, a copy, a delete, and so forth. The event 314 may also or instead include an inter-process communication, e.g., a create, a handle, a debug, a remote injection, and so forth. The event 314 may also or instead include a network action such as accessing an Internet Protocol (IP) address or URL.
[0082] The data recorder 320 may monitor and record activity related to the objects 312 and events 314 occurring on the endpoint 310. The activity of the endpoint 310 may be stored in a data log 322 or the like on the data recorder 320, which may be stored locally on the endpoint 310 (as depicted) or remotely at a threat management resource, or some combination of these, such as where the data log 322 is periodically transmitted to a remote facility for archiving or analysis. The data recorder 320 may continuously record any activity occurring on the endpoint 310 for predetermined periods of time before overwriting previously recorded data. Thus, the data log 322 may include a continuous data feed of events 314. When an event 314 is detected that is a beacon or trigger event (such as a file detection, a malicious traffic detection, or the like), the data log 322 may be saved and transmitted to an analysis facility 340 or the like for analysis, e.g., to determine a root cause of the beacon or trigger event. The data log 322 may be used to create an event graph or other snapshot of the activity on the endpoint 310, e.g., for a period of time surrounding a beacon or trigger event. The beacon or trigger event may be detected locally by the monitoring facility 330, or remotely by a remote threat management facility or the like, or some combination of these.
[0083] While illustrated on the endpoint 310, it will be understood that the data recorder 320 may also or instead be implemented at a remote location such as a threat management facility or other enterprise network security resource, or some combination of these. The data recorder 320 may be provisioned on the same or a different device than a data store in which data is stored. The data recorder 320 may be configured to record data as efficiently as possible so as to minimize impact on the endpoint 310.
[0084] The monitoring facility 330 may work in conjunction with the data recorder 320 to instrument the endpoint 310 so that any observable events 314 by or involving various objects 312 can be monitored and recorded. It will be appreciated that various filtering rules and techniques may be used to synopsize, summarize, filter, compress or otherwise process information captured by the data recorder 320 to help ensure that relevant information is captured while maintaining practical limits on the amount of information that is gathered.
[0085] A security product 332 may execute on the endpoint 310 to detect a security event on the endpoint 310, which may act as the beacon or trigger event for the system 300. The security product 332 may use techniques such as signature-based and behavioral-based malware detection including without limitation one or more of host intrusion prevention, malicious traffic detection, URL blocking, file-based detection, and so forth.
[0086] The beacon or trigger event on the endpoint 310 may be a fully qualified (e.g., definitive) detection of a compromise or other malicious activity. In another aspect, the beacon or trigger event on the endpoint 310 may be a behavior that is suspicious but not confirmed as malicious. For example, the beacon or trigger event on the endpoint 310 may signal an unusual behavior that is known to commonly appear concurrently with the detection of malware. In an aspect, when the beacon or trigger event is a suspicious behavior, the data log 322 may be analyzed differently than when the beacon or trigger event is a confirmed malicious behavior. For example, the data log 322 may be sent to a different component of the system 300 through the network, e.g., to a different analysis facility 340.
[0087] The monitoring facility 330 may be disposed remotely from the endpoint 310 or analysis facility 340. The monitoring facility 330 may be included on one or more of the endpoint 310 or analysis facility 340. In an aspect, the monitoring facility 330 and the analysis facility 340 may be included in the same component.
[0088] The analysis facility 340 may analyze the data log 322, e.g., as part of a root cause analysis and to identify objects 312 compromised by the root cause. To this end, the analysis facility 340 may utilize one or more rules 342 for applying to the data included in the data log 322 to determine a root cause of a beacon or trigger event such as a suspected or actual security compromise on the endpoint 310. The analysis facility 340 may reside locally on the endpoint 310 (e.g., be a part of, embedded within, or locally coupled to the endpoint 310). The analysis facility 340 may be an external facility, or it may reside in a virtual appliance (e.g., which could be run by a protected set of systems on their own network systems), a private cloud, a public cloud, and so forth. The analysis facility 340 may store locally-derived threat information for use in subsequent identification, remediation, or other similar activity. The analysis facility 340 may also or instead receive threat information from a third party source such as any public, private, educational, or other organization that gathers information on network threats and provides analysis and threat detection information for use by others. This third party information may, for example, be used to improve detection rules or other forensic analysis that might be performed on information in the data log 322.
[0089] The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein. The event graph may be used by the analysis facility 340 or other component(s) of the system 300 as part of a root cause analysis and to identify objects 312 compromised by the root cause. The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like.
[0090] The system 300 may advantageously use the data log 322 to configure and initialize an analysis in a sandboxed or otherwise isolated environment where the execution of the recorded activity related to a detected security event is allowed to run. That is, rather than uploading a complete image of an endpoint 310 using conventional techniques, the data log 322 may include only a series of events/processes related to the detected event that may be uploaded for execution/analysis. The analysis may thus include executing this series of events/processes in the same order to determine a threat level for the endpoint 310.
[0091] The data log 322 may include data from a single endpoint 310, or from a number of endpoints 310, for example where one endpoint 310 accesses a service or a file on another endpoint. This advantageously facilitates tracking or detection of potentially malicious activity that spans multiple devices, particularly where the behavior on a single endpoint does not appear malicious. Thus, the monitoring facility 330 may monitor activity from an endpoint 310 exclusively, or use the full context of activity from all protected endpoints 310, or some combination of these. Similarly, the event graph generated from the data log 322 may include activity from one endpoint 310 exclusively, or use the full context of activity from all protected endpoints 310, or some combination of these. Data logs 322 and event graphs may also or instead be stored for future analyses, e.g., for comparing to future data logs and event graphs.
[0092] Similarly, the events may include human interactions such as keyboard strokes, mouse clicks or other input and output to human interface devices and hardware. This usefully permits discrimination within causal chains among events initiated by processes executing on a device and events that are initiated or controlled by a human user that is present on the endpoint.
[0093] Fig. 4 is a flowchart of a method for forensic analysis for computer processes. The method 400 may be implemented by any of the systems described above or otherwise herein. The method 400 may be used as part of a root cause analysis, e.g., for determining a root cause of malware on an endpoint, and for identifying computing objects affected by malware, e.g., computing objects causally related to the root cause.
[0094] As shown in step 402, the method 400 may include monitoring events on a device, such as a first endpoint. The events may be any as described herein, e.g., events associated with computing objects on the endpoint. The computing objects may, for example, include a data file, a process, an application, a registry entry, a network address, a peripheral device, or any of the other computing objects described herein. For example, in an aspect, the computing objects may include one or more network addresses specified at any suitable level of abstraction or according to any suitable protocol such as a uniform resource locator (URL), an Internet Protocol (IP) address, and a domain name, and may include any or a portion of associated path information or the like that might be associated therewith. The computing objects may also or instead include a peripheral device such as a universal serial bus (USB) memory, a camera, a printer, a memory card, a removable bulk storage device, a keyboard, a mouse, a track pad, a printer, a scanner, a cellular phone, or any other input or output device that might usefully be connected to an endpoint, a server, a mobile device, and so forth. Events may include information or messages from a threat management facility, firewall, network device, and so on, for example, that may be resident on or in communication with an endpoint. For example, a threat management facility may identify a potential or actual threat, and this may be treated as an event.
[0095] In an aspect, monitoring events on a first endpoint may include instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects. For example, a monitoring facility or other monitoring component (e.g., a component disposed on the first endpoint or otherwise in communication with the first endpoint), may be configured to detect computing objects and to monitor events on the first endpoint that associate the computing objects in a number of causal relationships. Thus, a processor and a memory disposed on the endpoint may be configured to monitor events on the endpoint. A remote server may also or instead be configured to monitor events on the endpoint, for example, to create a data log as contemplated herein.
[0096] Implementations may also or instead include monitoring events on multiple endpoints, e.g., endpoints included in an enterprise network or the like. Thus, in an aspect, the one or more computing objects include at least one or more computing object(s) on a device other than the first endpoint, such as a second endpoint in the enterprise network. The device may also or instead include a server configured to provide remote resources to other endpoints, network devices, firewalls, gateways, routers, wireless access points, mobile devices, and so forth.
[0097] The causal relationships monitored by the system may include dependencies that form a link or an association between computing objects or events. Useful causal relationships may include a data flow, e.g., linking computing objects based on the flow of data from one computing object to another computing object. The causal relationships may also or instead include a control flow. For example, a first computer program may generate a first event that triggers a second computer program to trigger a second event, thereby creating a causal relationship between the first computer program and the second computer program (and possibly a causal relationship between the first event and the second event). In yet another aspect, the causal relationships may include a network flow. For example, a computing object may access a URL or other remote resource or location and receive data. In this example, there may be a causal relationship between one or more of the computing object, the URL, and the data. It will be understood that the term “causal relationship” and the like is intended to cover a wide range of relationships between computing objects that might be formed by events, and unless explicitly stated to the contrary or otherwise clear from the text, the causal relationships may include anything that can link or associate multiple computing objects (of the same type or different types), e.g., in a directional manner, directly or indirectly.
[0098] As shown in step 404, the method 400 may include recording events such as any of the events described above that occur on the endpoint. Thus each event detected during monitoring may be recorded, e.g., by a data recorder or other component, to provide a data log including a sequence of events causally relating the number of computing objects. As described above, the data recorder may be configured to record events that occur on the endpoint, or events that occur on a plurality of endpoints. The data recorder may be locally disposed on the endpoint or otherwise in communication with the endpoint. The data recorder may also or instead be associated with a monitoring facility or an analysis facility such as any of those described above. The data recorder may record a sequence of events causally relating a number of computing objects on one or more endpoints in a data log or the like disposed in a memory.
[0099] A number of events within the sequence of events may be preserved for a predetermined time window. For example, in an aspect, a data recorder or the like may record all activity on an endpoint in a rolling buffer that overwrites data that is older than the predetermined time window. This may be true regardless of the types of computing objects associated with the sequence of events. In another aspect, the predetermined time window may have a different duration for different types of computing objects (e.g., for at least two types of computing objects). By way of example, when the computing objects include one or more network addresses, the sequence of events may be preserved for a longer predetermined time window relative to a sequence of events associated with data files, or vice-versa. Similarly, when the computing objects include one or more peripheral devices such as USB memories, the sequence of events may be preserved for a longer predetermined time window relative to a sequence of events associated with applications, or vice-versa. In implementations, the predetermined time window for which the sequence of events is preserved may be based on the likelihood of a security event originating from a certain type of computing object. For example, the reputation of a computing object (e.g., an application) or a machine state may be used for determining the duration of the predetermined time window for which the sequence of events is preserved. Further, the predetermined time window for which the sequence of events is preserved may be determined by a color of a computing object or event, e.g., as described in U.S. Pat. App. No. 14/485,759 filed on September 14, 2014, which is incorporated by reference herein in its entirety. In an aspect, the time window for which the sequence of events is preserved may be variable or adjustable. For example, a user or administrator using a user interface or the like may adjust the time window for which the sequence of events is preserved, e.g., based on computing object type or otherwise. For example, one or more first event types may be recorded with a first time window and one or more second event types may be recorded with a second time window.
[00100] In an aspect, the data recorder or the like may record only certain activity on an endpoint, e.g., activity associated with predetermined computing objects. The activity may be preserved for a predetermined amount of time dependent upon the specific computing object to which the activity is associated. In this manner, and by way of example, the data recorder or the like may include a record of data for one week for applications, for three months for files, for two weeks for registry entries, and so forth. It will be understood that these timeframes are provided by way of example and not of limitation.
[00101] In general, data may be continuously recorded, periodically recorded, or some combination of these. Furthermore, data may be cached, stored, deleted or transmitted to a remote processing facility in any suitable manner consistent with appropriate use of local and remote resources, and the utility or potential utility of information that is being recorded. In one aspect, data may be periodically deleted or otherwise removed from the data recorder, such as after a security event has been detected and addressed as described below. A new data log may then be created for recording subsequent events on the one or more endpoints.
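By way of an added illustration that is not part of the patent text and not a Sophos implementation, the following Python sketch shows one way to build the data recorder of paragraphs [0099] to [00101]: a rolling log whose eviction is governed by a retention window chosen per computing-object type (and, as an assumed refinement of [0099], lengthened for objects whose reputation is not known-good) rather than by a single fixed buffer length. The window values, the reputation rule, the record layout and the sample activity are assumptions constructed for the example.

```python
"""Rolling data recorder with per-object-type retention ([0099]-[00101]).

Added example; not Sophos code and not the patent's implementation. The
window lengths, the reputation rule and the record layout are assumptions.
"""
from collections import deque

DAY = 24 * 3600

# Retention window in seconds per computing-object type. The one-week,
# two-week and three-month figures follow paragraph [00100]; the network
# entry is an assumption illustrating that addresses may be kept longer.
RETENTION = {
    "application": 7 * DAY,
    "registry": 14 * DAY,
    "file": 90 * DAY,
    "network": 180 * DAY,
}
DEFAULT_WINDOW = 1 * DAY


class DataRecorder:
    """Log of (timestamp, object_type, obj, event, target, reputation) records,
    each aged out by the window of its own object type."""

    def __init__(self, retention=None, default_window=DEFAULT_WINDOW):
        self.retention = dict(RETENTION if retention is None else retention)
        self.default_window = default_window
        self.log = deque()

    def set_window(self, obj_type, seconds):
        """Administrator adjustment of a per-type window ([0099])."""
        self.retention[obj_type] = seconds

    def window_for(self, obj_type, reputation="good"):
        """Base window by type. Assumption: objects whose reputation is not
        known-good are kept twice as long, because a security event is
        more likely to originate from them ([0099])."""
        base = self.retention.get(obj_type, self.default_window)
        return base if reputation == "good" else 2 * base

    def record(self, ts, obj_type, obj, event, target, reputation="good"):
        self.log.append((ts, obj_type, obj, event, target, reputation))
        self.expire(ts)

    def expire(self, now):
        """Drop every record whose own window has elapsed. Because windows
        differ by type this is not a plain FIFO ring buffer: a newer
        application record can expire before an older file record."""
        self.log = deque(
            r for r in self.log if now - r[0] < self.window_for(r[1], r[5]))

    def events_around(self, center, before, after):
        """Slice handed to event-graph generation for a detected security
        event: records with timestamps in [center - before, center + after]."""
        return [r for r in self.log if center - before <= r[0] <= center + after]

    def objects(self):
        """Sorted names of the objects still held in the log."""
        return sorted(r[2] for r in self.log)

    def reset(self):
        """Start a fresh log, e.g. after a security event was remediated ([00101])."""
        self.log.clear()

    def __len__(self):
        return len(self.log)


def demo():
    """Constructed activity; returns which objects survive each eviction pass."""
    rec = DataRecorder()
    rec.record(0 * DAY, "application", "word.exe", "exec", "script.vbs")
    rec.record(0 * DAY, "registry", "Run\\Updater", "written_by", "word.exe")
    rec.record(0 * DAY, "file", "invoice.docm", "opened_by", "word.exe")
    out = {"day0": rec.objects()}
    rec.record(10 * DAY, "network", "198.51.100.7", "connected_by", "word.exe")
    out["day10"] = rec.objects()      # application record (7 days) is gone
    rec.record(20 * DAY, "file", "payload.dll", "written_by", "svchost.exe")
    out["day20"] = rec.objects()      # registry record (14 days) is gone
    rec.expire(100 * DAY)
    out["day100"] = rec.objects()     # the day-0 file (90 days) is gone
    return out


if __name__ == "__main__":
    for day, objs in demo().items():
        print(day, objs)
```

The point the sketch makes concrete is that "older than the predetermined time window" must be evaluated per record against that record's own window; a single global cutoff would either discard network history prematurely or keep application noise far longer than [00100] intends.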
[00102] As shown in step 406, the method 400 may include evaluating one or more events that occur on the endpoint. The evaluation of the one or more events may include the application of one or more security rules to determine whether the one or more events indicate or suggest a security event such as a security compromise event, a data exposure, a malware detection, or the like. Thus, the evaluation of the one or more events may lead to the detection of a security event. While illustrated as a separate step, this step 406 may be performed concurrently with or in sequence with the monitoring step 402 discussed above.
[00103] The security event may be any beacon or trigger event, such as any of those discussed herein. The security event may include an event that is related to network security, computer security, data security, data leakage, data exposure, or any other actual or potential security issue. The security event may also or instead include other events of interest that are not directly related to computer/network security where, for example, they are useful for otherwise auditing or monitoring machines or characterizing device behavior. Thus the security event may be any event generally related to operation of a computer, and does not necessarily include an actual security compromise event. However, in implementations, the security event may include an actual compromise to a network, an endpoint, or a computer system such as the detection of malware or any other threat detection. For example, the security event may be a security compromise event related to a specific threat, e.g., an event related to computer-based malware including without limitation a virus, spyware, adware, a Trojan, an intrusion, an advanced persistent threat, spam, a policy abuse, an uncontrolled access, and so forth.
[00104] Detecting the security event may include detecting a security compromise by applying a static analysis to software objects on the first endpoint. For example, each software object may be individually analyzed for its compliance with a security policy or the like using signatures or other objective characteristics. It will be understood that while static analysis provides one useful form of evaluation for compliance with the security policy or the like, other techniques may also or instead be employed, e.g., a behavioral analysis, a sandbox execution, network traffic analysis, and so forth.
[00105] Detecting the security event may also or instead include detecting a security compromise by applying dynamic or behavioral analysis to code executing on the first endpoint, or to specific computing objects (e.g., processes) on the endpoint. For example, events that can warrant triggering the detection of the security event may include a process that loads a particular file that is known to be malicious, or a process that accesses a known malicious IP address, and the like.
[00106] In an aspect, detecting the security event may include detecting a hardware change or other state changes. Detecting the security event may also or instead include detecting a potential data leakage.
[00107] As discussed herein, a security policy may be used to detect a security event. This may include, for example, whitelists or blacklists of known computing objects and events, or reputations and signatures thereof. For example, a security policy may include rules that allow computing objects and events that are provided by a known, trusted source (e.g., a trusted user, endpoint, network, company, vendor, and so forth). The rules may be more complex, for example, where originating from a trusted source is only one factor in determining whether to whitelist computing objects and events. In general, the security policy may include any suitable rules, logic, prioritizing, etc., as desired to detect a security event.
[00108] Although referred to herein in terms of ‘security,’ one skilled in the art will recognize that a security policy may also or instead include other types of policies. For example, a security policy may include a corporate or network policy having a list of approved computing objects and events, where computing objects and events outside of this list may not necessarily be security risks, but are otherwise unwanted in the network. Thus, the security policy may intend to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware.
[00109] More generally, any technique or combination of techniques suitable for evaluating endpoint activity for the detection of actual or potential security compromises may be used to detect security events as contemplated herein.
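As an added illustration of the policy evaluation in paragraphs [00107] and [00108] (not part of the patent text and not a Sophos implementation), the Python sketch below applies an ordered set of rules to a single event. The ordering encodes the point of [00107] that a trusted source is only one factor: a signature hit, a blocklist entry or a bad reputation decides before trust is consulted, and trust alone does not allowlist an application that is absent from the corporate approved list of [00108]. The list contents, factor names, categories and sample events are all constructed assumptions.

```python
"""Security-policy evaluation of a single event (step 406, [00107]-[00108]).

Added example; not Sophos code and not the patent's implementation. The
factor names, list contents, rule order and sample events are assumptions.
"""
from dataclasses import dataclass, field

# Constructed policy data (assumptions).
TRUSTED_SOURCES = {"vendor:acme", "endpoint:build-01"}
BLOCKLIST = {"url:203.0.113.9/update", "ip:203.0.113.9"}
MALWARE_SIGNATURES = {"sig:Troj/Example-A"}
APPROVED_APPS = {"word.exe", "excel.exe", "outlook.exe"}  # corporate list, not a malware list


@dataclass
class Event:
    obj: str                      # the computing object the event concerns
    kind: str                     # "application", "url", "file", ...
    source: str = ""              # who supplied the object (vendor, user, endpoint)
    reputation: str = "unknown"   # "good", "unknown" or "bad"
    signatures: set = field(default_factory=set)


@dataclass
class Verdict:
    security_event: bool
    category: str                 # "malware", "policy" or "none"
    reason: str


def evaluate(ev):
    """Ordered rules; the first that fires decides. A trusted source cannot
    override a signature match, a blocklist entry or a bad reputation, and it
    allowlists an object outright only when the reputation is also good."""
    if ev.signatures & MALWARE_SIGNATURES:
        return Verdict(True, "malware", "malware signature match")
    if ev.obj in BLOCKLIST:
        return Verdict(True, "policy", "blocklisted object")
    if ev.reputation == "bad":
        return Verdict(True, "malware", "bad reputation")
    if ev.source in TRUSTED_SOURCES and ev.reputation == "good":
        return Verdict(False, "none", "trusted source with good reputation")
    if ev.kind == "application" and ev.obj not in APPROVED_APPS:
        # Unwanted in the network, though not necessarily malicious ([00108]).
        return Verdict(True, "policy", "application not on the approved list")
    if ev.source in TRUSTED_SOURCES:
        return Verdict(False, "none", "trusted source, reputation unknown")
    return Verdict(False, "none", "no rule fired")


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("word.exe", "application", "vendor:acme", "good"),
    Event("word.exe", "application", "vendor:acme", "good", {"sig:Troj/Example-A"}),
    Event("tool.exe", "application", "vendor:acme", "unknown"),
    Event("url:203.0.113.9/update", "url", "vendor:acme", "good"),
    Event("report.docx", "file", "user:alice", "unknown"),
]


def evaluate_all(events=SAMPLE_EVENTS):
    """Returns (object, is_security_event, category) for each event."""
    return [(e.obj, v.security_event, v.category)
            for e in events for v in [evaluate(e)]]


if __name__ == "__main__":
    for row in evaluate_all():
        print(row)
```

Note that the second sample (a trusted, well-reputed application carrying a malware signature) is still reported as a security event: the rule order is what keeps "trusted source" from becoming a bypass.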
[00110] As shown in step 408, if a security event is not detected, the method 400 may return to step 402 where monitoring can continue. As further shown in step 408, if a security event is detected, a root cause analysis or the like may be performed to identify a source of the security event as further described below. That is, detecting a security event associated with one of the number of computing objects may trigger further analysis of other causally related computing objects on an endpoint (or in certain cases, remote from an endpoint) to identify a cause of the security event, as distinguished from the symptom that generated the beacon or trigger for the analysis.
[00111] As shown in step 410, the method 400 may include generating an event graph. The event graph may be generated in response to detecting the security event, e.g., using the data log from the data recorder. The event graph may be generated at the same time as or as part of creating the data log. The event graph may include the sequence of events causally relating the number of computing objects, and more specifically, the sequence of events and computer objects causally associated with the object(s) that triggered the detected security event.
[00112] As discussed herein, the event graph may be generated based on a data log of events and computer objects stored by a data recorder during operation of the endpoint. In particular the data recorder may provide a dump of logged activities, which may be causally associated into a graph for analysis, navigation, display and so forth. Any useful portion of the data log may be used. For example, the data recorder may provide event data for a window of time before, after or surrounding the detected security event. The data log may be filtered, e.g., when the data is written to the data log (for example, by aging events as described above) or when the event graph is generated, or some combination of these. A variety of filtering techniques may be usefully employed. For example, certain types of objects or events may be removed from an event graph for specific trigger events, or certain groups of events may be condensed into a single event, such as all normal activity that occurs when a user logs into an endpoint. Similarly, computing objects that are too remote, either within the event graph or timewise, may be pruned and removed, particularly if they have a known, low diagnostic significance. Thus the event graph may be filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics. Filtering of the data may be dependent upon the type of security event that is detected. Filtering of the data may adjust the level of detail included in the event graph based on memory limits, user parameters, security event type, or any other object metrics or inputs. In an aspect, the data is filtered based on reputation or the like, e.g., of computing objects included therein. For example, if an application has a good reputation, the application may not include a high level of detail associated therewith in a filtered version of the data log.
[00113] In one aspect, the event graph may be generated based on a data log from a number of different endpoints and thus may represent a causal chain of data from various different endpoints. This approach advantageously permits an analysis using data that spans multiple endpoints or other network devices within a single data structure or package, thus permitting identification of a root cause even when an attack employs a complex, multi-hop approach to network assets that might otherwise evade detection. Event graphs may also or instead be generated separately for different endpoints and presented to a user or analytical system as separate, discrete entities. Event graphs for endpoints may be compared with one another, e.g., as part of the root cause analysis. For example, by analyzing and comparing similar event graphs or event graphs sharing similar computing objects or events, a heuristic approach may be developed for identifying suspicious events and computing objects for one or more endpoints. Similarly, event graphs for different endpoints in the same network enterprise may be compared or combined, e.g., where two or more endpoints have been exposed to a security event or threat. For example, event graphs for similar time periods of two or more endpoints may be ascertained and analyzed.
[00114] In an aspect, cross-correlating between different data logs or event graphs may be utilized in a root cause analysis. For example, if the same security event or root cause is identified on different endpoints, the endpoints may be flagged for review or remediation. This type of analysis may be used on different endpoints throughout a network.
[00115] Implementations may include a number of different event graphs stored in a data store that can be used together to detect, prevent, or determine the root causes for suspicious activity or other activity of interest, e.g., a security event. As discussed herein, the event graphs may be filtered before being stored in the data store, which can remove system activity that is not of interest in such analyses. The event graphs may be searchable, e.g., for analysis of event graphs including similar computing objects or events. The event graphs may also or instead be linked to one another, e.g., event graphs including similar computing objects or events. The event graphs may be presented to a user on a user interface or the like, e.g., an interactive user interface that allows a user to see similar or related event graphs, search the event graphs, link between event graphs, and so forth.
[00116] An event graph may use a conventional structure of nodes (computing objects) and events (edges) to represent causal relationships among computing objects. This permits the use of a wide range of graph-based techniques to assist in analysis of the context leading up to a detected event. At the same time, numerous other data structures, computer representations, and visual representations of such interrelated objects and events are also known in the art, any of which may be employed as an event graph as contemplated herein, provided that enough descriptive data about the context of an endpoint is captured to facilitate the various types of analysis and response contemplated herein.
[00117] As shown in step 412, the method 400 may include, in response to detecting the security event, traversing the event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects. In general, the reverse order is a causally reverse order. For example, where a network flow, data flow or control flow has a direction from one computing object to another computing object, the reverse order will follow this flow or causal link from the receiving computing object backward toward the source computing object. However, this may also or instead include a chronological flow, such as in a complex event graph where the time of receipt for two different inputs from two different sources is relevant. In general, a review of each of the preceding computing objects may be conducted by working backward from the computing object associated with the security event, e.g., to determine a root cause of the security event. In an aspect, this may include a static analysis of each of the preceding computing objects, or a dynamic analysis of object and event interactions, or some combination of these.
[00118] As shown in step 414, the method 400 may include applying one or more rules to the computing objects preceding the security event. For example, the method 400 may include applying a cause identification rule to the preceding ones of the computing objects and the causal relationships while traversing the event graph in order to identify one of the computing objects as a cause of the security event. In general, the root cause analysis may attempt to identify a pattern in the event graph using cause identification rules to identify one of the computing objects (or a group of the computing objects and events) as a root cause of the security event.
[00119] The cause identification rule may associate the cause with one or more common malware entry points. For example, common entry points include a word processing application, an electronic mail application, a spreadsheet application, a browser, or a universal serial bus (USB) drive that is attached to an endpoint, and any of these computing objects, when encountered in an event graph, may be identified as a root cause. For example, when traversing the event graph in a reverse order from the security event, if the analysis identifies an electronic mail application that opened an attachment, this may be identified as the root cause because this is often a source of compromised security on an endpoint. Similarly, when traversing the event graph in a reverse order from the security event, if the analysis identifies a USB drive, or an unsecure or unencrypted USB drive, from which a file was opened, this may be identified as a likely cause of the security event. In one aspect, multiple candidate root causes may be identified using the cause identification rules, and a final selection may be based on other contextual information such as reputation, source, etc.
[00120] Security events may also or instead be caused by a certain combination of events or combinations of events and computing objects. For example, in an aspect, the cause identification rule may associate the cause of the security event with a combination that includes a first process invoking a second process and providing data to the second process. As used herein, invoking may be interpreted broadly, e.g., where any two processes share data through an intermediate file, or narrowly, e.g., where a first process specifically spawns the second process as a child process. More generally, invoking a process as used herein is intended to broadly include any causal relationship between two processes including, e.g., spawning a process, hijacking a process (e.g., seizing control of an existing process through thread injection, process hollowing, and the like), remotely launching a process over a network, instrumenting a service in the operating system, and the like. A cause identification rule may specify a particular type of invocation relationship between two processes, or multiple types of invocation, or any relationship between two processes. Providing data from a first process to a second process may include creating a file for use by the second process. For example, the cause of a security event may include a first process that writes a file and then takes control of a second process that reads data from the file so that the first process and the second process share data through the file.
[00121] Another example of a security event may include a known non-malicious application (e.g., a commonplace word processing application) launching a command line script, which may be identified as a cause of a security event. The activity underlying events that are generated may not necessarily be malicious, but they could lead to security events or other events of interest to be further analyzed. Thus in one aspect, a cause identification rule may flag this behavior as a root cause of a security event, or as an event that is otherwise of diagnostic interest.
[00122] As shown in step 416, the method 400 may include traversing the event graph forward from an identified or presumed cause of the security event to identify one or more other ones of the computing objects affected by the cause. In this manner, an analysis of each of the computing objects in the event graph may be conducted by working forward from the root cause to other causally dependent computing objects that might be compromised or otherwise affected by the root cause. This may include labeling or otherwise identifying the potentially compromised objects, e.g. for remediation or further analysis. A pruning step may also be employed, e.g. where any computing objects that are not causally dependent on the root cause in some way are removed from the event graph.
[00123] As shown in step 418, the method 400 may include remediating one or more computing objects affected by the cause of the security event. Remediation may include deleting computing objects from the endpoint, or otherwise remediating the endpoint(s) using computer security techniques such as any described herein. In another aspect, the identification of the root cause may be used to create new detection rules capable of detecting a security event at a point in time (or causation) closer to the root cause within the event graph. Other remediation steps may include forwarding the event graph, or a filtered and pruned event graph, to a remote facility for analysis. This data may usefully provide a map for identifying sources of malware, or for ensuring thorough remediation by identifying all of the potentially compromised computing objects that should be examined after the compromise has been addressed.
[00124] Fig. 5 illustrates a graphical depiction of a portion of an example event graph 500. The event graph 500 may include a sequence of computing objects causally related by a number of events, and which provide a description of computing activity on one or more endpoints. The event graph 500 may be generated, for example, when a security event 502 is detected on an endpoint, and may be based on a data log or similar records obtained by an event data recorder during operation of the endpoint. The event graph 500 may be used to determine a root cause 504 of the security event 502 as generally described above. The event graph 500 may also or instead be continuously generated to serve as, or be a part of, the data log obtained by the data recorder. In any case, an event graph 500, or a portion of an event graph 500 in a window before or around the time of a security event, may be obtained and analyzed after a security event 502 occurs to assist in determining its root cause 504. The event graph 500 depicted in the figure is provided by way of example only, and it will be understood that many other forms and contents for event graphs 500 are also or instead possible. It also will be understood that while the figure illustrates a graphical depiction of an event graph 500, the event graph 500 may be stored in any suitable data structure or combination of data structures suitable for capturing the chain of events and objects in a manner that preserves causal relationships for use in forensics and malware detection as contemplated herein.
[00125] By way of example, the event graph 500 depicted in the figure begins with a computing object that is a USB device 512, which may be connected to an endpoint. Where the USB device 512 includes a directory or file system, the USB device 512 may be mounted or accessed by a file system on an endpoint to read contents. The USB device 512 may be detected 513 and contents of the USB device 512 may be opened 514, e.g., by a user of the endpoint or automatically by the endpoint in response to detection of the USB device 512. The USB device 512 may include one or more files and applications, e.g., a first file 516, a second file 518, and a first application 520. The first file 516 may be associated with a first event 522 and the second file 518 may be associated with a second event 524. The first application 520 may access one or more files on the endpoint, e.g., the third file 526 shown in the figure. The first application 520 may also or instead perform one or more actions 528, such as accessing a URL 530. Accessing the URL 530 may download or run a second application 532 on the endpoint, which in turn accesses one or more files (e.g., the fourth file 534 shown in the figure) or is associated with other events (e.g., the third event 536 shown in the figure).
[00126] In the example provided by the event graph 500 depicted in the figure, the detected security event 502 may include the action 528 associated with the first application 520, e.g., accessing the URL 530. By way of example, the URL 530 may be a known malicious URL or a URL or network address otherwise associated with malware. The URL 530 may also or instead include a blacklisted network address that although not associated with malware may be prohibited by a security policy of the endpoint or enterprise network in which the endpoint is a participant. The URL 530 may have a determined reputation or an unknown reputation. Thus, accessing the URL 530 can be detected through known computing security techniques.
[00127] In response to detecting the security event 502, the event graph 500 may be traversed in a reverse order from a computing object associated with the security event 502 based on the sequence of events included in the event graph 500. For example, traversing backward from the action 528 leads to at least the first application 520 and the USB device 512. As part of a root cause analysis, one or more cause identification rules may be applied to one or more of the preceding computing objects having a causal relationship with the detected security event 502, or to each computing object having a causal relationship to another computing object in the sequence of events preceding the detected security event 502. For example, other computing objects and events may be tangentially associated with causally related computing objects when traversing the event graph 500 in a reverse order—such as the first file 516, the second file 518, the third file 526, the first event 522, and the second event 524 depicted in the figure. In an aspect, the one or more cause identification rules are applied to computing objects preceding the detected security event 502 until a cause of the security event 502 is identified.
[00128] In the example shown in the figure, the USB device 512 may be identified as the root cause 504 of the security event 502. In other words, the USB device 512 was the source of the application (the first application 520) that initiated the security event 502 (the action 528 of accessing the potentially malicious or otherwise unwanted URL 530).
[00129] The event graph 500 may similarly be traversed going forward from one or more of the root cause 504 or the security event 502 to identify one or more other computing objects affected by the root cause 504 or the security event 502. For example, the first file 516 and the second file 518 potentially may be corrupted because the USB device 512 included malicious content. Similarly, any related actions performed after the security event 502 such as any performed by the second application 532 may be corrupted. Further testing or remediation techniques may be applied to any of the computing objects affected by the root cause 504 or the security event 502.
[00130] The event graph 500 may include one or more computing objects or events that are not located on a path between the security event 502 and the root cause 504. These computing objects or events may be filtered or ‘pruned’ from the event graph 500 when performing a root cause analysis or an analysis to identify other computing objects affected by the root cause 504 or the security event 502. For example, computing objects or events that may be pruned from the event graph 500 may include the USB drive 510 and the USB device being detected 513.
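The following Python sketch is an added worked example, not part of the patent text and not a Sophos implementation, that carries steps 410 through 416 (paragraphs [00111] to [00122]) through the Fig. 5 walkthrough of paragraphs [00125] to [00130]: it builds a node/edge graph from a constructed data log, detects the security event 502 (access to a blocklisted URL 530), walks the graph in causally reverse order from the first application 520 applying cause identification rules until the USB device 512 is identified as root cause 504, walks forward from that root to label the affected objects, and prunes everything not causally dependent on the root. The node identifiers reuse the figure's reference numerals, the edge types, rule bodies and the direction convention (a read is file to reader, a write is writer to file) are assumptions, and the rule set also includes the file hand-off combination of [00120] and the word-processor-to-shell pattern of [00121], which the Fig. 5 data does not exercise.

```python
"""Event-graph root cause analysis (steps 410-416, walked through on Fig. 5).

Added example; not Sophos code and not the patent's implementation. Node ids
reuse Fig. 5 numerals; edge types, rule bodies and the log are assumptions.
"""
from collections import defaultdict, deque

# Constructed log mirroring Fig. 5: (seq, source, event, target).
FIG5_LOG = [
    (1, "usb:510", "detect", "usb:512"),       # 513: device detected
    (2, "usb:512", "open", "file:516"),        # 514: contents opened
    (3, "usb:512", "open", "file:518"),
    (4, "usb:512", "exec", "app:520"),
    (5, "file:516", "event", "evt:522"),
    (6, "file:518", "event", "evt:524"),
    (7, "file:526", "read", "app:520"),        # app 520 reads third file 526
    (8, "app:520", "url_access", "url:530"),   # action 528
    (9, "url:530", "download", "app:532"),
    (10, "app:532", "write", "file:534"),
    (11, "app:532", "event", "evt:536"),
]
BLOCKLIST = {"url:530"}


def build_graph(log):
    """Nodes are computing objects, edges are events ([00116])."""
    preds, succs = defaultdict(list), defaultdict(list)
    for seq, src, event, dst in log:
        preds[dst].append((src, event, seq))
        succs[src].append((dst, event, seq))
    return preds, succs


def detect_security_event(log, blocklist):
    """Steps 406/408: first access to a blocklisted URL is the trigger.
    Returns (acting object, url, seq) or None."""
    for seq, src, event, dst in log:
        if event == "url_access" and dst in blocklist:
            return src, dst, seq
    return None


# Cause identification rules (step 414); each takes (node, preds, succs).
def rule_removable_media(node, preds, succs):
    """USB device from which a file was opened or a program run ([00119])."""
    return node.startswith("usb:") and any(e in ("open", "exec") for _, e, _ in succs[node])


def rule_mail_attachment(node, preds, succs):
    """E-mail client that opened an attachment ([00119])."""
    return node.startswith("mail:") and any(e == "open" for _, e, _ in succs[node])


def rule_office_spawns_shell(node, preds, succs):
    """Word processor launching a command-line interpreter ([00121])."""
    return node.startswith("office:") and any(
        e == "spawn" and d.startswith("shell:") for d, e, _ in succs[node])


def rule_file_handoff(node, preds, succs):
    """Process writes a file, then invokes a process that reads it ([00120])."""
    written = {d for d, e, _ in succs[node] if e == "write"}
    invoked = {d for d, e, _ in succs[node] if e in ("spawn", "inject")}
    return any(f in written for p in invoked for f, e, _ in preds[p] if e == "read")


CAUSE_RULES = [rule_removable_media, rule_mail_attachment,
               rule_office_spawns_shell, rule_file_handoff]


def find_root_cause(start, preds, succs, rules=CAUSE_RULES):
    """Step 412: breadth-first walk over predecessors (causally reverse order)
    from the object tied to the security event, applying the rules to each
    preceding object until one matches. Returns (root or None, visited)."""
    visited, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node != start and any(rule(node, preds, succs) for rule in rules):
            return node, visited
        for src, _, _ in preds[node]:
            if src not in visited:
                visited.add(src)
                queue.append(src)
    return None, visited


def affected_objects(root, succs):
    """Step 416: every object causally downstream of the root cause."""
    seen, queue = set(), deque([root])
    while queue:
        for dst, _, _ in succs[queue.popleft()]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def prune(log, root, affected):
    """Keep only events whose endpoints both depend on the root ([00122], [00130])."""
    keep = affected | {root}
    return [rec for rec in log if rec[1] in keep and rec[3] in keep]


def analyze(log, blocklist=BLOCKLIST):
    preds, succs = build_graph(log)
    trigger = detect_security_event(log, blocklist)
    if trigger is None:
        return {"trigger": None}
    root, visited = find_root_cause(trigger[0], preds, succs)
    affected = affected_objects(root, succs) if root else set()
    return {"trigger": trigger, "root_cause": root, "visited": visited,
            "affected": affected,
            "pruned_log": prune(log, root, affected) if root else log}


if __name__ == "__main__":
    r = analyze(FIG5_LOG)
    print("trigger:", r["trigger"], "root cause:", r["root_cause"])
    print("affected:", sorted(r["affected"]), "kept events:", [x[0] for x in r["pruned_log"]])
```

On the Fig. 5 data the reverse walk visits the third file 526 without any rule firing on it, which matches [00127]'s description of it as only tangentially associated, and the forward walk from the USB device 512 marks files 516 and 518 and everything downstream of the URL 530 while leaving the USB drive 510 and file 526 to be pruned. Using the same functions on a log of the [00120] shape (a process that writes a file, injects into a second process, and that second process reads the file before the trigger) identifies the writing process as the root.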
[00131] It will be appreciated that the event graph 500 depicted in Fig. 5 is an abstracted, simplified version of actual nodes and events on an endpoint for demonstration. Numerous other nodes and edges will be present in a working computing environment. For example, when a USB device is coupled to an endpoint, the new hardware will first be detected, and then the endpoint may search for suitable drivers and, where appropriate, present a user inquiry of how the new hardware should be handled. A user may then apply a file system to view contents of the USB device and select a file to open or execute as desired, or an autorun.exe or similar file may be present on the USB device that begins to execute automatically when the USB device is inserted. All of these operations may require multiple operating system calls, file system accesses, hardware abstraction layer interaction, and so forth, all of which may be discretely represented within the event graph 500, or abstracted up to a single event or object as appropriate. Thus it will be appreciated that the event graph 500 depicted in the drawing is intended to serve as an illustrative example only, and not to express or imply a particular level of abstraction that is necessary or useful for root cause identification as contemplated herein.
[00132] The event graph 500 may be created or analyzed using rules that define one or more relationships between events and computing objects. The C Language Integrated Production System (CLIPS) is a public domain software tool intended for building expert systems, and may be suitably adapted for analysis of a graph such as the event graph 500 to identify patterns and otherwise apply rules for analysis thereof. While other tools and programming environments may also or instead be employed, CLIPS can support a forward and reverse chaining inference engine suitable for a large amount of input data with a relatively small set of inference rules. Using CLIPS, a feed of new data can trigger a new inference, which may be suitable for dynamic solutions to root cause investigations.
[00133] An event graph such as the event graph 500 shown in the figure may includeany number of nodes and edges, where computing objects are represented by nodes and eventsare represented by edges that mark the causal or otherwise directional relationships betweencomputing objects such as data flows, control flows, network flows and so forth. Whileprocesses or files are common forms of nodes that might appear in such a graph, any othercomputing object such as an IP address, a registry key, a domain name, a uniform resourcelocator, a command line input or other object may also or instead be designated to be a node inan event graph as contemplated herein. Similarly, while an edge may be formed by an IPconnection, a file read, a file write, a process invocation (parent, child, etc.), a process path, athread injection, a registry write, a domain name service query, a uniform resource locator accessand so forth other edges may be designated. As described above, when a security event isdetected, the source of the security event may serve as a starting point within the event graph500, which may then be traversed backward to identify a root cause using any number of suitablecause identification rules. The event graph 500 may then usefully be traversed forward from thatroot cause to identify other computing objects that are potentially tainted by the root cause sothat a more complete remediation can be performed.
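The backward and forward traversals described in [00133], as an added example that is not part of the patent and not Sophos' own code. The type-prefixed object identifiers, the two cause identification rules and the event sequence are constructed assumptions chosen to mirror the USB autorun scenario of [00131]; the edge kinds follow the edge types listed above.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One edge of the graph: src acts on (or flows into) dst."""
    src: str    # computing object the flow originates from
    dst: str    # computing object the flow reaches
    kind: str   # edge type, e.g. "file_read", "process_create", "ip_connection"
    ts: int     # constructed monotonic timestamp


class EventGraph:
    """Nodes are computing objects, edges are events, oriented by data/control flow."""

    def __init__(self, events):
        self.out = defaultdict(list)   # src -> outgoing events
        self.inc = defaultdict(list)   # dst -> incoming events
        for e in sorted(events, key=lambda ev: ev.ts):
            self.out[e.src].append(e)
            self.inc[e.dst].append(e)

    def root_cause(self, start, rules):
        """Breadth-first walk over incoming edges from `start` until a rule fires.

        `rules` are callables (node, graph) -> bool tried in order; the first node
        that satisfies any rule is reported together with the events leading from
        it to `start`. Returns (None, []) when nothing upstream matches.
        """
        seen = {start}
        queue = deque([(start, [])])
        while queue:
            node, path = queue.popleft()
            if any(rule(node, self) for rule in rules):
                return node, list(reversed(path))
            for e in self.inc[node]:
                if e.src not in seen:
                    seen.add(e.src)
                    queue.append((e.src, path + [e]))
        return None, []

    def tainted_from(self, root):
        """Every object reachable from `root` over outgoing edges, excluding root."""
        seen = {root}
        queue = deque([root])
        while queue:
            node = queue.popleft()
            for e in self.out[node]:
                if e.dst not in seen:
                    seen.add(e.dst)
                    queue.append(e.dst)
        seen.discard(root)
        return seen


# Assumed cause identification rules (illustrative, not from the patent).
def external_origin(node, g):
    """Removable media and remote addresses count as points of entry."""
    return node.startswith(("usb:", "ip:", "url:"))


def no_known_parent(node, g):
    """A process with no recorded incoming edge has no explained origin."""
    return node.startswith("proc:") and not g.inc[node]


CAUSE_RULES = [external_origin, no_known_parent]

# Constructed sample: autorun from a USB stick drops a DLL, persists, and beacons.
SAMPLE_EVENTS = [
    Event("usb:E:", "file:E:/autorun.exe", "mount", 1),
    Event("file:E:/autorun.exe", "proc:autorun.exe[412]", "process_create", 2),
    Event("proc:autorun.exe[412]", "file:C:/Users/u/svc.dll", "file_write", 3),
    Event("proc:autorun.exe[412]", "reg:HKCU/Run/svc", "registry_write", 4),
    Event("proc:autorun.exe[412]", "proc:rundll32.exe[517]", "process_create", 5),
    Event("file:C:/Users/u/svc.dll", "proc:rundll32.exe[517]", "file_read", 6),
    Event("proc:rundll32.exe[517]", "ip:203.0.113.7:443", "ip_connection", 7),
    # unrelated benign activity that must not end up in the tainted set
    Event("proc:explorer.exe[100]", "file:C:/Users/u/notes.txt", "file_write", 8),
]


def investigate(events, event_source, rules=CAUSE_RULES):
    """Start at the object that raised the security event, find the root cause
    backward, then sweep forward from it for potentially tainted objects."""
    g = EventGraph(events)
    root, path = g.root_cause(event_source, rules)
    tainted = g.tainted_from(root) if root is not None else set()
    return root, [e.kind for e in path], tainted


if __name__ == "__main__":
    root, chain, tainted = investigate(SAMPLE_EVENTS, "proc:rundll32.exe[517]")
    print("root cause:", root)
    print("chain:", " -> ".join(chain))
    print("tainted:", sorted(tainted))
```

Edges point in the direction of data or control flow, so walking incoming edges from the process that raised the beacon leads back toward the origin, and walking outgoing edges from the origin enumerates every object the root cause could have reached. The search starts at the source of the security event (the beaconing process) rather than at the remote address it contacted: a rule that matches the starting node itself would otherwise report the beacon as its own root cause.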
[00134] Using the systems and methods described herein may provide for advantageous sandboxing techniques. For example, the sequence of events included in a data recorder or event graph may be executed within a sandbox or the like in a similar manner as the sequence of events occurred on the endpoint where a security event was detected. This may be accomplished without replicating the entire action sequence of events on the endpoint, e.g., using only a predetermined time window or a predetermined sequence of events. In this manner, information from the data recorder may be used to replicate the actual order of events and processes that were involved in a security event. This may increase the likelihood of a sample detonating in a useful manner for analysis.
[00135] Fig. 6 shows a method for malware detection using an event graph. Once a root cause has been identified as described above, the event graph proximal to the root cause can be used to detect malware based on the emergence of a similar or identical event graph during malware monitoring. This potentially facilitates earlier detection by permitting detection based on the root cause pattern rather than the (subsequent) beacon that initially triggered the search for a root cause during forensic analysis. In addition, monitoring may be adapted to a current security context, e.g., by adding more monitoring points or decreasing filtering (e.g., to gather more data at each point) when the security state worsens or there is a perceived increase in security risk. In general, the computing objects, events, event graph, and the like described below may be any of those described above with respect to root cause identification, with the characteristics of the root cause applied for prospective malware detection instead of or in addition to retroactive, forensic root cause analysis.
[00136] As shown in step 602, the method 600 may include instrumenting an endpoint to monitor a number of causal relationships among computing objects at a plurality of logical locations within a computing environment related to the endpoint. Instrumentation may use any suitable techniques for recording data as contemplated herein. The computing objects may in general be any hardware or software computing object such as a data file, a database record, a database, a directory, a file system, a file system path, a process, an application, an operating system, a registry or registry entry, a network address, a network path, a peripheral device, a physical device (e.g., a disk drive, optical drive, communications or network interface, keyboard, mouse, sensor, camera, microphone, etc.), and so forth. In general, the logical locations may be any corresponding locations of diagnostic interest that might be accessed or used by the computing objects within the computing environment, such as hardware/device interfaces, device drivers, a file system and/or directory, memory (e.g., RAM, cache, processor registers), operating system interfaces, application programming interfaces, network communication ports or interfaces, and any data sources of interest such as credential stores, system registries, system configuration files, and so forth. In one aspect, this may include logical locations separate from the endpoint, such as locations on a second physical endpoint separate from the first endpoint, or a web site, file server, mail server, or other remote resource. By extending instrumentation beyond the individual endpoint, malicious software movements can be tracked throughout a network or from one device to another in order to improve malware detections and the like. The logical locations may also or instead include a programmatic interface to a human interface device such as a mouse, keyboard, sensor, camera, microphone, or other input/output device. The logical locations may also or instead include peripherals or other devices attached to and communicating with the endpoint such as USB memory devices, flash drives, and so forth.
[00137] Monitoring may be performed at various levels of granularity. For example, monitoring may include monitoring of specific memory locations or file locations that are potentially of interest, such as by monitoring reads and/or writes to specific file names, specific directories, and so forth. In another aspect, the instrumentation may be configured for variable monitoring. For example, where a high risk state is detected, filtering may be decreased so that, e.g., a file system or other resource is monitored more aggressively and additional events are captured. This heightened monitoring may be continued for a predetermined window, or until the high-risk state has passed, or indefinitely or until the occurrence of some specific event.
[00138] More generally, the instrumentation contemplated herein may include any instrumentation suitable for monitoring causal relationships among computing objects at logical locations within a computing environment for an endpoint. The computing environment may be confined to the computing environment on a particular endpoint such as the hardware and software associated with that endpoint. The computing environment may more generally include any computing environment related to the endpoint, and may be extended to include other endpoints, remote computing resources such as websites, web servers, file servers, devices such as printers, copiers, watches, televisions, appliances, and so forth. More generally, any other location or resource that might provide logical locations useful for monitoring and diagnostic purposes may be included in the computing environment. In one aspect, this may include other endpoints within a local area network or enterprise network used by the endpoint, such as where another endpoint in the enterprise network sends commands or data to the endpoint or receives commands or data from the endpoint. In general, the instrumentation may include predetermined instrumentation of specific logical locations. That is, the endpoint may be configured to provide causal information from specific logical locations, any of which may then be controllably selected for observation after an initial configuration. In another aspect, instrumentation may include dynamic instrumentation that is deployed as needed or desired for endpoint monitoring. Thus for example, where a new registry entry is created or a new file is downloaded, that computing object may be monitored prospectively as a new logical location on the endpoint until it can be determined that the new computing object is safe.
[00139] As shown in step 604, the method 600 may include selecting a set of logical locations from the plurality of logical locations. This may include adding one or more of the plurality of logical locations to the first set of logical locations in response to a detected increase in security risk. This may also or instead include removing one of the plurality of logical locations from the first set of logical locations in response to a detected decrease in security risk. More generally, this may include adapting the monitored locations according to a security state of the endpoint so that more or less computing resources can be used as necessary or appropriate according to the current state of risk.
[00140] In another aspect, selecting logical locations may include adapting the monitoring based on observed properties of objects within a computing environment. For example, computing objects such as files or processes may be explicitly labelled with information about reputation, exposure to external networks, usage history, security status, and so forth. One useful system for labeling objects in this manner is described by way of example in commonly-owned U.S. App. No. 15/179,547, entitled "Network Security" and filed on June 10, 2016, the entire content of which is hereby incorporated by reference. Without limiting the generality of that disclosure, numerous techniques are described for labeling processes, files, and other computing objects with useful information for malware detection, reputation-based processing, and so forth. These and other techniques may be usefully employed to label computing objects in any manner useful for evaluating a security state of an endpoint (or specific computing objects on the endpoint), and for using this security state to adapt the monitoring processes contemplated herein.
[00141] For example, each file, process, or other object may be labelled according to whether the object has been exposed to an external network or resource. In this manner, objects that have remained isolated on the endpoint can be distinguished from objects that have been exposed outside of the endpoint (and that are thus potentially at risk for infection or other malicious activity). Where exposure of computing objects is explicitly tracked, selecting a set of logical locations may include selecting a group from the plurality of logical locations based on exposure to an external environment, e.g., where the exposure implies a greater degree of security risk. Similarly, these techniques may be used to label computing objects according to reputation, which permits the use of a local or remotely managed reputation database to label computing objects according to their own inherent reputation (e.g., good, bad, low, unknown, etc.) or according to the reputation of other computing objects that a computing object has been exposed to, or some combination of these. In this case, selecting a set of logical locations may include selecting a group from the plurality of logical locations based on a reputation, such as a reputation of one of the computing objects, or a reputation of a group of computing objects. In general, reputation-based evaluations may be done at any suitable level of granularity or complexity. For example, where a known and good reputation process is being used, the selection may include excluding one of the plurality of logical locations associated with the known, good process. This may also or instead include adding locations associated with processes of unknown reputation, or increasing the number of locations or level of monitoring when an inconsistency is detected between a reputation of a first process and a reputation of a second process calling or invoking the first process. More generally, where reputation information is available for computing objects on an endpoint, any inconsistencies between reputations of computing objects that are causally linked in an event graph, or any other reputation information that might be available for the computing objects, may be usefully employed to adapt monitoring as contemplated herein.
[00142] The reputation of computing objects may include a score (or other label, indication, weighting, and the like) of one or more of its prevalence, its provenance, and its pedigree. The prevalence of a computing object may include how the computing object has been seen on other machines or systems. The provenance of a computing object may include its origin, e.g., where it came from, who created or signed it, and the like. The pedigree of a computing object may allow for identification of the creator of the computing object. For example, the pedigree may be based on the public key of the certificate that signed software (e.g., typically the first intermediate certificate). For URLs, this may be based on the signed SSL server certificate. For software, this may be based on the signed package that contains the software (if present). Provenance and prevalence may be uncovered by checking on the public key of the certificate in question, and known good computing objects (or reputations or attributes thereof, e.g., certificates) may be hard coded into a list for future lookup.
[00143] As shown in step 606, the method 600 may include recording a sequence of events causally relating the number of computing objects at the set of logical locations selected in step 604. In general, this may include recording any of the events described herein. This may also or instead include filtering the recorded events more or less aggressively according to a security state or other information. For example, this may include filtering one or more of the events in the sequence of events according to a reputation, such as by excluding events that are related to a known good process, or increasing data collection or sensitivity for events that are related to unknown or low reputation computing objects.
[00144] In one aspect, some or all of the events may have an aging or duration parameter such as a time to live. This permits appropriate aging of events according to their short-term or long-term diagnostic significance. For example, in a lateral movement exploit, one endpoint may try to log in to another endpoint using a series of login attempts with different credentials. To detect this type of attempted lateral movement, it may be useful to retain all login attempts for a relatively short period of time in order to see if a number of similar login attempts occur within a short time period. However, after the passage of some time, any such failed login attempts might be discounted in significance, and aged out of the current event graph using a suitable time to live or other time constant. Thus, a number of events within the sequence of events may be preserved for a predetermined time window. The predetermined time window may have a different duration for at least two of the types of computing objects contemplated herein, which may be useful where events for different computing objects (e.g., remote resources, local files, processes, and the like) provide information with differing long-term or short-term value.
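The aging behaviour of [00144] worked through as an added example; this is not code from the patent or from Sophos. The per-type time-to-live values, the "four failures within sixty seconds" threshold and the login timeline are constructed assumptions. The recorder keeps an event only while the longest-lived object type it touches is within its TTL, and the burst check counts only what the recorder still holds, so an old credential spray stops contributing once it has aged out.

```python
from collections import defaultdict, deque


class AgingEventRecorder:
    """Keeps an event only while the TTL of the object types it touches has not elapsed."""

    def __init__(self, ttl_by_type, default_ttl):
        self.ttl_by_type = dict(ttl_by_type)   # object type -> seconds (assumed values)
        self.default_ttl = default_ttl
        self._events = deque()                 # (ts, kind, src, dst) in arrival order

    @staticmethod
    def object_type(obj):
        """Object ids are "type:identifier", e.g. "host:ws-07", "file:C:/x"."""
        return obj.split(":", 1)[0]

    def ttl_for(self, src, dst):
        """An event lives as long as the longest-lived object it relates."""
        return max(self.ttl_by_type.get(self.object_type(o), self.default_ttl)
                   for o in (src, dst))

    def record(self, ts, kind, src, dst):
        self._events.append((ts, kind, src, dst))

    def expire(self, now):
        """Age out events whose TTL has elapsed; returns the number dropped."""
        keep = deque()
        dropped = 0
        for ev in self._events:
            ts, _, src, dst = ev
            if now - ts < self.ttl_for(src, dst):
                keep.append(ev)
            else:
                dropped += 1
        self._events = keep
        return dropped

    def events(self, kind=None):
        return [e for e in self._events if kind is None or e[1] == kind]


def failed_login_bursts(recorder, window, threshold):
    """(source, target) pairs with >= threshold failed logins inside any `window` seconds.

    Only events the recorder still holds are counted, so attempts that have
    aged out no longer contribute to a burst.
    """
    by_pair = defaultdict(list)
    for ts, _, src, dst in recorder.events("login_failed"):
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, t in enumerate(stamps):           # sliding window over sorted times
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[pair] = best
    return hits


def run_scenario():
    """Constructed timeline: a credential spray from ws-07 against srv-fs."""
    rec = AgingEventRecorder({"host": 300, "proc": 3600, "file": 86400}, default_ttl=600)
    rec.record(900, "file_write", "proc:backup.exe[77]", "file:C:/data/report.bak")
    for t in (1000, 1008, 1017, 1025, 1040):     # five accounts tried in 40 s
        rec.record(t, "login_failed", "host:ws-07", "host:srv-fs")
    rec.record(1030, "login_failed", "host:ws-12", "host:srv-fs")   # one mistyped password
    rec.record(1045, "login_ok", "host:ws-07", "host:srv-fs")       # the spray succeeded

    dropped_at_1050 = rec.expire(now=1050)        # nothing has aged out yet
    early = failed_login_bursts(rec, window=60, threshold=4)
    dropped_at_1400 = rec.expire(now=1400)        # host events older than 300 s go
    late = failed_login_bursts(rec, window=60, threshold=4)
    return {
        "dropped_at_1050": dropped_at_1050,
        "early": early,
        "dropped_at_1400": dropped_at_1400,
        "late": late,
        "retained": len(rec.events()),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "=", value)
```

The file write survives the second expiry because file objects carry a long TTL in this configuration, which is the "different duration for at least two types of computing objects" of claim 15; the short host TTL is what lets the login noise age out once the burst window has passed.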
[00145] As shown in step 608, the method 600 includes creating an event graph based on the sequence of events. The event graph may be continuously created and updated by a data recorder (that is, the data recorder may store the event graph as its native data logging format), or the event graph may be created on demand from a structured or unstructured data log at discrete moments, e.g., in response to a request for an event graph from the data recorder. Thus, in one aspect, the data recorder may function to continuously obtain data from a variety of sources or locations in addition to the locations that have been selected for monitoring. While this additional data logging may require additional computing resources to capture information beyond the selected monitoring points as well as additional storage, the additional data may also advantageously permit retroactive reconstruction of malicious causal chains if potential malware has been detected. Thus, in one aspect, a data recorder may record additional data from instrumentation points outside the scope of the logical locations that are currently explicitly being monitored. The data recorder may have a prioritized list of logical locations, and may record additional data based on the prioritized list of logical locations.
[00146] As described herein, the event graph may generally associate a number of computing objects to one another through events that establish causal relationships. The causal relationships include at least one of a data flow, a control flow, or a network flow.
[00147] As shown in step 610, the method includes evaluating a security state of the endpoint. This includes evaluating the security state of the endpoint based on the event graph by applying a malware detection rule to the event graph. This may provide useful diagnostic information by comparing the current event graph to one or more graphs for root causes that have been identified as described above, or by comparing the current event graph to other patterns of events that show a causal relationship among computing objects that is suggestive or indicative of malicious activity.
[00148] It will be appreciated that other techniques may also or instead be employed to evaluate the security state of the endpoint, such as signature-based malware detection, behavioral malware detection, or any other techniques known in the art to be useful for detecting the presence of malware on an endpoint. These techniques may provide additional information that may be useful for a general evaluation of the security state of the endpoint, which may be used instead of or in addition to event-based techniques to evaluate the security state of an endpoint and to inform other event-based monitoring steps.
[00149] As shown in step 612, the method 600 may include adjusting the set of logical locations according to the security state of the endpoint. In general, this may include adding a new logical location or removing an existing logical location. Thus, this may generally include selecting a second set of logical locations different from the first set of logical locations in response to an observed event graph for the sequence of events. This may also or instead include changing a level of filtering at one of the set of logical locations according to the security state of the endpoint. In another aspect, any of the selection criteria described above for use with an initial selection of monitoring locations (e.g., in step 604) may also or instead be employed as criteria for adding, removing, or filtering logical locations in order to adjust the monitoring in response to a security state. It will also be understood that, while the event graph may generally provide useful information about the security state of the endpoint, other information may also or instead be used to evaluate the security state and modify the monitoring process accordingly. For example, the monitoring may be adjusted based on a detection of malware obtained from another source such as an antivirus scanner or the like, or the monitoring may be adjusted based on exposure to external resources, reputation information, or any other information that might be available for processes, files, and the like as contemplated herein.
[00150] As shown in step 614, the method 600 may include remediating the endpoint when the security state is compromised, for example, when a combination of a malware detection rule and the event graph indicate a compromised security state. This may include any suitable form of remediation. For example, where evaluating the security state includes identifying one of the computing objects (or a group of the computing objects) as a cause of a compromised security state, the method 600 may include remediating that one of the computing objects. Remediation may also or instead include traversing the event graph forward from the cause to identify one or more other ones of the computing objects affected by the cause, any of which may be similarly remediated.
[00151] Numerous remediation techniques are known in the art and may be usefully employed to remediate an endpoint, or one or more computing objects on an endpoint, as contemplated herein. This may for example include quarantining or isolating the endpoint to prevent interactions with other devices on a network. This may also or instead include deploying malware removal tools to the endpoint, or launching a malware removal tool that is already on the endpoint, to remove malware that has been detected. This may also include intermediate steps such as terminating processes, deleting logs, clearing caches, or any other steps or combination of steps suitable for removing malicious software from the endpoint and/or restoring the endpoint to an uninfected state. This may include notifying an administrator or user. This may include reporting a health state that indicates compromise, for example, as part of a heartbeat health report.
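Steps 604 through 614 run as one adaptive loop, added here as an example and not drawn from the patent or from Sophos' implementation. The reputation labels, the logical location names, the two detection rules and the two event batches are constructed assumptions: rule A stands in for a malware detection rule built from the root-cause pattern of [00135] (an unknown process persists through a Run key and spawns a child that connects outbound), and rule B is the parent/child reputation inconsistency of [00141]. Reduced filtering drops the events of known-good processes, as [00143] describes, which is why the beacon from the known-good rundll32.exe is only recorded after the first evaluation has raised the state and widened monitoring.

```python
from collections import defaultdict

# Constructed reputation labels. Objects that are not listed are treated as
# unknown reputation, the conservative default.
LABELS = {
    "proc:explorer.exe[100]": {"reputation": "good", "exposed": False},
    "proc:rundll32.exe[517]": {"reputation": "good", "exposed": False},
    "proc:autorun.exe[412]":  {"reputation": "unknown", "exposed": True},
}


def reputation(obj):
    return LABELS.get(obj, {}).get("reputation", "unknown")


# Assumed logical locations the endpoint can report from.
BASELINE_LOCATIONS = {"fs:users", "reg:run", "net:outbound"}
ESCALATION_LOCATIONS = {"dev:usb", "hid:keyboard", "fs:windows"}

SEVERITY = {"normal": 0, "elevated": 1, "compromised": 2}


class AdaptiveMonitor:
    def __init__(self):
        self.state = "normal"
        self.locations = set(BASELINE_LOCATIONS)
        self.filtering = "reduced"   # "reduced": skip events of known-good processes
        self.edges = []              # recorded (loc, kind, src, dst)

    # steps 604 / 612: choose, and later adjust, monitored locations and filtering
    def adjust(self, state):
        self.state = state
        if state == "normal":
            self.locations = set(BASELINE_LOCATIONS)
            self.filtering = "reduced"
        else:                        # elevated or compromised: widen and filter less
            self.locations = BASELINE_LOCATIONS | ESCALATION_LOCATIONS
            self.filtering = "full"

    # step 606: record events from selected locations, filtered by reputation
    def record(self, loc, kind, src, dst):
        if loc not in self.locations:
            return False
        if self.filtering == "reduced" and reputation(src) == "good":
            return False
        self.edges.append((loc, kind, src, dst))
        return True

    # step 608: the event graph as adjacency by source object
    def graph(self):
        out = defaultdict(list)
        for _, kind, src, dst in self.edges:
            out[src].append((kind, dst))
        return out

    # step 610: apply detection rules to the graph and rate the security state
    def evaluate(self):
        out = self.graph()
        findings = []
        for src, edges in list(out.items()):
            if reputation(src) == "good":
                continue
            persists = any(k == "registry_write" for k, _ in edges)
            for k, child in edges:
                if k != "process_create":
                    continue
                # rule B: reputation inconsistency between parent and child
                if reputation(child) == "good":
                    findings.append(("elevated", src, "unknown parent of known-good child"))
                # rule A: root-cause pattern persist -> spawn -> beacon
                if persists and any(ck == "ip_connection" for ck, _ in out[child]):
                    findings.append(("compromised", src, "persist, spawn, beacon"))
        state = max((f[0] for f in findings), key=SEVERITY.get, default="normal")
        return state, findings

    # step 614: remediation actions for compromised findings
    @staticmethod
    def remediation_plan(findings):
        plan = []
        for level, cause, _ in findings:
            if level != "compromised":
                continue
            for action in (f"terminate:{cause}", "isolate_endpoint",
                           "report_heartbeat:compromised"):
                if action not in plan:
                    plan.append(action)
        return plan


EVENTS_T1 = [  # constructed first window, observed under baseline monitoring
    ("dev:usb",      "mount",          "usb:E:",                 "file:E:/autorun.exe"),
    ("fs:users",     "file_write",     "proc:explorer.exe[100]", "file:C:/Users/u/notes.txt"),
    ("reg:run",      "registry_write", "proc:autorun.exe[412]",  "reg:HKCU/Run/svc"),
    ("fs:users",     "process_create", "proc:autorun.exe[412]",  "proc:rundll32.exe[517]"),
    ("net:outbound", "ip_connection",  "proc:rundll32.exe[517]", "ip:203.0.113.7:443"),
]
EVENTS_T2 = [  # second window, after the monitor has widened its view
    ("hid:keyboard", "input_read",     "proc:rundll32.exe[517]", "hid:keyboard"),
    ("net:outbound", "ip_connection",  "proc:rundll32.exe[517]", "ip:203.0.113.7:443"),
]


def run_scenario():
    mon = AdaptiveMonitor()
    kept1 = sum(mon.record(*e) for e in EVENTS_T1)
    state1, _ = mon.evaluate()
    mon.adjust(state1)                      # widen monitoring on elevated risk
    kept2 = sum(mon.record(*e) for e in EVENTS_T2)
    state2, findings2 = mon.evaluate()
    return {
        "kept": (kept1, kept2),
        "states": (state1, state2),
        "locations": sorted(mon.locations),
        "plan": mon.remediation_plan(findings2),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "=", value)
```

In the first window the beacon is dropped by the reputation filter, so only the reputation inconsistency fires and the state becomes elevated; that is enough to switch to full filtering and add the escalation locations, after which the repeated beacon is recorded and the full root-cause pattern matches. The remediation plan names the cause object from the finding; a forward sweep for other affected objects would be the traversal of [00150].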
[00152] According to the foregoing, there is also contemplated herein an endpoint that uses an adaptive event graph for malware detection. In general, the endpoint may include a network interface, a memory, and a processor. The processor may be configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, selecting a first set of logical locations from the plurality of logical locations, recording a sequence of events causally relating the number of computing objects at the first set of logical locations, creating an event graph based on the sequence of events, applying a malware detection rule to the event graph, and remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state. The processor may be further configured to adjust the set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the set of logical locations according to a security state of the endpoint.
[00153] The above systems, devices, methods, processes, and the like may be realized in hardware, software, or any combination of these suitable for a particular application. The hardware may include a general-purpose computer and/or dedicated computing device. This includes realization in one or more microprocessors, microcontrollers, embedded microcontrollers, programmable digital signal processors or other programmable devices or processing circuitry, along with internal and/or external memory. This may also, or instead, include one or more application specific integrated circuits, programmable gate arrays, programmable array logic components, or any other device or devices that may be configured to process electronic signals. It will further be appreciated that a realization of the processes or devices described above may include computer-executable code created using a structured programming language such as C, an object oriented programming language such as C++, or any other high-level or low-level programming language (including assembly languages, hardware description languages, and database programming languages and technologies) that may be stored, compiled or interpreted to run on one of the above devices, as well as heterogeneous combinations of processors, processor architectures, or combinations of different hardware and software. In another aspect, the methods may be embodied in systems that perform the steps thereof, and may be distributed across devices in a number of ways. At the same time, processing may be distributed across devices such as the various systems described above, or all of the functionality may be integrated into a dedicated, standalone device or other hardware. In another aspect, means for performing the steps associated with the processes described above may include any of the hardware and/or software described above. All such permutations and combinations are intended to fall within the scope of the present disclosure.
[00154] Embodiments disclosed herein may include computer program products comprising computer-executable code or computer-usable code that, when executing on one or more computing devices, performs any and/or all of the steps thereof. The code may be stored in a non-transitory fashion in a computer memory, which may be a memory from which the program executes (such as random access memory associated with a processor), or a storage device such as a disk drive, flash memory or any other optical, electromagnetic, magnetic, infrared or other device or combination of devices. In another aspect, any of the systems and methods described above may be embodied in any suitable transmission or propagation medium carrying computer-executable code and/or any inputs or outputs from same.
[00155] The method steps of the implementations described herein are intended to include any suitable method of causing such method steps to be performed, consistent with the patentability of the following claims, unless a different meaning is expressly provided or otherwise clear from the context. So for example performing the step of X includes any suitable method for causing another party such as a remote user, a remote processing resource (e.g., a server or cloud computer) or a machine to perform the step of X. Similarly, performing steps X, Y and Z may include any method of directing or controlling any combination of such other individuals or resources to perform steps X, Y and Z to obtain the benefit of such steps. Thus method steps of the implementations described herein are intended to include any suitable method of causing one or more other parties or entities to perform the steps, consistent with the patentability of the following claims, unless a different meaning is expressly provided or otherwise clear from the context. Such parties or entities need not be under the direction or control of any other party or entity, and need not be located within a particular jurisdiction.
[00156] It will be appreciated that the methods and systems described above are set forth by way of example and not of limitation. Absent an explicit indication to the contrary, the disclosed steps may be modified, supplemented, omitted, and/or re-ordered without departing from the scope of this disclosure. Numerous variations, additions, omissions, and other modifications will be apparent to one of ordinary skill in the art. In addition, the order or presentation of method steps in the description and drawings above is not intended to require this order of performing the recited steps unless a particular order is expressly required or otherwise clear from the context. Thus, while particular embodiments have been shown and described, it will be apparent to those skilled in the art that various changes and modifications in form and details may be made therein without departing from the spirit and scope of this disclosure and are intended to form a part of the invention as defined by the following claims, which are to be interpreted in the broadest sense allowable by law.

Claims (17)

1. A computer program product for detecting malware on an endpoint in anenterprise network, the computer program product comprising computer executable codeembodied in a non-transitory computer readable medium that, when executing on theendpoint, performs the steps of: instrumenting the endpoint to monitor a number of causal relationships among anumber of computing objects at a plurality of logical locations within a computingenvironment related to the endpoint, wherein the number of causal relationships includeat least one of a data flow, a control flow, or a network flow; selecting a set of logical locations from the plurality of logical locations;recording a sequence of events causally relating the number of computing objectsat the set of logical locations; creating an event graph based on the sequence of events; applying a malware detection rule to the event graph; andremediating the endpoint when the malware detection rule and the event graphindicate a compromised security state.
2. A method for malware detection comprising: instrumenting a first endpoint to monitor a number of causal relationships amonga number of computing objects at a plurality of logical locations within a computingenvironment related to the first endpoint, wherein the number of causal relationshipsinclude at least one of a data flow, a control flow, or a network flow; selecting a first set of logical locations from the plurality of logical locations;recording a sequence of events causally relating the number of computing objectsat the first set of logical locations; creating an event graph based on the sequence of events; applying a malware detection rule to the event graph; andremediating the first endpoint when the malware detection rule and the eventgraph indicate a compromised security state.
3. The method of claim 2, wherein selecting the first set of logical locations includesselecting a group from the plurality of logical locations based on exposure to an externalenvironment.
4. The method of claim 2, wherein selecting the first set of logical locations includesselecting a group from the plurality of logical locations based on reputation.
5. The method of claim 4, further comprising excluding at least one of the pluralityof logical locations associated with a known, good process.
6. The method of claim 2, further comprising selecting a second set of logicallocations different from the first set of logical locations in response to an observed eventgraph for the sequence of events.
7. The method of claim 2, further comprising adding one or more of the plurality oflogical locations to the first set of logical locations in response to a detected increase insecurity risk.
8. The method of claim 2, further comprising removing one of the plurality oflogical locations from the first set of logical locations in response to a detected decreasein security risk.
9. The method of claim 2, further comprising filtering one or more of the events inthe sequence of events according to reputation.
10. The method of claim 2, wherein the plurality of logical locations includes at least one endpoint separate from the first endpoint.
11. The method of claim 2, wherein the plurality of logical locations includes at least one programming interface to a human interface device.
12. The method of claim 2, further comprising identifying one of the computing objects as a cause of the compromised security state and remediating the one of the computing objects.
13. The method of claim 2, further comprising traversing the event graph forward from the cause to identify one or more other ones of the computing objects affected by the cause.
14. The method of claim 2, wherein the one or more computing objects include one or more types of computing objects selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device.
15. The method of claim 2, wherein a number of events within the sequence of events are preserved for a predetermined time window, and further wherein the predetermined time window has a different duration for at least two different types of computing objects.
16. An endpoint comprising: a network interface; a memory; and a processor configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow, selecting a first set of logical locations from the plurality of logical locations, recording a sequence of events causally relating the number of computing objects at the first set of logical locations, creating an event graph based on the sequence of events, applying a malware detection rule to the event graph, and remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.
17. The endpoint of claim 16, wherein the processor is further configured to adjust the first set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the first set of logical locations according to a security state of the endpoint.
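The following is an added illustration of the event-graph pipeline in claims 12, 13, 15 and 16, written for this page; it is not code from the patent or from Sophos. The event records, the object names (including the 203.0.113.5 address), the detection rule and the per-type retention windows in RETENTION are all constructed for the example, and the pruning policy (keep an event while it is inside the longer of its two objects' windows) is an assumption, since the claims only state that windows differ by object type.

```python
from collections import defaultdict, namedtuple

# Event: timestamp (s), flow kind ("data" / "control" / "network"), src and dst objects as (type, name).
Event = namedtuple("Event", "t kind src dst")
# Assumed per-object-type retention windows in seconds (claim 15: at least two types differ).
RETENTION = {"network address": 60, "data file": 600, "registry entry": 1800, "process": 3600}

class EventGraph:
    """Nodes are computing objects; directed edges are the recorded causal events between them."""
    def __init__(self, events=()):
        self.events, self.out, self.inc = [], defaultdict(list), defaultdict(list)
        for e in events:
            self.add(e)
    def add(self, ev):
        self.events.append(ev)
        self.out[ev.src].append(ev)
        self.inc[ev.dst].append(ev)
    def prune(self, now):
        """Keep an event while it is inside the longer window of its two objects (assumed policy)."""
        self.__init__([e for e in self.events
                       if now - e.t <= max(RETENTION[e.src[0]], RETENTION[e.dst[0]])])
    def _reach(self, start, edges, end):
        seen, stack = set(), [start]
        while stack:
            new = {end(e) for e in edges.get(stack.pop(), ())} - seen
            seen |= new
            stack.extend(new)
        return seen
    def ancestors(self, node):    # backward traversal: candidate causes (claim 12)
        return self._reach(node, self.inc, lambda e: e.src)
    def descendants(self, node):  # forward traversal from the cause (claim 13)
        return self._reach(node, self.out, lambda e: e.dst)
    def root_cause(self, node):
        """Earliest-acting ancestor with no recorded incoming event, or the node itself."""
        roots = [a for a in self.ancestors(node) if not self.inc.get(a)]
        return min(roots, key=lambda a: min(e.t for e in self.out[a])) if roots else node

def network_origin_mass_write(g, threshold=3):
    """Constructed rule: a process descended from a network address that wrote >= threshold data files."""
    def writes(p):
        return {e.dst for e in g.out.get(p, ()) if e.kind == "data" and e.dst[0] == "data file"}
    return [p for p in list(g.out) if p[0] == "process" and len(writes(p)) >= threshold
            and any(a[0] == "network address" for a in g.ancestors(p))]

# Constructed sample: a download, its execution, three document writes, then one registry write.
NET, EXE, PROC = ("network address", "203.0.113.5"), ("data file", "invoice.exe"), ("process", "invoice.exe:4242")
SAMPLE = [Event(0, "network", NET, EXE), Event(1, "control", EXE, PROC),
          *(Event(2 + i, "data", PROC, ("data file", f"report{i}.docx")) for i in range(3)),
          Event(5, "data", PROC, ("registry entry", "Run key"))]
```

Running prune with a clock 700 s past the download drops the network-to-file edge (60 s and 600 s windows) while the process edges (3600 s) survive, so the same rule no longer fires and the root cause collapses to the dropped file: the per-type windows of claim 15 directly bound how far back a cause can be traced.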
GB1611301.1A 2016-04-15 2016-06-29 Endpoint malware detection using an event graph Active GB2551972B (en)

Priority Applications (13)

Application Number Priority Date Filing Date Title
GB1611301.1A GB2551972B (en) 2016-06-29 2016-06-29 Endpoint malware detection using an event graph
GB1910544.4A GB2573076B (en) 2016-06-29 2016-06-29 Endpoint malware detection using an event graph
CA3020559A CA3020559A1 (en) 2016-04-15 2017-04-11 Forensic analysis of computing activity and malware detection using an event graph
AU2017249322A AU2017249322B2 (en) 2016-04-15 2017-04-11 Forensic analysis of computing activity and malware detection using an event graph
PCT/US2017/027070 WO2017180666A1 (en) 2016-04-15 2017-04-11 Forensic analysis of computing activity and malware detection using an event graph
US15/484,830 US9928366B2 (en) 2016-04-15 2017-04-11 Endpoint malware detection using an event graph
US15/924,449 US10489588B2 (en) 2016-04-15 2018-03-19 Endpoint malware detection using an event graph
US15/924,460 US10460105B2 (en) 2016-04-15 2018-03-19 Endpoint malware detection using an event graph
US16/401,565 US10817602B2 (en) 2016-04-15 2019-05-02 Endpoint malware detection using an event graph
US17/039,350 US11550909B2 (en) 2016-04-15 2020-09-30 Tracking malicious software movement with an event graph
US17/689,587 US20220198010A1 (en) 2016-04-15 2022-03-08 Tracking malware root causes with an event graph
US17/689,481 US20220198009A1 (en) 2016-04-15 2022-03-08 Tracking malware root causes with an event graph
US18/084,825 US20230118204A1 (en) 2016-04-15 2022-12-20 Tracking malicious software movement with an event graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1611301.1A GB2551972B (en) 2016-06-29 2016-06-29 Endpoint malware detection using an event graph

Publications (3)

Publication Number Publication Date
GB201611301D0 GB201611301D0 (en) 2016-08-10
GB2551972A GB2551972A (en) 2018-01-10
GB2551972B true GB2551972B (en) 2019-09-18

Family

ID=56891512

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1611301.1A Active GB2551972B (en) 2016-04-15 2016-06-29 Endpoint malware detection using an event graph

Country Status (1)

Country Link
GB (1) GB2551972B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10868832B2 (en) * 2017-03-22 2020-12-15 Ca, Inc. Systems and methods for enforcing dynamic network security policies
US11709930B2 (en) * 2020-05-12 2023-07-25 Oracle International Corporation Inferring watchpoints for understandable taint reports

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9166997B1 (en) * 2013-09-19 2015-10-20 Symantec Corporation Systems and methods for reducing false positives when using event-correlation graphs to detect attacks on computing systems
US9225730B1 (en) * 2014-03-19 2015-12-29 Amazon Technologies, Inc. Graph based detection of anomalous activity
US9256739B1 (en) * 2014-03-21 2016-02-09 Symantec Corporation Systems and methods for using event-correlation graphs to generate remediation procedures
JP2016066282A (en) * 2014-09-25 2016-04-28 株式会社日立製作所 Virus detection system and method

Also Published As

Publication number Publication date
GB2551972A (en) 2018-01-10
GB201611301D0 (en) 2016-08-10
