GB2563340A8 - Labeling computing objects for improved threat detection - Google Patents

Labeling computing objects for improved threat detection

Info

Publication number
GB2563340A8
GB2563340A8 GB1811133.6A GB201811133A GB2563340A8 GB 2563340 A8 GB2563340 A8 GB 2563340A8 GB 201811133 A GB201811133 A GB 201811133A GB 2563340 A8 GB2563340 A8 GB 2563340A8
Authority
GB
United Kingdom
Prior art keywords
descriptor
threat detection
context
computing objects
action
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB1811133.6A
Other versions
GB201811133D0 (en
GB2563340B (en
GB2563340A (en
Inventor
D Ray Kenneth
Neil Reed Simon
D Harris Mark
Robert Tyndale Watkiss Neil
J Thomas Andrew
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sophos Ltd
Original Assignee
Sophos Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US14/485,771 external-priority patent/US9992228B2/en
Priority claimed from US14/485,774 external-priority patent/US9537841B2/en
Priority claimed from US14/485,782 external-priority patent/US10122687B2/en
Priority claimed from US14/485,762 external-priority patent/US9967283B2/en
Priority claimed from US14/485,769 external-priority patent/US9965627B2/en
Priority claimed from US14/485,790 external-priority patent/US9967264B2/en
Priority claimed from US14/485,759 external-priority patent/US9967282B2/en
Priority claimed from US14/485,765 external-priority patent/US10965711B2/en
Application filed by Sophos Ltd filed Critical Sophos Ltd
Publication of GB201811133D0 publication Critical patent/GB201811133D0/en
Publication of GB2563340A publication Critical patent/GB2563340A/en
Publication of GB2563340A8 publication Critical patent/GB2563340A8/en
Application granted granted Critical
Publication of GB2563340B publication Critical patent/GB2563340B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • General Business, Economics & Management (AREA)
  • Business, Economics & Management (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Burglar Alarm Systems (AREA)
  • Storage Device Security (AREA)
  • Devices Affording Protection Of Roads Or Walls For Sound Insulation (AREA)
  • User Interface Of Digital Computer (AREA)
  • Alarm Systems (AREA)

Abstract

Threat detection in a network, involving processing a first object on an endpoint, the first object from a location external to the endpoint; in response to a first observed action, colouring the object with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including at least one attribute identifying the first object as exposed to external data; inheriting the descriptor at a second object when the second object is the target of an action by the first object ; applying a rule dependent on the descriptor in response to a second observed action of the second object to detect a reportable event based in part on an exposure of the second object to the external data; and transmitting information including a description of the reportable event and the second object along with the descriptor of the context to a threat management facility.
GB1811133.6A 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection Active GB2563340B (en)

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
US14/485,774 US9537841B2 (en) 2014-09-14 2014-09-14 Key management for compromised enterprise endpoints
US14/485,765 US10965711B2 (en) 2014-09-14 2014-09-14 Data behavioral tracking
US14/485,769 US9965627B2 (en) 2014-09-14 2014-09-14 Labeling objects on an endpoint for encryption management
US14/485,759 US9967282B2 (en) 2014-09-14 2014-09-14 Labeling computing objects for improved threat detection
US14/485,790 US9967264B2 (en) 2014-09-14 2014-09-14 Threat detection using a time-based cache of reputation information on an enterprise endpoint
US14/485,762 US9967283B2 (en) 2014-09-14 2014-09-14 Normalized indications of compromise
US14/485,771 US9992228B2 (en) 2014-09-14 2014-09-14 Using indications of compromise for reputation based network security
US14/485,782 US10122687B2 (en) 2014-09-14 2014-09-14 Firewall techniques for colored objects on endpoints
GB1804873.6A GB2558811B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Publications (4)

Publication Number Publication Date
GB201811133D0 GB201811133D0 (en) 2018-08-22
GB2563340A GB2563340A (en) 2018-12-12
GB2563340A8 true GB2563340A8 (en) 2019-03-27
GB2563340B GB2563340B (en) 2019-07-03

Family

ID=55458378

Family Applications (9)

Application Number Title Priority Date Filing Date
GB1804873.6A Active GB2558811B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1811133.6A Active GB2563340B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1820349.7A Active GB2565734B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1820350.5A Active GB2565735B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1815249.6A Active GB2564589B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1804902.3A Active GB2558812B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1705948.6A Active GB2545621B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1811123.7A Active GB2560861B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1715899.9A Active GB2552632B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GB1804873.6A Active GB2558811B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Family Applications After (7)

Application Number Title Priority Date Filing Date
GB1820349.7A Active GB2565734B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1820350.5A Active GB2565735B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1815249.6A Active GB2564589B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1804902.3A Active GB2558812B (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1705948.6A Active GB2545621B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1811123.7A Active GB2560861B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection
GB1715899.9A Active GB2552632B8 (en) 2014-09-14 2015-09-14 Labeling computing objects for improved threat detection

Country Status (2)

Country Link
GB (9) GB2558811B (en)
WO (1) WO2016038397A1 (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9537841B2 (en) 2014-09-14 2017-01-03 Sophos Limited Key management for compromised enterprise endpoints
US9967283B2 (en) 2014-09-14 2018-05-08 Sophos Limited Normalized indications of compromise
US9967264B2 (en) 2014-09-14 2018-05-08 Sophos Limited Threat detection using a time-based cache of reputation information on an enterprise endpoint
US10122687B2 (en) 2014-09-14 2018-11-06 Sophos Limited Firewall techniques for colored objects on endpoints
US9992228B2 (en) 2014-09-14 2018-06-05 Sophos Limited Using indications of compromise for reputation based network security
US10965711B2 (en) 2014-09-14 2021-03-30 Sophos Limited Data behavioral tracking
US9967282B2 (en) 2014-09-14 2018-05-08 Sophos Limited Labeling computing objects for improved threat detection
US9965627B2 (en) 2014-09-14 2018-05-08 Sophos Limited Labeling objects on an endpoint for encryption management
US10628597B2 (en) 2016-04-14 2020-04-21 Sophos Limited Just-in-time encryption
US10263966B2 (en) 2016-04-14 2019-04-16 Sophos Limited Perimeter enforcement of encryption rules
US10650154B2 (en) 2016-02-12 2020-05-12 Sophos Limited Process-level control of encrypted content
AU2016392715B2 (en) * 2016-02-12 2020-07-23 Sophos Limited Encryption techniques
US10686827B2 (en) 2016-04-14 2020-06-16 Sophos Limited Intermediate encryption for exposed content
US10791097B2 (en) 2016-04-14 2020-09-29 Sophos Limited Portable encryption format
US10681078B2 (en) 2016-06-10 2020-06-09 Sophos Limited Key throttling to mitigate unauthorized file access
US9984248B2 (en) 2016-02-12 2018-05-29 Sophos Limited Behavioral-based control of access to encrypted content by a process
US10986109B2 (en) 2016-04-22 2021-04-20 Sophos Limited Local proxy detection
US10938781B2 (en) 2016-04-22 2021-03-02 Sophos Limited Secure labeling of network flows
US11102238B2 (en) 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US11165797B2 (en) 2016-04-22 2021-11-02 Sophos Limited Detecting endpoint compromise based on network usage history
US11277416B2 (en) 2016-04-22 2022-03-15 Sophos Limited Labeling network flows according to source applications
US12021831B2 (en) 2016-06-10 2024-06-25 Sophos Limited Network security
GB2551983B (en) 2016-06-30 2020-03-04 Sophos Ltd Perimeter encryption
US10848501B2 (en) * 2016-12-30 2020-11-24 Microsoft Technology Licensing, Llc Real time pivoting on data to model governance properties
US10911479B2 (en) * 2018-08-06 2021-02-02 Microsoft Technology Licensing, Llc Real-time mitigations for unfamiliar threat scenarios
US11483326B2 (en) 2019-08-30 2022-10-25 Palo Alto Networks, Inc. Context informed abnormal endpoint behavior detection
CN114430335A (en) * 2021-12-16 2022-05-03 奇安信科技集团股份有限公司 Web fingerprint matching method and device

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7921284B1 (en) * 2001-12-12 2011-04-05 Gary Mark Kinghorn Method and system for protecting electronic data in enterprise environment
US7552472B2 (en) * 2002-12-19 2009-06-23 International Business Machines Corporation Developing and assuring policy documents through a process of refinement and classification
US7324108B2 (en) * 2003-03-12 2008-01-29 International Business Machines Corporation Monitoring events in a computer network
US20080141376A1 (en) * 2006-10-24 2008-06-12 Pc Tools Technology Pty Ltd. Determining maliciousness of software
US9367680B2 (en) * 2008-10-21 2016-06-14 Lookout, Inc. System and method for mobile communication device application advisement
US8607340B2 (en) * 2009-07-21 2013-12-10 Sophos Limited Host intrusion prevention system using software and user behavior analysis
US9038168B2 (en) * 2009-11-20 2015-05-19 Microsoft Technology Licensing, Llc Controlling resource access based on resource properties
US9407603B2 (en) * 2010-06-25 2016-08-02 Salesforce.Com, Inc. Methods and systems for providing context-based outbound processing application firewalls
US8875286B2 (en) * 2010-12-01 2014-10-28 Cisco Technology, Inc. Method and apparatus for detecting malicious software using machine learning techniques
US8042186B1 (en) * 2011-04-28 2011-10-18 Kaspersky Lab Zao System and method for detection of complex malware
US9106680B2 (en) * 2011-06-27 2015-08-11 Mcafee, Inc. System and method for protocol fingerprinting and reputation correlation
US8931043B2 (en) * 2012-04-10 2015-01-06 Mcafee Inc. System and method for determining and using local reputations of users and hosts to protect information in a network environment
US9092616B2 (en) * 2012-05-01 2015-07-28 Taasera, Inc. Systems and methods for threat identification and remediation
IL219597A0 (en) * 2012-05-03 2012-10-31 Syndrome X Ltd Malicious threat detection, malicious threat prevention, and a learning systems and methods for malicious threat detection and prevention
US8832848B1 (en) * 2012-07-26 2014-09-09 Symantec Corporation Systems and methods for content-aware access control
US9104864B2 (en) * 2012-10-24 2015-08-11 Sophos Limited Threat detection through the accumulated detection of threat characteristics
US9355172B2 (en) * 2013-01-10 2016-05-31 Accenture Global Services Limited Data trend analysis
US9104865B2 (en) * 2013-08-29 2015-08-11 International Business Machines Corporation Threat condition management
WO2015060857A1 (en) * 2013-10-24 2015-04-30 Mcafee, Inc. Agent assisted malicious application blocking in a network environment

Also Published As

Publication number Publication date
GB2545621A (en) 2017-06-21
GB2552632A (en) 2018-01-31
GB2560861B (en) 2018-12-26
GB201715899D0 (en) 2017-11-15
GB201811133D0 (en) 2018-08-22
GB2565734B (en) 2019-05-29
GB2560861B8 (en) 2019-02-06
GB201804873D0 (en) 2018-05-09
WO2016038397A1 (en) 2016-03-17
GB2560861A8 (en) 2019-02-06
GB2558811B (en) 2019-03-27
GB201811123D0 (en) 2018-08-22
GB2545621B8 (en) 2021-11-03
GB2565734A (en) 2019-02-20
GB201705948D0 (en) 2017-05-31
GB201804902D0 (en) 2018-05-09
GB2558812A (en) 2018-07-18
GB2552632B (en) 2018-05-09
GB2565735A (en) 2019-02-20
GB2545621B (en) 2018-03-28
GB201820350D0 (en) 2019-01-30
GB2564589A (en) 2019-01-16
GB2558811A (en) 2018-07-18
GB201815249D0 (en) 2018-10-31
GB2552632B8 (en) 2021-11-03
GB2560861A (en) 2018-09-26
GB2563340B (en) 2019-07-03
GB2558812B (en) 2019-03-27
GB2564589B (en) 2019-07-03
GB2558812A8 (en) 2018-09-05
GB2565735B (en) 2019-05-29
GB201820349D0 (en) 2019-01-30
GB2563340A (en) 2018-12-12

Similar Documents

Publication Publication Date Title
GB2563340A8 (en) Labeling computing objects for improved threat detection
PH12020550701A1 (en) Asset management method and apparatus, and electronic device
WO2015112275A3 (en) Determing data associated with proximate computing devices
PH12019501311A1 (en) Blockchain-based commodity claim method and apparatus, and electronic device
BR112019003706A8 (en) DATA PROCESSING METHOD AND DATA PROCESSING APPARATUS
SG10201901732UA (en) Sensitive information processing method, device, server and security determination system
MX369426B (en) Image processing apparatus and image processing method.
EP4242892A3 (en) Code pointer authentication for hardware flow control
GB2499519B (en) User presence detection and event discovery
BR112017017222A2 (en) environmental scenario condition detection
WO2015127472A3 (en) Systems and methods for malware detection and mitigation
JP2017520824A5 (en)
IL226747B (en) System and method for malware detection learning
MX2018002741A (en) Method and apparatus for determining volumetric data of a predetermined anatomical feature.
MX2016013222A (en) Fault handling method, device and system based on network function virtualization.
MX2015011167A (en) Apparatus and method for processing multiple open apis.
MX343875B (en) Method and system for determining image similarity.
NO20171576A1 (en) Enhancing oilfield operations with cognitive computing
SG11201804033RA (en) Information recommendation method and apparatus
IN2013CH06086A (en)
SG10201810036QA (en) Processing queries containing a union-type operation
PH12016500612A1 (en) Relevance based visual media item modification
MY186664A (en) Multimedia file management method, electronic device, and graphical user interface
MX2017015263A (en) Security check system and method.
MY200899A (en) Permission Management And Resource Control Method And Apparatus