GB2589988A - Locally securing endpoints in an enterprise network using remote network resources - Google Patents

Info

Publication number
GB2589988A
Authority
GB
United Kingdom
Prior art keywords
state
hooking
endpoint
security agent
hook
Legal status
Granted
Application number
GB2018976.7A
Other versions
GB202018976D0 (en)
GB2589988B (en)
Inventor
Robert Tyndale Watkiss Neil
Marcus Kenning Emile
David Harris Mark
Current Assignee
Sophos Ltd
Original Assignee
Sophos Ltd
Priority date
2018-05-03
Filing date
2019-04-30
Publication date
2021-06-16
2018-05-03 Priority claimed from US15/970,814 (US10594717B2)
2018-05-03 Priority claimed from US15/970,825 (US10728269B2)
2019-04-30 Application filed by Sophos Ltd
2021-01-13 Publication of GB202018976D0
2021-06-16 Publication of GB2589988A
2021-12-01 Application granted; publication of GB2589988B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A variety of techniques are employed to locally secure endpoints in the context of an enterprise network and remote network resources. For example, a threat management facility that remotely stores global reputation information for network content can be used in combination with a recognition engine such as a machine learning classifier that is locally deployed on endpoints within an enterprise network. Additionally, or alternatively, a security agent conditionally hooks a process for malware monitoring based on a persistent hook state for the process that may be stored, for example, in a process cache. When a process launches in a backoff state indicating that the process previously crashed after hooking, the security agent may further conditionally hook the process based on a reputation of the process or any other relevant contextual information.
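The first technique in the abstract, a local classifier whose risk estimate sets how long the endpoint waits for the remote threat management facility before falling back to a local rule, as an added example in Python. This is not Sophos code and not the patent's own implementation: the hand-weighted scorer stands in for the trained classifier, the threat management facility is a constructed stub that sleeps to simulate latency, and the window bounds, feature weights, thresholds, TLD list and sample URLs are all assumptions.

```python
"""Risk-dependent timeout for a remote URL-reputation lookup.

Added example, not Sophos code.  Assumptions: the window bounds, the
feature weights and thresholds in url_risk/local_default_rule, the TLD
list, and the constructed remote stub and sample URLs.
"""
from __future__ import annotations

import re
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FuturesTimeout
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    ALLOW = "allow"   # hand the content to the browser
    SCAN = "scan"     # fetch, but scan the body for malware before release
    BLOCK = "block"   # refuse the request


# Assumed policy knobs: the wait for the remote verdict grows with local risk,
# so a likely-benign URL never stalls the browser and a likely-bad one gets
# the authoritative answer before anything is fetched.
MIN_WINDOW_S = 0.05
MAX_WINDOW_S = 1.5
SUSPICIOUS_TLDS = {"zip", "xyz", "top", "tk"}   # assumed, illustrative only


def url_risk(url: str) -> float:
    """Stand-in for the on-endpoint classifier: a score in [0, 1].

    A real agent would load a trained model; these features and integer
    weights are assumptions chosen only to make the example run offline.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    points = 0
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        points += 50                    # raw IP literal instead of a hostname
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        points += 20
    if host.count("-") >= 3 or len(host) > 40:
        points += 15                    # long, hyphen-laden hosts typical of phishing kits
    if parts.scheme != "https":
        points += 10
    if re.search(r"\.(exe|scr|hta|js)$", parts.path, re.I):
        points += 20                    # direct download of an executable type
    return min(points, 100) / 100


def timeout_for_risk(risk: float) -> float:
    """The window of limited duration, derived from the local risk estimate."""
    risk = min(max(risk, 0.0), 1.0)
    return MIN_WINDOW_S + risk * (MAX_WINDOW_S - MIN_WINDOW_S)


def local_default_rule(risk: float) -> Action:
    """Fallback applied when the remote verdict misses the window: fail closed."""
    if risk >= 0.8:
        return Action.BLOCK
    if risk >= 0.3:
        return Action.SCAN
    return Action.ALLOW


def decide(url: str, lookup, classifier=url_risk) -> tuple[Action, str]:
    """Return (action, source) for a browser request.

    `lookup(url, risk)` is the remote threat management facility; the risk
    value travels with the request so the facility can prioritise it.
    `source` records which path produced the decision.
    """
    risk = classifier(url)
    window = timeout_for_risk(risk)
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(lookup, url, risk)
    try:
        verdict = future.result(timeout=window)
    except FuturesTimeout:
        pool.shutdown(wait=False)       # don't wait for the straggler; its answer is discarded
        return local_default_rule(risk), "local-default"
    pool.shutdown(wait=False)
    return verdict, "remote"


def make_remote(verdicts: dict, latency_s: float):
    """Constructed stand-in for the threat management facility."""
    def lookup(url: str, risk: float) -> Action:
        time.sleep(latency_s)
        return verdicts.get(url, Action.ALLOW)
    return lookup


if __name__ == "__main__":
    remote = make_remote({"http://203.0.113.5/update.exe": Action.BLOCK}, latency_s=0.3)
    for u in ("https://www.example.com/index.html", "http://203.0.113.5/update.exe"):
        print(u, url_risk(u), decide(u, remote))
```

Two points matter when deploying a policy like this. The fallback must fail closed for high-risk URLs, because anyone who can add latency to the facility (or just cut the endpoint off from it) forces the local rule; in the example a late "allow" for the executable download still ends in a block. And a verdict that arrives after the window is worth caching for the next request rather than discarding, which the stub above does not do.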

Claims (41)

1. A computer program product comprising computer executable code that, when executing on an endpoint, performs the steps of: intercepting a request for content from a browser executing on an endpoint, the request including a Uniform Resource Locator that identifies a recipient for the request on a data network; applying a machine learning classifier locally on the endpoint to estimate a risk associated with the Uniform Resource Locator; transmitting a lookup request for the Uniform Resource Locator from the endpoint to a remote threat management facility; determining a timeout for a response from the remote threat management facility to the lookup request based on the risk determined by the machine learning classifier, the timeout providing a window of limited duration for receiving the response at the endpoint; when the response is received within the window provided by the timeout, processing the request for content according to the response from the remote threat management facility; and when the response is not received within the window provided by the timeout, processing the request for content using a default local rule on the endpoint.
2. The computer program product of claim 1 wherein processing the request for content includes blocking retrieval of the content.
3. The computer program product of any preceding claim wherein processing the request for content includes scanning the content for malware.
4. The computer program product of any preceding claim wherein processing the request for content includes executing the content.
5. A method comprising: monitoring network communications of an endpoint with a resource identified by a network address; applying a recognition engine locally on the endpoint to estimate a risk associated with the network communications; and modifying a security parameter on the endpoint in response to the risk associated with the network communications.
6. The method of claim 5 wherein the risk includes a threat level.
7. The method of claim 5 or 6 wherein the risk includes a malware presence.
8. The method of any of claims 5 to 7 wherein the risk includes a reputation of the network address.
9. The method of any of claims 5 to 8 wherein the network address includes an Internet Protocol address.
10. The method of any of claims 5 to 9 wherein the network address includes a Uniform Resource Locator.
11. The method of any of claims 5 to 10 wherein the network communications include a request for content from the network address.
12. The method of any of claims 5 to 11 wherein modifying the security parameter includes modifying a timeout for a remote request to a threat management facility for information about the network address.
13. The method of any of claims 5 to 12 wherein the network communications include content retrieved from the network address.
14. The method of claim 13 wherein modifying the security parameter includes modifying at least one of a data rate of retrieval of the content, an amount of the content to scan for malware, and a security policy for the endpoint.
15. The method of claim 13 wherein modifying the security parameter includes at least one of selecting a sandbox to execute the content, specifying a scanning aggressiveness, and modifying a handling of the content.
16. The method of any of claims 5 to 15 wherein the recognition engine includes a machine learning classifier.
17. A system comprising: an endpoint security agent executing on an endpoint in an enterprise network, the endpoint security agent including a recognition engine for evaluating riskiness of a network address, and the endpoint security agent configured to determine a risk value for network communications of the endpoint containing the network address using the recognition engine, and to transmit the risk value and a security request for the network address to a remote resource for evaluation; and a threat management facility for the enterprise network, the threat management facility coupled in a communicating relationship with the endpoint and the threat management facility configured to respond to the security request based on the risk value.
18. The system of claim 17 wherein the threat management facility is configured to prioritize a response to the endpoint relative to one or more other requests from one or more other endpoints based upon the risk value.
19. The system of any of claims 17 to 18 wherein the network communications include content retrieved from the network address, and wherein the threat management facility adjusts a scanning of the content based on the risk value.
20. The system of claim 19 wherein the threat management facility is configured to adjust the scanning by adjusting an amount of the content that is scanned.
21. The system of claim 19 wherein the threat management facility is configured to adjust the scanning by adjusting a size of a library used to identify malware.
22. A computer program product comprising computer executable code that, when executing on one or more computing devices, performs the steps of: executing a security agent on an endpoint, the security agent including at least one antimalware component configured to hook and monitor processes executing on the endpoint for malware; detecting a launch of a process on the endpoint; checking a process cache on the endpoint for a hooking state for the process, the hooking state identifying a hooking behavior for the security agent into the process; when the process cache identifies the hooking state, conditionally hooking the process with the security agent according to the hooking state; when the process cache does not identify the hooking state, setting the hooking state in the process cache to a backoff state, and: if the process executes without crashing within a predetermined interval determined by the backoff state, then hooking the process with the security agent, and if the process crashes within the predetermined interval, upon detecting the backoff state in the process cache, setting the hooking state to a no hook state in order to prevent further attempts to hook the process with the security agent.
23. The computer program product of claim 22 further comprising, if the process crashes within the predetermined interval, setting the hooking state to the no hook state only if the process has a high reputation.
24. The computer program product of claim 22 or 23 wherein the hooking state is one of no state, the no hook state, the backoff state, and a hook state.
25. The computer program product of claim 24 wherein the no hook state indicates that the process should not be hooked by the security agent.
26. The computer program product of claim 24 wherein the hook state indicates that the process should be hooked by the security agent.
27. The computer program product of claim 24 wherein the backoff state indicates that the process is being monitored for proper execution after hooking with the security agent.
28. The computer program product of any of claims 22 to 27 wherein the process cache is a cryptographically secure cache stored in a kernel for the endpoint.
29. A method comprising: executing a security agent on an endpoint; detecting a launch of a process on the endpoint; determining a hooking state for the process that identifies a hooking behavior for the security agent into the process; if a hooking state is determined, conditionally hooking the process with the security agent according to the hooking state; if no hooking state is determined performing the steps of: hooking the process with the security agent; setting the hooking state to a backoff state; waiting a predetermined interval; and setting the hooking state to a hook state.
30. The method of claim 29 further comprising, if the process recovers from a crash in the backoff state, conditionally setting the backoff state to no hook only if the process has a high reputation.
31. The method of claim 29 or 30 further comprising, if the process recovers from a crash in the backoff state, evaluating a reputation of the process to determine whether the process can be safely executed with hooking by the security agent.
32. The method of claim 31 wherein evaluating the reputation of the process includes retrieving reputation information for the process from a remote threat management facility.
33. The method of any of claims 29 to 32 wherein the hooking state is at least one of no state, the backoff state, the hook state, and a no hook state.
34. The method of claim 29 wherein conditionally hooking the process includes hooking the process with the security agent when the hooking state is the hook state.
35. The method of claim 29 wherein conditionally hooking the process includes not hooking the process with the security agent when the hooking state is a no hook state.
36. The method of claim 29 wherein determining the hooking state includes looking up the hooking state for the process in a process cache.
37. The method of claim 36 wherein looking up the hooking state includes retrieving the hooking state from the process cache based on a hash of the process.
38. The method of claim 36 further comprising storing the process cache in a kernel for the endpoint.
39. The method of claim 38 further comprising cryptographically securing the process cache.
40. The method of claim 39 wherein the security agent includes an antimalware program configured to hook a number of processes executing on the endpoint and monitor the number of processes for malicious activity.
41. An endpoint comprising: a processor; a memory; a process cache stored in the memory; a process executing on the processor based on instructions in the memory; and a security agent executing on the processor based on instructions in the memory, the security agent configured to hook the process with the security agent when the process launches with a hook state in the process cache, to not hook the process with the security agent when the process launches with a no hook state in the process cache, and to conditionally hook the process based on a reputation of the process when the process launches with a backoff state in the process cache.
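The hook-state machine of claims 22 to 41, as an added example in Python rather than the kernel-mode agent the patent describes; this is not Sophos code. Assumptions: the 30-second observation window, an HMAC key standing in for the kernel's protection of the process cache, a reputation source modelled as a callable returning "high", "low" or "unknown", and constructed process images in place of real executables.

```python
"""Conditional hooking with a persistent, integrity-protected process cache.

Added example, not Sophos code.  Assumptions: the 30 s window, the HMAC key
standing in for the kernel's protection of the cache, and the reputation
callable supplied by the caller.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from enum import Enum


class HookState(str, Enum):
    HOOK = "hook"          # hook on every launch
    NO_HOOK = "no_hook"    # never hook: hooking crashed a well-reputed process
    BACKOFF = "backoff"    # hooked, watching for a crash inside the window


BACKOFF_INTERVAL_S = 30.0   # assumed observation window


class ProcessCache:
    """image hash -> HookState, serialised with an HMAC tag (claims 28 and 39)."""

    def __init__(self, key: bytes, entries: dict[str, str] | None = None):
        self._key = key
        self._entries: dict[str, str] = dict(entries or {})

    def get(self, image_hash: str) -> HookState | None:
        value = self._entries.get(image_hash)
        return HookState(value) if value is not None else None

    def set(self, image_hash: str, state: HookState) -> None:
        self._entries[image_hash] = state.value

    def serialize(self) -> bytes:
        body = json.dumps(self._entries, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return body + b"\n" + tag

    @classmethod
    def deserialize(cls, key: bytes, blob: bytes) -> ProcessCache:
        body, _, tag = blob.rpartition(b"\n")
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("process cache integrity check failed")
        return cls(key, json.loads(body))


def image_hash(image: bytes) -> str:
    """Cache key: hash of the executable image (claim 37)."""
    return hashlib.sha256(image).hexdigest()


class SecurityAgent:
    def __init__(self, cache: ProcessCache, reputation, now=time.monotonic):
        self.cache = cache
        self.reputation = reputation    # image hash -> "high" | "low" | "unknown"
        self.now = now
        self._hooked: dict[int, tuple[str, float]] = {}   # pid -> (hash, hook time)

    def _hook(self, pid: int, h: str) -> bool:
        self._hooked[pid] = (h, self.now())   # a real agent injects its monitor here
        return True

    def on_launch(self, pid: int, h: str) -> bool:
        """Apply the cached state to a newly launched process; True if hooked."""
        state = self.cache.get(h)
        if state is HookState.HOOK:
            return self._hook(pid, h)
        if state is HookState.NO_HOOK:
            return False
        if state is HookState.BACKOFF:
            # Launching while still in backoff means the last hooked run crashed
            # inside the window.  Stop hooking only well-reputed software, where
            # the crash is most likely an incompatibility; a low or unknown
            # reputation process that dies under a hook stays monitored, so malware
            # cannot earn NO_HOOK by crashing itself on purpose (claim 23).
            if self.reputation(h) == "high":
                self.cache.set(h, HookState.NO_HOOK)
                return False
            return self._hook(pid, h)
        self.cache.set(h, HookState.BACKOFF)      # no state: hook and start the window
        return self._hook(pid, h)

    def on_exit(self, pid: int, crashed: bool) -> None:
        entry = self._hooked.pop(pid, None)
        if entry is None or self.cache.get(entry[0]) is not HookState.BACKOFF:
            return
        h, hooked_at = entry
        if crashed and self.now() - hooked_at < BACKOFF_INTERVAL_S:
            return                              # leave BACKOFF for the next launch to see
        self.cache.set(h, HookState.HOOK)       # exited cleanly, or crashed only after the window

    def on_tick(self) -> None:
        """Promote still-running processes that survived the window under a hook."""
        for h, hooked_at in self._hooked.values():
            if (self.cache.get(h) is HookState.BACKOFF
                    and self.now() - hooked_at >= BACKOFF_INTERVAL_S):
                self.cache.set(h, HookState.HOOK)
```

Two caveats a practitioner will hit with the scheme as claimed. Keying the cache by image hash means an updated binary starts over in backoff, which is what you want; but a second instance of the same image launched while the first is still inside its window is indistinguishable from a relaunch after a crash, so a well-reputed program can be demoted to no hook without ever having crashed unless the cache also records whether the window elapsed. And the integrity protection only helps if the key (or, in the patent's design, the kernel) is out of reach of the processes being hooked, since an entry flipped to no hook is a permanent monitoring blind spot.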

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/970,814 US10594717B2 (en) 2018-05-03 2018-05-03 Context-dependent timeout for remote security services
US15/970,825 US10728269B2 (en) 2018-05-03 2018-05-03 Method for conditionally hooking endpoint processes with a security agent
PCT/GB2019/051191 WO2019211592A1 (en) 2018-05-03 2019-04-30 Locally securing endpoints in an enterprise network using remote network resources

Publications (3)

Publication Number Publication Date
GB202018976D0 GB202018976D0 (en) 2021-01-13
GB2589988A true GB2589988A (en) 2021-06-16
GB2589988B GB2589988B (en) 2021-12-01

Family

ID=66397260

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2018976.7A Active GB2589988B (en) 2018-05-03 2019-04-30 Locally securing endpoints in an enterprise network using remote network resources

Country Status (2)

Country Link
GB (1) GB2589988B (en)
WO (1) WO2019211592A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10728269B2 (en) 2018-05-03 2020-07-28 Sophos Limited Method for conditionally hooking endpoint processes with a security agent
US10594717B2 (en) 2018-05-03 2020-03-17 Sophos Limited Context-dependent timeout for remote security services
WO2021160499A1 (en) * 2020-02-13 2021-08-19 Telefonaktiebolaget Lm Ericsson (Publ) Security automation system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150033341A1 (en) * 2013-07-24 2015-01-29 Webroot Inc. System and method to detect threats to computer based devices and systems
US20150312267A1 (en) * 2014-04-28 2015-10-29 Sophos Limited Using reputation to avoid false malware detections
US20170324709A1 (en) * 2016-01-04 2017-11-09 Centripetal Networks, Inc. Efficient Packet Capture for Cyber Threat Analysis

Also Published As

Publication number Publication date
GB202018976D0 (en) 2021-01-13
WO2019211592A1 (en) 2019-11-07
GB2589988B (en) 2021-12-01

Similar Documents

Publication Publication Date Title
US10335738B1 (en) System and method for detecting time-bomb malware
US11277423B2 (en) Anomaly-based malicious-behavior detection
EP3502943B1 (en) Method and system for generating cognitive security intelligence for detecting and preventing malwares
US7865956B1 (en) Method and apparatus for predicting the incidence of a virus
US9251343B1 (en) Detecting bootkits resident on compromised computers
US9973531B1 (en) Shellcode detection
US10534915B2 (en) System for virtual patching security vulnerabilities in software containers
GB2588745A (en) Deferred malware scanning
US8272059B2 (en) System and method for identification and blocking of malicious code for web browser script engines
US7231637B1 (en) Security and software testing of pre-release anti-virus updates on client and transmitting the results to the server
US20160191547A1 (en) Zero-Day Rotating Guest Image Profile
US10462160B2 (en) Method and system for identifying uncorrelated suspicious events during an attack
US20160285914A1 (en) Exploit detection system
EP2701092A1 (en) Method for identifying malicious executables
CN101826139B (en) Method and device for detecting Trojan in non-executable file
US20100095379A1 (en) Method and apparatus for detecting malicious code in an information handling system
EP2860657A1 (en) Determining a security status of potentially malicious files
US11443032B2 (en) Stack pivot exploit detection and mitigation
WO2017107896A1 (en) Document protection method and device
EP3531329A1 (en) Anomaly-based-malicious-behavior detection
WO2015081791A1 (en) Method and apparatus for scanning and removing kernel-level malware
US8819655B1 (en) Systems and methods for computer program update protection
JP6714112B2 (en) Mitigating malicious behavior associated with graphical user interface elements
US10423789B2 (en) Identification of suspicious system processes