GB2592132A - Enterprise network threat detection - Google Patents

Enterprise network threat detection

Info

Publication number
GB2592132A
Authority
GB
United Kingdom
Prior art keywords
threat
endpoint
file
event stream
model
Prior art date
Legal status
Granted
Application number
GB2103617.3A
Other versions
GB202103617D0 (en)
GB2592132B (en)
Inventor
Russell Humphries
Andrew J Thomas
Joshua Daniel Saxe
Simon Neil Reed
Kenneth D Ray
Joseph H Levy
Current Assignee
Sophos Ltd
Original Assignee
Sophos Ltd
Priority date
Filing date
Publication date
Priority claimed from US 16/128,984 (US10938838B2)
Application filed by Sophos Ltd
Priority to GB2216902.3A (GB2614426B)
Publication of GB202103617D0
Publication of GB2592132A
Application granted
Publication of GB2592132B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • G06N 20/20 Ensemble learning
    • G06N 5/00 Computing arrangements using knowledge-based models
    • G06N 5/01 Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
    • G06N 5/02 Knowledge representation; Symbolic representation
    • G06N 5/022 Knowledge engineering; Knowledge acquisition
    • G06N 5/04 Inference or reasoning models
    • G06N 5/046 Forward inferencing; Production systems
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 10/00 Administration; Management
    • G06Q 10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q 10/063 Operations research, analysis or management
    • G06Q 10/0635 Risk analysis of enterprise or organisation activities
    • G06Q 10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q 10/06395 Quality analysis or management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.

Claims (140)

CLAIMS:
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: providing a training set including threat samples that are known to be safe and known to be malicious; tagging each one of the threat samples with one or more tags that identify corresponding, observed behavior; training a first machine learning model to identify malicious code in the training set based on the one or more tags; training a second machine learning model to identify malicious code in the training set based on a corresponding file path for each of the threat samples; training a third machine learning model to identify malicious code in the training set based on one or more Uniform Resource Locators contained in each of the threat samples; creating an integrative model that evaluates a probability that an unknown threat sample is malicious based on a combination of the first machine learning model, the second machine learning model and the third machine learning model; and conditionally presenting a new threat sample for human intervention when the probability calculated by the integrative model identifies the new threat sample as an intermediate threat that fails to fall within a first predetermined threshold of likely safe or within a second predetermined threshold of likely malicious.
2. The computer program product of claim 1 further comprising code that performs the step of displaying a plurality of intermediate threats, each failing to fall within the first predetermined threshold and the second predetermined threshold, in a user interface, the plurality of intermediate threats ranked according to likelihood of threat.
3. The computer program product of claim 2 wherein the plurality of intermediate threats are ranked according to a combination of likelihood of threat and estimated business value.
4. The computer program product of claim 2 wherein the user interface includes one or more controls for receiving a manual threat evaluation for one of the plurality of intermediate threats from a user.
5. A method comprising: creating an integrative model that evaluates a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample; configuring a threat management facility to identify a new threat sample as an intermediate threat when the new threat sample is not within a predetermined confidence level of safe code or malicious code according to the integrative model; and providing a user interface for presenting the new threat sample with the intermediate threat for human evaluation.
6. The method of claim 5 wherein the user interface presents the new threat sample in a list of a number of intermediate threats detected on an endpoint ranked according to a likelihood of threat.
7. The method of claim 5 wherein the user interface presents the new threat sample in a list of a number of intermediate threats detected in an enterprise network ranked according to a likelihood of threat.
8. The method of claim 7 wherein the list is ranked according to a combination of a likelihood of threat and an estimated business value of one or more files associated with each one of the number of intermediate threats.
9. The method of claim 5 wherein the first model includes a machine learning model trained to identify code with malicious behavior using a training set including threat samples that are known to be safe and known to be malicious.
10. The method of claim 5 wherein the second model includes a machine learning model trained to identify potentially malicious code based on a file path using a training set including threat samples that are known to be safe and known to be malicious.
11. The method of claim 5 wherein the third model includes a machine learning model trained to identify potentially malicious code based on a Uniform Resource Locator associated with the threat sample using a training set including threat samples that are known to be safe and known to be malicious.
12. The method of claim 5 wherein the integrative model evaluates the potential threat based at least in part on a context for the threat sample.
13. The method of claim 12 wherein the context includes a reputation for the threat sample.
14. The method of claim 12 wherein the context includes a user executing a process associated with the threat sample.
15. The method of claim 12 wherein the context includes one or more files accessed by the threat sample.
16. The method of claim 5 wherein the user interface includes one or more tools for remediating a threat associated with the threat sample.
17. The method of claim 5 wherein the user interface includes one or more tools for receiving a user evaluation of the threat sample.
18. A system comprising: a memory storing an integrative model configured to evaluate a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample; a threat management facility configured to apply the integrative model to a new threat sample and to identify a new threat sample as an intermediate threat; and a web server configured to display the intermediate threat in a user interface on an endpoint for evaluation.
19. The system of claim 18 wherein the web server is configured to present additional contextual information for the intermediate threat to a user through the user interface.
20. The system of claim 18 wherein the web server is configured to receive an evaluation of the intermediate threat from a user through the user interface.
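Worked example, added to this page and not part of the patent or of any Sophos code: the integrative model of claims 1-8 in Python. Three token-level naive Bayes scorers stand in for the claims' unspecified machine learning models over behaviour tags, executable path and contained URLs; their log-odds are averaged into a single probability, and a sample that clears neither the likely-safe nor the likely-malicious threshold is held for human review. The 0.2 and 0.8 thresholds, the equal weighting of the three scorers, the class and function names and every training and candidate sample are constructed for the illustration.

```python
"""Integrative triage in the shape of claims 1-8: three scorers (behaviour tags,
executable path, embedded URLs) are combined into one probability, and two
thresholds route anything in between to a human-review queue. Added illustration,
not Sophos code; the naive Bayes scorers stand in for the claims' unspecified models."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    tags: list[str]              # observed behaviours (the claims' tags)
    path: str                    # executable file path
    urls: list[str]              # URLs contained in the sample
    business_value: float = 1.0  # ranking weight (claims 3 and 8)
    label: bool | None = None    # True = malicious, False = safe, None = unknown


def path_tokens(path: str) -> list[str]:
    return [t.lower() for t in re.split(r"[\\/:._\- ]+", path) if t]


def url_tokens(urls: list[str]) -> list[str]:
    return [t.lower() for u in urls for t in re.split(r"[:/.?=&\-]+", u) if t]


class TokenScorer:
    """Bernoulli naive Bayes over token presence, add-one smoothed; log_odds() > 0 favours malicious."""
    def __init__(self) -> None:
        self.mal, self.safe = Counter(), Counter()
        self.n_mal = self.n_safe = 0

    def fit(self, docs: list[list[str]], labels: list[bool]) -> TokenScorer:
        for toks, malicious in zip(docs, labels):
            (self.mal if malicious else self.safe).update(set(toks))
            self.n_mal += malicious
            self.n_safe += not malicious
        return self

    def log_odds(self, toks: list[str]) -> float:
        lo = math.log((self.n_mal + 1) / (self.n_safe + 1))
        for t in set(toks):
            lo += math.log(((self.mal[t] + 1) / (self.n_mal + 2)) / ((self.safe[t] + 1) / (self.n_safe + 2)))
        return lo


class IntegrativeModel:
    def __init__(self, safe_below: float = 0.2, malicious_above: float = 0.8) -> None:
        self.tags, self.path, self.url = TokenScorer(), TokenScorer(), TokenScorer()
        self.safe_below, self.malicious_above = safe_below, malicious_above

    def fit(self, training: list[Sample]) -> IntegrativeModel:
        y = [bool(s.label) for s in training]
        self.tags.fit([s.tags for s in training], y)
        self.path.fit([path_tokens(s.path) for s in training], y)
        self.url.fit([url_tokens(s.urls) for s in training], y)
        return self

    def probability(self, s: Sample) -> float:
        # Combination: mean log-odds of the three sub-models, squashed to (0, 1).
        lo = (self.tags.log_odds(s.tags) + self.path.log_odds(path_tokens(s.path))
              + self.url.log_odds(url_tokens(s.urls))) / 3
        return 1 / (1 + math.exp(-lo))

    def classify(self, s: Sample) -> tuple[str, float]:
        p = self.probability(s)
        if p < self.safe_below:
            return "likely_safe", p
        if p > self.malicious_above:
            return "likely_malicious", p
        return "intermediate", p  # neither threshold met: present for human intervention


def triage_queue(model: IntegrativeModel, samples: list[Sample]) -> list[tuple[str, float, float]]:
    """Intermediate threats only, ranked by likelihood x business value (claim 3)."""
    rows = []
    for s in samples:
        verdict, p = model.classify(s)
        if verdict == "intermediate":
            rows.append((s.name, round(p, 3), round(p * s.business_value, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed training set (four known-malicious, four known-safe) and four unknowns.
TRAINING = [
    Sample("m1", ["persist_registry", "inject_process"], r"C:\Users\bob\AppData\Local\Temp\update.exe", ["http://198.51.100.7/gate.php"], label=True),
    Sample("m2", ["inject_process", "encrypt_files"], r"C:\Users\alice\AppData\Roaming\svchost.exe", ["http://203.0.113.9/gate.php"], label=True),
    Sample("m3", ["persist_registry", "encrypt_files"], r"C:\Users\carol\Downloads\invoice.pdf.exe", ["http://198.51.100.7/cmd"], label=True),
    Sample("m4", ["inject_process", "disable_av"], r"C:\ProgramData\tmp\loader.exe", ["http://203.0.113.9/cmd"], label=True),
    Sample("s1", ["read_config"], r"C:\Program Files\Vendor\app.exe", ["https://update.vendor.example/check"], label=False),
    Sample("s2", ["read_config", "network_listen"], r"C:\Program Files\Vendor\svc.exe", ["https://telemetry.vendor.example/v1"], label=False),
    Sample("s3", ["write_log"], r"C:\Windows\System32\svchost.exe", [], label=False),
    Sample("s4", ["write_log", "read_config"], r"C:\Program Files\Other\tool.exe", ["https://docs.other.example/"], label=False),
]
CANDIDATES = [
    Sample("temp-dropper", ["inject_process", "encrypt_files"], r"C:\Users\dave\AppData\Local\Temp\payload.exe", ["http://198.51.100.7/gate.php"]),
    Sample("vendor-helper", ["read_config", "write_log"], r"C:\Program Files\Vendor\helper.exe", ["https://cdn.vendor.example/manifest"]),
    Sample("user-download", ["inject_process", "read_config"], r"C:\Users\erin\Downloads\setup.exe", ["https://files.other.example/setup"]),
    Sample("vendor-agent", ["persist_registry"], r"C:\ProgramData\Vendor\agent.exe", ["http://cdn.other.example/agent"], business_value=0.5),
]


def demo() -> dict[str, tuple[str, float]]:
    """Verdict and probability for each constructed candidate."""
    model = IntegrativeModel().fit(TRAINING)
    return {s.name: model.classify(s) for s in CANDIDATES}
```

Run demo() and two of the four unknowns land in the review queue. On likelihood alone the vendor-agent sample ranks above the user-download sample, but the lower business value attached to it reverses the order, which is the combined ranking of claims 3 and 8. A real deployment would set the two thresholds from the false-positive and false-negative cost it can bear, not at the 0.2 and 0.8 used here.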
21. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: providing a model for evaluating a likelihood that a threat sample is at least one of safe or malicious based on a training set of known threat samples; identifying a new threat sample as an intermediate threat that is not within a predetermined likelihood of being malicious or safe according to the model; identifying one or more relevant features of the new threat sample associated with an inference of malicious code using a random forest over human-interpretable features of the training set of known threat samples; identifying similar threat samples including one or more safe threat samples similar to the new threat sample and one or more malicious threat samples similar to the new threat sample based on a k-nearest neighbor algorithm; presenting a description of the new threat sample, the one or more relevant features, and the similar threat samples in a user interface; and receiving user input through the user interface categorizing the new threat sample as safe, unsafe, or undetermined.
22. The computer program product of claim 21 wherein the similar threat samples include a list of safe threat samples ranked based on similarity to the new threat sample according to the k-nearest neighbor algorithm.
23. The computer program product of claim 21 wherein the similar threat samples include a list of malicious threat samples ranked based on similarity to the new threat sample according to the k-nearest neighbor algorithm.
24. The computer program product of claim 21 wherein the model includes an integrative model that evaluates a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample.
25. A method comprising: providing a model for evaluating a likelihood that a threat sample is at least one of safe or malicious based on a training set of known threat samples; identifying a new threat sample as an intermediate threat that is not within a predetermined likelihood of being malicious or safe according to the model; identifying supplemental information relevant to evaluation of the new threat sample, the supplemental information including relevant features of the new threat sample contributing to an inference of malicious code; and augmenting a description of the new threat sample in a user interface with the supplemental information, the user interface configured to receive a user input categorizing the new threat sample as safe, unsafe or undetermined.
26. The method of claim 25 wherein the model includes an integrative model that evaluates a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample.
27. The method of claim 26 wherein providing the model includes training a machine learning model to identify malicious code in a training set including threat samples that are known to be safe and known to be malicious.
28. The method of claim 25 wherein identifying supplemental information includes identifying one or more features using a random forest over human-interpretable features associated with an inference of malicious code.
29. The method of claim 25 wherein identifying supplemental information includes identifying similar threat samples known to be safe or malicious.
30. The method of claim 29 wherein identifying similar threat samples includes identifying one or more safe threat samples most similar to the new threat sample based on a k-nearest neighbor algorithm.
31. The method of claim 29 wherein identifying similar threat samples includes identifying one or more malicious threat samples most similar to the new threat sample based on a k-nearest neighbor algorithm.
32. The method of claim 29 further comprising displaying a list of the similar threat samples ranked according to similarity to the new threat sample.
33. The method of claim 29 further comprising augmenting the description of the new threat sample with a reputation of the new threat sample.
34. The method of claim 29 further comprising augmenting the description of the new threat sample with a suspiciousness score based on a genetic analysis of features of the new threat sample.
35. The method of claim 29 further comprising augmenting the description of the new threat sample with contextual information.
36. The method of claim 25 further comprising receiving a user input through the user interface characterizing the new threat sample as safe, unsafe or undetermined.
37. The method of claim 25 wherein the user interface is further configured to receive user input to adjust filtering of an event stream from an endpoint that provided the new threat sample.
38. A system comprising: a memory storing a first model for evaluating a likelihood that a threat sample is at least one of safe or malicious, a second model characterizing a manner in which a number of human-interpretable features contribute to an evaluation of suspiciousness of a file, and a third model for evaluating similarity of threat samples; and a threat management facility including a processor configured to apply the first model to identify a new threat sample as an intermediate threat when the new threat sample is not within a predetermined likelihood of being malicious or safe according to the first model; and a web server configured to present a user interface including a description of the intermediate threat, augmented by one or more features of the intermediate threat identified with the second model and one or more similar threat samples identified with the third model, the web server further configured to receive input from a user through the user interface disposing of the intermediate threat.
39. The system of claim 38 wherein disposing of the intermediate threat includes remediating the intermediate threat.
40. The system of claim 38 wherein disposing of the intermediate threat includes characterizing the intermediate threat as safe, unsafe or undetermined.
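Worked example, added here and not part of the patent or of any Sophos code: the supplemental information of claims 21-40 in Python. A small random forest over eight human-interpretable feature flags (written out rather than imported, so nothing beyond the standard library is needed) ranks the features the sample exhibits by mean decrease in impurity, and a k-nearest-neighbour step over Jaccard similarity returns the two most similar known-safe and known-malicious samples. The feature names, the labelled corpus, the unknown sample, the forest parameters and the function names are all constructed; the step that records the reviewer's safe / unsafe / undetermined input is not shown.

```python
"""Context for an intermediate threat in the shape of claims 21-40: a random forest
over human-interpretable features reports which of the sample's features carry
weight, and a k-nearest-neighbour lookup lists the most similar known-safe and
known-malicious samples. Added illustration, not Sophos code; all samples constructed."""
from __future__ import annotations

import random
from collections import defaultdict

FEATURES = ["writes_run_key", "injects_into_process", "spawns_cmd", "deletes_shadow_copies",
            "signed_by_known_vendor", "reads_own_config", "listens_on_port", "writes_log_file"]
# Constructed labelled corpus: (name, features exhibited, known malicious?)
KNOWN = [
    ("dropper-a", {"writes_run_key", "injects_into_process", "spawns_cmd"}, True),
    ("ransom-b", {"deletes_shadow_copies", "injects_into_process", "writes_run_key"}, True),
    ("loader-c", {"injects_into_process", "spawns_cmd", "reads_own_config"}, True),
    ("wiper-d", {"deletes_shadow_copies", "spawns_cmd", "writes_run_key", "writes_log_file"}, True),
    ("backup-svc", {"signed_by_known_vendor", "reads_own_config", "writes_log_file", "deletes_shadow_copies"}, False),
    ("updater", {"signed_by_known_vendor", "reads_own_config", "writes_run_key"}, False),
    ("web-server", {"signed_by_known_vendor", "listens_on_port", "writes_log_file"}, False),
    ("cli-tool", {"reads_own_config", "spawns_cmd", "writes_log_file"}, False),
]
# Constructed intermediate threat: vendor-signed, yet it persists and spawns a shell.
UNKNOWN = {"writes_run_key", "spawns_cmd", "signed_by_known_vendor", "reads_own_config"}


def vectorize(feats: set[str]) -> list[int]:
    return [int(f in feats) for f in FEATURES]


def gini(y: list[bool]) -> float:
    p = sum(y) / len(y)
    return 2 * p * (1 - p)


def grow_tree(X, y, rng, depth, n_feats, importance):
    """Depth-limited tree on binary features; leaves hold the malicious fraction and
    every split adds its weighted Gini decrease to `importance` (mean decrease in impurity)."""
    if depth == 0 or len(set(y)) < 2:
        return sum(y) / len(y)
    best = None
    for f in rng.sample(range(len(FEATURES)), n_feats):  # random feature subset per node
        left = [i for i, x in enumerate(X) if x[f]]
        right = [i for i, x in enumerate(X) if not x[f]]
        if not left or not right:
            continue
        gain = gini(y) - (len(left) * gini([y[i] for i in left])
                          + len(right) * gini([y[i] for i in right])) / len(y)
        if best is None or gain > best[0]:
            best = (gain, f, left, right)
    if best is None:
        return sum(y) / len(y)
    gain, f, left, right = best
    importance[FEATURES[f]] += gain * len(y)

    def sub(idx):
        return grow_tree([X[i] for i in idx], [y[i] for i in idx], rng, depth - 1, n_feats, importance)
    return (f, sub(left), sub(right))


class RandomForest:
    def __init__(self, n_trees=200, depth=2, n_feats=3, seed=7):
        self.rng, self.n_trees, self.depth, self.n_feats = random.Random(seed), n_trees, depth, n_feats
        self.trees, self.importance = [], defaultdict(float)

    def fit(self, X, y):
        for _ in range(self.n_trees):
            idx = [self.rng.randrange(len(X)) for _ in X]  # bootstrap sample
            self.trees.append(grow_tree([X[i] for i in idx], [y[i] for i in idx],
                                        self.rng, self.depth, self.n_feats, self.importance))
        return self

    def predict_proba(self, x):
        total = 0.0
        for node in self.trees:
            while isinstance(node, tuple):  # descend to a leaf
                f, left, right = node
                node = left if x[f] else right
            total += node
        return total / len(self.trees)


def build_forest() -> RandomForest:
    return RandomForest().fit([vectorize(f) for _, f, _ in KNOWN], [m for _, _, m in KNOWN])


def top_feature(forest: RandomForest) -> str:
    return max(FEATURES, key=lambda f: forest.importance[f])


def jaccard(a: set[str], b: set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def nearest(sample: set[str], malicious: bool, k: int = 2) -> list[tuple[str, float]]:
    """k most similar known samples of one class; sorted() is stable, so ties keep corpus order."""
    pool = [(n, f) for n, f, m in KNOWN if m == malicious]
    ranked = sorted(pool, key=lambda nf: -jaccard(sample, nf[1]))
    return [(n, round(jaccard(sample, f), 2)) for n, f in ranked[:k]]


def explain(sample: set[str], forest: RandomForest) -> dict:
    """What the review UI shows beside the sample's description (claim 21)."""
    return {"probability": round(forest.predict_proba(vectorize(sample)), 3),
            "relevant_features": sorted(sample, key=lambda f: -forest.importance[f])[:3],
            "similar_safe": nearest(sample, False),
            "similar_malicious": nearest(sample, True)}
```

The unknown sample is deliberately ambiguous: it carries a known vendor's signature like the safe samples but persists through a Run key and spawns a shell like the malicious ones. Its nearest safe neighbour is the updater, its nearest malicious ones the dropper and the loader, and the signature is the highest-weighted of its own features; that is the context a reviewer needs to decide an intermediate case the model could not.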
41. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: instrumenting an endpoint with a local agent to detect a plurality of types of changes to a plurality of computing objects; creating an event stream from the local agent including each type of change to each of the plurality of computing objects detected on the endpoint; storing the event stream in a data recorder on the endpoint; processing the event stream with a filter at the endpoint to provide a filtered event stream including a subset of the types of changes to a subset of the plurality of computing objects; transmitting the filtered event stream to a threat management facility; processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and in response to a predetermined security state detected by the threat management facility, transmitting an adjustment to the endpoint for at least one of the types of changes or computing objects used by the filter to process the event stream.
42. The computer program product of claim 41 wherein the plurality of computing objects includes a number of files.
43. The computer program product of claim 41 wherein the plurality of computing objects includes a number of processes.
44. The computer program product of claim 41 wherein the plurality of computing objects includes a number of executables.
45. The computer program product of claim 41 wherein the plurality of computing objects includes at least one of an electronic communication, a registry of system settings, and a secure kernel cache.
46. A method comprising: receiving a filtered event stream from an endpoint at a threat management facility for an enterprise network, the filtered event stream including a subset of types of changes to a subset of computing objects from a plurality of types of changes to a plurality of computing objects monitored by a data recorder on the endpoint; processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and in response to a predetermined change in the security state of the endpoint, transmitting an adjustment to a filter used by the endpoint to select which of the plurality of types of changes to the plurality of computing objects the data recorder reports in the filtered event stream.
47. The method of claim 46 wherein the subset of computing objects includes one or more of a file, an executable, a process, a database, and a message.
48. The method of claim 46 wherein the types of changes include at least one of a file read, a file write, a file copy, a file encrypt, a file decrypt, a network communication, a registry update, a software installation, a change in permissions, and a query to a remote resource.
49. The method of claim 46 further comprising correlating the filtered event stream to a malware event on the endpoint and searching for the malware event on one or more other endpoints coupled to the enterprise network based on a pattern of events in the filtered event stream.
50. The method of claim 46 further comprising storing the filtered event stream at the threat management facility.
51. The method of claim 46 further comprising storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including additional ones of the plurality of types of changes to the plurality of computing objects.
52. The method of claim 46 further comprising storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including one or more of the plurality of types of changes to additional ones of the plurality of computing objects.
53. The method of claim 46 wherein processing the filtered event stream includes searching for potential malicious activity on the endpoint.
54. The method of claim 46 wherein processing the filtered event stream includes searching for a security exposure on the endpoint.
55. The method of claim 46 further comprising, when the filtered event stream shows that the security state of the endpoint is compromised, initiating a remedial action.
56. The method of claim 46 wherein processing the filtered event stream includes securely verifying a status of the endpoint.
57. The method of claim 46 wherein the adjustment includes a change to the subset of types of changes included in the filtered event stream.
58. The method of claim 46 wherein the adjustment includes a change to the subset of computing objects included in the filtered event stream.
59. A system comprising: an endpoint executing a data recorder to store an event stream including a plurality of types of changes to a plurality of computing objects detected on the endpoint, the endpoint further executing a local agent to process the event stream with a filter into a filtered event stream including a subset of the plurality of types of changes to a subset of the plurality of computing objects, the local agent further configured to communicate the filtered event stream to a remote resource over a data network; and a threat management facility configured to receive the filtered event stream from the endpoint and to process the filtered event stream to evaluate a security state of the endpoint, the threat management facility further configured to respond to a predetermined change in the security state by transmitting an adjustment to the endpoint for at least one of the types of changes or computing objects used by the filter to process the event stream.
60. The system of claim 59 wherein the threat management facility is further configured to initiate a remediation of the endpoint when the security state of the endpoint is compromised.
61. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: instrumenting an endpoint with a local agent to detect a plurality of types of changes to a plurality of computing objects; creating an event stream with the local agent including each type of change to each type of computing object detected on the endpoint; storing the event stream in a data recorder on the endpoint; processing the event stream with a filter at the endpoint to provide a filtered event stream including a subset of the types of changes to a subset of the computing objects; transmitting the filtered event stream to a threat management facility; processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and in response to a predetermined security state detected by the threat management facility, requesting additional event data from the data recorder for at least one of other ones of the types of changes than the subset of the types of changes or other ones of the plurality of computing objects than the subset of the computing objects.
62. The computer program product of claim 61 wherein the plurality of computing objects includes a number of files.
63. The computer program product of claim 61 wherein the plurality of computing objects includes a number of processes.
64. The computer program product of claim 61 wherein the plurality of computing objects includes a number of executables.
65. The computer program product of claim 61 wherein the plurality of computing objects includes at least one of an electronic communication, a registry of system settings, and a secure kernel cache.
66. A method comprising: receiving a filtered event stream from an endpoint at a threat management facility for an enterprise network, the filtered event stream including a subset of types of changes to a subset of computing objects from a plurality of types of changes to a plurality of computing objects monitored by a data recorder on the endpoint; processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and in response to a predetermined change in the security state of the endpoint, transmitting a request from the threat management facility to the endpoint for additional event data from the data recorder.
67. The method of claim 66 wherein the subset of computing objects includes one or more of a file, an executable, a process, a database, and a message.
68. The method of claim 66 wherein the subset of types of changes include at least one of a file read, a file write, a file copy, a file encrypt, a file decrypt, a network communication, a registry update, a software installation, a change in permissions, and a query to a remote resource.
69. The method of claim 66 further comprising correlating the filtered event stream to a malware event on the endpoint and searching for the malware event on one or more other endpoints coupled to the enterprise network based on a pattern of events in the filtered event stream.
70. The method of claim 66 further comprising storing the filtered event stream at the threat management facility.
71. The method of claim 66 further comprising storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including additional ones of the plurality of types of changes to the plurality of computing objects.
72. The method of claim 66 further comprising storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including one or more of the plurality of types of changes to additional ones of the plurality of computing objects.
73. The method of claim 66 wherein processing the filtered event stream includes searching for potential malicious activity on the endpoint.
74. The method of claim 66 wherein processing the filtered event stream includes searching for a security exposure on the endpoint.
75. The method of claim 66 further comprising, when the filtered event stream shows that the security state of the endpoint is compromised, initiating a remedial action.
76. The method of claim 66 wherein processing the filtered event stream includes securely verifying a status of the endpoint.
77. The method of claim 66 wherein the request from the threat management facility includes a request for all event data in an unfiltered event stream stored by the data recorder over a predetermined time window.
78. The method of claim 66 wherein the predetermined change in the security state of the endpoint includes an increased likelihood of malicious activity associated with the endpoint.
79. A system comprising: an endpoint executing a data recorder to store an event stream of event data including a plurality of types of changes to a plurality of computing objects detected on the endpoint, the endpoint further executing a local agent configured to process the event stream with a filter into a filtered event stream including a subset of the plurality of types of changes to a subset of the plurality of computing objects, the local agent further configured to communicate the filtered event stream to a remote resource over a data network; and a threat management facility configured to receive the filtered event stream from the endpoint and to process the filtered event stream to evaluate a security state of the endpoint, the threat management facility further configured to respond to a predetermined change in the security state by transmitting a request to the endpoint for additional event data stored by the data recorder.
80. The system of claim 79 wherein the threat management facility is further configured to initiate a remediation of the endpoint when the security state of the endpoint is compromised.
81. A system comprising: an enterprise network; an endpoint coupled to the enterprise network, the endpoint having a data recorder that stores an event stream of event data for computing objects, a filter for creating a filtered event stream with a subset of event data from the event stream, and a query interface for receiving queries to the data recorder from a remote resource, the endpoint further including a local security agent configured to detect malware on the endpoint based on event data stored by the data recorder, and further configured to communicate the filtered event stream over the enterprise network; and a threat management facility coupled in a communicating relationship with the endpoint and a plurality of other endpoints through the enterprise network, the threat management facility configured to receive the filtered event stream from the endpoint, detect malware on the endpoint based on the filtered event stream, and remediate the endpoint when malware is detected, the threat management facility further configured to modify security functions within the enterprise network based on a security state of the endpoint.
82. The system of claim 81 wherein the threat management facility is configured to adjust reporting of event data through the filter in response to a change in the filtered event stream received from the endpoint.
83. The system of claim 82 wherein the threat management facility is configured to adjust reporting of event data through the filter when the filtered event stream indicates a compromised security state of the endpoint.
84. The system of claim 81 wherein the threat management facility is configured to adjust reporting of event data from one or more other endpoints in response to a change in the filtered event stream received from the endpoint.
85. The system of claim 81 wherein the threat management facility is configured to adjust reporting of event data through the filter when the filtered event stream indicates a compromised security state of the endpoint.
86. The system of claim 81 wherein the threat management facility is configured to request additional data from the data recorder when the filtered event stream indicates a compromised security state of the endpoint.
87. The system of claim 81 wherein the threat management facility is configured to request additional data from the data recorder when a security agent of the endpoint reports a security compromise independently from the filtered event stream.
88. The system of claim 81 wherein the data recorder records one or more events from a kernel driver.
89. The system of claim 81 wherein the data recorder records at least one change to a registry of system settings for the endpoint.
90. The system of claim 81 wherein the threat management facility is configured to adjust handling of network traffic at a gateway to the enterprise network in response to a predetermined change in the filtered event stream.
91. The system of claim 90 wherein the threat management facility includes a machine learning model for identifying potentially malicious activity on the endpoint based on the filtered event stream.
92. The system of claim 81 wherein the endpoint includes a server.
93. The system of claim 81 wherein the endpoint includes a firewall for the enterprise network.
94. The system of claim 81 wherein the endpoint includes a gateway for the enterprise network.
95. The system of claim 81 wherein the endpoint is coupled to the enterprise network through a virtual private network.
96. The system of claim 81 wherein the endpoint is coupled to the enterprise network through a wireless network.
97. The system of claim 81 wherein the threat management facility is configured to detect potentially malicious activity based on a plurality of filtered event streams from a plurality of endpoints.
98. The system of claim 81 wherein the endpoint is configured to periodically transmit a snapshot of aggregated, unfiltered data from the data recorder to the threat management facility for remote storage.
99. The system of claim 98 wherein the data recorder is configured to delete records in the data recorder corresponding to the snapshot in order to free memory for additional recording.
100. The system of claim 81 wherein the threat management facility is configured to detect malware on the endpoint based on the filtered event stream and additional context for the endpoint.
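Claims 66 to 100 describe an endpoint that records an unfiltered event stream locally, forwards only a filtered subset of change types to a threat management facility, and hands over the full recorded window when the facility observes a predetermined change in the endpoint's security state. The Python below is an added illustration of that loop; it is not code from the patent or from Sophos. The change types, the scoring weights, the threshold of 5, the 60-second look-back window, the host name and the sample events are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int     # seconds on the endpoint clock (assumed)
    kind: str   # type of change, e.g. "file_write", "network", "registry_update"
    obj: str    # computing object the change applies to: path, key, remote host


# Filter policy (assumed): only these change types leave the endpoint, and the
# value is the weight each one adds to the endpoint's score at the facility.
FORWARDED_KINDS = {"file_encrypt": 3, "registry_update": 2,
                   "software_install": 2, "network": 1}


class DataRecorder:
    """Bounded, unfiltered event store kept on the endpoint."""

    def __init__(self, capacity: int = 10_000) -> None:
        self._events: deque = deque(maxlen=capacity)

    def record(self, ev: Event) -> None:
        self._events.append(ev)

    def query(self, start_ts: int, end_ts: int) -> List[Event]:
        """Answer a forensic request for everything in a time window."""
        return [e for e in self._events if start_ts <= e.ts <= end_ts]

    def __len__(self) -> int:
        return len(self._events)


class ThreatManagementFacility:
    """Scores each endpoint from its filtered stream; on the first crossing of
    the threshold it asks the endpoint for the unfiltered look-back window."""

    def __init__(self, threshold: int = 5, lookback: int = 60) -> None:
        self.threshold, self.lookback = threshold, lookback
        self.scores: Dict[str, int] = {}
        self.compromised: Set[str] = set()
        self.archived: Dict[str, List[Event]] = {}   # unfiltered data pulled back

    def receive(self, endpoint_id: str, ev: Event) -> Optional[Tuple[int, int]]:
        score = self.scores.get(endpoint_id, 0) + FORWARDED_KINDS.get(ev.kind, 0)
        self.scores[endpoint_id] = score
        if score >= self.threshold and endpoint_id not in self.compromised:
            self.compromised.add(endpoint_id)       # predetermined state change
            return (ev.ts - self.lookback, ev.ts)   # request for additional data
        return None

    def archive(self, endpoint_id: str, events: List[Event]) -> None:
        self.archived.setdefault(endpoint_id, []).extend(events)


class Endpoint:
    """Local agent: records every change, forwards only the filtered subset."""

    def __init__(self, endpoint_id: str, tmf: ThreatManagementFacility) -> None:
        self.id, self.tmf = endpoint_id, tmf
        self.recorder = DataRecorder()

    def passes_filter(self, ev: Event) -> bool:
        return ev.kind in FORWARDED_KINDS

    def observe(self, ev: Event) -> None:
        self.recorder.record(ev)
        if not self.passes_filter(ev):
            return
        request = self.tmf.receive(self.id, ev)
        if request is not None:                 # facility asked for the window
            start, end = request
            self.tmf.archive(self.id, self.recorder.query(start, end))


def run_scenario() -> Tuple[ThreatManagementFacility, Endpoint]:
    """Constructed burst on one host: the read and write stay local until a
    network connection, an encryption and a Run-key change push the score to 6."""
    tmf = ThreatManagementFacility()
    host = Endpoint("host-17", tmf)
    constructed_events = [
        Event(100, "file_read", "C:/Users/j/Documents/q3.xlsx"),
        Event(101, "file_write", "C:/Users/j/Documents/q3.xlsx"),
        Event(130, "network", "203.0.113.5:443"),
        Event(131, "file_encrypt", "C:/Users/j/Documents/q3.xlsx"),
        Event(132, "registry_update", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"),
    ]
    for ev in constructed_events:
        host.observe(ev)
    return tmf, host


if __name__ == "__main__":
    tmf, host = run_scenario()
    print("compromised:", sorted(tmf.compromised), "score:", tmf.scores["host-17"])
    for ev in tmf.archived["host-17"]:
        print("  pulled", ev.ts, ev.kind, ev.obj)
```

The facility never sees the file_read or file_write events through the filter; it receives them only in the look-back window pulled after the state change, which is the bandwidth trade the claims describe. Because the recorder here is a bounded ring buffer, the window has to be requested before it is overwritten, which is the gap the periodic snapshot of claims 98 and 99 closes.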
101. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: providing a valuation model for automatically estimating a business value of a file; creating an integrative model that evaluates a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample; configuring a threat management facility to evaluate new threat samples on endpoints within an enterprise network according to the integrative model; identifying one or more intermediate threats by any of the new threat samples that are not within a predetermined confidence level of safe code or malicious code according to the integrative model; providing a user interface for presenting the one or more intermediate threats to a user for human evaluation; and ranking the one or more intermediate threats for presentation within the user interface based on a combination of a likelihood of maliciousness determined according to the integrative model and an estimated business value of associated files determined according to the valuation model.
102. The computer program product of claim 101 wherein providing the valuation model includes training a machine learning algorithm to estimate the business value based on a training set of files each having a known business value.
103. The computer program product of claim 101 wherein the valuation model estimates value based on file location.
104. The computer program product of claim 101 wherein the valuation model estimates value based on an access control list.
105. The computer program product of claim 101 wherein the valuation model estimates value based on content.
106. A method comprising: identifying one or more intermediate threats to an enterprise network with an integrative model, the one or more intermediate threats including one or more computing objects with an objective score from the integrative model that are not within a predetermined confidence level of a safe score or a malicious score; estimating a business value associated with each of the one or more intermediate threats with a valuation model; and presenting a list of the one or more intermediate threats in a user interface, the list ranked according to a combination of the objective score and the business value.
107. The method of claim 106 wherein providing the valuation model includes training a machine learning algorithm to estimate the business value based on a training set of files each having a known business value.
108. The method of claim 106 wherein the valuation model estimates value based on file location.
109. The method of claim 106 wherein the valuation model estimates value based on an access control list.
110. The method of claim 106 wherein the valuation model estimates value based on content.
111. The method of claim 106 wherein the valuation model estimates value based on one or more of encryption status, file type, file usage history, file creation date, file modification date, and file author.
112. The method of claim 106 further comprising receiving a user-initiated remedial action for one of the intermediate threats in the user interface.
113. The method of claim 106 further comprising receiving a user risk assessment for one of the intermediate threats in the user interface.
114. The method of claim 106 further comprising remediating a risk to a high business value computing object in response to a user input in the user interface.
115. The method of claim 106 wherein the integrative model evaluates a potential threat by computer objects based on one or more of file behavior, file signature, file path and Uniform Resource Locator.
116. The method of claim 106 wherein the integrative model includes one or more machine learning models trained to recognize potentially malicious code based on a training set of known safe and known unsafe threat samples.
117. The method of claim 106 wherein the one or more computing objects include at least one of a process, an executable and a file.
118. The method of claim 106 wherein the one or more computing objects include at least one of a registry of system settings and a secure kernel cache of process information.
119. A system comprising: a memory storing an integrative model and a valuation model, the integrative model configured to evaluate a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample, and the valuation model configured to estimate a business impact of the potential threat based on an estimated business value of one or more files associated with the threat sample; a threat management facility configured to apply the integrative model to new threat samples and to identify intermediate threats that are not within a predetermined likelihood of being safe or unsafe; and a web server configured to display a list of intermediate threats in a user interface, wherein the list of intermediate threats is ranked according to a combination of a first score from the integrative model and a second score from the valuation model.
120. The system of claim 119 wherein the threat management facility is configured to remediate a risk to an endpoint in response to a user input received through the user interface.
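Claims 101 to 120 combine three per-sample classifiers (behavioral tags, executable path, embedded URL) into an integrative score, treat samples whose score falls between the safe and malicious confidence bounds as intermediate threats, and rank those for an analyst by combining the score with a business value estimated from file location, access control list and content. The Python below is an added worked example, not the patent's or Sophos's code. The three sub-models are hand-written lookups standing in for trained models, and the model weights, the confidence band, the valuation heuristics and the four sample files are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass
class Sample:
    name: str
    tags: List[str]          # behavioral tags from sandbox or endpoint telemetry
    path: str                # where the executable or document lives
    urls: List[str]          # URLs found inside the sample
    acl_readers: int         # principals with read access (assumed ACL summary)
    content_markers: List[str] = field(default_factory=list)   # e.g. "confidential"


# Three sub-models: toy lookups standing in for trained classifiers (assumed).
BEHAVIOR_WEIGHTS = {"process_injection": 0.9, "mass_file_rename": 0.8,
                    "autorun_persistence": 0.7, "reads_user_docs": 0.3}
PATH_PRIORS = [("/tmp/", 0.8), ("/appdata/local/temp/", 0.8),
               ("/program files/", 0.1), ("/usr/bin/", 0.1)]
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def norm(path: str) -> str:
    return path.lower().replace("\\", "/")


def behavior_model(tags: List[str]) -> float:
    return max((BEHAVIOR_WEIGHTS.get(t, 0.5) for t in tags), default=0.0)


def path_model(path: str) -> float:
    p = norm(path)
    return next((prior for prefix, prior in PATH_PRIORS if prefix in p), 0.4)


def url_model(urls: List[str]) -> float:
    scores = []
    for u in urls:
        host = urlparse(u).hostname or ""
        if IPV4.fullmatch(host):
            scores.append(0.8)          # raw IP literal
        elif host.endswith(".xyz"):
            scores.append(0.7)          # TLD the toy model distrusts
        else:
            scores.append(0.3)
    return max(scores, default=0.0)


def integrative_score(s: Sample) -> float:
    """Weighted combination of the three models (weights are assumptions)."""
    return 0.5 * behavior_model(s.tags) + 0.2 * path_model(s.path) + 0.3 * url_model(s.urls)


SAFE_BELOW, MALICIOUS_ABOVE = 0.25, 0.75   # assumed confidence band


def classify(score: float) -> str:
    if score < SAFE_BELOW:
        return "safe"
    if score > MALICIOUS_ABOVE:
        return "malicious"
    return "intermediate"


# Valuation model from location, ACL and content markers (heuristics assumed).
LOCATION_VALUE = {"/finance/": 0.9, "/legal/": 0.9, "/hr/": 0.8,
                  "/downloads/": 0.2, "/temp/": 0.1}


def business_value(s: Sample) -> float:
    p = norm(s.path)
    location = next((v for k, v in LOCATION_VALUE.items() if k in p), 0.4)
    acl = 0.9 if s.acl_readers <= 5 else 0.5 if s.acl_readers <= 50 else 0.2
    content = min(1.0, 0.3 * len(s.content_markers))
    return 0.5 * location + 0.3 * acl + 0.2 * content


def rank_intermediate(samples: List[Sample]) -> List[Tuple[str, float, float]]:
    """Intermediate threats ranked by likelihood x business value, highest first."""
    rows = []
    for s in samples:
        score = integrative_score(s)
        if classify(score) == "intermediate":
            rows.append((s.name, round(score, 3), round(business_value(s), 3)))
    return sorted(rows, key=lambda r: r[1] * r[2], reverse=True)


CONSTRUCTED_SAMPLES = [
    Sample("invoice_macro.docm", ["reads_user_docs", "autorun_persistence"],
           "C:\\Users\\j\\Downloads\\invoice_macro.docm",
           ["http://198.51.100.7/x"], 3, ["confidential"]),
    Sample("helper.exe", ["process_injection", "mass_file_rename"],
           "C:\\Users\\j\\AppData\\Local\\Temp\\helper.exe",
           ["http://update.badhost.xyz/p"], 100),
    Sample("report.xlsx", ["reads_user_docs", "spawns_shell"],
           "\\\\fileserver\\finance\\Q3\\report.xlsx", [], 4,
           ["confidential", "bank_account"]),
    Sample("setup.exe", ["autorun_persistence"],
           "C:\\Program Files\\Vendor\\setup.exe",
           ["https://vendor.example.com/update"], 500),
]

if __name__ == "__main__":
    for name, score, value in rank_intermediate(CONSTRUCTED_SAMPLES):
        print(f"{name:20s} score={score:.2f} value={value:.2f} priority={score * value:.3f}")
```

helper.exe scores above the malicious bound and is handled automatically rather than queued, while the other three land in the intermediate band. The ranking uses the product of likelihood and value, so a moderately suspicious spreadsheet on a finance share ends up close behind a more suspicious macro document in a downloads folder and well ahead of an installer in Program Files. Replace the lookups with real model outputs and the heuristics with measured ACL and classification data before using this for anything beyond illustration.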
121. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: identifying a file within an enterprise network with a hash of the file; monitoring activity within the enterprise network to obtain a record of activities for one or more instances of the file, the record including a history of execution for the file and a number of locations of the file within the enterprise network; storing the record in a database; detecting a suspicious activity associated with the file, the suspicious activity indicating a reputation of the file between safe and malicious; presenting an identifier of the file to an analyst in a user interface, the user interface configured to present a list of suspicious files to the analyst and support investigation of the file by the analyst using the database; receiving a disposition of the file as malicious or non-malicious; and in response to the disposition, removing the file from the list of suspicious files.
122. The computer program product of claim 121 further comprising code that performs the step of, when the analyst disposes of the file by indicating that the file is malicious, remediating a first location of execution of the file in the history of execution.
123. The computer program product of claim 121 further comprising code that performs the step of, when the analyst disposes of the file by indicating that the file is malicious, remediating each of the number of locations of the file stored in the record.
124. The computer program product of claim 121 wherein the number of locations include a machine and a path for each of the one or more instances of the file.
125. The computer program product of claim 121 wherein the history of execution includes a time and place of a first execution of the file in the enterprise network.
126. The computer program product of claim 121 wherein the record includes one or more network connections associated with the file.
127. The computer program product of claim 126 wherein the one or more network connections include at least one connection created by a process executing from the file.
128. The computer program product of claim 126 wherein the one or more network connections include at least one connection used to transfer the file to a location within the enterprise network.
129. The computer program product of claim 121 further comprising code that performs the step of aging the record out of the database after a predetermined interval.
130. The computer program product of claim 121 further comprising code that performs the step of returning the file to the list of suspicious files upon a detection of a second suspicious activity by the file occurring after the disposition.
131. The computer program product of claim 130 further comprising code that performs the step of presenting a history of dispositions and one or more associated analysts in the user interface.
132. The computer program product of claim 121 further comprising code that performs the step of receiving an override of the disposition by a second analyst.
133. A method comprising: identifying a file within an enterprise network; monitoring activity within the enterprise network to obtain a record of activities for the file, the record including a history of execution for the file and a number of locations of the file within the enterprise network; detecting a suspicious activity associated with the file; presenting an identifier of the file to an analyst in a user interface, the user interface configured to present a list of suspicious files to the analyst and support investigation of the file by presenting the history of execution and the number of locations of the file to the analyst; receiving a disposition of the file as malicious or non-malicious; and in response to the disposition, removing the file from the list of suspicious files.
134. The method of claim 133 wherein the number of locations include a machine and a path for each instance of the file.
135. The method of claim 133 wherein the history of execution includes a time and place of a first execution of the file in the enterprise network.
136. The method of claim 133 further comprising monitoring one or more network connections associated with the file.
137. The method of claim 133 further comprising aging the record out of a database of monitored files after a predetermined interval.
138. The method of claim 133 further comprising returning the file to the list of suspicious files upon detection of a second suspicious activity by the file occurring after the disposition.
139. The method of claim 133 further comprising receiving an override of the disposition by a second analyst.
140. A system comprising: a plurality of compute instances; an enterprise network coupling the plurality of compute instances in a communicating relationship; and a threat management facility for the enterprise network, the threat management facility including a processor and a memory storing code that, when executing on the processor, performs the steps of identifying a file within the enterprise network, monitoring activity within the enterprise network to obtain a record of activities for the file, the record including a history of execution for the file and a number of locations of the file within the enterprise network, detecting a suspicious activity associated with the file, presenting an identifier of the file to an analyst in a user interface, the user interface configured to present a list of suspicious files to the analyst and support investigation of the file by presenting the history of execution and the number of locations of the file to the analyst, receiving a disposition of the file as malicious or non-malicious, and in response to the disposition, removing the file from the list of suspicious files.
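Claims 121 to 140 track a file across the enterprise by its hash, keeping its execution history, locations and network connections, surface it to an analyst when suspicious activity is seen, remove it from the list on disposition, bring it back on a later suspicious activity, allow a second analyst to override, and age records out after an interval. The Python below is an added example of that record-keeping and disposition workflow; it is not code from the patent or from Sophos. The record fields, the TTL, the host names, the remote address and the constructed timeline are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FileRecord:
    """Everything the facility has learned about one file, keyed by hash."""
    sha256: str
    locations: Set[Tuple[str, str]] = field(default_factory=set)            # (machine, path)
    executions: List[Tuple[int, str]] = field(default_factory=list)         # (ts, machine)
    connections: List[Tuple[int, str, str]] = field(default_factory=list)   # (ts, machine, remote)
    dispositions: List[Tuple[int, str, str]] = field(default_factory=list)  # (ts, analyst, verdict)
    last_seen: int = 0


class FileTracker:
    """Hash-keyed activity database plus the analyst's list of suspicious files."""

    def __init__(self, ttl: int = 30 * 86400) -> None:
        self.ttl = ttl                         # record lifetime in seconds (assumed)
        self.db: Dict[str, FileRecord] = {}
        self.suspicious: List[str] = []        # hashes currently shown to analysts

    @staticmethod
    def file_id(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def _touch(self, h: str, ts: int) -> FileRecord:
        rec = self.db.setdefault(h, FileRecord(h))
        rec.last_seen = max(rec.last_seen, ts)
        return rec

    def seen_at(self, h: str, machine: str, path: str, ts: int) -> None:
        self._touch(h, ts).locations.add((machine, path))

    def executed(self, h: str, machine: str, ts: int) -> None:
        self._touch(h, ts).executions.append((ts, machine))

    def connected(self, h: str, machine: str, remote: str, ts: int) -> None:
        self._touch(h, ts).connections.append((ts, machine, remote))

    def suspicious_activity(self, h: str, ts: int) -> None:
        """Queue the file for an analyst; a previously disposed file comes back."""
        self._touch(h, ts)
        if h not in self.suspicious:
            self.suspicious.append(h)

    def first_execution(self, h: str) -> Optional[Tuple[int, str]]:
        ex = self.db[h].executions
        return min(ex) if ex else None

    def dispose(self, h: str, analyst: str, verdict: str, ts: int) -> List[Tuple[str, str]]:
        """Record the verdict, drop the file from the list, and return the
        locations to remediate (every known copy) when it is malicious."""
        if verdict not in ("malicious", "non-malicious"):
            raise ValueError(f"unknown verdict {verdict!r}")
        rec = self._touch(h, ts)
        rec.dispositions.append((ts, analyst, verdict))
        if h in self.suspicious:
            self.suspicious.remove(h)
        return sorted(rec.locations) if verdict == "malicious" else []

    def age_out(self, now: int) -> int:
        """Delete records idle for longer than the TTL; returns how many."""
        stale = [h for h, rec in self.db.items() if now - rec.last_seen > self.ttl]
        for h in stale:
            del self.db[h]
            if h in self.suspicious:
                self.suspicious.remove(h)
        return len(stale)


def run_scenario() -> dict:
    """Constructed timeline: one binary lands on two hosts, beacons out, is
    cleared by one analyst, misbehaves again and is overridden by a second."""
    t = FileTracker(ttl=100)
    h = t.file_id(b"constructed sample bytes, not a real binary")
    t.seen_at(h, "ws-01", "C:/Users/j/Downloads/update.exe", 5)
    t.executed(h, "ws-01", 10)
    t.seen_at(h, "ws-02", "C:/Temp/update.exe", 15)
    t.executed(h, "ws-02", 20)
    t.connected(h, "ws-02", "203.0.113.9:4444", 21)
    t.suspicious_activity(h, 21)
    listed_first = h in t.suspicious
    t.dispose(h, "alice", "non-malicious", 30)
    listed_after_clear = h in t.suspicious
    t.suspicious_activity(h, 40)                      # second suspicious activity
    listed_again = h in t.suspicious
    targets = t.dispose(h, "bob", "malicious", 50)    # override by a second analyst
    return {
        "hash": h, "listed": (listed_first, listed_after_clear, listed_again),
        "first_execution": t.first_execution(h), "remediate": targets,
        "history": list(t.db[h].dispositions), "aged_out": t.age_out(now=151),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "=", v)
```

dispose returns the remediation target list only for a malicious verdict; the caller decides whether to act on the first execution location or on every recorded copy, which is the distinction between claims 122 and 123. Keying on SHA-256 means a renamed or moved copy still maps to the same record, but a recompiled or padded copy gets a fresh hash and a fresh record, so the tracker answers "where has this exact file been" and nothing broader.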
GB2103617.3A 2018-08-31 2019-08-13 Enterprise network threat detection Active GB2592132B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB2216902.3A GB2614426B (en) 2018-08-31 2019-08-13 Enterprise network threat detection

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
US201862726174P 2018-08-31 2018-08-31
US16/128,984 US10938838B2 (en) 2018-08-31 2018-09-12 Computer augmented threat evaluation
US16/129,113 US11297073B2 (en) 2018-08-31 2018-09-12 Forensic query of local event streams in an enterprise network
US16/129,183 US10938839B2 (en) 2018-08-31 2018-09-12 Threat detection with business impact scoring
US16/129,087 US20200076833A1 (en) 2018-08-31 2018-09-12 Dynamic filtering of endpoint event streams
US16/128,953 US11552962B2 (en) 2018-08-31 2018-09-12 Computer assisted identification of intermediate level threats
US16/129,143 US10972485B2 (en) 2018-08-31 2018-09-12 Enterprise network threat detection
US201962874758P 2019-07-16 2019-07-16
PCT/US2019/046316 WO2020046575A1 (en) 2018-08-31 2019-08-13 Enterprise network threat detection

Publications (3)

Publication Number Publication Date
GB202103617D0 GB202103617D0 (en) 2021-04-28
GB2592132A true GB2592132A (en) 2021-08-18
GB2592132B GB2592132B (en) 2023-01-04

Family

ID=69643045

Family Applications (2)

Application Number Title Priority Date Filing Date
GB2103617.3A Active GB2592132B (en) 2018-08-31 2019-08-13 Enterprise network threat detection
GB2216902.3A Active GB2614426B (en) 2018-08-31 2019-08-13 Enterprise network threat detection

Family Applications After (1)

Application Number Title Priority Date Filing Date
GB2216902.3A Active GB2614426B (en) 2018-08-31 2019-08-13 Enterprise network threat detection

Country Status (2)

Country Link
GB (2) GB2592132B (en)
WO (1) WO2020046575A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021188604A1 (en) * 2020-03-17 2021-09-23 Centerboard, Llc Digital file forensic accounting and management system
CN113537262A (en) * 2020-04-20 2021-10-22 Sangfor Technologies Inc. Data analysis method, device, equipment and readable storage medium
CN111786950B (en) * 2020-05-28 2023-10-27 Ping An Property & Casualty Insurance Company of China, Ltd. Network security monitoring method, device, equipment and medium based on situation awareness
US20230229782A1 (en) * 2022-01-19 2023-07-20 Dell Products L.P. Automatically performing varied security scans on distributed files using machine learning techniques

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170063896A1 (en) * 2015-08-31 2017-03-02 Splunk Inc. Network Security System
WO2018086544A1 (en) * 2016-11-11 2018-05-17 Tencent Technology (Shenzhen) Company Limited Security protection method and device, and computer storage medium
US20180203998A1 (en) * 2017-01-19 2018-07-19 Cylance Inc. Advanced malware classification
US20180219888A1 (en) * 2017-01-30 2018-08-02 Splunk Inc. Graph-Based Network Security Threat Detection Across Time and Entities

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101794116B1 (en) * 2013-03-18 2017-11-06 The Trustees of Columbia University in the City of New York Unsupervised detection of anomalous processes using hardware features
US9727726B1 (en) * 2013-12-19 2017-08-08 Amazon Technologies, Inc. Intrusion detection using bus snooping
US9774613B2 (en) * 2014-12-15 2017-09-26 Sophos Limited Server drift monitoring
US9419989B2 (en) * 2014-12-15 2016-08-16 Sophos Limited Threat detection using URL cache hits
US9934378B1 (en) * 2015-04-21 2018-04-03 Symantec Corporation Systems and methods for filtering log files
US9690938B1 (en) * 2015-08-05 2017-06-27 Invincea, Inc. Methods and apparatus for machine learning based malware detection
US10673879B2 (en) * 2016-09-23 2020-06-02 Sap Se Snapshot of a forensic investigation for enterprise threat detection
RU2659737C1 (en) * 2017-08-10 2018-07-03 Акционерное общество "Лаборатория Касперского" System and method of managing computing resources for detecting malicious files
US10984122B2 (en) * 2018-04-13 2021-04-20 Sophos Limited Enterprise document classification

Also Published As

Publication number Publication date
GB202103617D0 (en) 2021-04-28
WO2020046575A1 (en) 2020-03-05
GB202216902D0 (en) 2022-12-28
GB2614426A (en) 2023-07-05
GB2592132B (en) 2023-01-04
GB2614426B (en) 2023-10-11

Similar Documents

Publication Publication Date Title
US11727333B2 (en) Endpoint with remotely programmable data recorder
US11657174B2 (en) Dynamic multi-factor authentication
GB2592132A (en) Enterprise network threat detection
US20230385447A1 (en) Live discovery of enterprise threats based on security query activity
US20140201836A1 (en) Automated Internet Threat Detection and Mitigation System and Associated Methods
EP4068687A1 (en) System and method for anomaly detection in a computer network
US20230247048A1 (en) Early malware detection
WO2023042192A1 (en) A top-down cyber security system and method
FR3023040A1 (en) INFORMATION SYSTEM CYBERFERENCE SYSTEM, COMPUTER PROGRAM, AND ASSOCIATED METHOD