Title: FIREWALL TECHNIQUES FOR COLORED OBJECTS ON ENDPOINTS
Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
Publication number: US2016191465(A1)  Publication date: 2016.06.30
Application number: US201414485782  Filing date: 2014.09.14
Applicant: Sophos Limited  Inventors: Thomas Andrew J.; Watkiss Neil Robert Tyndale; Schiappa Dan; Ray Kenneth D.
Classification: H04L29/06  Main classification: H04L29/06
Agency:  Agent:
Main claim: 1. A method comprising: providing an application firewall configured to provide conditional, rule-based access to network resources by an application executing on an endpoint; processing the application on the endpoint; coloring the application in response to a first observed action with a descriptor of a context for the first observed action, the context including one or more attributes selected for a relevance to threat detection; applying a rule dependent on the descriptor in response to a second observed action of the application to detect a reportable event; and limiting access by the application to a network resource with the application firewall based on the reportable event.
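The two-step flow in claim 1 (color on a first observed action, apply a descriptor-dependent rule on a second action, then restrict the network resource) as an added toy model; this is illustrative code written here, not the patent's or Sophos's implementation, and every action name, descriptor, rule and resource is a constructed example.

```python
# Added example: a minimal endpoint "application firewall" that colors an
# application on a first observed action and evaluates rules on later actions.
# All action names, descriptors, rules and resources below are constructed.
from dataclasses import dataclass, field

@dataclass
class Application:
    name: str
    colors: set = field(default_factory=set)   # descriptors of observed context
    blocked: set = field(default_factory=set)  # network resources now denied

# Coloring rules: first observed action -> descriptor of its context (constructed).
COLORING_RULES = {
    "opened_email_attachment": "source:email",
    "read_corporate_file": "data:corporate",
    "spawned_from_browser": "source:browser",
}

# Detection rules: (required descriptor, second action) -> reportable event (constructed).
DETECTION_RULES = {
    ("source:email", "connect_unknown_host"): "untrusted-origin-to-unknown-host",
    ("data:corporate", "upload_to_personal_cloud"): "corporate-data-exfil-risk",
}

def observe(app: Application, action: str, resource: str = None):
    """Process one observed action; return a reportable event name or None."""
    # Step 1: if the action carries threat-relevant context, color the application.
    descriptor = COLORING_RULES.get(action)
    if descriptor:
        app.colors.add(descriptor)
        return None
    # Step 2: evaluate rules that depend on descriptors applied earlier.
    for (needed, trigger), event in DETECTION_RULES.items():
        if trigger == action and needed in app.colors:
            if resource:
                app.blocked.add(resource)   # firewall limits access to the resource
            return event
    return None

def is_allowed(app: Application, resource: str) -> bool:
    """Firewall decision for a later connection attempt by this application."""
    return resource not in app.blocked
```

The same second action on an uncolored application produces no event, which is the point of making the rule depend on the descriptor rather than on the action alone.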
Address: Abingdon GB