Title: KEY MANAGEMENT FOR COMPROMISED ENTERPRISE ENDPOINTS
Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
Publication number: US2017078093(A1)  Publication date: 2017.03.16
Application number: US201615360591  Application date: 2016.11.23
Applicant: Sophos Limited  Inventors: Schütz Harald; Thomas Andrew J.; Ray Kenneth D.; Schiappa Daniel Salvatore
Classification: H04L9/08; G06F21/55  Main classification: H04L9/08
Agency: (none listed)  Agent: (none listed)
Independent claim: 1. A method comprising: labeling objects on an endpoint with a labeling scheme in which the objects are either in, wherein the objects conform to a compliance policy administered for the endpoint from a remote threat management facility, or the objects are out, wherein the objects do not conform to the compliance policy, thereby providing a plurality of in objects and a plurality of out objects, the objects including at least one of processes, files, and data; for in objects of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system; detecting a compromise of the endpoint based on a change in compliance of an in process; and in response to detecting the compromise, deleting key material cached on the endpoint, thereby revoking access to the encrypted files by the endpoint.
Address: Abingdon GB
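The independent claim describes a four-step flow: label objects in or out against a compliance policy, serve encrypted files through the file system only to in objects, detect compromise when an in process falls out of compliance, and wipe the locally cached key material so the endpoint loses access. The following is an added illustration of that flow in Python; it is not Sophos code and does not reflect the patent's actual implementation. The `CompliancePolicy` (signed binary with an allow-listed hash), the SHA-256 counter keystream standing in for the file system's real cipher, the process names, the key and the file contents are all constructed for the example.

```python
"""Toy model of the claimed key-management flow (constructed example):
label objects in/out against a compliance policy, serve encrypted files
only to "in" processes, and wipe cached key material the moment an "in"
process falls out of compliance."""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IN, OUT = "in", "out"


@dataclass
class CompliancePolicy:
    """Hypothetical policy as pushed from the remote threat management
    facility: an object conforms if it is signed and its hash is allow-listed."""
    allowed_hashes: set

    def conforms(self, attrs: dict) -> bool:
        return bool(attrs.get("signed")) and attrs.get("hash") in self.allowed_hashes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the file system's real cipher: XOR with a SHA-256 counter
    keystream. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class Endpoint:
    def __init__(self, policy: CompliancePolicy):
        self.policy = policy
        self.labels: Dict[str, str] = {}
        self.key_cache: Optional[bytearray] = None        # key material held locally
        self.vault: Dict[str, Tuple[bytes, bytes]] = {}   # fname -> (nonce, ciphertext)
        self.compromised = False
        self.audit: List[str] = []

    def label(self, name: str, attrs: dict) -> str:
        """Step 1: label an object in or out according to the policy."""
        lbl = IN if self.policy.conforms(attrs) else OUT
        self.labels[name] = lbl
        return lbl

    def cache_key(self, key: bytes) -> None:
        self.key_cache = bytearray(key)

    def _key_for(self, proc: str) -> bytes:
        """Step 2: the file system hands out the key only to in processes,
        and only while key material is still cached on the endpoint."""
        if self.labels.get(proc) != IN:
            raise PermissionError(f"{proc} is labeled {self.labels.get(proc, 'unknown')}")
        if self.key_cache is None:
            raise PermissionError("key material has been revoked on this endpoint")
        return bytes(self.key_cache)

    def store_file(self, proc: str, fname: str, plaintext: bytes) -> None:
        key = self._key_for(proc)
        nonce = os.urandom(16)
        self.vault[fname] = (nonce, _keystream_xor(key, nonce, plaintext))

    def open_file(self, proc: str, fname: str) -> bytes:
        key = self._key_for(proc)
        nonce, ciphertext = self.vault[fname]
        return _keystream_xor(key, nonce, ciphertext)

    def recheck(self, proc: str, attrs: dict) -> bool:
        """Step 3: re-evaluate compliance; an in process turning out is the
        compromise signal, which triggers step 4 (key revocation)."""
        was = self.labels.get(proc)
        now = self.label(proc, attrs)
        if was == IN and now == OUT:
            self.compromised = True
            self.audit.append(f"compromise: {proc} changed {was}->{now}")
            self.revoke_keys()
        return self.compromised

    def revoke_keys(self) -> None:
        """Step 4: zero and drop the cached key material."""
        if self.key_cache is not None:
            for i in range(len(self.key_cache)):
                self.key_cache[i] = 0
            self.key_cache = None
        self.audit.append("key cache wiped")


def demo() -> dict:
    """Walk the flow with constructed objects and return the observations."""
    ep = Endpoint(CompliancePolicy(allowed_hashes={"aaaa", "bbbb"}))
    ep.cache_key(b"\x11" * 32)                                  # constructed key
    ep.label("editor", {"signed": True, "hash": "aaaa"})        # in
    ep.label("dropper", {"signed": False, "hash": "ffff"})      # out
    ep.store_file("editor", "budget.xlsx", b"Q3 numbers")
    result = {"editor_reads": ep.open_file("editor", "budget.xlsx")}
    try:
        ep.open_file("dropper", "budget.xlsx")
        result["dropper_reads"] = True
    except PermissionError:
        result["dropper_reads"] = False
    # The editor binary is replaced in place: its hash changes and compliance is lost.
    result["compromised"] = ep.recheck("editor", {"signed": True, "hash": "ffff"})
    try:
        ep.open_file("editor", "budget.xlsx")
        result["editor_reads_after"] = True
    except PermissionError:
        result["editor_reads_after"] = False
    result["key_cached"] = ep.key_cache is not None
    result["audit"] = ep.audit
    return result


if __name__ == "__main__":
    print(demo())
```

The point the claim turns on is that access is gated in two places: the label check keeps out objects away from the key, and the revocation step removes the key itself, so even a process that was in when the files were written can no longer read them once the endpoint is judged compromised. Restoring access would require the remote threat management facility to re-provision key material after the endpoint is back in compliance, which this toy does not model.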