Title: THREAT DETECTION USING REPUTATION DATA
Abstract: Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time, including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or for a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.
Publication number: US2016350531(A1) Publication date: 2016.12.01
Application number: US201615235722 Filing date: 2016.08.12
Applicant: Sophos Limited Inventors: Harris Mark D.; Ray Kenneth D.
Classification: G06F21/55; H04L29/06 Main classification: G06F21/55
Agency / Agent: not listed
Independent claim 1. A method comprising:
maintaining reputation data in a memory on each of a plurality of devices, the reputation data including a reputation score and a time to live for each of a plurality of executables;
updating the reputation data on each of the plurality of devices using reputation scores from a remote threat management facility to add new entries for new executables accessed by the respective device and using the time to live to expire existing entries from the reputation data;
monitoring, with the remote threat management facility, each one of the plurality of devices to detect, based on the reputation data on each of the devices, a variance in access to one or more of the plurality of executables relative to access to the one or more of the plurality of executables on each other one of the plurality of devices;
triggering an indication of compromise based on the variance; and
for the device corresponding to the detected variance in access to one or more of the plurality of executables, initiating a remedial action in response to the indication of compromise.
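The following is an added worked example, not code from the patent or from Sophos, modelling the elements of claim 1 and the abstract's "group of similarly configured endpoints" baseline: a per-device reputation cache keyed by executable with a score and a time to live, entries pulled from a remote threat management facility on first access and expired by TTL, a fleet-level variance check that compares each device's access count for an executable against every other device (leave-one-out mean and spread), an indication of compromise when one device is an outlier, and a remedial action chosen from the cached score. The score scale (0.0 known bad to 1.0 known good), the neutral score and TTL for unknown executables, the outlier threshold, the quarantine policy and the five-host scenario with its executable names are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class ReputationEntry:
    score: float      # assumed scale: 0.0 = known bad, 1.0 = known good
    ttl: float        # seconds the cached entry remains valid on the device
    added_at: float   # time the entry was written into the device's memory


class ThreatManagementFacility:
    """Remote facility: authoritative scores, plus monitoring of all devices."""

    def __init__(self, scores):
        self.scores = scores        # executable -> (score, ttl); constructed sample data
        self.devices = []
        self.remediations = []      # (device, executable, action) taken so far

    def lookup(self, executable):
        # Assumed policy: unknown executables get a neutral score and a short TTL
        return self.scores.get(executable, (0.5, 600.0))

    def register(self, device):
        self.devices.append(device)

    def detect_variance(self, executable, k=3.0, min_margin=5):
        """Flag devices whose access count for an executable is an outlier
        relative to every other device (leave-one-out baseline)."""
        counts = {d.name: d.access_counts.get(executable, 0) for d in self.devices}
        indications = []
        for name, count in counts.items():
            others = [c for n, c in counts.items() if n != name]
            if not others:
                continue
            baseline, spread = mean(others), pstdev(others)
            # Require both a statistical and an absolute excess so a uniform
            # fleet (spread == 0) still needs a real gap before alarming.
            if count > baseline + k * spread + min_margin:
                indications.append({"device": name, "executable": executable,
                                    "count": count, "baseline": baseline})
        return indications

    def remediate(self, indication):
        """Remedial action for the flagged device, driven by its cached score."""
        device = next(d for d in self.devices if d.name == indication["device"])
        entry = device.reputation.get(indication["executable"])
        # Assumed policy: low-reputation executables are quarantined outright,
        # anything else is isolated pending analyst review.
        action = "quarantine" if entry and entry.score < 0.3 else "isolate_for_review"
        self.remediations.append((device.name, indication["executable"], action))
        return action


class Device:
    """Endpoint holding reputation data in local memory."""

    def __init__(self, name, facility):
        self.name = name
        self.facility = facility
        self.reputation = {}        # executable -> ReputationEntry
        self.access_counts = {}     # executable -> number of accesses observed
        facility.register(self)

    def expire(self, now):
        """Drop entries whose time to live has elapsed."""
        self.reputation = {e: r for e, r in self.reputation.items()
                           if now - r.added_at < r.ttl}

    def access(self, executable, now):
        """Record an access; fetch a score from the facility for new executables."""
        self.expire(now)
        if executable not in self.reputation:
            score, ttl = self.facility.lookup(executable)
            self.reputation[executable] = ReputationEntry(score, ttl, now)
        self.access_counts[executable] = self.access_counts.get(executable, 0) + 1


def run_scenario():
    """Constructed scenario: five similarly configured endpoints; one of them
    repeatedly runs a low-reputation file its peers never touch.
    Returns (indications, actions, host-4's cache after TTL expiry)."""
    facility = ThreatManagementFacility({
        "svchost.exe": (0.95, 86400.0),
        "updater.exe": (0.90, 3600.0),
        "dropper.tmp.exe": (0.10, 300.0),
    })
    fleet = [Device(f"host-{i}", facility) for i in range(5)]
    for t in range(10):                       # normal, uniform activity
        for d in fleet:
            d.access("svchost.exe", now=float(t))
            d.access("updater.exe", now=float(t))
    for t in range(10, 50):                   # host-4 deviates from its peers
        fleet[4].access("dropper.tmp.exe", now=float(t))
    indications = []
    for exe in ("svchost.exe", "updater.exe", "dropper.tmp.exe"):
        indications.extend(facility.detect_variance(exe))
    actions = [facility.remediate(i) for i in indications]
    fleet[4].expire(now=10.0 + 301.0)         # past the dropper entry's 300 s TTL
    return indications, actions, fleet[4].reputation


if __name__ == "__main__":
    for ind in run_scenario()[0]:
        print("indication of compromise:", ind)
```

The leave-one-out comparison is what makes the check fleet-relative rather than absolute: a device is only an outlier with respect to how the same executable is accessed on the other devices, which is the variance claim 1 describes. The absolute margin matters in practice; with a perfectly uniform fleet the standard deviation is zero, and a pure z-score would alarm on a single extra access.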
Address: Abingdon GB