Title: Uploading signatures to gateway level unified threat management devices after endpoint level behavior based detection of zero day threats
Abstract: Zero day threats are detected at the gateway level and blocked from entering a network. A database of signatures identifying malware is maintained at the gateway. Inbound network traffic is scanned against these signatures, and files containing malware are detected and blocked by the gateway. When a file is received by a given endpoint in the network, behavior based malware detection is used to determine whether the file contains a zero day threat. Whenever an endpoint adjudicates a file as containing a zero day threat, the endpoint generates an identifying signature and transmits it to the gateway in real time. The gateway thus receives signatures identifying multiple zero day threats from multiple endpoints, and subsequently scans inbound network traffic for the received signatures. From that point on, the gateway detects files containing those zero day threats and blocks them from being routed to endpoints in the network.
Publication number: US9332023(B1)    Publication date: 2016.05.03
Application number: US201414467259    Filing date: 2014.08.25
Applicant: Symantec Corporation    Inventor: Wang Pengchao
Classification: G06F15/16; H04L29/06    Main classification: G06F15/16
Agency: Patent Law Works LLP    Agent: Patent Law Works LLP
Main claim: 1. A computer implemented method for detecting zero day threats at a gateway level, and blocking zero day threats from entering a private network comprising a gateway device and a plurality of endpoint computers, the method comprising the steps of: routing, by the gateway device, inbound and outbound network traffic to and from the private network; maintaining, by the gateway device, a plurality of signatures identifying known malware; scanning inbound network traffic for specific ones of the plurality of maintained signatures identifying known malware and detecting files containing known malware in the inbound network traffic, by the gateway device; blocking the detected files containing known malware from being routed to any endpoint computer in the private network, by the gateway device; receiving, by the gateway device, signatures identifying zero day threats from multiple ones of the plurality of endpoint computers in the private network; wherein each specific received signature identifies a specific zero day threat routed in a specific file from the gateway device to a specific endpoint computer, as a result of a signature identifying the specific zero day threat not having been present in the plurality of signatures identifying malware maintained by the gateway device when the specific zero day threat arrived at the gateway device in inbound network traffic; wherein each specific received signature having been generated by the specific endpoint computer to which the specific zero day threat was routed, responsive to the specific endpoint computer having adjudicated the specific file to comprise malware, as a result of the specific endpoint computer having performed behavior based malware detection on the specific file; adding the signatures identifying zero day threats received from multiple ones of the plurality of endpoint computers to the plurality of signatures identifying malware maintained by the gateway device; subsequently to adding a given received signature identifying a given zero day threat to the plurality of signatures identifying malware maintained by the gateway device, scanning inbound network traffic for the given received signature identifying the given zero day threat, the given received signature having been added to the plurality of maintained signatures, and detecting at least one file containing the given zero day threat, by the gateway device; and blocking the at least one file containing the given zero day threat from being routed to any endpoint computer in the private network, by the gateway device.
Address: Mountain View CA US
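The gateway/endpoint exchange described in the abstract and claim, as an added simulation that is not part of the patent and not Symantec code. It assumes a SHA-256 file hash as the signature format and a constructed byte marker standing in for behavior based detection; the patent fixes neither.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Gateway level device: keeps the signature database and scans inbound files."""
    signatures: set = field(default_factory=set)
    blocked: list = field(default_factory=list)

    @staticmethod
    def signature(data: bytes) -> str:
        # Assumption: signature = SHA-256 of the file (exact match only).
        return hashlib.sha256(data).hexdigest()

    def deliver(self, data: bytes, endpoint: "Endpoint") -> bool:
        """Scan one inbound file; route it to the endpoint unless a signature matches."""
        sig = self.signature(data)
        if sig in self.signatures:
            self.blocked.append(sig)
            return False            # blocked at the gateway
        endpoint.receive(data, self)
        return True                 # routed to the endpoint


@dataclass
class Endpoint:
    name: str
    detections: list = field(default_factory=list)

    @staticmethod
    def behaves_maliciously(data: bytes) -> bool:
        # Stand-in for behavior based detection: a constructed marker in the sample.
        return b"CONSTRUCTED_MALICIOUS_BEHAVIOR" in data

    def receive(self, data: bytes, gateway: Gateway) -> None:
        if self.behaves_maliciously(data):
            sig = Gateway.signature(data)
            self.detections.append(sig)
            gateway.signatures.add(sig)   # real-time upload to the gateway


def simulate() -> dict:
    """Run the flow: known malware, a zero day seen twice, and a benign file."""
    gw = Gateway(signatures={Gateway.signature(b"known-malware-sample")})
    a, b = Endpoint("endpoint-a"), Endpoint("endpoint-b")
    zero_day = b"stub ... CONSTRUCTED_MALICIOUS_BEHAVIOR ..."   # constructed sample
    return {
        "known_blocked": not gw.deliver(b"known-malware-sample", a),
        "zero_day_first_pass": gw.deliver(zero_day, a),        # no signature yet
        "zero_day_then_blocked": not gw.deliver(zero_day, b),  # A's signature protects B
        "benign_routed": gw.deliver(b"quarterly report", b),
    }
```

The first copy of the zero day still reaches one endpoint, so the endpoint detector is the only control in that window. An exact-hash signature covers only byte-identical copies, so this simulation would not catch a trivially modified variant.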