Title of invention: LABELING OBJECTS ON AN ENDPOINT FOR ENCRYPTION MANAGEMENT
Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
Publication number: US2016078225(A1) Publication date: 2016.03.17
Application number: US201414485769 Filing date: 2014.09.14
Applicant: Sophos Limited Inventors: Ray Kenneth D.; Schiappa Dan; Reed Simon Neil; Harris Mark D.; Watkiss Neil Robert Tyndale; Thomas Andrew J.; Cook Robert W.; Schütz Harald; Shaw John Edward Tyrone; Merry Anthony John
Classification: G06F21/55 Main classification: G06F21/55
Agency: (none listed) Agent: (none listed)
Main claim: 1. A method comprising:
labeling each of a plurality of processes on an endpoint with a labeling scheme in which a process is either in, wherein the process conforms to a compliance policy administered for the endpoint from a remote threat management facility, or the process is out, wherein the process does not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes;
labeling each of a plurality of files on the endpoint as either in, wherein the file is encrypted using a remotely managed key ring, or the file is out, wherein the file is not encrypted using the remotely managed key ring, thereby providing a plurality of in files and a plurality of out files;
providing access to the remotely managed key ring by the plurality of in processes, thereby facilitating access to the plurality of in files by the plurality of in processes;
changing a label for one of the plurality of processes from in to out in response to an observed action for the process, thereby providing a relabeled process; and
revoking access by the relabeled process to the plurality of in files, thereby preventing the relabeled process from opening additional ones of the plurality of in files and preventing the relabeled process from creating a new in file.
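The in/out labeling and key-ring revocation described in claim 1, as an added illustrative model that is not code from the patent or from Sophos: the `Endpoint` class, the `NONCOMPLIANT_ACTIONS` set and the in-memory key are all hypothetical, constructed stand-ins for the remotely managed key ring and compliance policy.

```python
# Added example (not from the patent or Sophos): a minimal model of claim 1's in/out
# labeling. Names are hypothetical; the key ring is a constructed in-memory stand-in.
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

# Constructed sample of actions the compliance policy treats as non-conforming.
NONCOMPLIANT_ACTIONS = frozenset({"unsigned_code_load", "tamper_with_agent"})

@dataclass
class Endpoint:
    keyring_key: bytes = b"constructed-sample-key"        # stands in for the key ring
    process_labels: dict = field(default_factory=dict)   # pid -> "in" | "out"
    file_labels: dict = field(default_factory=dict)      # path -> "in" | "out"
    audit: list = field(default_factory=list)            # relabel events for the SOC

    def label_process(self, pid: int, label: str) -> None:
        self.process_labels[pid] = label

    def label_file(self, path: str, label: str) -> None:
        self.file_labels[path] = label

    def key_ring_access(self, pid: int) -> bytes:
        # Only in processes may use the remotely managed key ring.
        if self.process_labels.get(pid) != "in":
            raise AccessDenied(f"pid {pid} is labeled out")
        return self.keyring_key

    def open_file(self, pid: int, path: str) -> str:
        # Out files are plaintext; in files need key-ring access to be decrypted.
        if self.file_labels[path] == "out":
            return "plaintext"
        self.key_ring_access(pid)
        return "decrypted"

    def create_file(self, pid: int, path: str) -> str:
        # A relabeled (out) process can only create out files, never a new in file.
        label = "in" if self.process_labels.get(pid) == "in" else "out"
        self.file_labels[path] = label
        return label

    def observe_action(self, pid: int, action: str) -> bool:
        # A non-conforming observed action relabels in -> out, revoking key-ring access.
        if action in NONCOMPLIANT_ACTIONS and self.process_labels.get(pid) == "in":
            self.process_labels[pid] = "out"
            self.audit.append((pid, action, "in->out"))
            return True
        return False
```

Relabeling is one-way in this model, matching the claim; restoring access would be a separate policy decision by the remote threat management facility.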
Address: Abingdon GB