-
Publication No.: US20200074336A1
Publication date: 2020-03-05
Application No.: US16128953
Filing date: 2018-09-12
Applicant: Sophos Limited
Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
Abstract: An ensemble of detection techniques is used to identify code that presents intermediate levels of threat. For example, an ensemble of machine learning techniques may be used to evaluate suspiciousness based on binaries, file paths, behaviors, reputations, and so forth, and code may be sorted into safe, unsafe, intermediate, or any similar categories. By filtering and prioritizing intermediate threats with these tools, human threat intervention can advantageously be directed toward the code samples and associated contexts most appropriate for non-automated responses.
-
Publication No.: US10516682B2
Publication date: 2019-12-24
Application No.: US15946026
Filing date: 2018-04-05
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
IPC classification: H04L29/06, G06F16/901, G06Q10/06, G06Q50/26
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computing objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
-
Publication No.: US10516531B2
Publication date: 2019-12-24
Application No.: US16111322
Filing date: 2018-08-24
Applicant: Sophos Limited
Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
-
Publication No.: US20190318109A1
Publication date: 2019-10-17
Application No.: US16165274
Filing date: 2018-10-19
Applicant: Sophos Limited
Inventor: Andrew J. Thomas
Abstract: A collection of documents or other files within an enterprise network is labelled according to an enterprise document classification scheme, and then a recognition model such as a neural network or other machine learning model can be used to automatically label other files throughout the enterprise network. In this manner, documents throughout an enterprise can be automatically identified and managed according to features such as confidentiality, sensitivity, security risk, business value, and so forth.
-
Publication No.: US20190312839A1
Publication date: 2019-10-10
Application No.: US15945346
Filing date: 2018-04-04
Applicant: Sophos Limited
IPC classification: H04L29/06
Abstract: Secure management of an enterprise network is improved by creating a network adapter fingerprint for an endpoint that identifies all of the network adapters for that endpoint. With this information, the location and connectivity of the endpoint can be tracked and managed independently of the manner in which the endpoint connects to the enterprise network.
-
Publication No.: US10417419B2
Publication date: 2019-09-17
Application No.: US15924460
Filing date: 2018-03-19
Applicant: Sophos Limited
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computing objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.
-
Publication No.: US10382459B2
Publication date: 2019-08-13
Application No.: US15969725
Filing date: 2018-05-02
Applicant: Sophos Limited
Inventors: Mark D. Harris, Simon Neil Reed, Kenneth D. Ray, Neil Robert Tyndale Watkiss, Andrew J. Thomas, Robert W. Cook
IPC classification: H04L29/06
Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
-
Publication No.: US20190238589A1
Publication date: 2019-08-01
Application No.: US16381928
Filing date: 2019-04-11
Applicant: Sophos Limited
Inventor: Daniel Stutz
IPC classification: H04L29/06
Abstract: In general, in one aspect, a system for providing honeypot network services may monitor network activity and detect network activity indicative of network service discovery by a first device, for example, port scanning. The system may present a temporarily available network service to the first device in response to detecting the activity indicative of port scanning, for example, by redirecting traffic at an unassigned network address to a honeypot network service. The system may monitor communication between the first device and the presented honeypot network service to determine whether the monitored communication is indicative of a threat, and determine that the first device is compromised based on the monitored communication between the first device and the presented honeypot network service. The system may initiate measures to protect the network from the compromised first device.
-
Publication No.: US20190149580A1
Publication date: 2019-05-16
Application No.: US16249492
Filing date: 2019-01-16
Applicant: Sophos Limited
Inventors: Kenneth D. Ray, Simon Neil Reed, Mark D. Harris, Neil Robert Tyndale Watkiss, Andrew J. Thomas, Robert W. Cook, Dmitri Samosseiko
CPC classification: H04L63/20, G06F16/285, H04L63/0263, H04L63/1408
Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
-
Publication No.: US10284598B2
Publication date: 2019-05-07
Application No.: US15010783
Filing date: 2016-01-29
Applicant: Sophos Limited
Inventor: Daniel Stutz
Abstract: In general, in one aspect, a system for providing honeypot network services may monitor network activity and detect network activity indicative of network service discovery by a first device, for example, port scanning. The system may present a temporarily available network service to the first device in response to detecting the activity indicative of port scanning, for example, by redirecting traffic at an unassigned network address to a honeypot network service. The system may monitor communication between the first device and the presented honeypot network service to determine whether the monitored communication is indicative of a threat, and determine that the first device is compromised based on the monitored communication between the first device and the presented honeypot network service. The system may initiate measures to protect the network from the compromised first device.
-