-
Publication No.: US11727333B2
Publication Date: 2023-08-15
Application No.: US17705640
Filing Date: 2022-03-28
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
IPC Classification: G06F11/07, H04L9/40, G06F21/55, G06F9/54, G06F21/56, G06Q10/0635, G06N5/046, G06N20/00, G06F17/18, G06Q10/0639, G06F16/955, G06N7/00, G06N5/04, G06N5/022, G06N20/20, G06V20/52, G06F18/214, G06F18/21, G06F18/23213, G06F18/2413, G06N5/01, G06Q30/018, G06Q30/0283
CPC Classification: G06Q10/0635, G06F9/542, G06F11/079, G06F16/955, G06F17/18, G06F18/214, G06F18/2178, G06F18/23213, G06F18/24143, G06F21/554, G06F21/56, G06F21/562, G06F21/565, G06N5/01, G06N5/022, G06N5/04, G06N5/046, G06N7/00, G06N20/00, G06N20/20, G06Q10/06395, G06V20/52, H04L63/0227, H04L63/0263, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441, H04L63/20, G06Q30/0185, G06Q30/0283
Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.
-
Publication No.: US20230118204A1
Publication Date: 2023-04-20
Application No.: US18084825
Filing Date: 2022-12-20
Applicant: Sophos Limited
Abstract: A multi-endpoint event graph causally relates a sequence of events among a number of computing objects at a number of logical locations including multiple endpoints in an enterprise network. The multi-endpoint event graph is used to detect malware based on malicious software moving through the enterprise network.
-
Publication No.: US10516682B2
Publication Date: 2019-12-24
Application No.: US15946026
Filing Date: 2018-04-05
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
IPC Classification: H04L29/06, G06F16/901, G06Q10/06, G06Q50/26
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
-
Publication No.: US10417419B2
Publication Date: 2019-09-17
Application No.: US15924460
Filing Date: 2018-03-19
Applicant: Sophos Limited
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.
-
Publication No.: US20220070184A1
Publication Date: 2022-03-03
Application No.: US17371864
Filing Date: 2021-07-09
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
IPC Classification: H04L29/06, G06F16/901, G06Q10/06, G06Q50/26
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
-
Publication No.: US20200076834A1
Publication Date: 2020-03-05
Application No.: US16129113
Filing Date: 2018-09-12
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
Abstract: Activity on an endpoint is monitored in two stages with a local agent. In a first stage, particular computing objects on the endpoint are selected for tracking. In a second stage, particular types of changes to those objects are selected. By selecting objects and object changes in this manner, a compact data stream of information highly relevant to threat detection can be provided from an endpoint to a central threat management facility. At the same time, a local data recorder creates a local record of a wider range of objects and changes. The system may support forensic activity by facilitating queries to the local data recorder on the endpoint to retrieve more complete records of local activity when the compact data stream does not adequately characterize a particular context.
-
Publication No.: US20200076833A1
Publication Date: 2020-03-05
Application No.: US16129087
Filing Date: 2018-09-12
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
Abstract: Activity on an endpoint is monitored in two stages with a local agent. In a first stage, particular computing objects on the endpoint are selected for tracking. In a second stage, particular types of changes to those objects are selected. By selecting objects and object changes in this manner, a compact data stream of information highly relevant to threat detection can be provided from an endpoint to a central threat management facility. In order to support dynamic threat response, the locus and level of detection applied by the local agent can be controlled by the threat management facility and/or the endpoint.
-
Publication No.: US20190258800A1
Publication Date: 2019-08-22
Application No.: US16401565
Filing Date: 2019-05-02
Applicant: Sophos Limited
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.
-
Publication No.: US09967267B2
Publication Date: 2018-05-08
Application No.: US15130244
Filing Date: 2016-04-15
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
CPC Classification: H04L63/1416, G06F17/30958, G06Q10/063, G06Q50/26, H04L63/1425, H04L63/1433, H04L63/145, H04L63/20
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
-
Publication No.: US20170302685A1
Publication Date: 2017-10-19
Application No.: US15130244
Filing Date: 2016-04-15
Applicant: Sophos Limited
Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
CPC Classification: H04L63/1416, G06F17/30958, G06Q10/063, G06Q50/26, H04L63/1425, H04L63/1433, H04L63/145, H04L63/20
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.