-
Publication (Announcement) No.: US11552962B2
Publication (Announcement) Date: 2023-01-10
Application No.: US16128953
Filing Date: 2018-09-12
Applicant: Sophos Limited
Inventors: Joshua Daniel Saxe , Andrew J. Thomas , Russell Humphries , Simon Neil Reed , Kenneth D. Ray , Joseph H. Levy
IPC Classification: H04L9/40 , G06N5/04 , G06N20/00 , G06F17/18 , G06F21/56 , G06Q10/06 , G06F16/955 , G06F11/07 , G06K9/62 , G06N7/00 , G06F21/55 , G06F9/54 , G06N5/00 , G06N5/02 , G06N20/20 , G06V10/44 , G06V20/52
Abstract: An ensemble of detection techniques is used to identify code that presents intermediate levels of threat. For example, an ensemble of machine learning techniques may be used to evaluate suspiciousness based on binaries, file paths, behaviors, reputations, and so forth, and code may be sorted into safe, unsafe, intermediate, or any similar categories. By filtering and prioritizing intermediate threats with these tools, human threat intervention can advantageously be directed toward code samples and associated contexts most appropriate for non-automated responses.
-
Publication (Announcement) No.: US20220191225A1
Publication (Announcement) Date: 2022-06-16
Application No.: US17687884
Filing Date: 2022-03-07
Applicant: Sophos Limited
Inventors: Kenneth D. Ray
IPC Classification: H04L9/40
Abstract: A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
-
Publication (Announcement) No.: US20220156399A1
Publication (Announcement) Date: 2022-05-19
Application No.: US17592734
Filing Date: 2022-02-04
Applicant: Sophos Limited
Inventors: Karl Ackerman , Russell Humphries , Daniel Salvatore Schiappa , Kenneth D. Ray , Andrew J. Thomas
IPC Classification: G06F21/62 , H04L9/40 , G06N20/00 , G06F16/93 , G06F16/28 , G06F16/13 , G06F21/64 , H04L9/32 , H04L41/00 , H04L41/22
Abstract: A ledger stores chain of custody information for files throughout an enterprise network. By identifying files with a homologous identifier such as a fuzzy hash that permits piecewise evaluation of similarity, the ledger can be used to track a chain of custody over a sequence of changes in content, ownership, and file properties. The ledger can be used, e.g., to evaluate trustworthiness of a file the first time it is encountered by an endpoint, or to apply enterprise policies based on trust.
-
Publication (Announcement) No.: US11288385B2
Publication (Announcement) Date: 2022-03-29
Application No.: US16165417
Filing Date: 2018-10-19
Applicant: Sophos Limited
Inventors: Karl Ackerman , Russell Humphries , Daniel Salvatore Schiappa , Kenneth D. Ray , Andrew J. Thomas
IPC Classification: G06F21/62 , H04L29/06 , G06N20/00 , G06F16/93 , G06F16/28 , G06F16/13 , G06F21/64 , H04L9/32 , H04L41/00 , H04L41/22
Abstract: A ledger stores chain of custody information for files throughout an enterprise network. By identifying files with a homologous identifier such as a fuzzy hash that permits piecewise evaluation of similarity, the ledger can be used to track a chain of custody over a sequence of changes in content, ownership, and file properties. The ledger can be used, e.g., to evaluate trustworthiness of a file the first time it is encountered by an endpoint, or to apply enterprise policies based on trust.
-
Publication (Announcement) No.: US11271950B2
Publication (Announcement) Date: 2022-03-08
Application No.: US15945166
Filing Date: 2018-04-04
Applicant: Sophos Limited
IPC Classification: H04L29/06
Abstract: Endpoints within a subnet of a heterogeneous network are configured to cooperatively respond to internal or external notifications of compromise in order to protect the endpoints within the subnet and throughout the enterprise network. For example, each endpoint may be configured to self-isolate when a local security agent detects a compromise, and to shun one of the other endpoints in response to a corresponding notification of compromise in order to prevent the other, compromised endpoint from communicating with other endpoints and further compromising other endpoints either within the subnet or throughout the enterprise network.
-
Publication (Announcement) No.: US11258821B2
Publication (Announcement) Date: 2022-02-22
Application No.: US16224258
Filing Date: 2018-12-18
Applicant: Sophos Limited
IPC Classification: H04L29/06 , G06F11/00 , G06F21/56 , G06F21/55 , G06F21/44 , G06F21/57 , G06F21/64 , H04L41/142 , H04L43/10 , H04L67/104 , G06F21/45 , G06F21/40 , G06F21/43 , H04L9/32 , H04L41/0631 , H04L51/00
Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
-
Publication (Announcement) No.: US11140195B2
Publication (Announcement) Date: 2021-10-05
Application No.: US15945226
Filing Date: 2018-04-04
Applicant: Sophos Limited
Abstract: An endpoint in an enterprise network is configured to respond to internal and external detections of compromise in a manner that permits the endpoint to cooperate with other endpoints to secure the enterprise network. For example, the endpoint may be configured to self-isolate when local monitoring detects a compromise on the endpoint, and to respond to an external notification of compromise of another endpoint by restricting communications with that other endpoint.
-
Publication (Announcement) No.: US20200074336A1
Publication (Announcement) Date: 2020-03-05
Application No.: US16128953
Filing Date: 2018-09-12
Applicant: Sophos Limited
Inventors: Joshua Daniel Saxe , Andrew J. Thomas , Russell Humphries , Simon Neil Reed , Kenneth D. Ray , Joseph H. Levy
Abstract: An ensemble of detection techniques is used to identify code that presents intermediate levels of threat. For example, an ensemble of machine learning techniques may be used to evaluate suspiciousness based on binaries, file paths, behaviors, reputations, and so forth, and code may be sorted into safe, unsafe, intermediate, or any similar categories. By filtering and prioritizing intermediate threats with these tools, human threat intervention can advantageously be directed toward code samples and associated contexts most appropriate for non-automated responses.
-
Publication (Announcement) No.: US10516682B2
Publication (Announcement) Date: 2019-12-24
Application No.: US15946026
Filing Date: 2018-04-05
Applicant: Sophos Limited
Inventors: Beata Ladnai , Mark David Harris , Andrew J. Thomas , Andrew G. P. Smith , Russell Humphries , Kenneth D. Ray
IPC Classification: H04L29/06 , G06F16/901 , G06Q10/06 , G06Q50/26
Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
-
Publication (Announcement) No.: US10516531B2
Publication (Announcement) Date: 2019-12-24
Application No.: US16111322
Filing Date: 2018-08-24
Applicant: Sophos Limited
Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.