Key management for compromised enterprise endpoints

Assignee

• Sophos Limited · GB

Inventors

• Harald Schütz · Linz, AT
• Andrew J. Thomas · Woodstock, GB
• Kenneth D. Ray · Seattle, US
• Daniel Salvatore Schiappa · Bellevue, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/2113
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.