Labeling objects on an endpoint for encryption management

Assignee

• Sophos Limited · GB

Inventors

• Kenneth D. Ray · Seattle, US
• Daniel Salvatore Schiappa · Bellevue, US
• Simon Neil Reed · Wokingham, GB
• Mark David Harris · Banbury, GB
• Neil Robert Tyndale Watkiss · Felton, GB
• Andrew J. Thomas · Woodstock, GB
• Robert W. Cook · North Vancouver, CA
• Harald Schütz · Linz, AT
• John Edward Tyrone Shaw · Felton, GB
• Anthony John Merry · Kessel-Lo, BE

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/06
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.