US 11,683,329 B2
Detecting malicious activity on an endpoint based on real-time system events
Roni Moshitzky, Rehovot (IL); Elad Wexler, Givatym (IL); Marat Khousid, Rehovot (IL); and Guy Pilosof, Shoham (IL)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Feb. 25, 2020, as Appl. No. 16/800,333.
Prior Publication US 2021/0266339 A1, Aug. 26, 2021
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/0254 (2013.01); H04L 63/0263 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01)] 21 Claims
OG exemplary drawing
 
1. A system, comprising:
a processor configured to:
monitor an endpoint for malicious activity using an endpoint agent to perform behavioral threat protection by continuously monitoring activities on the endpoint to identify and analyze a set of real-time system events that are associated with a causality event chain, wherein the endpoint comprises a local device;
filter file system related events, process related events, network related events, and operating system (OS) private application programming interface (API) events based on a filtering policy to filter out events that are noisy and/or are not useful indicators for malware detection using causality event chains, wherein at least the following events are filtered out: predetermined registry key hives and duplicate file-reads;
detect malicious activity associated with an application on the endpoint based on the causality event chain using the endpoint agent based on a set of rules, wherein the causality event chain is inspected to detect malicious activity based on a pattern of events as opposed to only inspecting each system event individually, wherein the set of rules includes one or more updated detection rules provided as an update to the endpoint agent without requiring a binary or code update, and wherein the set of rules are compiled into a lookup tree for pattern matching using the lookup tree to facilitate optimized detection logic;
in response to detecting malicious activity on the endpoint based on the causality event chain using the endpoint agent, perform a security response based on a security policy that includes the one or more updated detection rules provided as the update to the endpoint agent; and
a memory coupled to the processor and configured to provide the processor with instructions.
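The detection pipeline claim 1 describes (filtering policy, causality event chain, rule set compiled into a lookup tree, pattern match over the chain rather than per event), as an added Python example that is not code from the patent or from any Palo Alto Networks product. Event field names, the "tag" normalisation, the noisy hive prefix and the single rule are assumptions constructed for the example.

```python
NOISY_HIVES = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer",)  # hypothetical noise hives
def filter_events(events):  # filtering policy: drop noisy-hive registry events and duplicate file-reads
    seen, kept = set(), []
    for ev in events:
        key = (ev["type"], ev["pid"], ev["target"])
        noisy = ev["type"] == "registry" and ev["target"].startswith(NOISY_HIVES)
        if not noisy and not (ev["type"] == "file_read" and key in seen):
            kept.append(ev)
        seen.add(key)
    return kept
def causality_chains(events):  # one causality event chain per root of the observed process tree
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}
    def root(pid):  # climb while the parent's own start was observed
        return root(parent[pid]) if parent.get(pid) in parent else pid
    chains = {}
    for ev in events:
        chains.setdefault(root(ev["pid"]), []).append(ev)
    return chains
def compile_rules(rules):  # rules are data (updatable without a binary change) -> lookup tree
    tree = {}
    for name, pattern in rules.items():
        node = tree
        for sig in pattern:
            node = node.setdefault(sig, {})
        node.setdefault("$", []).append(name)
    return tree
def match_chain(tree, chain):  # rules whose signatures occur in order within the chain
    active, hits = {id(tree): tree}, set()
    for ev in chain:
        sig = (ev["type"], ev.get("tag", ""))
        for node in list(active.values()):
            if sig in node:
                hits.update(node[sig].get("$", []))
                active[id(node[sig])] = node[sig]  # earlier nodes stay: later events may extend them
    return sorted(hits)
def detect(events, tree):  # filter -> chains -> tree match; returns {root_pid: [rule names]}
    chains = causality_chains(filter_events(events))
    return {pid: m for pid, c in chains.items() if (m := match_chain(tree, c))}
RULES = {"doc_shell_drop_connect": [("process_create", "document"), ("process_create", "shell"),
                                    ("file_write", "executable"), ("network_connect", "")]}
SAMPLE = [  # constructed events: a document viewer spawns a shell that drops a binary and connects out
    {"type": "process_create", "pid": 10, "ppid": 1, "target": "viewer.exe", "tag": "document"},
    {"type": "registry", "pid": 10, "target": NOISY_HIVES[0] + "\\RecentDocs"},
    {"type": "file_read", "pid": 10, "target": "C:\\docs\\report.docx"},
    {"type": "file_read", "pid": 10, "target": "C:\\docs\\report.docx"},  # duplicate read
    {"type": "process_create", "pid": 11, "ppid": 10, "target": "shell.exe", "tag": "shell"},
    {"type": "file_write", "pid": 11, "target": "C:\\Temp\\dropped.exe", "tag": "executable"},
    {"type": "network_connect", "pid": 11, "target": "203.0.113.5:443"},
    {"type": "network_connect", "pid": 20, "target": "203.0.113.5:443"},  # alone: no match
]
```

`detect(SAMPLE, compile_rules(RULES))` flags only the chain rooted at pid 10; the identical outbound connection from pid 20 is not flagged because no causality chain pattern leads to it, which is the per-chain rather than per-event inspection the claim describes.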