CPC H04L 63/0263 (2013.01) [H04L 63/10 (2013.01); H04L 63/20 (2013.01)]; 20 Claims

1. A method comprising:
providing a gateway for an endpoint to a network resource;
monitoring use of the gateway by an application executing on the endpoint;
on the endpoint and in response to a first observed action of the application, coloring the application with a descriptor of a context for the first observed action, wherein:
the first observed action corresponds to access to the network resource,
the descriptor includes a target action following the first observed action and a reportable event count of occurrences of the target action,
the descriptor is inheritable by one or more processes associated with the application, and
the descriptor persists through a reboot of the endpoint;
applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a pattern of occurrences of the target action following the first observed action with a count of occurrences meeting a threshold based on the reportable event count of the target action that, in combination with the first observed action, indicate a compromised state of the endpoint;
communicating the reportable event including the count of occurrences of the target action through a network from the endpoint to the gateway; and
limiting access by the application through the gateway to the network resource based on the reportable event.
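The claimed sequence (colouring the application on its first network access, a descriptor that child processes inherit and that persists through a reboot, counting the target action against the descriptor's reportable event count, communicating the event to the gateway, and the gateway limiting access) as an added Python illustration that is not the patent's or any implementation's code; the class and action names, the resource name, the threshold of 3 and the sample events are constructed assumptions.

```python
# Added example, not the patent's code; names, the resource, the threshold 3 and events are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Descriptor:
    context: str           # context of the first observed action (the resource reached)
    target_action: str     # target action expected to follow the first observed action
    reportable_count: int  # occurrences of target_action that make a reportable event

class Gateway:             # gateway between the endpoint and the network resource
    def __init__(self):
        self.reports, self.limited = [], set()
    def receive(self, event):   # reportable event communicated by the endpoint
        self.reports.append(event)
        self.limited.add(event["app"])
    def allows(self, app):      # access is limited once the application was reported
        return app not in self.limited

class Endpoint:
    def __init__(self, gateway):
        self.gateway = gateway
        self.store = {}   # app -> [Descriptor, count]; persists through reboot()
        self.procs = {}   # pid -> app; runtime process table, lost on reboot()
    def reboot(self):
        self.procs.clear()
    def observe(self, pid, action, arg=None, app=None):  # returns a reportable event or None
        app = self.procs.setdefault(pid, app)
        if app not in self.store:
            if action == "network_access":   # first observed action: colour the application
                self.store[app] = [Descriptor(f"access:{arg}", "spawn_process", 3), 0]
            return None
        desc, count = self.store[app]
        if action == "spawn_process":        # child process inherits the application's descriptor
            self.procs[arg] = app
        if action != desc.target_action:
            return None
        count = self.store[app][1] = count + 1
        if count < desc.reportable_count:    # rule dependent on the descriptor: threshold not met
            return None
        event = {"app": app, "context": desc.context, "target_action": desc.target_action, "count": count}
        self.gateway.receive(event)          # communicate the reportable event to the gateway
        return event

def demo():
    ep = Endpoint(Gateway())
    ep.observe(100, "network_access", "files.example.internal", app="updater")
    ep.observe(100, "spawn_process", 101)
    ep.reboot()                                       # descriptor and count survive the reboot
    ep.observe(200, "spawn_process", 201, app="updater")
    return ep.gateway, ep.observe(201, "spawn_process", 202)  # inherited child's spawn meets it
```

Running demo() reports the third spawn with its count of 3 and leaves the gateway refusing "updater" while still allowing applications that were never reported.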