US 12,348,538 B2
Intrusion detection using a heartbeat
Kenneth D. Ray, Seattle, WA (US)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on May 23, 2024, as Appl. No. 18/672,978.
Application 18/672,978 is a continuation of application No. 18/179,830, filed on Mar. 7, 2023, granted, now 11,997,117.
Application 18/179,830 is a continuation of application No. 17/687,884, filed on Mar. 7, 2022, granted, now 11,621,968, issued on Apr. 4, 2023.
Application 17/687,884 is a continuation of application No. 16/872,950, filed on May 12, 2020, granted, now 11,303,654, issued on Apr. 12, 2022.
Application 16/872,950 is a continuation of application No. 15/903,924, filed on Feb. 23, 2018, granted, now 10,673,873, issued on Jun. 2, 2020.
Application 15/903,924 is a continuation of application No. 14/263,966, filed on Apr. 28, 2014, granted, now 9,917,851, issued on Mar. 13, 2018.
Prior Publication US 2024/0314148 A1, Sep. 19, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/0227 (2013.01); H04L 63/0236 (2013.01); H04L 63/1425 (2013.01); H04L 63/145 (2013.01); H04L 63/20 (2013.01)]
20 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, at a gateway, a heartbeat from an endpoint, wherein
the gateway is interposed between an enterprise network and an external network,
the heartbeat is addressed to the gateway,
the heartbeat encodes a security health status of the endpoint evaluated by a local security agent executing on the endpoint, and
the security health status of the heartbeat indicates an uncompromised security health status when no compromise of the endpoint is detected by the local security agent;
detecting a change in the security health status included in the heartbeat at the gateway;
following detecting the change of the security health status included in the heartbeat received at the gateway, receiving, at the gateway, network traffic other than the heartbeat from the endpoint; and
responding to the change in the security health status included in the heartbeat, in combination with the network traffic received following the change, by initiating a remediation of the enterprise network, wherein the remediation includes a quarantine of the endpoint.
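The claim describes a two-step gateway decision: a heartbeat addressed to the gateway reports the endpoint's health as evaluated by its local agent; the gateway records a change away from the uncompromised status; and only when the endpoint then sends traffic other than the heartbeat does the gateway quarantine it. The following is an added illustration of that state machine written for this page; it is not Sophos's implementation and is not taken from the patent. The gateway address, the health status strings, the Event record, and the sample message sequence are all constructed for the example.

```python
"""Gateway-side heartbeat monitor illustrating claim 1 (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

GATEWAY_ADDR = "10.0.0.1"          # assumed gateway address (constructed)
UNCOMPROMISED = "uncompromised"    # assumed status encoding (constructed)
COMPROMISED = "compromised"


@dataclass
class Event:
    """One message seen at the gateway. `health` is set only for heartbeats."""
    src: str                       # endpoint address
    dst: str                       # destination address
    kind: str                      # "heartbeat" or "data" (any non-heartbeat traffic)
    health: Optional[str] = None   # status encoded in a heartbeat


@dataclass
class Gateway:
    last_health: dict = field(default_factory=dict)  # endpoint -> last reported status
    flagged: set = field(default_factory=set)        # status changed; awaiting other traffic
    quarantined: set = field(default_factory=set)    # remediation in effect

    def process(self, ev: Event) -> str:
        """Return the action taken for one event."""
        if ev.src in self.quarantined:
            return "drop"                    # quarantine already applied to this endpoint

        if ev.kind == "heartbeat":
            if ev.dst != GATEWAY_ADDR:
                return "ignore"              # claim requires the heartbeat be addressed to the gateway
            prev = self.last_health.get(ev.src)
            self.last_health[ev.src] = ev.health
            # A "change" needs a prior status: a first-seen compromised heartbeat is
            # not a change under the claim text. Treating it as one is a deployment choice.
            if prev == UNCOMPROMISED and ev.health != UNCOMPROMISED:
                self.flagged.add(ev.src)
                return "flag"
            return "ok"

        # Non-heartbeat traffic: quarantine only if a status change was seen first.
        if ev.src in self.flagged:
            self.flagged.discard(ev.src)
            self.quarantined.add(ev.src)
            return "quarantine"
        return "forward"


def run_trace(events) -> list:
    """Feed a sequence of events through a fresh gateway and collect the actions."""
    gw = Gateway()
    return [gw.process(e) for e in events]


# Constructed sample sequence: endpoint .5 turns compromised and keeps talking,
# endpoint .7 stays healthy, endpoint .9 sends a heartbeat to the wrong host.
SAMPLE = [
    Event("10.0.0.5", GATEWAY_ADDR, "heartbeat", UNCOMPROMISED),
    Event("10.0.0.5", "203.0.113.9", "data"),
    Event("10.0.0.5", GATEWAY_ADDR, "heartbeat", COMPROMISED),
    Event("10.0.0.7", GATEWAY_ADDR, "heartbeat", UNCOMPROMISED),
    Event("10.0.0.5", "203.0.113.9", "data"),
    Event("10.0.0.5", "203.0.113.9", "data"),
    Event("10.0.0.7", "203.0.113.9", "data"),
    Event("10.0.0.9", "10.0.0.2", "heartbeat", COMPROMISED),
]

if __name__ == "__main__":
    for ev, action in zip(SAMPLE, run_trace(SAMPLE)):
        print(f"{ev.src:>9} -> {ev.dst:<12} {ev.kind:<9} {ev.health or '':<13} => {action}")
```

Two points a practitioner should take from the trace: the quarantine is not triggered by the compromised heartbeat alone but by the first subsequent non-heartbeat packet from that endpoint, as the claim is worded; and the claim as quoted covers a change in reported status, not the absence of heartbeats, so an agent that is killed outright before reporting falls outside this particular claim and needs a separate timeout rule.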