Patents by Inventor Karl Ackerman
Karl Ackerman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11853425Abstract: Malware uses various techniques to detect a sandbox environment so that malicious code can avoid execution in closely monitored contexts that might otherwise trigger detection and remediation. A security system is dynamically updated to exploit these anti-sandbox techniques, e.g., by causing endpoints to mimic sandbox environments in a manner that discourages malware execution on the endpoint, and by updating sandboxes to alter or hide sandbox detection triggers.Type: GrantFiled: October 9, 2020Date of Patent: December 26, 2023Assignee: Sophos LimitedInventors: Ross McKerchar, Erik Jan Loman, Simon Neil Reed, Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman
-
Patent number: 11843631Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.Type: GrantFiled: July 8, 2021Date of Patent: December 12, 2023Assignee: Sophos LimitedInventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
-
Patent number: 11836664Abstract: In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.Type: GrantFiled: June 9, 2020Date of Patent: December 5, 2023Assignee: Sophos LimitedInventors: Karl Ackerman, Russell Humphries, Mark Anthony Russo, Andrew J. Thomas
-
Publication number: 20230385447Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.Type: ApplicationFiled: August 14, 2023Publication date: November 30, 2023Inventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
-
Publication number: 20230344726Abstract: A computer-implemented method includes training a machine-learning model, using a training dataset that distinguishes between critical systems and non-critical systems, to classify a particular computer system as critical or non-critical, wherein a label is applied to the particular computer system during the training that identifies the particular computer system as critical or non-critical, and wherein parameters that describe the critical systems or non-critical systems are used as features during the training. The method further includes receiving an input dataset that describes a plurality of computer systems in the enterprise environment.Type: ApplicationFiled: May 17, 2023Publication date: October 26, 2023Applicant: SOPHOS LIMITEDInventor: Karl Ackerman
-
Publication number: 20230336575Abstract: Various aspects related to threat management are disclosed. An example method includes monitoring network traffic on a computer network that includes a plurality of endpoints, identifying a software application executing on at least one endpoint from one or more of the sent data or the received data, where execution of the software application is associated with a startup time window and a post-startup time window, determining a security status score for the at least one endpoint based on a comparison of the sent data and the received data with a known pattern of network activity associated with the software application, wherein the known pattern of network activity is based upon the startup time window of the software application, determining a threat status for the at least one endpoint based on the security status score, and, generating an indication of the threat status for the at least one endpoint.Type: ApplicationFiled: April 19, 2022Publication date: October 19, 2023Applicant: SOPHOS LIMITEDInventor: Karl Ackerman
-
Publication number: 20230308460Abstract: When security-related behavior is detected on an endpoint, e.g., through a local security agent executing on the endpoint, a threat management facility associated with the endpoint can interact with a user via a second local security agent on a second endpoint in order to solicit verification, authorization, authentication or the like related to the behavior. In one aspect, an administrator for an enterprise managed by the threat management facility may verify, authorize, or otherwise approve the detected behavior using this technique. In another aspect, a user of the device may use this infrastructure to approve of a potentially risky behavior on one device by using a verification procedure on a second device associated with the user.Type: ApplicationFiled: April 21, 2023Publication date: September 28, 2023Inventors: Andrew J. Thomas, Johan Petter Nordwall, Karl Ackerman, Thomas John Walsh, Christoph Georg Hoyer, Mirco Stratmann, Kerav Vaidya
-
Patent number: 11736522Abstract: An endpoint in a network periodically generates a heartbeat encoding health state information and transmits this heartbeat to other network entities. Recipients of the heartbeat may use the health state information to independently make decisions about communications with the source endpoint, for example, by isolating the endpoint to prevent further communications with other devices sharing the network with the endpoint. Isolation may be coordinated by a firewall or gateway for the network, or independently by other endpoints that receive a notification of the compromised health state.Type: GrantFiled: December 18, 2018Date of Patent: August 22, 2023Assignee: Sophos LimitedInventors: Andrew J. Thomas, Kenneth D. Ray, Karl Ackerman
-
Patent number: 11727143Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.Type: GrantFiled: June 9, 2021Date of Patent: August 15, 2023Assignee: Sophos LimitedInventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
-
Patent number: 11722521Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.Type: GrantFiled: February 8, 2022Date of Patent: August 8, 2023Assignee: Sophos LimitedInventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
-
Patent number: 11695647Abstract: A computer-implemented method includes training a machine-learning model, using a training dataset that distinguishes between critical systems and non-critical systems, to classify a particular computer system as critical or non-critical, wherein a label is applied to the particular computer system during the training that identifies the particular computer system as critical or non-critical, and wherein parameters that describe the critical systems or non-critical systems are used as features during the training. The method further includes receiving an input dataset that describes a plurality of computer systems in the enterprise environment.Type: GrantFiled: March 31, 2022Date of Patent: July 4, 2023Assignee: Sophos LimitedInventor: Karl Ackerman
-
Publication number: 20230208879Abstract: Disclosed herein is a technique for detecting potential phishing attacks by monitoring outbound web traffic from an endpoint, along with inbound electronic mail traffic addressed to a user of the endpoint. With this information, a search can be performed for possible sources in the web traffic of a request for a hyperlink located in the inbound mail traffic, and when no source is located, phishing remediation can be performed, including restrictions on access to the hyperlink at an endpoint operated by the user.Type: ApplicationFiled: March 2, 2023Publication date: June 29, 2023Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
-
Patent number: 11616811Abstract: Phishing attacks attempt to solicit valuable information such as personal information, account credentials, and the like from human users by disguising a malicious request for information as a legitimate inquiry, typically in the form of an electronic mail or similar communication. By tracking a combination of outbound web traffic from an endpoint and inbound electronic mail traffic to the endpoint, improved detection of phishing attacks or similar efforts to wrongly obtain sensitive information can be achieved.Type: GrantFiled: December 18, 2018Date of Patent: March 28, 2023Assignee: Sophos LimitedInventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
-
Publication number: 20220166794Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.Type: ApplicationFiled: February 8, 2022Publication date: May 26, 2022Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
-
Publication number: 20220156399Abstract: A ledger stores chain of custody information for files throughout an enterprise network. By identifying files with a homologous identifier such as a fuzzy hash that permits piecewise evaluation of similarity, the ledger can be used to track a chain of custody over a sequence of changes in content, ownership, and file properties. The ledger can be used, e.g., to evaluate trustworthiness of a file the first time it is encountered by an endpoint, or to apply enterprise policies based on trust.Type: ApplicationFiled: February 4, 2022Publication date: May 19, 2022Inventors: Karl Ackerman, Russell Humphries, Daniel Salvatore Schiappa, Kenneth D. Ray, Andrew J. Thomas
-
Publication number: 20220114257Abstract: Malware uses various techniques to detect a sandbox environment so that malicious code can avoid execution in closely monitored contexts that might otherwise trigger detection and remediation. A security system is dynamically updated to exploit these anti-sandbox techniques, e.g., by causing endpoints to mimic sandbox environments in a manner that discourages malware execution on the endpoint, and by updating sandboxes to alter or hide sandbox detection triggers.Type: ApplicationFiled: October 9, 2020Publication date: April 14, 2022Inventors: Ross McKerchar, Erik Jan Loman, Simon Neil Reed, Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman
-
Patent number: 11288385Abstract: A ledger stores chain of custody information for files throughout an enterprise network. By identifying files with a homologous identifier such as a fuzzy hash that permits piecewise evaluation of similarity, the ledger can be used to track a chain of custody over a sequence of changes in content, ownership, and file properties. The ledger can be used, e.g., to evaluate trustworthiness of a file the first time it is encountered by an endpoint, or to apply enterprise policies based on trust.Type: GrantFiled: October 19, 2018Date of Patent: March 29, 2022Assignee: Sophos LimitedInventors: Karl Ackerman, Russell Humphries, Daniel Salvatore Schiappa, Kenneth D. Ray, Andrew J. Thomas
-
Patent number: 11258821Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.Type: GrantFiled: December 18, 2018Date of Patent: February 22, 2022Assignee: Sophos LimitedInventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
-
Publication number: 20210400070Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.Type: ApplicationFiled: June 9, 2021Publication date: December 23, 2021Inventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
-
Publication number: 20210400071Abstract: An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.Type: ApplicationFiled: June 9, 2021Publication date: December 23, 2021Inventors: Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman