Patents by Inventor Kenneth D. Ray

Kenneth D. Ray has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250124382
    Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.
    Type: Application
    Filed: August 20, 2024
    Publication date: April 17, 2025
    Inventors: Beata Ladnai, Mark D. Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
  • Patent number: 12273382
    Abstract: Security is improved by adding a security heartbeat for an endpoint as a factor in a multi-factor authentication system. The security heartbeat may be used directly as an authentication factor, e.g., where the heartbeat provides a reliable and verifiable indication of identity, or the security heartbeat may be used as a gating input for some other verification method, e.g., where a text message with a temporary security code can only be transmitted to a user when the user's endpoint is providing a secure heartbeat.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: April 8, 2025
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, John Edward Tyrone Shaw, Craig Paradis, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 12261824
    Abstract: An application executing on an endpoint accesses remote resources using a gateway. In response to a requested remote access, the application may be marked with a descriptor that specifies a target action and a pattern of occurrences of the target action. When a second observable action on the endpoint includes the pattern of events following the first observable action, a reportable event may be generated indicating a compromised state of the endpoint. The gateway can then regulate usage of the remote resource based on the reportable event.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: March 25, 2025
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Neil Robert Tyndale Watkiss, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 12244641
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Grant
    Filed: August 3, 2023
    Date of Patent: March 4, 2025
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 12218977
    Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may selectively direct the device to a portal that provides support to the user of the device while the device awaits admission to the enterprise network. As the user interacts with the portal, the portal may manage admission of unrecognized devices onto the enterprise network while making efficient use of network administrator resources.
    Type: Grant
    Filed: April 15, 2022
    Date of Patent: February 4, 2025
    Assignee: Sophos Limited
    Inventors: John Edward Tyrone Shaw, Ross McKerchar, Moritz Daniel Grimm, Jan Karl Heinrich Weber, Shail R. Talati, Kenneth D. Ray, Andrew J. Thomas
  • Publication number: 20240427930
    Abstract: An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.
    Type: Application
    Filed: June 28, 2024
    Publication date: December 26, 2024
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman
  • Publication number: 20240311503
    Abstract: A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.
    Type: Application
    Filed: May 23, 2024
    Publication date: September 19, 2024
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Publication number: 20240314148
    Abstract: Possible Denial of Service (DoS) activity is detected and remediated based on an initial heartbeat failure from a network asset, followed by externally directed network traffic from the network asset. In general, an interruption of the heartbeat can signal the possible presence of malware on the network asset, and the externally directed network traffic, and particularly certain patterns of traffic such as a high volume of traffic toward an address with a known, good reputation, can signal the possible presence of a DoS bot on the network asset that is sourcing the network traffic.
    Type: Application
    Filed: May 23, 2024
    Publication date: September 19, 2024
    Inventor: Kenneth D. Ray
  • Patent number: 12079757
    Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.
    Type: Grant
    Filed: August 14, 2023
    Date of Patent: September 3, 2024
    Assignee: Sophos Limited
    Inventors: Beata Ladnai, Mark D. Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
  • Patent number: 12052272
    Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
    Type: Grant
    Filed: July 9, 2021
    Date of Patent: July 30, 2024
    Assignee: Sophos Limited
    Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
  • Patent number: 12050715
    Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.
    Type: Grant
    Filed: August 14, 2023
    Date of Patent: July 30, 2024
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 12026276
    Abstract: An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: July 2, 2024
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman
  • Publication number: 20240214420
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Application
    Filed: August 3, 2023
    Publication date: June 27, 2024
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 12021831
    Abstract: A gateway or other network device may be configured to monitor endpoint behavior, and to request a verification of user presence at the endpoint under certain conditions suggesting, e.g., malware or other endpoint compromise. For example, when a network request is directed to a low-reputation or unknown network address, user presence may be verified to ensure that this action was initiated by a human user rather than automatically by malware or the like. User verification may be implicit, based on local behavior such as keyboard or mouse activity, or the user verification may be explicit, such as where a notification is presented on a display of the endpoint requesting user confirmation to proceed.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: June 25, 2024
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Mark David Harris, Kenneth D. Ray
  • Patent number: 11997117
    Abstract: Possible Denial of Service (DoS) activity is detected and remediated based on an initial heartbeat failure from a network asset, followed by externally directed network traffic from the network asset. In general, an interruption of the heartbeat can signal the possible presence of malware on the network asset, and the externally directed network traffic, and particularly certain patterns of traffic such as a high volume of traffic toward an address with a known, good reputation, can signal the possible presence of a DoS bot on the network asset that is sourcing the network traffic.
    Type: Grant
    Filed: March 7, 2023
    Date of Patent: May 28, 2024
    Assignee: Sophos Limited
    Inventor: Kenneth D. Ray
  • Patent number: 11995205
    Abstract: A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.
    Type: Grant
    Filed: January 13, 2023
    Date of Patent: May 28, 2024
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11989326
    Abstract: A compute instance may be configured to extract a feature of a data instance accessed by the compute instance, generate an anonymized feature value for the feature of the data instance, include the anonymized feature value in a feature vector corresponding to the data instance, and transmit the feature vector to a server-based computing system.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: May 21, 2024
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Kenneth D. Ray, Joshua Daniel Saxe
  • Publication number: 20240112115
    Abstract: In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.
    Type: Application
    Filed: August 3, 2023
    Publication date: April 4, 2024
    Inventors: Beata Ladnai, Mark D. Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
  • Patent number: 11928231
    Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.
    Type: Grant
    Filed: March 7, 2023
    Date of Patent: March 12, 2024
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11916907
    Abstract: Where a single networked security service supports multiple enterprises, this security service can operate as a shared source of trust so that security devices associated with one enterprise can provide authenticated, policy-based management of computing devices associated with another enterprise. For example, an enterprise firewall can advantageously manage network access for a new device based on a shared and authenticated relationship with the networked security service.
    Type: Grant
    Filed: July 8, 2020
    Date of Patent: February 27, 2024
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Moritz Daniel Grimm, Thomas Rolf-Werner Eckert, Kenneth D. Ray