Patents by Inventor Kenneth D. Ray

Kenneth D. Ray has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240062133
    Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.
    Type: Application
    Filed: September 7, 2023
    Publication date: February 22, 2024
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Publication number: 20240037477
    Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.
    Type: Application
    Filed: August 14, 2023
    Publication date: February 1, 2024
    Inventors: Beata Ladnai, Mark D. Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
  • Patent number: 11853425
    Abstract: Malware uses various techniques to detect a sandbox environment so that malicious code can avoid execution in closely monitored contexts that might otherwise trigger detection and remediation. A security system is dynamically updated to exploit these anti-sandbox techniques, e.g., by causing endpoints to mimic sandbox environments in a manner that discourages malware execution on the endpoint, and by updating sandboxes to alter or hide sandbox detection triggers.
    Type: Grant
    Filed: October 9, 2020
    Date of Patent: December 26, 2023
    Assignee: Sophos Limited
    Inventors: Ross McKerchar, Erik Jan Loman, Simon Neil Reed, Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman
  • Patent number: 11853414
    Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.
    Type: Grant
    Filed: November 16, 2021
    Date of Patent: December 26, 2023
    Assignee: Sophos Limited
    Inventors: Erik Jan Loman, Lute Edwin Engels, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11843631
    Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.
    Type: Grant
    Filed: July 8, 2021
    Date of Patent: December 12, 2023
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20230385447
    Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.
    Type: Application
    Filed: August 14, 2023
    Publication date: November 30, 2023
    Inventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11755974
    Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: September 12, 2023
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Patent number: 11741222
    Abstract: Attachments or other documents can be transmitted to a sandbox environment where they can be concurrently opened for remote preview from an endpoint and scanned for possible malware. A gateway or other intermediate network element may enforce this process by replacing attachments, for example, in incoming electronic mail communications, with links to a document preview hosted in the sandbox environment.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: August 29, 2023
    Assignee: Sophos Limited
    Inventors: Ross McKerchar, John Edward Tyrone Shaw, Andrew J. Thomas, Russell Humphries, Kenneth D. Ray, Daniel Salvatore Schiappa
  • Patent number: 11736522
    Abstract: An endpoint in a network periodically generates a heartbeat encoding health state information and transmits this heartbeat to other network entities. Recipients of the heartbeat may use the health state information to independently make decisions about communications with the source endpoint, for example, by isolating the endpoint to prevent further communications with other devices sharing the network with the endpoint. Isolation may be coordinated by a firewall or gateway for the network, or independently by other endpoints that receive a notification of the compromised health state.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: August 22, 2023
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Kenneth D. Ray, Karl Ackerman
  • Patent number: 11727333
    Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.
    Type: Grant
    Filed: March 28, 2022
    Date of Patent: August 15, 2023
    Assignee: Sophos Limited
    Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
  • Patent number: 11727143
    Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: August 15, 2023
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11722521
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Grant
    Filed: February 8, 2022
    Date of Patent: August 8, 2023
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 11720844
    Abstract: In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: August 8, 2023
    Assignee: Sophos Limited
    Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
  • Patent number: 11716351
    Abstract: A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detecting by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.
    Type: Grant
    Filed: July 8, 2021
    Date of Patent: August 1, 2023
    Assignee: Sophos Limited
    Inventors: Harald Schütz, Andreas Berger, Russell Humphries, Mark D. Harris, Kenneth D. Ray
  • Publication number: 20230216883
    Abstract: Possible Denial of Service (DoS) activity is detected and remediated based on an initial heartbeat failure from a network asset, followed by externally directed network traffic from the network asset. In general, an interruption of the heartbeat can signal the possible presence of malware on the network asset, and the externally directed network traffic, and particularly certain patterns of traffic such as a high volume of traffic toward an address with a known, good reputation, can signal the possible presence of a DoS bot on the network asset that is sourcing the network traffic.
    Type: Application
    Filed: March 7, 2023
    Publication date: July 6, 2023
    Inventor: Kenneth D. Ray
  • Publication number: 20230214514
    Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.
    Type: Application
    Filed: March 7, 2023
    Publication date: July 6, 2023
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Publication number: 20230208879
    Abstract: Disclosed herein is a technique for detecting potential phishing attacks by monitoring outbound web traffic from an endpoint, along with inbound electronic mail traffic addressed to a user of the endpoint. With this information, a search can be performed for possible sources in the web traffic of a request for a hyperlink located in the inbound mail traffic, and when no source is located, phishing remediation can be performed, including restrictions on access to the hyperlink at an endpoint operated by the user.
    Type: Application
    Filed: March 2, 2023
    Publication date: June 29, 2023
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Publication number: 20230185945
    Abstract: A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.
    Type: Application
    Filed: January 13, 2023
    Publication date: June 15, 2023
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11657174
    Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.
    Type: Grant
    Filed: June 24, 2021
    Date of Patent: May 23, 2023
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11621968
    Abstract: A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: April 4, 2023
    Assignee: Sophos Limited
    Inventor: Kenneth D. Ray