Patents by Inventor Kenneth D. Ray

Kenneth D. Ray has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11297073
    Abstract: Activity on an endpoint is monitored in two stages with a local agent. In a first stage, particular computing objects on the endpoint are selected for tracking. In a second stage, particular types of changes to those objects are selected. By selecting objects and object changes in this manner, a compact data stream of information highly relevant to threat detection can be provided from an endpoint to a central threat management facility. At the same time, a local data recorder creates a local record of a wider range of objects and changes. The system may support forensic activity by facilitating queries to the local data recorder on the endpoint to retrieve more complete records of local activity when the compact data stream does not adequately characterize a particular context.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: April 5, 2022
    Assignee: Sophos Limited
    Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
  • Patent number: 11288385
    Abstract: A ledger stores chain of custody information for files throughout an enterprise network. By identifying files with a homologous identifier such as a fuzzy hash that permits piecewise evaluation of similarity, the ledger can be used to track a chain of custody over a sequence of changes in content, ownership, and file properties. The ledger can be used, e.g., to evaluate trustworthiness of a file the first time it is encountered by an endpoint, or to apply enterprise policies based on trust.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: March 29, 2022
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Russell Humphries, Daniel Salvatore Schiappa, Kenneth D. Ray, Andrew J. Thomas
  • Patent number: 11277416
    Abstract: An enterprise security system is improved by instrumenting endpoints to explicitly label network flows according to sources of network traffic. When a network message from an endpoint is received at a gateway, firewall, or other network device/service, the network message may be examined to determine the application on the endpoint that originated the request, and this source information may be used to control routing or other handling of the network message.
    Type: Grant
    Filed: April 22, 2016
    Date of Patent: March 15, 2022
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Mark David Harris
  • Publication number: 20220075868
    Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.
    Type: Application
    Filed: November 16, 2021
    Publication date: March 10, 2022
    Inventors: Erik Jan Loman, Lute Edwin Engels, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11271950
    Abstract: Endpoints within a subnet of a heterogeneous network are configured to cooperatively respond to internal or external notifications of compromise in order to protect the endpoints within the subnet and throughout the enterprise network. For example, each endpoint may be configured to self-isolate when a local security agent detects a compromise, and to shun one of the other endpoints in response to a corresponding notification of compromise in order to prevent the other, compromised endpoint from communicating with other endpoints and further compromising other endpoints either within the subnet or throughout the enterprise network.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: March 8, 2022
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20220070184
    Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
    Type: Application
    Filed: July 9, 2021
    Publication date: March 3, 2022
    Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
  • Patent number: 11258821
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: February 22, 2022
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Publication number: 20220014522
    Abstract: Where a single networked security service supports multiple enterprises, this security service can operate as a shared source of trust so that security devices associated with one enterprise can provide authenticated, policy-based management of computing devices associated with another enterprise. For example, an enterprise firewall can advantageously manage network access for a new device based on a shared and authenticated relationship with the networked security service.
    Type: Application
    Filed: July 8, 2020
    Publication date: January 13, 2022
    Inventors: Andrew J. Thomas, Moritz Daniel Grimm, Thomas Rolf-Werner Eckert, Kenneth D. Ray
  • Publication number: 20210400070
    Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.
    Type: Application
    Filed: June 9, 2021
    Publication date: December 23, 2021
    Inventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20210400071
    Abstract: An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.
    Type: Application
    Filed: June 9, 2021
    Publication date: December 23, 2021
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman
  • Patent number: 11194900
    Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.
    Type: Grant
    Filed: April 14, 2020
    Date of Patent: December 7, 2021
    Assignee: Sophos Limited
    Inventors: Erik Jan Loman, Lute Edwin Engels, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11184391
    Abstract: An endpoint in a network periodically generates a heartbeat encoding health state information and transmits this heartbeat to other network entities. Recipients of the heartbeat may use the health state information to independently make decisions about communications with the source endpoint, for example, by isolating the endpoint to prevent further communications with other devices sharing the network with the endpoint. Isolation may be coordinated by a firewall or gateway for the network, or independently by other endpoints that receive a notification of the compromised health state.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: November 23, 2021
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Kenneth D. Ray, Karl Ackerman
  • Publication number: 20210342467
    Abstract: Entity models are used to evaluate potential risk of entities, either individually or in groups, in order to evaluate suspiciousness within an enterprise network. These individual or aggregated risk assessments can be used to adjust the security policy for compute instances within the enterprise network. A security policy may specify security settings such as network speed, filtering levels, network isolation, levels of privilege, and the like.
    Type: Application
    Filed: July 13, 2021
    Publication date: November 4, 2021
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Publication number: 20210344707
    Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.
    Type: Application
    Filed: July 8, 2021
    Publication date: November 4, 2021
    Inventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20210344715
    Abstract: A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detecting by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.
    Type: Application
    Filed: July 8, 2021
    Publication date: November 4, 2021
    Inventors: Harald Schütz, Andreas Berger, Russell Humphries, Mark D. Harris, Kenneth D. Ray
  • Patent number: 11165797
    Abstract: In the context of network activity by an endpoint in an enterprise network, malware detection is improved by using a combination of reputation information for a network address that is accessed by the endpoint with reputation information for an application on the endpoint that is accessing the network address. This information, when combined with a network usage history for the application, provides improved differentiation between malicious network activity and legitimate, user-initiated network activity.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: November 2, 2021
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Mark David Harris, Kenneth D. Ray, Andrew J. Thomas, Daniel Stutz
  • Publication number: 20210326467
    Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.
    Type: Application
    Filed: June 24, 2021
    Publication date: October 21, 2021
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11140130
    Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: October 5, 2021
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Neil Robert Tyndale Watkiss, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11140195
    Abstract: An endpoint in an enterprise network is configured to respond to internal and external detections of compromise in a manner that permits the endpoint to cooperate with other endpoints to secure the enterprise network. For example, the endpoint may be configured to self-isolate when local monitoring detects a compromise on the endpoint, and to respond to an external notification of compromise of another endpoint by restricting communications with that other endpoint.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: October 5, 2021
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11134056
    Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the device may be directed to a portal that manages admission of unrecognized devices onto the enterprise network. Based on a response of the unrecognized device to the portal (e.g., if the unrecognized device does not respond to the portal), the device may be listed on an unclaimed device page published by the portal and accessible to authorized users of the enterprise network. An authorized user may claim the unrecognized device from the unclaimed device page and, in the process, may provide additional information regarding the unrecognized device. Once claimed, the previously unrecognized device may be permitted to communicate over the enterprise network.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: September 28, 2021
    Assignee: Sophos Limited
    Inventors: John Edward Tyrone Shaw, Ross McKerchar, Moritz Daniel Grimm, Jan Karl Heinrich Weber, Shail R. Talati, Kenneth D. Ray, Andrew J. Thomas