Patents by Inventor Mark David Harris
Mark David Harris has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11843631Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.Type: GrantFiled: July 8, 2021Date of Patent: December 12, 2023Assignee: Sophos LimitedInventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
-
Patent number: 11727333Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.Type: GrantFiled: March 28, 2022Date of Patent: August 15, 2023Assignee: Sophos LimitedInventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
-
Patent number: 11720844Abstract: In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.Type: GrantFiled: March 26, 2021Date of Patent: August 8, 2023Assignee: Sophos LimitedInventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
-
Publication number: 20230118204Abstract: A multi-endpoint event graph causally relates a sequence of events among a number of computing objects at a number of logical locations including multiple endpoints in an enterprise network. The multi-endpoint event graph is used to detect malware based on malicious software moving through the enterprise network.Type: ApplicationFiled: December 20, 2022Publication date: April 20, 2023Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries
-
Patent number: 11550909Abstract: A multi-endpoint event graph is used to detect malware based on malicious software moving through a network.Type: GrantFiled: September 30, 2020Date of Patent: January 10, 2023Assignee: Sophos LimitedInventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries
-
Publication number: 20220217166Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.Type: ApplicationFiled: March 28, 2022Publication date: July 7, 2022Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
-
Publication number: 20220198010Abstract: An event graph can be generated, and, upon malware detection, traversed backward to identify a root cause associated with the malware detection. Using this information, rules for earlier malware detection can be created by analyzing the event graph proximal to the root cause rather than proximal to the malware detection trigger.Type: ApplicationFiled: March 8, 2022Publication date: June 23, 2022Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries
-
Publication number: 20220198009Abstract: An event graph associated with a root cause for a change in security state on an endpoint is used to facilitate malware detection on other endpoints.Type: ApplicationFiled: March 8, 2022Publication date: June 23, 2022Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries
-
Patent number: 11297073Abstract: Activity on an endpoint is monitored in two stages with a local agent. In a first stage, particular computing objects on the endpoint are selected for tracking. In a second stage, particular types of changes to those objects are selected. By selecting objects and object changes in this manner, a compact data stream of information highly relevant to threat detection can be provided from an endpoint to a central threat management facility. At the same time, a local data recorder creates a local record of a wider range of objects and changes. The system may support forensic activity by facilitating queries to the local data recorder on the endpoint to retrieve more complete records of local activity when the compact data stream does not adequately characterize a particular context.Type: GrantFiled: September 12, 2018Date of Patent: April 5, 2022Assignee: Sophos LimitedInventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
-
Patent number: 11277416Abstract: An enterprise security system is improved by instrumenting endpoints to explicitly label network flows according to sources of network traffic. When a network message from an endpoint is received at a gateway, firewall, or other network device/service, the network message may be examined to determine the application on the endpoint that originated the request, and this source information may be used to control routing or other handling of the network message.Type: GrantFiled: April 22, 2016Date of Patent: March 15, 2022Assignee: Sophos LimitedInventors: Kenneth D. Ray, Andrew J. Thomas, Mark David Harris
-
Publication number: 20220070184Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.Type: ApplicationFiled: July 9, 2021Publication date: March 3, 2022Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
-
Patent number: 11182486Abstract: A security driver loads early in the boot process for a compute instance and detects processes that are subsequently launched. The detected processes can be recorded, and then scanned with any suitable malware scanning tool(s) once a user mode is available on the compute instance. After the operating system is installed and a user mode is available, other scanning tools may also be deployed (e.g., in the user mode) to augment security of the compute instance.Type: GrantFiled: June 11, 2019Date of Patent: November 23, 2021Assignee: Sophos LimitedInventors: Richard Paul Cosgrove, Mark David Harris, Andrew G. P. Smith
-
Publication number: 20210344707Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.Type: ApplicationFiled: July 8, 2021Publication date: November 4, 2021Inventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
-
Patent number: 11165797Abstract: In the context of network activity by an endpoint in an enterprise network, malware detection is improved by using a combination of reputation information for a network address that is accessed by the endpoint with reputation information for an application on the endpoint that is accessing the network address. This information, when combined with a network usage history for the application, provides improved differentiation between malicious network activity and legitimate, user-initiated network activity.Type: GrantFiled: April 5, 2017Date of Patent: November 2, 2021Assignee: Sophos LimitedInventors: Karl Ackerman, Mark David Harris, Kenneth D. Ray, Andrew J. Thomas, Daniel Stutz
-
Patent number: 11102238Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.Type: GrantFiled: April 5, 2017Date of Patent: August 24, 2021Assignee: Sophos LimitedInventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
-
Patent number: 11095669Abstract: A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.Type: GrantFiled: November 8, 2019Date of Patent: August 17, 2021Assignee: Sophos LimitedInventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries, Kenneth D. Ray
-
Publication number: 20210250366Abstract: In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.Type: ApplicationFiled: March 26, 2021Publication date: August 12, 2021Inventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
-
Patent number: 10972485Abstract: In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.Type: GrantFiled: September 12, 2018Date of Patent: April 6, 2021Assignee: Sophos LimitedInventors: Beata Ladnai, Mark David Harris, Andrew G. P. Smith, Kenneth D. Ray, Andrew J. Thomas, Russell Humphries
-
Patent number: 10963569Abstract: A security driver loads early in the boot process for a compute instance and detects processes that are subsequently launched and/or terminated. The detected processes can be recorded, and then scanned with any suitable malware scanning tool(s) once a user mode is available on the compute instance, including any processes that are terminated before such scanning tools are launched. After the operating system is installed and a user mode is available, other scanning tools may also be deployed (e.g., in the user mode) to augment security of the compute instance.Type: GrantFiled: June 11, 2019Date of Patent: March 30, 2021Assignee: Sophos LimitedInventors: Mark David Harris, Andrew G. P. Smith, Richard Paul Cosgrove
-
Patent number: 10951642Abstract: A threat management facility that remotely stores global reputation information for network content can be used in combination with a recognition engine such as a machine learning classifier that is locally deployed on endpoints within an enterprise network. More specifically, the recognition engine can locally evaluate reputation for a network address being accessed by an endpoint, and this reputation information can be used to dynamically establish a timeout for a request from the endpoint to the threat management facility for corresponding global reputation information.Type: GrantFiled: January 13, 2020Date of Patent: March 16, 2021Assignee: Sophos LimitedInventors: Neil Robert Tyndale Watkiss, Emile Marcus Kenning, Mark David Harris