Behavior-based ransomware detection
Abstract
An anti-malware application detects, stops, and quarantines ransomware. The anti-malware application monitors threads executing on a computing device and detects behaviors that conform to a predefined set of behaviors indicative of ransomware. Responsive to detecting these behaviors, indicators are stored to a log in a storage device. Each of the indicators in the log is associated with respective scores. A running score for each thread is generated by combining the respective scores of the indicators in the log. Responsive to determining that the running score exceeds a predefined threshold score, execution of the thread is terminated. The source ransomware file is then identified and quarantined.
18 Claims
1. A method for detecting and terminating malware, the method comprising:
storing to a log in a storage device, a plurality of thread-level indicators associated with detected behavior of a target thread and respective thread-level scores associated with the thread-level indicators;
storing to a log in a storage device, a plurality of process-level indicators associated with detected behavior of a process in which the target thread is executing, and respective process-level scores associated with the process-level indicators;
monitoring the target thread executing on a computing device;
detecting, by a processor, a behavior of the target thread that conforms to one of a predefined set of behaviors indicative of ransomware;
responsive to detecting the behavior, updating the plurality of thread-level indicators to include a new thread-level indicator associated with the detected behavior of the target thread and updating the respective thread-level scores to include a new thread-level score associated with the new thread-level indicator;
generating a running score for the target thread by combining the process-level scores and the thread-level scores from the log;
determining that the running score for the target thread exceeds a predefined threshold score; and
responsive to determining that the running score exceeds the predefined threshold score, terminating execution of the target thread.

8. A non-transitory computer-readable storage medium storing instructions for detecting and terminating malware, the instructions when executed by a processor cause the processor to perform steps including:
storing to a log in a storage device, a plurality of thread-level indicators associated with detected behavior of a target thread and respective thread-level scores associated with the thread-level indicators;
storing to a log in a storage device, a plurality of process-level indicators associated with detected behavior of a process in which the target thread is executing, and respective process-level scores associated with the process-level indicators;
monitoring the target thread executing on a computing device;
detecting a behavior of the target thread that conforms to one of a predefined set of behaviors indicative of ransomware;
responsive to detecting the behavior, updating the plurality of thread-level indicators to include a new thread-level indicator associated with the detected behavior of the target thread and updating the respective thread-level scores to include a new thread-level score associated with the new thread-level indicator;
generating a running score for the target thread by combining the process-level scores and the thread-level scores from the log;
determining that the running score for the target thread exceeds a predefined threshold score; and
responsive to determining that the running score exceeds the predefined threshold score, terminating execution of the target thread.

15. A computing system comprising:
a processor; and
a non-transitory computer-readable storage medium storing instructions for detecting and terminating malware, the instructions when executed by the processor cause the processor to perform steps including:
storing to a log in a storage device, a plurality of thread-level indicators associated with detected behavior of a target thread and respective thread-level scores associated with the thread-level indicators;
storing to a log in a storage device, a plurality of process-level indicators associated with detected behavior of a process in which the target thread is executing, and respective process-level scores associated with the process-level indicators;
monitoring the target thread executing on a computing device;
detecting a behavior of the target thread that conforms to one of a predefined set of behaviors indicative of ransomware;
responsive to detecting the behavior, updating the plurality of thread-level indicators to include a new thread-level indicator associated with the detected behavior of the target thread and updating the respective thread-level scores to include a new thread-level score associated with the new thread-level indicator;
generating a running score for the target thread by combining the process-level scores and the thread-level scores from the log;
determining that the running score for the target thread exceeds a predefined threshold score; and
responsive to determining that the running score exceeds the predefined threshold score, terminating execution of the target thread.
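The scoring method described in the abstract and in the independent claims above (a per-process indicator log, a per-thread indicator log, a running score that combines both, and termination plus quarantine once the score exceeds a threshold), worked through as an added example. This is illustrative code written for this page, not the patent's implementation; the indicator names, the scores, the threshold of 60, the sample processes, their paths and the event stream are all constructed assumptions and do not come from the patent.

```python
"""Thread-level ransomware scoring engine modelled on the claims above.

Example code added for illustration; not the patent's own implementation.
Indicator names, scores, the threshold and the sample processes/events are
constructed assumptions, not values taken from the patent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed predefined set of thread behaviours indicative of ransomware,
# each with the score its indicator contributes to the running score.
THREAD_BEHAVIOR_SCORES: Dict[str, int] = {
    "entropy_spike_write": 30,   # file contents rewritten with high-entropy data
    "mass_rename": 25,           # many files renamed to a new extension in a short window
    "shadow_copy_delete": 40,    # attempt to remove backups/snapshots
}
# Assumed process-level indicators, logged once per process.
PROCESS_INDICATOR_SCORES: Dict[str, int] = {
    "unsigned_image": 15,
    "launched_from_temp": 20,
}
DEFAULT_THRESHOLD = 60  # assumed; the running score must strictly exceed it


@dataclass(frozen=True)
class Indicator:
    name: str
    score: int


class ThreadScoringEngine:
    """Keeps the process-level and thread-level indicator logs and acts on the running score."""

    def __init__(self, threshold: int = DEFAULT_THRESHOLD) -> None:
        self.threshold = threshold
        self.process_log: Dict[int, List[Indicator]] = {}              # pid -> indicators
        self.thread_log: Dict[Tuple[int, int], List[Indicator]] = {}   # (pid, tid) -> indicators
        self.image_path: Dict[int, str] = {}                           # pid -> executable on disk
        self.terminated: Set[Tuple[int, int]] = set()
        self.quarantined: Dict[int, str] = {}                          # pid -> quarantined image

    def register_process(self, pid: int, image_path: str, indicators: List[str]) -> None:
        """Store the process-level indicators and their scores to the log."""
        self.image_path[pid] = image_path
        self.process_log[pid] = [Indicator(n, PROCESS_INDICATOR_SCORES[n]) for n in indicators]

    def running_score(self, pid: int, tid: int) -> int:
        """Combine the process-level scores with this thread's own thread-level scores."""
        process_part = sum(i.score for i in self.process_log.get(pid, []))
        thread_part = sum(i.score for i in self.thread_log.get((pid, tid), []))
        return process_part + thread_part

    def observe(self, pid: int, tid: int, behavior: str) -> Optional[int]:
        """Handle one monitored behaviour of a thread.

        Returns the thread's running score after the event, or None when the
        thread has already been terminated and the event is ignored.
        """
        key = (pid, tid)
        if key in self.terminated:
            return None
        # Only behaviours in the predefined set add a new thread-level indicator.
        if behavior in THREAD_BEHAVIOR_SCORES:
            self.thread_log.setdefault(key, []).append(
                Indicator(behavior, THREAD_BEHAVIOR_SCORES[behavior]))
        score = self.running_score(pid, tid)
        if score > self.threshold:
            self._terminate(pid, tid)
        return score

    def _terminate(self, pid: int, tid: int) -> None:
        """Simulated response: stop the thread and quarantine the source executable."""
        self.terminated.add((pid, tid))
        self.quarantined[pid] = self.image_path.get(pid, "<unknown image>")


def run_demo() -> Tuple[ThreadScoringEngine, List[Optional[int]]]:
    """Replay a constructed event stream and return the engine plus per-event scores."""
    engine = ThreadScoringEngine()
    # Constructed sample processes; the paths are placeholders, not real samples.
    engine.register_process(4242, r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
                            ["unsigned_image", "launched_from_temp"])
    engine.register_process(100, r"C:\Program Files\Editor\editor.exe", [])
    events = [
        (4242, 7, "open_document"),        # not in the predefined set: no new indicator, score 35
        (100, 3, "mass_rename"),           # editor with no process indicators: 25, below threshold
        (4242, 7, "mass_rename"),          # 35 + 25 = 60: equals but does not exceed the threshold
        (4242, 7, "entropy_spike_write"),  # 35 + 25 + 30 = 90: thread terminated, image quarantined
        (4242, 7, "shadow_copy_delete"),   # thread already terminated: ignored, returns None
        (4242, 9, "entropy_spike_write"),  # sibling thread inherits the process-level 35: 65 > 60
    ]
    scores = [engine.observe(pid, tid, behavior) for pid, tid, behavior in events]
    return engine, scores


if __name__ == "__main__":
    eng, per_event = run_demo()
    print("per-event scores:", per_event)
    print("terminated threads:", sorted(eng.terminated))
    print("quarantined images:", eng.quarantined)
```

The event stream is chosen to show why the claims combine two logs: the same `mass_rename` behaviour leaves the signed editor at 25 but pushes the unsigned, temp-launched process to 60, and a second thread in that process starts from the process-level 35 rather than from zero. Whether a score equal to the threshold should trigger is a deployment decision; the code follows the claim wording ("exceeds") and uses a strict comparison.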