
Behavior-based ransomware detection

  • US 10,032,025 B1
  • Filed: 07/05/2017
  • Issued: 07/24/2018
  • Est. Priority Date: 01/24/2017
  • Status: Active Grant
First Claim

1. A method for detecting and terminating malware, the method comprising:

  • storing to a log in a storage device, a plurality of thread-level indicators associated with detected behavior of a target thread and respective thread-level scores associated with the thread-level indicators;

    storing to a log in a storage device, a plurality of process-level indicators associated with detected behavior of a process in which the target thread is executing, and respective process-level scores associated with the process-level indicators;

    monitoring the target thread executing on a computing device;

    detecting, by a processor, a behavior of the target thread that conforms to one of a predefined set of behaviors indicative of ransomware;

    responsive to detecting the behavior, updating the plurality of thread-level indicators to include a new thread-level indicator associated with the detected behavior of the target thread and updating the respective thread-level scores to include a new thread-level score associated with the new thread-level indicator;

    generating a running score for the target thread by combining the process-level scores and the thread-level scores from the log;

    determining that the running score for the target thread exceeds a predefined threshold score; and

    responsive to determining that the running score exceeds the predefined threshold score, terminating execution of the target thread.
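The scoring loop in claim 1, sketched as an added example; this is not code from the patent or its assignee. The behavior names, weights, threshold value and the choice of a plain sum for "combining" are all assumptions, and termination is a callback rather than a real thread kill.

```python
from dataclasses import dataclass, field

# Hypothetical predefined behaviour set and weights (assumptions, not from the claim).
RANSOMWARE_BEHAVIORS = {"high_entropy_overwrite": 30, "mass_file_rename": 25,
                        "ransom_note_write": 40}
THRESHOLD = 100  # assumed predefined threshold score

@dataclass
class ScoreLog:
    """Log of (indicator, score) pairs, kept per process and per thread."""
    process: dict = field(default_factory=dict)  # pid -> [(indicator, score)]
    thread: dict = field(default_factory=dict)   # (pid, tid) -> [(indicator, score)]

    def add_process_indicator(self, pid, indicator, score):
        self.process.setdefault(pid, []).append((indicator, score))

    def add_thread_indicator(self, pid, tid, indicator, score):
        self.thread.setdefault((pid, tid), []).append((indicator, score))

    def running_score(self, pid, tid):
        # "Combining" is modelled as a sum; the claim does not fix the operator.
        entries = self.process.get(pid, []) + self.thread.get((pid, tid), [])
        return sum(score for _, score in entries)

def on_behavior(log, pid, tid, behavior, terminate):
    """Handle one observed thread behaviour; return True if the thread was terminated."""
    if behavior not in RANSOMWARE_BEHAVIORS:
        return False                  # not in the predefined set: no new indicator
    log.add_thread_indicator(pid, tid, behavior, RANSOMWARE_BEHAVIORS[behavior])
    if log.running_score(pid, tid) > THRESHOLD:
        terminate(pid, tid)           # acts on the target thread only
        return True
    return False

def replay(events, process_indicators):
    """Replay (pid, tid, behavior) events; return the terminated (pid, tid) pairs."""
    log, killed = ScoreLog(), []
    for pid, indicator, score in process_indicators:
        log.add_process_indicator(pid, indicator, score)
    for pid, tid, behavior in events:
        if (pid, tid) not in killed:
            on_behavior(log, pid, tid, behavior, lambda p, t: killed.append((p, t)))
    return killed

# Constructed sample: one process-level indicator, then events from threads 7 and 9.
SAMPLE_PROC = [(4242, "unsigned_binary", 20)]
SAMPLE_EVENTS = [(4242, 7, "mass_file_rename"), (4242, 9, "file_read"),
                 (4242, 7, "high_entropy_overwrite"), (4242, 7, "ransom_note_write")]
```

With the sample data, thread 7 reaches 115 only because the process-level score of 20 is added to its own 95; replayed without the process-level indicator, the same thread stays under the threshold.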
