Non-invasive whitelisting
First Claim
1. A computing device comprising:
- a storage containing a graylist executable object; and
- one or more logic elements comprising a security engine operable for:
  - detecting that the executable object has attempted to perform an action;
  - intercepting the action;
  - querying a confidence score cache for a cached confidence score for a combination of the executable object and the action;
  - assigning a present confidence score to the action, the present confidence score being for the combination of the executable object and the action and accounting for the cached confidence score;
  - acting on the present confidence score, comprising operating a machine learning algorithm configured to compare the present confidence score to confidence scores of one or more other objects previously authorized by a user, determining that the present confidence score equals or exceeds the confidence scores of the one or more other objects, and authorizing the action without asking for user verification; and
  - caching the present confidence score to the confidence score cache.
Abstract
In an example, there is disclosed a security architecture for enhanced, non-invasive whitelisting of executable objects. When an executable object tries to perform an action, a security engine seamlessly intercepts the action and determines whether the action is whitelisted, blacklisted, or graylisted, assigning the action a corresponding security score. Whitelisted actions may be allowed, blacklisted actions may be disallowed, and graylisted actions may require additional verification from a user. Because the score is assigned to the combination of the executable object and the action, false positives may be avoided, such as those that may occur when an executable object is prefetched but has not yet tried to perform any useful work.
Citations
23 Claims
1. A computing device comprising: the elements recited in full under First Claim above.
Dependent claims: 2 through 12.
13. One or more non-transitory computer-readable mediums having stored thereon executable instructions operable for instructing a processor for:
- detecting that a graylist executable object has attempted to perform an action;
- intercepting the action;
- querying a confidence score cache for a cached confidence score for a combination of the executable object and the action;
- assigning a present confidence score to the action, the present confidence score being for the combination of the executable object and the action and accounting for the cached confidence score;
- acting on the present confidence score, comprising operating a machine learning algorithm configured to compare the present confidence score to confidence scores of one or more other objects previously authorized by a user, determining that the present confidence score equals or exceeds the confidence scores of the one or more other objects, and authorizing the action without asking for user verification; and
- caching the present confidence score to the confidence score cache.
Dependent claims: 14 through 21.
22. A method comprising:
- detecting that a graylist executable object has attempted to perform an action;
- intercepting the action;
- querying a confidence score cache for a cached confidence score for a combination of the executable object and the action;
- assigning a present confidence score to the action, the present confidence score being for the combination of the executable object and the action and accounting for the cached confidence score;
- acting on the present confidence score, comprising operating a machine learning algorithm configured to compare the present confidence score to confidence scores of one or more other objects previously authorized by a user, determining that the present confidence score equals or exceeds the confidence scores of the one or more other objects, and authorizing the action without asking for user verification; and
- caching the present confidence score to the confidence score cache.
Dependent claim: 23.
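The intercept, cache lookup, scoring and silent-authorization flow recited in the abstract and in claims 1, 13 and 22, as an added Python example that is not part of the patent or of any product implementing it. The 0..100 integer scores, the 50/50 blend with the cached score, the reputation feed, and the "minimum of previously user-authorized scores" comparison (a stand-in for the claimed machine learning comparator) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple

class ListState(Enum):
    WHITELIST = "whitelist"
    BLACKLIST = "blacklist"
    GRAYLIST = "graylist"

class Decision(Enum):
    ALLOW = "allow"        # whitelisted, or graylisted with a high enough score
    DENY = "deny"          # blacklisted
    ASK_USER = "ask_user"  # graylisted and below the user-authorized floor
Key = Tuple[str, str]  # (executable object identifier, attempted action)
@dataclass
class SecurityEngine:
    reputation: Dict[str, ListState]                               # assumed reputation feed
    cache: Dict[Key, int] = field(default_factory=dict)            # the confidence score cache
    user_authorized: Dict[Key, int] = field(default_factory=dict)  # scores the user approved

    def intercept(self, obj: str, action: str, observed: int) -> Decision:
        # observed: assumed 0..100 confidence for this specific attempt (e.g. a classifier output)
        state = self.reputation.get(obj, ListState.GRAYLIST)
        if state is ListState.WHITELIST:
            return Decision.ALLOW
        if state is ListState.BLACKLIST:
            return Decision.DENY
        key = (obj, action)  # scored per (object, action) pair, never per object alone
        cached = self.cache.get(key)  # present score accounts for the cached one: assumed 50/50 blend
        score = observed if cached is None else (cached + observed) // 2
        self.cache[key] = score  # cache the present score for the next attempt
        # Stand-in for the claimed ML comparator: authorize without prompting when the
        # present score equals or exceeds every score the user previously authorized.
        if self.user_authorized and score >= min(self.user_authorized.values()):
            return Decision.ALLOW
        return Decision.ASK_USER

    def user_verified(self, obj: str, action: str) -> None:
        self.user_authorized[(obj, action)] = self.cache[(obj, action)]  # user approved the pair

def run_demo() -> List[Decision]:  # constructed scenario exercising each branch
    eng = SecurityEngine({"signed_updater": ListState.WHITELIST, "known_bad": ListState.BLACKLIST})
    out = [eng.intercept("signed_updater", "write_file", 10),  # ALLOW: whitelisted
           eng.intercept("known_bad", "open_socket", 95),     # DENY: blacklisted
           eng.intercept("tool_x", "open_socket", 60)]        # ASK_USER: nothing authorized yet
    eng.user_verified("tool_x", "open_socket")                # user approves; floor is now 60
    out += [eng.intercept("tool_y", "write_registry", 70),    # ALLOW: 70 >= 60, no prompt
            eng.intercept("tool_y", "inject_process", 30),    # ASK_USER: other action, own score
            eng.intercept("tool_y", "inject_process", 80)]    # ASK_USER: (30 + 80) // 2 = 55 < 60
    return out
```

Because a score is only created when an action is intercepted, an object that has merely been prefetched never acquires a cache entry, which is the false positive the abstract says the per-(object, action) scoring avoids.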
Specification