Systems and methods for tracking malicious behavior across multiple software entities
Abstract
Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application divides a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein all members of a group are related by filiation or code injection. The security application may further associate a set of scores with each entity group. Such group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the group score may capture collective malicious behavior and trigger malware detection. In some embodiments, group membership rules vary according to whether an entity is part of a selected subset of entities including certain OS processes, browsers and file managers. When an entity is determined to be malicious, anti-malware measures may be taken against a whole group of related entities.
31 Claims
1. A host system comprising at least one hardware processor and a memory unit, the at least one hardware processor configured to execute an entity manager and a heuristic engine, wherein:
the entity manager is configured to organize a collection of monitored executable software entities into a plurality of entity groups, wherein organizing the collection comprises:
in response to detecting that a first entity of the collection has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category:
adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group; and
in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
selecting a first entity group from the plurality of entity groups so that the first entity is a member of the first entity group, and assigning the child entity to the first entity group; and
the heuristic engine is configured, in response to a first action performed by the child entity, to:
select a second entity group from the plurality of entity groups so that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group while also being a member of the first entity group or of the new entity group; and
in response to selecting the second entity group, determine whether the first action is indicative of a malware attack according to a second action performed by another member of the second entity group,
wherein the at least one hardware processor is further configured, in response to the heuristic engine determining whether the first action is indicative of a malware attack, when the first action is indicative of the malware attack, to take an anti-malware action.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 28, 30.
14. A method comprising:
employing at least one hardware processor of a host system to organize a collection of monitored executable software entities into a plurality of entity groups, wherein organizing the collection comprises:
in response to detecting that a first entity of the collection has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category:
adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group; and
in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
selecting a first entity group from the plurality of entity groups so that the first entity is a member of the first entity group, and assigning the child entity to the first entity group;
in response to a first action performed by the child entity, employing at least one hardware processor of the host system to select a second entity group from the plurality of entity groups so that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group while also being a member of the first entity group or of the new entity group;
in response to selecting the second entity group, employing at least one hardware processor of the host system to determine whether the first action is indicative of a malware attack according to a second action performed by another member of the second entity group; and
in response to determining whether the first action is indicative of a malware attack, when the first action is indicative of the malware attack, employing at least one hardware processor of the host system to take an anti-malware action.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 29, 31.
27. A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a host system, cause the host system to form an entity manager and a heuristic engine, wherein:
the entity manager is configured to organize a collection of monitored executable software entities into a plurality of entity groups, wherein organizing the collection comprises:
in response to detecting that a first entity of the collection has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category:
adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group; and
in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
selecting a first entity group from the plurality of entity groups so that the first entity is a member of the first entity group, and assigning the child entity to the first entity group; and
the heuristic engine is configured, in response to a first action performed by the child entity, to:
select a second entity group from the plurality of entity groups so that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group while also being a member of the first entity group or of the new entity group; and
in response to selecting the second entity group, determine whether the first action is indicative of a malware attack according to a second action performed by another member of the second entity group,
wherein the instructions further cause the host system, in response to determining whether the first action is indicative of a malware attack, when the first action is indicative of the malware attack, to take an anti-malware action.
Specification