Systems and methods for tracking malicious behavior across multiple software entities

US 10,089,465 B2
Filed: 07/24/2015
Issued: 10/02/2018
Est. Priority Date: 07/24/2015
Status: Active Grant

First Claim

Patent Images

1. A host system comprising at least one hardware processor and a memory unit, the at least one hardware processor configured to execute an entity manager and a heuristic engine, wherein:

the entity manager is configured to organize a collection of monitored executable software entities into a plurality of entity groups, wherein organizing the collection comprises;

in response to detecting that a first entity of the collection has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;

in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category;

adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group; and

in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category;

selecting a first entity group from the plurality of entity groups so that the first entity is a member of the first entity group, andassigning the child entity to the first entity group; and

the heuristic engine is configured, in response to a first action performed by the child entity, to;

select a second entity group from the plurality of entity groups so that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group while also being a member of the first entity group or of the new entity group; and

in response to selecting the second entity group, determine whether the first action is indicative of a malware attack according to a second action performed by another member of the second entity group, wherein the at least one hardware processor is further configured, in response to the heuristic engine determining whether the first action is indicative of a malware attack, when the first action is indicative of the malware attack, to take an anti-malware action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application divides a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein all members of a group are related by filiation or code injection. The security application may further associate a set of scores with each entity group. Such group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the group score may capture collective malicious behavior and trigger malware detection. In some embodiments, group membership rules vary according to whether an entity is part of a selected subset of entities including certain OS processes, browsers and file managers. When an entity is determined to be malicious, anti-malware measures may be taken against a whole group of related entities.

16 Citations

31 Claims

1. A host system comprising at least one hardware processor and a memory unit, the at least one hardware processor configured to execute an entity manager and a heuristic engine, wherein:
- the entity manager is configured to organize a collection of monitored executable software entities into a plurality of entity groups, wherein organizing the collection comprises;
  
  in response to detecting that a first entity of the collection has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
  
  in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category;
  
  adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group; and
  
  in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category;
  
  selecting a first entity group from the plurality of entity groups so that the first entity is a member of the first entity group, andassigning the child entity to the first entity group; and
  
  the heuristic engine is configured, in response to a first action performed by the child entity, to;
  
  select a second entity group from the plurality of entity groups so that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group while also being a member of the first entity group or of the new entity group; and
  
  in response to selecting the second entity group, determine whether the first action is indicative of a malware attack according to a second action performed by another member of the second entity group, wherein the at least one hardware processor is further configured, in response to the heuristic engine determining whether the first action is indicative of a malware attack, when the first action is indicative of the malware attack, to take an anti-malware action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 28, 30)
- - 2. The host system of claim 1, wherein organizing the collection further comprises, in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
    - selecting a third entity group from the plurality of entity groups so that the first entity is a member of the third entity group, and assigning the child entity to the third entity group.
  - 3. The host system of claim 1, wherein organizing the collection further comprises, in response to detecting that the child entity has injected code into a third entity of the collection:
    - selecting a third entity group from the plurality of entity groups so that the child entity is a member of the third entity group; and
      
      in response, assigning the third entity to the third entity group.
  - 4. The host system of claim 1, wherein organizing the collection further comprises, in response to detecting that the first entity has spawned the child entity:
    - determining whether the child entity belongs to the group creator category; and
      
      in response, when the child entity belongs to the group creator category, remove the child entity from the group creator category.
  - 5. The host system of claim 1, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of a web browser executing on the host system.
  - 6. The host system of claim 1, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of an operating system executing on the host system.
  - 7. The host system of claim 1, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action has occurred before the second action.
  - 8. The host system of claim 1, wherein the heuristic engine is configured to determine whether the first action is indicative of the malware attack further according to a third action performed by a third entity of the second entity group.
  - 9. The host system of claim 1, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action is part of a malware-indicative set of actions, wherein all actions of the malware-indicative set of actions are performed by members of the second entity group.
  - 10. The host system of claim 9, wherein determining whether the first action is part of the malware-indicative set of actions comprises determining whether a subset of the malware-indicative set of actions occurred in a specific order.
  - 11. The host system of claim 1, wherein the anti-malware action comprises terminating a plurality of members of the second entity group.
  - 12. The host system of claim 11, wherein the plurality of members comprises all members of the second entity group.
  - 13. The host system of claim 1, wherein the anti-malware action comprises undoing a set of changes caused to the host system by execution of members of the second entity group.
  - 28. The host system of claim 1, wherein the heuristic engine is further configured, in response to the entity manager assigning the child entity to the first group, and in response to the first action, to determine whether the first action is indicative of the malware attack according to a third action performed by yet another member of the first entity group.
  - 30. The host system of claim 1, wherein organizing the collection further comprises, in response to assigning the child entity to the first entity group, and in response to detecting that the child entity has injected code into a third entity of the collection, assigning the third entity to the first entity group.

14. A method comprising:
- employing at least one hardware processor of a host system to organize a collection of monitored executable software entities into a plurality of entity groups, wherein organizing the collection comprises;
  
  in response to detecting that a first entity of the collection has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
  
  in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category;
  
  adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group; and
  
  in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category;
  
  selecting a first entity group from the plurality of entity groups so that the first entity is a member of the first entity group, and assigning the child entity to the first entity group;
  
  in response to a first action performed by the child entity, employing at least one hardware processor of the host system to select a second entity group from the plurality of entity groups so that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group while also being a member of the first entity group or of the new entity group;
  
  in response to selecting the second entity group, employing at least one hardware processor of the host system to determine whether the first action is indicative of a malware attack according to a second action performed by another member of the second entity group; and
  
  in response to determining whether the first action is indicative of a malware attack, when the first action is indicative of the malware attack, employing at least one hardware processor of the host system to take an anti-malware action.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 29, 31)
- - 15. The method of claim 14, wherein organizing the collection further comprises, in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
    - selecting a third entity group from the plurality of entity groups so that the first entity is a member of the third entity group, and assigning the child entity to the third entity group.
  - 16. The method of claim 14, wherein organizing the collection further comprises, in response to detecting that the child entity has injected code into a third entity of the collection:
    - selecting a third entity group from the plurality of entity groups so that the child entity is a member of the third entity group; and
      
      in response, assigning the third entity to the third entity group.
  - 17. The method of claim 14, wherein organizing the collection further comprises, in response to detecting that the first entity has spawned the child entity:
    - determining whether the child entity belongs to the group creator category; and
      
      in response, when the child entity belongs to the group creator category, remove the child entity from the group creator category.
  - 18. The method of claim 14, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of a web browser executing on the host system.
  - 19. The method of claim 14, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of an operating system executing on the host system.
  - 20. The method of claim 14, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action has occurred before the second action.
  - 21. The method of claim 14, further comprising determining whether the first action is indicative of the malware attack according to a third action performed by a third entity of the second entity group.
  - 22. The method of claim 14, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action is part of a malware-indicative set of actions, wherein all actions of the malware-indicative set of actions are performed by members of the second entity group.
  - 23. The method of claim 22, wherein determining whether the first action is part of the malware-indicative set of actions comprises determining whether a subset of the malware-indicative set of actions occur in a specific order.
  - 24. The method of claim 14, wherein the anti-malware action comprises terminating a plurality of members of the second entity group.
  - 25. The method of claim 24, wherein the plurality of members comprises all members of the second entity group.
  - 26. The method of claim 14, wherein the anti-malware action comprises undoing a set of changes caused to the host system by execution of members of the second entity group.
  - 29. The method of claim 14, further comprising, in response to assigning the child entity to the first group, and in response to the first action, employing at least one hardware processor of the host system to determine whether the first action is indicative of the malware attack according to a third action performed by yet another member of the first entity group.
  - 31. The method of claim 14, further comprising, in response to assigning the child entity to the first entity group, and in response to detecting that the child entity has injected code into a third entity of the collection, assigning the third entity to the first entity group.

27. A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a host system, cause the host system to form an entity manager and a heuristic engine, wherein:
- the entity manager is configured to organize a collection of monitored executable software entities into a plurality of entity groups, wherein organizing the collection comprises;
  
  in response to detecting that a first entity of the collection has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
  
  in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category;
  
  adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group; and
  
  in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category;
  
  selecting a first entity group from the plurality of entity groups so that the first entity is a member of the first entity group, andassigning the child entity to the first entity group; and
  
  the heuristic engine is configured, in response to a first action performed by the child entity, to;
  
  select a second entity group from the plurality of entity groups so that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group while also being a member of the first entity group or of the new entity group; and
  
  in response to selecting the second entity group, determine whether the first action is indicative of a malware attack according to a second action performed by another member of the second entity group,wherein the instructions further cause the host system, in response to determining whether the first action is indicative of a malware attack, when the first action in indicative of the malware attack, to take an anti-malware action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Original Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Inventors
Hajmasan, Gheorghe F., Portase, Radu M.
Primary Examiner(s)
Zoubair, Noura

Application Number

US14/808,173
Publication Number

US 20170024561A1
Time in Patent Office

1,166 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

G06F 21/566 Dynamic detection, i.e. det...

Systems and methods for tracking malicious behavior across multiple software entities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for tracking malicious behavior across multiple software entities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others