Method of remediating a program and system thereof by undoing operations

US 10,102,374 B1
Filed: 10/13/2016
Issued: 10/16/2018
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method of remediating one or more operations linked to a given program running in an operating system, the method comprising:

querying a stateful model to retrieve a group of entities related to the given program, the stateful model being a logical data structure representing composition and state of the operating system in a live environment, the stateful model including a network of one or more interconnected objects representing one or more entities constituting the operating system, and one or more attributes characterizing each object, said objects being divided into one or more groups each representing a corresponding group of entities related to a respective program or part thereof running in the operating system, said attributes of each object including at least;

i) a group indicator indicating to which group said object belongs,ii) one or more operations associated with said object, said object being source or target of the associated operations, said associated operations being linked to the given program, andiii) one or more interconnections between said object and one or more other objects through the associated operations,wherein said group of entities related to the given program are retrieved based on a corresponding group of objects which represent said group of entities in the stateful model;

terminating at least a sub set of said group of entities related to the given program;

generating a remediation plan including one or more operations linked to the given program, said one or more operations being retrieved based on said group in the stateful model; and

executing the remediation plan by undoing at least part of said one or more operations linked to the given program thereby restoring state of the operating system to a state prior to the given program being executed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a system and a computerized method of remediating a given program running in an operating system, the method comprising: querying a stateful model to retrieve a group of entities related to the given program; terminating at least a sub set of the group of entities related to the given program; generating a remediation plan including one or more operations linked to the given program, the one or mare operations being retrieved based on the group in the stateful model; and executing the remediation plan by undoing at least part of the one or more operations linked to the given program thereby restoring state of the operating system to a state prior to the given program being executed. There is further provided a computerized method of detecting malicious code related to a program in an operating system in a live environment.

103 Citations

View as Search Results

32 Claims

1. A computerized method of remediating one or more operations linked to a given program running in an operating system, the method comprising:
- querying a stateful model to retrieve a group of entities related to the given program, the stateful model being a logical data structure representing composition and state of the operating system in a live environment, the stateful model including a network of one or more interconnected objects representing one or more entities constituting the operating system, and one or more attributes characterizing each object, said objects being divided into one or more groups each representing a corresponding group of entities related to a respective program or part thereof running in the operating system, said attributes of each object including at least;
  
  i) a group indicator indicating to which group said object belongs,ii) one or more operations associated with said object, said object being source or target of the associated operations, said associated operations being linked to the given program, andiii) one or more interconnections between said object and one or more other objects through the associated operations,wherein said group of entities related to the given program are retrieved based on a corresponding group of objects which represent said group of entities in the stateful model;
  
  terminating at least a sub set of said group of entities related to the given program;
  
  generating a remediation plan including one or more operations linked to the given program, said one or more operations being retrieved based on said group in the stateful model; and
  
  executing the remediation plan by undoing at least part of said one or more operations linked to the given program thereby restoring state of the operating system to a state prior to the given program being executed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The computerized method of claim 1, wherein each of said objects is of a type selected from a group that includes:
    - thread object, process object, file object, network object, registry object, windows object, and memory object, which represents respectively an entity of thread, process, file, network, registry, windows and memory.
  - 3. The computerized method of claim 1, wherein said objects are divided into one or more groups based on a predefined grouping rule set.
  - 4. The computerized method of claim 3, wherein the predefined grouping rule set includes a rule of creating a new group if source of a process creation operation is a designated system entity.
  - 5. The computerized method of claim 3, wherein the predefined grouping rule set includes a rule indicating a group is terminated if target of a process termination operation is a last entity alive in the group.
  - 6. The computerized method of claim 1, wherein the attributes further include bookkeeping information of the operations associated with said object, said bookkeeping information including one or more of the following:
    - file-system access statistics, memory manipulation history, modification to system settings, and interactions between entities.
  - 7. The computerized method of claim 6, wherein the bookkeeping information is generated by keeping track of operations related to modification and/or manipulation.
  - 8. The computerized method of claim 1, wherein a group of objects are further divided into one or more sub groups each related to a part of a program, and the attributes further include sub-group indicator indicating to which sub group the object belongs, wherein said querying including querying a stateful model to retrieve a sub group of entities related to a part of the given program;
    - and wherein said terminating includes terminating the sub group of entities related to the part of the given program.
  - 9. The computerized method of claim 1 further comprising generating the stateful model and identifying the given program by analyzing the stateful model.
  - 10. The computerized method of claim 1, further comprising optimizing the remediation plan by consolidating the one or more operations linked to the given program based on type of each of said operations and generating a consolidated remediation plan, and wherein said executing includes executing the consolidated remediation plan.
  - 11. The method claim 10, wherein the consolidating includes categorizing objects involved in the one or more operations linked to the given program into one or more categories, each category directed to at least one respective type of operation performed upon objects within the category, and wherein said consolidated remediation plan includes the one or more categories of objects.
  - 12. The computerized method of claim 11, wherein the consolidated remediation plan includes at least one of the following categories:
    - a category of created objects, and a category of modified/deleted objects.
  - 13. The computerized method of claim 11, wherein each of said objects involved in the one or more operations linked to at least the given program belongs to only one of said categories such that said categories of objects are mutually exclusive.
  - 14. The computerized method of claim 10, wherein the consolidated remediation plan further includes one or more undo actions associated with each of said categories of objects, said undo actions being one or more opposite operations to be executed in order to revert the one or more operations linked to at least the given program on objects within each of said categories.
  - 15. The computerized method of claim 14, wherein one of said undo actions associated with a category of created objects is to remove an actual system entity represented by each object within the category.
  - 16. The computerized method of claim 14, wherein one of said undo actions associated with a category of modified/deleted objects is to restore, for an actual system entity represented by each object within the category, to a previous content thereof prior to the given program or part thereof being executed.
  - 17. The computerized method of claim 16, wherein one of said undo actions associated with an object within the category of modified/deleted objects, in case of said object undergoing a plurality of modifications, is to restore, for an actual system entity represented by said object, to an original content thereof prior to said plurality of modifications.
  - 18. The computerized method of claim 14, wherein said executing consolidated remediation plan includes performing, for each object within a category of said categories of objects, the undo actions associated with said category.
  - 19. The method claim 14, wherein said executing consolidated remediation plan is performed in accordance with type of each object within a category.
  - 20. The computerized method of claim 16, wherein the previous content of each object is recorded in the stateful model or in a file system history module.
  - 21. The computerized method of claim 1, wherein said given program is linked to at least a second program as a result of manipulation, and the method comprises:
    - querying a stateful model to retrieve a first group of entities related to the given program and a second group of entities related to the second program, wherein a sub set of the operations directly linked to the second program which occur as a result of the manipulation are indirectly linked to the given program;
      
      determining a sub set of said second group of entities that are manipulated by the given program to be terminated and terminating said sub set of said second group of entities;
      
      generating a remediation plan including one or more operations linked to the given program; and
      
      executing the remediation plan by undoing at least part of said one or more operations linked to the given program thereby restoring state of the operating system to a state prior to the given program being executed.
  - 22. The computerized method of claim 1, wherein said executing the remediation plan is performed by undoing each of said one or more operations linked to at least the given program.
  - 23. The computerized method of claim 1, wherein the given program is a malware or a benign program.
  - 24. The computerized method of claim 1, wherein the given program is a benign program and the one or more entities related to the given program include at least one entity performing malicious operations due to manipulation of the given program by malicious code, and wherein the one or more operations linked to at least are selected to be the malicious operations.

25. A system remediating one or more operations linked to a given program running in an operating system, the system comprising a processor operatively connected to a memory, the processor configured to:
- query a stateful model to retrieve a group of entities related to the given program, the stateful model being a logical data structure representing composition and state of the operating system in a live environment, the stateful model including a network of one or more interconnected objects representing one or more entities constituting the operating system, and one or more attributes characterizing each object, said objects being divided into one or more groups each representing a corresponding group of entities related to a respective program or part thereof running in the operating system, said attributes of each object including at least;
  
  i) a group indicator indicating to which group said object belongs,ii) one or more operations associated with said object, said object being source or target of the associated operations, said associated operations being linked to the given program, andiii) one or more interconnections between said object and one or more other objects through the associated operations,wherein said group of entities related to the given program are retrieved based on a corresponding group of objects which represent said group of entities in the stateful model;
  
  terminate at least a sub set of said group of entities related to the given program;
  
  generate a remediation plan including one or more operations linked to the given program, said one or more operations being retrieved form said group in the stateful model; and
  
  execute the remediation plan by undoing at least part of said one or more operations linked to the given program thereby restoring state of the operating system to a state prior to being executed.

26. A computerized method of detecting malicious code related to a program in an operating system in a live environment, the method comprising:
- monitoring one or more operations performed in the operating system in the live environment and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation;
  
  operation type, and source of the operation;
  
  building a stateful model in accordance with the event data characterizing each monitored operation, the stateful model being a logical data structure representing composition and state of the operating system in the live environment, wherein said building comprises;
  
  for each event data characterizing a monitored operation;
  
  retrieving one or more objects from the event data, said objects representing one or more entities involved in the monitored operation, each object being of a type selected from a group that includes;
  
  process object, file object, network object, registry object, windows object and memory object, at least one of said objects representing the source of the operation;
  
  dividing the objects into one or more groups in accordance with a predefined grouping rule set, each group representing a corresponding group of entities related to a respective program or part thereof running in the operating system;
  
  generating one or more attributes characterizing each object, said attributes including at least;
  
  a) grouping information including a group indicator indicating to which group said object belongs, b) one or more operations associated with said object, said object being source or target of the associated operations, said associated operations being linked to and c) one or more interconnections between said object and one or more other objects through the associated operations; and
  
  in case of said monitored operation being a first operation of a stateful model, generating a stateful model including said objects and the attributes thereof;
  
  otherwise updating a stateful model based on said objects and the attributes thereof, thereby giving rise to an updated stateful model including a network of interconnected objects representing one or more entities constituting the operating system, and one or more attributes thereof indicating the grouping information, operations associated with the objects, and interconnections between the objects through the associated operations;
  
  analyzing the stateful model to identify one or more behaviors including at least one malicious behavior, including;
  
  analyzing the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are behavior signatures indicative of specific behavioral patterns, said analyzing taking into consideration the grouping information of the objects, the interconnection between the objects and the operations associated with the objects; and
  
  determining that at least one malicious behavior of said one or more behaviors is present if any of said one or more predefined behavioral logics are met, and determining the presence of malicious code based on the at least one malicious behavior, and determining a program or part thereof related to the malicious code to be malicious.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. The computerized method of claim 26, wherein the program includes one or more parts, and wherein a group of objects are further divided into one or more sub groups each related to a part of said program, and the grouping information further includes a sub-group indicator indicating to which sub group each object belongs.
  - 28. The computerized method of claim 26, further comprising remediating one or more operations linked to the program.
  - 29. The computerized method of claim 28, wherein said remediating includes:
    - querying the stateful model to retrieve a group of entities related to the program, wherein said group of entities related to the program are retrieved based on a corresponding group of objects which represent said group of entities in the stateful model;
      
      terminating at least a sub set of said group of entities related to the program;
      
      generating a remediation plan including one or more operations linked to the program, said one or more operations being retrieved from said group in the stateful model; and
      
      executing the remediation plan by undoing at least part of said one or more operations linked to the given program thereby restoring state of the operating system to a state prior to the program being executed.
  - 30. The computerized method of claim 26, wherein the predefined behavioral logics include determining a behavior of self-execution when the following condition is met:
    - a target of a process creation operation is an object that is included in the same group as a source of the process creation operation.
  - 31. The computerized method of claim 26, wherein the predefined behavioral logics include determining a behavior of self-deletion when the following condition is met:
    - a target of a file deletion operation is a source file associated with a source process of the file deletion operation.
  - 32. The computerized method of claim 26, wherein the predefined behavioral logics include determining a behavior of code injection when the following condition is met:
    - a process manipulates another process to perform operations on its behalf.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Original Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Inventors
Cohen, Almog, Weingarten, Tomer, Salem, Shlomi, Izraeli, Nir, Karelsbad, Asaf
Primary Examiner(s)
Goodchild, William J.

Application Number

US15/766,339
Time in Patent Office

733 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 9/545   where tasks reside in diffe...

Method of remediating a program and system thereof by undoing operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Method of remediating a program and system thereof by undoing operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others