Method of remediating a program and system thereof by undoing operations
First Claim
1. A computerized method of remediating one or more operations linked to a given program running in an operating system, the method comprising:
- querying a stateful model to retrieve a group of entities related to the given program, the stateful model being a logical data structure representing composition and state of the operating system in a live environment, the stateful model including a network of one or more interconnected objects representing one or more entities constituting the operating system, and one or more attributes characterizing each object, said objects being divided into one or more groups each representing a corresponding group of entities related to a respective program or part thereof running in the operating system, said attributes of each object including at least:
  i) a group indicator indicating to which group said object belongs,
  ii) one or more operations associated with said object, said object being source or target of the associated operations, said associated operations being linked to the given program, and
  iii) one or more interconnections between said object and one or more other objects through the associated operations,
  wherein said group of entities related to the given program are retrieved based on a corresponding group of objects which represent said group of entities in the stateful model;
- terminating at least a subset of said group of entities related to the given program;
- generating a remediation plan including one or more operations linked to the given program, said one or more operations being retrieved based on said group in the stateful model; and
- executing the remediation plan by undoing at least part of said one or more operations linked to the given program, thereby restoring the state of the operating system to a state prior to the given program being executed.
Abstract
There is provided a system and a computerized method of remediating a given program running in an operating system, the method comprising: querying a stateful model to retrieve a group of entities related to the given program; terminating at least a subset of the group of entities related to the given program; generating a remediation plan including one or more operations linked to the given program, the one or more operations being retrieved based on the group in the stateful model; and executing the remediation plan by undoing at least part of the one or more operations linked to the given program, thereby restoring the state of the operating system to a state prior to the given program being executed. There is further provided a computerized method of detecting malicious code related to a program in an operating system in a live environment.
32 Claims
25. A system remediating one or more operations linked to a given program running in an operating system, the system comprising a processor operatively connected to a memory, the processor configured to:
- query a stateful model to retrieve a group of entities related to the given program, the stateful model being a logical data structure representing composition and state of the operating system in a live environment, the stateful model including a network of one or more interconnected objects representing one or more entities constituting the operating system, and one or more attributes characterizing each object, said objects being divided into one or more groups each representing a corresponding group of entities related to a respective program or part thereof running in the operating system, said attributes of each object including at least:
  i) a group indicator indicating to which group said object belongs,
  ii) one or more operations associated with said object, said object being source or target of the associated operations, said associated operations being linked to the given program, and
  iii) one or more interconnections between said object and one or more other objects through the associated operations,
  wherein said group of entities related to the given program are retrieved based on a corresponding group of objects which represent said group of entities in the stateful model;
- terminate at least a subset of said group of entities related to the given program;
- generate a remediation plan including one or more operations linked to the given program, said one or more operations being retrieved from said group in the stateful model; and
- execute the remediation plan by undoing at least part of said one or more operations linked to the given program, thereby restoring the state of the operating system to a state prior to being executed.
26. A computerized method of detecting malicious code related to a program in an operating system in a live environment, the method comprising:
- monitoring one or more operations performed in the operating system in the live environment and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation: operation type, and source of the operation;
- building a stateful model in accordance with the event data characterizing each monitored operation, the stateful model being a logical data structure representing composition and state of the operating system in the live environment, wherein said building comprises, for each event data characterizing a monitored operation:
  retrieving one or more objects from the event data, said objects representing one or more entities involved in the monitored operation, each object being of a type selected from a group that includes: process object, file object, network object, registry object, windows object and memory object, at least one of said objects representing the source of the operation;
  dividing the objects into one or more groups in accordance with a predefined grouping rule set, each group representing a corresponding group of entities related to a respective program or part thereof running in the operating system;
  generating one or more attributes characterizing each object, said attributes including at least:
  a) grouping information including a group indicator indicating to which group said object belongs,
  b) one or more operations associated with said object, said object being source or target of the associated operations, said associated operations being linked to and
  c) one or more interconnections between said object and one or more other objects through the associated operations; and
  in case of said monitored operation being a first operation of a stateful model, generating a stateful model including said objects and the attributes thereof; otherwise updating a stateful model based on said objects and the attributes thereof, thereby giving rise to an updated stateful model including a network of interconnected objects representing one or more entities constituting the operating system, and one or more attributes thereof indicating the grouping information, operations associated with the objects, and interconnections between the objects through the associated operations;
- analyzing the stateful model to identify one or more behaviors including at least one malicious behavior, including: analyzing the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavioral logics are behavior signatures indicative of specific behavioral patterns, said analyzing taking into consideration the grouping information of the objects, the interconnection between the objects and the operations associated with the objects; and determining that at least one malicious behavior of said one or more behaviors is present if any of said one or more predefined behavioral logics are met; and
- determining the presence of malicious code based on the at least one malicious behavior, and determining a program or part thereof related to the malicious code to be malicious.
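As an added illustration (not code from the patent or its assignee), the following Python toy builds the stateful model of claim 26 from a constructed event stream, assigns objects to groups under an assumed grouping rule, and then runs the claim 1 flow: retrieve the program's group, terminate its processes, generate a plan from the operations linked to the group, and undo them newest-first to restore the prior state. The event tuple format, `SYSTEM_ROOTS`, the grouping rule, and the sample events and state are all assumptions made for the example.

```python
# Added example (not the patent's code): toy stateful model plus undo-based remediation.
SYSTEM_ROOTS = {"explorer.exe"}   # constructed: processes spawned by these start a new group
class StatefulModel:
    def __init__(self):
        self.objects = {}   # name -> {"kind", "group", "ops", "links"}: the claim's attributes
        self.ops = []       # every monitored operation, in observed order
    def _obj(self, name, kind):
        return self.objects.setdefault(name, {"kind": kind, "group": None, "ops": [], "links": set()})
    def ingest(self, op_type, src, dst, prior):   # one event: (type, source, target, prior value)
        s = self._obj(src, "process")
        d = self._obj(dst, "process" if op_type == "process_create" else op_type.split("_")[0])
        if s["group"] is None:                 # first sighting of a root process
            s["group"] = "system" if src in SYSTEM_ROOTS else src
        if d["group"] is None:                 # grouping rule (assumed): a target joins the
            d["group"] = dst if s["group"] == "system" else s["group"]   # acting source's group
        op = (len(self.ops), op_type, src, dst, prior)
        self.ops.append(op)
        for o, other in ((s, dst), (d, src)):  # each object records the op and its interconnection
            o["ops"].append(op); o["links"].add(other)
    def group_entities(self, program):
        g = self.objects[program]["group"]
        return {n for n, o in self.objects.items() if o["group"] == g}
    def remediation_plan(self, program):
        g = self.objects[program]["group"]   # ops linked to the program: source in its group
        return [op for op in reversed(self.ops) if self.objects[op[2]]["group"] == g]

def remediate(model, program, state, running):
    """Claim 1 flow: query the group, terminate its processes, build and execute the plan."""
    entities = model.group_entities(program)
    running = running - {e for e in entities if model.objects[e]["kind"] == "process"}
    state, plan = dict(state), model.remediation_plan(program)
    for _, op_type, _src, dst, prior in plan:  # newest first, so the oldest prior value wins
        if op_type in ("file_write", "registry_set"):
            if prior is None: state.pop(dst, None)   # did not exist before: remove it
            else: state[dst] = prior                 # existed: restore the prior value
    return entities, plan, state, running

# Constructed event stream and live state; payload.exe was spawned by dropper.exe.
EVENTS = [("process_create", "explorer.exe", "dropper.exe", None),
          ("file_write", "dropper.exe", "C:/Temp/payload.dll", None),
          ("registry_set", "dropper.exe", "HKCU/Run/updater", None),
          ("process_create", "dropper.exe", "payload.exe", None),
          ("file_write", "payload.exe", "C:/Users/doc.txt", "original text")]
STATE = {"C:/Temp/payload.dll": "<dll>", "HKCU/Run/updater": "payload.exe", "C:/Users/doc.txt": "encrypted"}
RUNNING = {"explorer.exe", "dropper.exe", "payload.exe"}

def demo(program="payload.exe"):   # start from the child process: the whole group is still found
    model = StatefulModel()
    for ev in EVENTS: model.ingest(*ev)
    return remediate(model, program, STATE, RUNNING)
```

Starting remediation from either `payload.exe` or `dropper.exe` yields the same plan, because the group indicator ties both processes and their file and registry targets together.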