Anomaly detection to identify malware
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to monitor activities of objects in a system, compare the monitored activities to metadata for the system, and identify low prevalence outliers to detect potentially malicious activity. The monitored activities can include an analysis of metadata of the objects in the system to identify polymorphic threats, an object reuse analysis of the system to detect an object reusing metadata from another object, and a filename analysis of the system.
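As an added illustration, not code from the patent or its assignee, the following Python sketches the prevalence-based comparison the abstract describes: it builds per-variant host-count metadata from constructed endpoint telemetry and flags a rare object that reuses a highly prevalent filename while differing in directory, hash and signer, which is the candidate the claims hand to a malware scan. The function names, thresholds and sample records are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry, not real data: (host, filename, directory, hash label, signer).
# The hash labels stand in for real digests.
OBSERVATIONS = [
    ("h1", "svchost.exe", r"C:\Windows\System32", "hash-A", "Microsoft"),
    ("h2", "svchost.exe", r"C:\Windows\System32", "hash-A", "Microsoft"),
    ("h3", "svchost.exe", r"C:\Windows\System32", "hash-A", "Microsoft"),
    ("h4", "svchost.exe", r"C:\Windows\System32", "hash-A", "Microsoft"),
    ("h4", "svchost.exe", r"C:\Users\Public", "hash-Z", "unsigned"),    # mimics the prevalent name
    ("h2", "notes.exe", r"C:\Users\alice\tools", "hash-N", "unsigned"),  # rare, but mimics nothing
]

def build_metadata(observations):
    """Baseline metadata: for each (filename, directory, hash, signer) variant,
    the number of distinct hosts on which it was observed."""
    hosts = defaultdict(set)
    for host, name, directory, digest, signer in observations:
        hosts[(name, directory, digest, signer)].add(host)
    return {variant: len(h) for variant, h in hosts.items()}

def find_outliers(metadata, prevalent_min=3, outlier_max=1):
    """Return low-prevalence variants that share a filename with a highly prevalent
    variant, along with the metadata fields in which they differ from it."""
    by_name = defaultdict(list)
    for variant, count in metadata.items():
        by_name[variant[0]].append((variant, count))
    findings = []
    for name, variants in by_name.items():
        prevalent = [v for v, c in variants if c >= prevalent_min]
        if not prevalent:
            continue  # no established object under this name, so nothing is being mimicked
        baseline = prevalent[0]
        labels = ("directory", "hash", "signer")
        for variant, count in variants:
            if count > outlier_max or variant in prevalent:
                continue
            differs = [lbl for lbl, a, b in zip(labels, variant[1:], baseline[1:]) if a != b]
            findings.append({"name": name, "directory": variant[1], "hash": variant[2],
                             "hosts": count, "differs_from_baseline": differs})
    return findings  # each finding is a candidate to hand to the malware scanner

if __name__ == "__main__":
    for finding in find_outliers(build_metadata(OBSERVATIONS)):
        print(finding)
```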
15 Claims
1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by a processor, cause the processor to:
- create, by the processor, metadata for a system;
- store, in memory, the metadata for the system;
- monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
- compare the monitored activities to the metadata for the system stored in memory, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
- identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
- in response to identifying the low prevalence outlier of the highly prevalent object, scanning the low prevalence outlier of the highly prevalent object for malware.
Dependent claims: 2, 3, 4, 5.
6. An apparatus comprising:
- a memory element; and
- a hardware processor configured to:
- create metadata for a system;
- store, in the memory element, the metadata for the system;
- monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
- compare the monitored activities to the metadata for the system stored in the memory element, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
- identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
- in response to identifying the low prevalence outlier of the highly prevalent object, scan the low prevalence outlier of the highly prevalent object for malware.
Dependent claims: 7, 8, 9, 10.
11. A method comprising:
- creating metadata for a system;
- storing the metadata for the system;
- monitoring activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
- comparing the monitored activities to the metadata for the system, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
- identifying a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
- in response to identifying the low prevalence outlier of the highly prevalent object, scanning the low prevalence outlier of the highly prevalent object for malware.
Dependent claims: 12, 13, 14.
15. A system for anomaly detection to identify malware, the system comprising:
- memory; and
- a hardware processor configured to:
- create metadata for a system;
- store, in memory, the metadata for the system;
- monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
- compare the monitored activities to the metadata for the system stored in memory, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
- identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
- in response to identifying the low prevalence outlier of the highly prevalent object, scan the low prevalence outlier of the highly prevalent object for malware.