Anomaly detection to identify malware

  • US 10,129,291 B2
  • Filed: 06/27/2015
  • Issued: 11/13/2018
  • Est. Priority Date: 06/27/2015
  • Status: Active Grant
First Claim

1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by a processor, cause the processor to:

  • create, by the processor, metadata for a system;
  • store, in memory, the metadata for the system;
  • monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
  • compare the monitored activities to the metadata for the system stored in memory, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
  • identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
  • in response to identifying the low prevalence outlier of the highly prevalent object, scanning the low prevalence outlier of the highly prevalent object for malware.
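The claim above describes a prevalence-based detection loop: build metadata for the objects seen across a fleet, find the objects that are highly prevalent, and flag the rare variants that borrow a prevalent object's filename while differing in hash, path or signer (or reusing the hash of a different object). The following Python is an added illustration of that loop and is not code from the patent or its assignee; the hostnames, paths, hashes and signer strings are constructed, the prevalence thresholds are arbitrary, and `ObjectRecord`, `build_metadata`, `find_low_prevalence_outliers` and `scan_queue` are names chosen here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectRecord:
    """One observation of an object (here: a process image) on one host."""
    host: str
    filename: str
    path: str
    sha256: str
    signer: str


# Constructed sample telemetry: hostnames, paths, hashes and signers are made up.
OBSERVATIONS = [
    # 20 hosts run the same svchost.exe image from System32.
    *[ObjectRecord(f"host-{i:02d}", "svchost.exe", r"C:\Windows\System32",
                   "a" * 64, "Microsoft Windows") for i in range(1, 21)],
    # The same 20 hosts also run the same notepad.exe image.
    *[ObjectRecord(f"host-{i:02d}", "notepad.exe", r"C:\Windows",
                   "c" * 64, "Microsoft Windows") for i in range(1, 21)],
    # One host runs an unsigned "svchost.exe" from a temp folder with a new hash.
    ObjectRecord("host-21", "svchost.exe", r"C:\Users\bob\AppData\Local\Temp",
                 "b" * 64, ""),
    # One host runs a "svchost.exe" whose hash is actually notepad.exe's.
    ObjectRecord("host-22", "svchost.exe", r"C:\Windows\System32",
                 "c" * 64, "Microsoft Windows"),
    # A low-prevalence but self-consistent object: not an outlier of anything.
    ObjectRecord("host-05", "updater.exe", r"C:\ProgramData\Vendor",
                 "d" * 64, "Vendor Inc"),
]


def build_metadata(records):
    """System metadata: hosts per filename, hosts per exact variant
    (filename, path, hash, signer), and the filenames each hash has been
    seen under (used by the object-reuse check)."""
    hosts_by_name = defaultdict(set)
    hosts_by_variant = defaultdict(set)
    names_by_hash = defaultdict(set)
    for r in records:
        name = r.filename.lower()
        hosts_by_name[name].add(r.host)
        hosts_by_variant[(name, r.path.lower(), r.sha256, r.signer)].add(r.host)
        names_by_hash[r.sha256].add(name)
    return {
        "by_name": {k: len(v) for k, v in hosts_by_name.items()},
        "by_variant": {k: len(v) for k, v in hosts_by_variant.items()},
        "names_by_hash": dict(names_by_hash),
    }


def dominant_variant(name, metadata):
    """The most prevalent (path, hash, signer) variant of a filename."""
    candidates = [(k, n) for k, n in metadata["by_variant"].items() if k[0] == name]
    return max(candidates, key=lambda kv: kv[1])[0]


def find_low_prevalence_outliers(records, metadata, high_prevalence=10, max_outlier_hosts=2):
    """Records that share a filename with a highly prevalent object but whose
    own variant is rare and deviates from the dominant variant. These are the
    candidates the claim says should be scanned for malware."""
    outliers = []
    for r in records:
        name = r.filename.lower()
        if metadata["by_name"][name] < high_prevalence:
            continue  # not a highly prevalent object; out of scope here
        variant = (name, r.path.lower(), r.sha256, r.signer)
        if metadata["by_variant"][variant] > max_outlier_hosts:
            continue  # a common variant, not a low-prevalence outlier
        _, dom_path, dom_hash, dom_signer = dominant_variant(name, metadata)
        reasons = []
        if r.sha256 != dom_hash:
            reasons.append("hash differs from dominant variant")
        if r.path.lower() != dom_path:
            reasons.append("path differs from dominant variant")
        if r.signer != dom_signer:
            reasons.append("signer differs from dominant variant")
        # Object-reuse analysis: the same hash known under another filename.
        other_names = metadata["names_by_hash"][r.sha256] - {name}
        if other_names:
            reasons.append("hash reused from " + ", ".join(sorted(other_names)))
        if reasons:
            outliers.append({"record": r, "reasons": reasons})
    return outliers


def scan_queue(records=OBSERVATIONS):
    """(host, filename, reasons) for every object that should be scanned."""
    meta = build_metadata(records)
    found = find_low_prevalence_outliers(records, meta)
    return sorted((o["record"].host, o["record"].filename, o["reasons"]) for o in found)


if __name__ == "__main__":
    for host, filename, reasons in scan_queue():
        print(f"scan {filename} on {host}: {'; '.join(reasons)}")
```

Run as a script it lists the two svchost.exe impostors and leaves the genuinely rare but self-consistent updater.exe alone, which is the point of gating on prevalence first: rarity by itself is not the signal, rarity that mimics a common object is.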

  • 10 Assignments