Learned behavior based security

US 10,348,771 B2
Filed: 01/26/2018
Issued: 07/09/2019
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for providing security policies, the method comprising:

an analysis engine of a security policy system receiving behavioral information provided by agent security software executing on user devices about applications executing on the user devices;

the analysis engine running the behavioral information through different behavioral models maintained by the security policy system; and

the analysis engine determining trustworthiness for the applications and/or user devices based on the behavioral information received from each of the user devices,wherein the trustworthiness for the applications and/or user devices are determined based on observed behaviors and the absence of expected behaviors, wherein the expected behaviors are associated with trusted applications, and the absence of expected behaviors result in lower trust scores indicating a greater chance that the applications are malware, wherein the expected behaviors include the applications displaying visible windows, and the applications are assigned lower trust scores based on determining that the applications did not display any visible windows.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.

15 Citations

View as Search Results

30 Claims

1. A method for providing security policies, the method comprising:
- an analysis engine of a security policy system receiving behavioral information provided by agent security software executing on user devices about applications executing on the user devices;
  
  the analysis engine running the behavioral information through different behavioral models maintained by the security policy system; and
  
  the analysis engine determining trustworthiness for the applications and/or user devices based on the behavioral information received from each of the user devices,wherein the trustworthiness for the applications and/or user devices are determined based on observed behaviors and the absence of expected behaviors, wherein the expected behaviors are associated with trusted applications, and the absence of expected behaviors result in lower trust scores indicating a greater chance that the applications are malware, wherein the expected behaviors include the applications displaying visible windows, and the applications are assigned lower trust scores based on determining that the applications did not display any visible windows.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method as claimed in claim 1, further comprising providing security policies for the applications and/or the user devices based on the determined trustworthiness.
  - 3. A method as claimed in claim 1, wherein running the behavioral information through different behavioral models comprises running the behavioral information against data theft behavioral models to determine a degree to which the behavioral information matches data theft behaviors.
  - 4. A method as claimed in claim 1, wherein running the behavioral information through different behavioral models comprises running the behavioral information against botnet behavioral models to determine a degree to which the behavioral information matches botnet behaviors.
  - 5. A method as claimed in claim 1, wherein determining trustworthiness for the applications and/or user devices comprises determining trustworthiness for specific user devices.
  - 6. A method as claimed in claim 1, wherein determining trustworthiness for the applications and/or user devices comprises determining trustworthiness for aggregate sets of user devices.
  - 7. A method as claimed in claim 1, further comprising assigning incident trustworthiness for specific devices and collective trustworthiness based on aggregated data for the type of devices.
  - 8. A method as claimed in claim 1, further comprising determining the trustworthiness for the applications running on the user devices and determining the trustworthiness of the user devices based on the trustworthiness of the applications.
  - 9. A method as claimed in claim 1, further comprising collecting unmodeled behavioral information for the applications.
  - 10. A method as claimed in claim 9, further determining whether the unmodeled behavioral information is statistically similar with malware or trusted applications.
  - 11. A method as claimed in claim 1, further comprising analyzing variance behavior and analyzing the statistical divergence between trusted applications and malware and concluding whether the applications executing on the user devices are likely to be malware when a behavioral profile is similar to malware.
  - 12. A method as claimed in claim 1, further comprising determining a statistical divergence between the trusted applications and applications executing on the user devices and determining trustworthiness based on the divergence.
  - 13. A method as claimed in claim 1, further comprising collecting unmodeled behaviors about the applications executing on the user devices and determining whether the unmodeled behaviors are indicative of malware and evolving the models over time based on the unmodeled behaviors.
  - 14. A method as claimed in claim 13, wherein the unmodeled behaviors include network connections, types of file access and/or creation, changes to system configurations, and/or system or application programming interface calls.
  - 15. A method as claimed in claim 13, further comprising learning new malware behavior based on the unmodeled behaviors and evolving the behavioral models to include the learned new malware behavior.
  - 16. A method as claimed in claim 15, further comprising learning the new malware behavior by comparing unmodeled behaviors for trusted applications to unmodeled behaviors for known malware and detecting behavioral outliers.
  - 17. A method as claimed in claim 1, wherein the observed behaviors include the applications reading user data, making Hypertext Transfer Protocol connections, turning on microphones, turning on webcams, accessing databases, and/or recording keystrokes.

18. A security policy system, comprising:
- a services component executing on a computer of the security policy system that receives behavioral information provided by agent security software executing on user devices about applications executing on the user devices;
  
  an analysis engine executing on a computer of the security policy system that determines trustworthiness for each of the applications and/or the user devices by running the behavioral information through different behavioral models maintained by the security policy system,wherein the analysis engine determines the trustworthiness for the applications and/or user devices based on observed behaviors and the absence of expected behaviors, and wherein the expected behaviors are associated with trusted applications, and the absence of expected behaviors result in lower trust scores indicating a greater chance that the applications are malware, wherein the expected behaviors include the applications displaying visible windows, and the applications are assigned lower trust scores based on determining that the applications did not display any visible windows, andwherein the services component and the analysis engine are stored in memory of a computer and executed by a processor of a computer.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 19. A system as claimed in claim 18, further comprising a policy engine of the security policy system that provides security policies for the user devices based on the determined trustworthiness.
  - 20. A system as claimed in claim 18, wherein the policy engine provides security policies for the applications and/or the user devices based on the determined trustworthiness.
  - 21. A system as claimed in claim 18, wherein the analysis engine runs the behavioral information through different behavioral models by running the behavioral information against data theft behavioral models to determine a degree to which the behavioral information matches data theft behaviors.
  - 22. A system as claimed in claim 18, wherein the analysis engine runs the behavioral information through different behavioral models by running the behavioral information against botnet behavioral models to determine a degree to which the behavioral information matches botnet behaviors.
  - 23. A system as claimed in claim 18, wherein the analysis engine determines trustworthiness for the applications and/or user devices by determining trustworthiness for specific user devices.
  - 24. A system as claimed in claim 18, wherein the analysis engine determines trustworthiness for the applications and/or user devices by determining trustworthiness for aggregate sets of user devices.
  - 25. A system as claimed in claim 18, wherein the analysis engine assigns incident trustworthiness for specific devices and collective trustworthiness based on aggregated data for the type of devices.
  - 26. A system as claimed in claim 18, wherein the analysis engine determines the trustworthiness for the applications running on the user devices and determines the trustworthiness of the user devices based on the trustworthiness of the applications.
  - 27. A system as claimed in claim 18, wherein the services component collects unmodeled behavioral information for the applications and the analysis engine determines whether the unmodeled behavioral information is statistically similar with malware or trusted applications.
  - 28. A system as claimed in claim 18, wherein the analysis engine analyzes variance behavior and analyzes the statistical divergence between trusted applications and malware and concluding whether the applications executing on the user devices are likely to be malware when a behavioral profile is similar to malware.
  - 29. A system as claimed in claim 18, wherein the analysis engine determines a statistical divergence between the trusted applications and applications executing on the user devices and determines trustworthiness based on the divergence.
  - 30. A system as claimed in claim 18, wherein the analysis engine collects unmodeled behaviors about the applications executing on the user devices and determines whether the unmodeled behaviors are indicative of malware and evolves the models over time based on the unmodeled behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Inventors
Kraemer, Jeffrey Albin
Primary Examiner(s)
Ho, Dao Q

Application Number

US15/881,044
Publication Number

US 20180152481A1
Time in Patent Office

529 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Learned behavior based security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Learned behavior based security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links