Learned behavior based security
First Claim
1. A method for providing security policies, the method comprising:
- an analysis engine of a security policy system receiving behavioral information provided by agent security software executing on user devices about applications executing on the user devices;
- the analysis engine running the behavioral information through different behavioral models maintained by the security policy system; and
- the analysis engine determining trustworthiness for the applications and/or user devices based on the behavioral information received from each of the user devices, wherein the trustworthiness for the applications and/or user devices is determined based on observed behaviors and the absence of expected behaviors, wherein the expected behaviors are associated with trusted applications, and the absence of expected behaviors results in lower trust scores indicating a greater chance that the applications are malware, wherein the expected behaviors include the applications displaying visible windows, and the applications are assigned lower trust scores based on determining that the applications did not display any visible windows.
Abstract
The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.
30 Claims
18. A security policy system, comprising:
- a services component executing on a computer of the security policy system that receives behavioral information provided by agent security software executing on user devices about applications executing on the user devices;
- an analysis engine executing on a computer of the security policy system that determines trustworthiness for each of the applications and/or the user devices by running the behavioral information through different behavioral models maintained by the security policy system, wherein the analysis engine determines the trustworthiness for the applications and/or user devices based on observed behaviors and the absence of expected behaviors, and wherein the expected behaviors are associated with trusted applications, and the absence of expected behaviors results in lower trust scores indicating a greater chance that the applications are malware, wherein the expected behaviors include the applications displaying visible windows, and the applications are assigned lower trust scores based on determining that the applications did not display any visible windows; and
- wherein the services component and the analysis engine are stored in memory of a computer and executed by a processor of a computer.
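The claims describe the analysis engine only in prose. The following is an added example, not code from the patent or its assignee, showing one possible shape of the scoring step claimed above: per-device agent reports keyed by application hash, constructed behavioral models, the penalty for the absence of an expected behavior (an application that never displays a visible window), and aggregation of the per-device scores into a policy verdict per hash. Every behavior name, weight, threshold and hash value is an assumption chosen for illustration.

```python
from collections import defaultdict

# Constructed behavioral models (assumed weights, not from the patent).
# Behaviors that trusted applications are expected to exhibit; their absence lowers trust.
EXPECTED_BEHAVIORS = {"displays_visible_window": 30}
# Behaviors that by themselves lower trust when observed.
SUSPICIOUS_BEHAVIORS = {
    "injects_into_other_process": 40,
    "modifies_autorun_key": 25,
    "disables_security_software": 50,
}

def score_report(report):
    """Trust score (0..100) for one device's report about one application hash."""
    score = 100
    observed = set(report["behaviors"])
    for behavior, penalty in SUSPICIOUS_BEHAVIORS.items():
        if behavior in observed:
            score -= penalty
    for behavior, penalty in EXPECTED_BEHAVIORS.items():
        if behavior not in observed:  # absence of an expected behavior lowers trust
            score -= penalty
    return max(0, min(100, score))

def analyze(reports, allow_at=70, monitor_at=40):
    """Aggregate per-device scores by hash and derive a policy verdict per hash."""
    per_hash = defaultdict(list)
    for report in reports:
        per_hash[report["hash"]].append(score_report(report))
    policy = {}
    for app_hash, scores in per_hash.items():
        trust = sum(scores) / len(scores)
        verdict = "allow" if trust >= allow_at else "monitor" if trust >= monitor_at else "block"
        policy[app_hash] = {"trust": trust, "devices": len(scores), "verdict": verdict}
    return policy

# Constructed sample reports (placeholder hashes, not real indicators).
REPORTS = [
    {"hash": "sha256:constructed-a", "device": "dev-1", "behaviors": ["displays_visible_window", "reads_user_documents"]},
    {"hash": "sha256:constructed-a", "device": "dev-2", "behaviors": ["displays_visible_window"]},
    {"hash": "sha256:constructed-b", "device": "dev-1", "behaviors": ["modifies_autorun_key"]},
    {"hash": "sha256:constructed-c", "device": "dev-1", "behaviors": ["injects_into_other_process", "disables_security_software"]},
    {"hash": "sha256:constructed-c", "device": "dev-2", "behaviors": ["injects_into_other_process"]},
]

if __name__ == "__main__":
    for app_hash, entry in analyze(REPORTS).items():
        print(app_hash, entry)
```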