Method of remediating operations performed by a program and system thereof

US 10,417,424 B2
Filed: 09/14/2018
Issued: 09/17/2019
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A real-time dynamically updated stateful model configured to aggregate and model actions performed by and/or on one or more entities in a computer operating system, the stateful model comprising:

a logical data structure representing a composition and a state of the computer operating system in a live environment, and wherein the logical data structure comprises;

a network of one or more interconnected objects representing the one or more entities constituting the computer operating system,wherein the one or more interconnected objects are derived from the sequence of operations performed in the live environment;

one or more relationships among the one or more interconnected objects;

operation data comprising one or more attributes, wherein each attribute characterizes a condition of the one or more interconnected objects and/or one or more operations of the sequence of operations associated with the one or more interconnected objects; and

one or more object groups, wherein the one or more object groups are formed by dividing the one or more interconnected objects according to a predefined grouping rule set, and wherein each group of the one or more object groups comprises objects representing a corresponding group of entities related to a program running in the live environment;

wherein the state of the computer operating system is a result of a sequence of operations performed in the live environment, and wherein the composition of the computer operating system comprises the one or more entities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a system and a computerized method of remediating one or more operations linked to a given program running in an operating system, the method comprising: querying a stateful model to retrieve a group of entities related to the given program; terminating at least a sub set of the group of entities related to the given program; generating a remediation plan including one or more operations linked to the given program, the one or more operations being retrieved based on the group in the stateful model; and executing the remediation plan by undoing at least part of the one or more operations linked to the given program thereby restoring state of the operating system to a state prior to the given program being executed. There is further provided a computerized method of detecting malicious code related to a program in an operating system in a live environment.

67 Citations

View as Search Results

20 Claims

1. A real-time dynamically updated stateful model configured to aggregate and model actions performed by and/or on one or more entities in a computer operating system, the stateful model comprising:
- a logical data structure representing a composition and a state of the computer operating system in a live environment, and wherein the logical data structure comprises;
  
  a network of one or more interconnected objects representing the one or more entities constituting the computer operating system,wherein the one or more interconnected objects are derived from the sequence of operations performed in the live environment;
  
  one or more relationships among the one or more interconnected objects;
  
  operation data comprising one or more attributes, wherein each attribute characterizes a condition of the one or more interconnected objects and/or one or more operations of the sequence of operations associated with the one or more interconnected objects; and
  
  one or more object groups, wherein the one or more object groups are formed by dividing the one or more interconnected objects according to a predefined grouping rule set, and wherein each group of the one or more object groups comprises objects representing a corresponding group of entities related to a program running in the live environment;
  
  wherein the state of the computer operating system is a result of a sequence of operations performed in the live environment, and wherein the composition of the computer operating system comprises the one or more entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The stateful model of claim 1, wherein the sequence of operations comprises at least one malicious operation of a benign program.
  - 3. The stateful model of claim 2, wherein the at least one malicious operation is performed by a benign that has been injected or manipulated by malicious code.
  - 4. The stateful model of claim 1, wherein the one or more attributes comprise one or more of:
    - operation types, source entities of an operation, target entities of an operation, grouping information, subgroup information, object interconnections, or associated operations.
  - 5. The stateful model of claim 1, wherein the one or more attributes include at least one operation type specific attribute, wherein the at least one operation type specific attribute comprises an attribute that is unique to a specific operation type.
  - 6. The stateful model of claim 5, wherein the operation type is a file system operation, and the at least one operation type specific attribute comprises one or more of:
    - file system permissions, file paths, or file sizes.
  - 7. The stateful model of claim 5, wherein the operation type is a memory operation, and the at least one operation type specific attribute comprises one or more of:
    - memory addresses, data sizes, or memory permissions.
  - 8. The stateful model of claim 1, wherein the sequence of operations comprises at least one benign operation of a benign program.
  - 9. The stateful model of claim 1, wherein the sequence of operations comprises at least one operation of a separate program that is linked to a benign program.
  - 10. The stateful model of claim 1, wherein the stateful model is constructed using data retrieved by monitoring kernel-level operations.
  - 11. The stateful model of claim 1, wherein the one or more entities comprise one or more of:
    - threads, processes, files, networks, registries, windows, or memory.
  - 12. The stateful model of claim 1, wherein the one or more interconnected objects comprise one or more of:
    - thread objects, process objects, file objects, network objects, registry objects, windows objects, or memory objects.
  - 13. The stateful model of claim 1, wherein the one or more attributes comprise one or more of:
    - flags, modifiers, data structures, interactions between the one or more entities, relationships between the one or more entities, or associations between the one or more entities.
  - 14. The stateful model of claim 1, wherein at least one of the objects represents the source of one or more associated operations of the sequence of operations.
  - 15. The stateful model of claim 1, further comprising metadata, wherein the metadata is inferred by application of a predefined algorithm to the operation data.
  - 16. The stateful model of claim 15, wherein the metadata comprises an organizational layer that establishes order between the one or more entities.
  - 17. The stateful model of claim 15, wherein the metadata comprises an organizational layer that establishes grouping information of the one or more objects.
  - 18. The stateful model of claim 1, further comprising one or more object subgroups, wherein each of object subgroup of the one or more object subgroups comprises objects related to one or more attributes related to a distinctive part of the program.
  - 19. The stateful model of claim 1, wherein the one or more attributes comprise linking information connecting the one or more objects to the one or more operations of the sequence of operations.
  - 20. The stateful model of claim 19, wherein the linking information comprises:
    - direct linking information, wherein the direct linking information indicates that the one or more objects are a direct source or a direct target of the one or more operations; and
      
      indirect linking information, wherein the indirect linking information indicates that the one or more objects are an indirect source or an indirect target of the one or more operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Original Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Inventors
Cohen, Almog, Weingarten, Tomer, Salem, Shlomi, Izraeli, Nir, Karelsbad, Asaf
Primary Examiner(s)
Goodchild, William J.

Application Number

US16/132,240
Publication Number

US 20190114426A1
Time in Patent Office

368 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 9/545   where tasks reside in diffe...

Method of remediating operations performed by a program and system thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method of remediating operations performed by a program and system thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others