Cybersecurity systems and techniques
First Claim
1. A computer-implemented cybersecurity method comprising:
generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations;
generating a process fingerprint of the process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process;
comparing the process fingerprint to a plurality of process fingerprints; and
based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log, wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, and wherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process.
Abstract
Cybersecurity systems and techniques are described. A cybersecurity method may include generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process. Generating the process fingerprint may include performing a cryptographic hash operation on data representing dynamic features of the process. The method may further include comparing the process fingerprint to a plurality of process fingerprints, and based, at least in part, on a result of the comparison, performing a data reduction operation on data associated with the process and/or determining whether the process is a malware process.
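The abstract describes three steps: derive a fingerprint by hashing the process's dynamic features, compare it against a set of stored fingerprints, and on a match either drop the process's data (data reduction) or classify the process as malware. The following is an added example, not the patent's implementation or code from its assignee. The five feature categories come from the claim text; the canonicalisation rules (sorted, de-duplicated sets per category), the JSON encoding, SHA-256 as the hash, and the sample process records are all assumptions made here. The point it adds beyond the abstract is what has to be excluded from the hash for the comparison to work at all: the timestamps from the log, and the order in which operations occurred.

```python
"""Process fingerprinting over dynamic features (added example).

Not the patent's implementation. Feature categories follow the claims;
canonicalisation, JSON encoding and SHA-256 are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Dynamic-feature categories named in the claims.
FEATURE_KEYS = ("modules", "file_ops", "registry_ops", "network", "ipc")


@dataclass
class ProcessRecord:
    pid: int
    image: str
    # Timestamped operation log: (time, category, detail). Times are kept
    # for forensics but deliberately excluded from the fingerprint.
    log: list = field(default_factory=list)

    def dynamic_features(self) -> dict:
        """Collapse the log into order-independent, de-duplicated sets.

        Two runs of the same program that load the same modules, touch the
        same files/keys/hosts and perform the same IPC then hash identically,
        regardless of timing, ordering or repeated operations.
        """
        feats = {k: set() for k in FEATURE_KEYS}
        for _time, category, detail in self.log:
            if category not in feats:
                raise ValueError(f"unknown feature category: {category}")
            feats[category].add(detail)
        return {k: sorted(v) for k, v in feats.items()}


def fingerprint(record: ProcessRecord) -> str:
    """SHA-256 over a canonical JSON encoding of the dynamic features."""
    canonical = json.dumps(record.dynamic_features(), sort_keys=True,
                          separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def triage(record: ProcessRecord, known_benign: set, known_malicious: set):
    """Compare the fingerprint against both sets and act on the result.

    Returns (verdict, log_retained). A match in the benign set performs the
    data-reduction step of claim 1: the per-process log is deleted. A match
    in the malicious set is the abstract's malware determination. Anything
    else is retained for analysis.
    """
    fp = fingerprint(record)
    if fp in known_malicious:
        return "malware", True
    if fp in known_benign:
        record.log.clear()  # data reduction: delete the timestamped log
        return "known-benign", False
    return "unknown", True


def build_sample_records():
    """Constructed sample records for the demonstration (not real telemetry)."""
    baseline = ProcessRecord(101, "notepad.exe", [
        (1000.0, "modules", "kernel32.dll"),
        (1000.1, "modules", "user32.dll"),
        (1000.5, "file_ops", "read:C:\\Users\\alice\\notes.txt"),
        (1001.0, "registry_ops", "query:HKCU\\Software\\Microsoft\\Notepad"),
    ])
    # Same behaviour on a later run: different times, load order and a
    # repeated file operation. Must produce the same fingerprint.
    rerun = ProcessRecord(233, "notepad.exe", [
        (5000.2, "modules", "user32.dll"),
        (5000.3, "modules", "kernel32.dll"),
        (5000.9, "registry_ops", "query:HKCU\\Software\\Microsoft\\Notepad"),
        (5001.1, "file_ops", "read:C:\\Users\\alice\\notes.txt"),
        (5001.1, "file_ops", "read:C:\\Users\\alice\\notes.txt"),
    ])
    # Same image name, but with added network and inter-process activity.
    # Must produce a different fingerprint so its log is not deleted.
    suspicious = ProcessRecord(412, "notepad.exe", [
        (7000.0, "modules", "kernel32.dll"),
        (7000.1, "modules", "user32.dll"),
        (7000.2, "modules", "ws2_32.dll"),
        (7000.8, "network", "connect:tcp/203.0.113.10:443"),
        (7001.0, "ipc", "open_process:lsass.exe"),
    ])
    return baseline, rerun, suspicious


if __name__ == "__main__":
    base, rerun, susp = build_sample_records()
    benign = {fingerprint(base)}
    print(triage(rerun, benign, set()))   # ('known-benign', False)
    print(triage(susp, benign, set()))    # ('unknown', True)
```

The hash is only as useful as the canonicalisation in front of it. If the `detail` strings carry per-run values (child PIDs, temporary file names, ephemeral ports), two runs of the same program will never match and the data-reduction step will never fire; normalising those values before hashing is part of the design, and is not specified by the abstract. Because a benign match deletes the log outright, the benign set should be built from fingerprints observed across many runs rather than from a single sample.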
28 Claims
1. A computer-implemented cybersecurity method comprising:
generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations; generating a process fingerprint of the process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process; comparing the process fingerprint to a plurality of process fingerprints; and based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log, wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, and wherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process. (Dependent claims 2 to 18.)
19. A cybersecurity system, comprising:
data processing apparatus programmed to perform operations comprising: generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations; generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process; comparing the process fingerprint to a plurality of process fingerprints; and based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log, wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, and wherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process. (Dependent claims 20 to 27.)
28. A computer storage medium having instructions stored thereon that, when executed by a data processing apparatus, cause the data processing apparatus to perform operations comprising:
generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations; generating a process fingerprint of the process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process; comparing the process fingerprint to a plurality of process fingerprints; and based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log, wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, and wherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process.