Cybersecurity systems and techniques

US 10,423,787 B2
Filed: 02/23/2017
Issued: 09/24/2019
Est. Priority Date: 02/23/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented cybersecurity method comprising:

generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations;

generating a process fingerprint of the process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process;

comparing the process fingerprint to a plurality of process fingerprints; and

based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log,wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, andwherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cybersecurity systems and techniques are described. A cybersecurity method may include generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process. Generating the process fingerprint may include performing a cryptographic hash operation on data representing dynamic features of the process. The method may further include comparing the process fingerprint to a plurality of process fingerprints, and based, at least in part, on a result of the comparison, performing a data reduction operation on data associated with the process and/or determining whether the process is a malware process.

Citations

28 Claims

1. A computer-implemented cybersecurity method comprising:
- generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations;
  
  generating a process fingerprint of the process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process;
  
  comparing the process fingerprint to a plurality of process fingerprints; and
  
  based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log,wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, andwherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the data representing dynamic features of the process comprises the data characterizing modules loaded by the process.
  - 3. The method of claim 1, wherein the data representing dynamic features of the process comprises the data characterizing file operations associated with the process.
  - 4. The method of claim 1, wherein the data representing dynamic features of the process comprises the data characterizing registry operations performed by the process.
  - 5. The method of claim 1, wherein the data representing dynamic features of the process comprises the data characterizing network activity associated with the process.
  - 6. The method of claim 1, wherein the data representing dynamic features of the process comprises the data characterizing inter-process operations performed by the process.
  - 7. The method of claim 1, wherein generating the process fingerprint further comprises performing the cryptographic hash operation on data representing static features of a file corresponding to the process.
  - 8. The method of claim 1, wherein the cryptographic hash operation is a rolling cryptographic hash operation.
  - 9. The method of claim 1, wherein the cryptographic hash operation is a deterministic, sequence-invariant cryptographic hash operation.
  - 10. The method of claim 1, wherein generating the process fingerprint comprises generating a first process fingerprint and a second process fingerprint.
  - 11. The method of claim 10, wherein generating the first process fingerprint comprises performing a cryptographic hash operation on data representing first dynamic features of the process, and wherein generating the second process fingerprint comprises performing a cryptographic hash operation on data representing second dynamic features of the process.
  - 12. The method of claim 11, wherein the data representing first dynamic features of the process are selected from a group comprising data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and data characterizing inter-process operations performed by the process.
  - 13. The method of claim 12, wherein the data representing second dynamic features of the process are different from the data representing first dynamic features of the process, and wherein the data representing second dynamic features of the process are selected from a group comprising data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and data characterizing inter-process operations performed by the process.
  - 14. The method of claim 1, wherein performing the data reduction operation on the data associated with the process further comprises replacing the log with the process fingerprint of the process.
  - 15. The method of claim 1, wherein performing the data reduction operation on the data associated with the process further comprises replacing the log with the process fingerprint of the process and data indicating a date and/or time of execution of the process.
  - 16. The method of claim 1, further comprising determining whether the process is a malware process based, at least in part, on the result of the comparison.
  - 17. The method of claim 16, wherein the plurality of process fingerprints includes one or more process fingerprints of one or more blacklisted processes, and wherein determining whether the process is a malware process based on the result of the comparison comprises determining that the process is a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more blacklisted processes.
  - 18. The method of claim 16, wherein the plurality of process fingerprints includes one or more process fingerprints of one or more whitelisted processes, and wherein determining whether the process is a malware process based on the result of the comparison comprises determining that the process is not a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more whitelisted processes.

19. A cybersecurity system, comprising:
- data processing apparatus programmed to perform operations comprising;
  
  generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations;
  
  generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process;
  
  comparing the process fingerprint to a plurality of process fingerprints; and
  
  based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log,wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, andwherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19, wherein the cryptographic hash operation is a rolling cryptographic hash operation.
  - 21. The system of claim 19, wherein the cryptographic hash operation is a deterministic, sequence-invariant cryptographic hash operation.
  - 22. The system of claim 19, wherein generating the process fingerprint comprises generating a first process fingerprint and a second process fingerprint.
  - 23. The system of claim 22, wherein generating the first process fingerprint comprises performing a cryptographic hash operation on data representing first dynamic features of the process, the first dynamic features being dynamic features of a first type, and wherein generating the second process fingerprint comprises performing a cryptographic hash operation on data representing second dynamic features of the process, the second dynamic features being dynamic features of a second type different from the first type.
  - 24. The system of claim 19, wherein performing the data reduction operation on the data associated with the process further comprises replacing the log with the process fingerprint of the process.
  - 25. The system of claim 19, wherein the operations further comprise determining whether the process is a malware process based, at least in part, on the result of the comparison.
  - 26. The system of claim 25, wherein:
    - the plurality of process fingerprints includes one or more process fingerprints of one or more blacklisted processes, anddetermining whether the process is a malware process based on the result of the comparison comprises determining that the process is a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more blacklisted processes.
  - 27. The system of claim 25, wherein:
    - wherein the plurality of process fingerprints includes one or more process fingerprints of one or more whitelisted processes, andwherein determining whether the process is a malware process based on the result of the comparison comprises determining that the process is not a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more whitelisted processes.

28. A computer storage medium having instructions stored thereon that, when executed by a data processing apparatus, cause the data processing apparatus to perform operations comprising:
- generating a log indicating a plurality of operations performed by a process and a plurality of respective times associated with the operations;
  
  generating a process fingerprint of the process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process;
  
  comparing the process fingerprint to a plurality of process fingerprints; and
  
  based, at least in part, on a result of the comparison indicating that the process fingerprint matches a process fingerprint included in the plurality of process fingerprints, performing a data reduction operation on data associated with the process, wherein performing the data reduction operation on the data associated with the process comprises deleting the log,wherein generating the process fingerprint comprises performing a cryptographic hash operation on data representing dynamic features of the process, andwherein the data representing dynamic features of the process comprises data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and/or data characterizing inter-process operations performed by the process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Inventors
Wachdorf, Daniel, Lundgren, Scott
Primary Examiner(s)
Dada, Beemnet W

Application Number

US15/440,401
Publication Number

US 20170329968A1
Time in Patent Office

943 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/554   involving event detection a...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Cybersecurity systems and techniques

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Cybersecurity systems and techniques

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links