Identification of suspicious system processes
First Claim
1. A method comprising:
based on receipt of a record of at least a first process executing on a first end-point device in an enterprise network, identifying a set of one or more parameters associated with the first process;
identifying, corresponding to the identified set of one or more parameters, a first time pointer at which the first process was initiated;
identifying a second time pointer at which a second process was initiated on the first end-point device by a first user associated with the first end-point device;
determining that the second time pointer occurred before the first time pointer and that the first process was not initiated by the first user based, at least in part, on the set of one or more parameters;
determining whether the first process is registered in a list of authorized processes for the enterprise network;
identifying the first process as a suspicious process based, at least in part, on the determinations that the second time pointer occurs prior to the first time pointer, that the first process is not registered in the list of authorized processes, and that the first process was not initiated by the first user; and
generating an alert corresponding to identification of the first process as a suspicious process.
2 Assignments
0 Petitions
Abstract
A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to a network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process initiated on and executing on the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer, at which the at least one process was initiated, is identified from the identified one or more parameters. A second time pointer, at which a user associated with the end-point device initiated a user dependent process, is identified. Whether the second time pointer occurred before the first time pointer is determined. Whether the at least one process was initiated by the user is determined based on identification of user dependent processes and their attribution to the user. An action is performed based on the above determinations.
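The rule described in the abstract, as an added example in Python that is not part of the patent or any product it covers. It assumes that the first explorer.exe started by the user marks the user's interactive session (the "user dependent process" and second time pointer), that a process is "initiated by the user" when its parent chain leads back to such a process, and that the authorized list is a set of image names; the process records are constructed sample data, not a real capture. Processes created before the user's session, authorized processes, and processes attributable to the user are passed; everything else started after the user's session start is flagged:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    ppid: int
    name: str             # image name as reported by the end-point sensor
    user: str             # account the process runs under
    start_time: datetime  # process creation time (its "time pointer")


# Assumption: creation of one of these images by the user marks the start of
# that user's interactive session (the abstract's "user dependent process").
USER_SESSION_MARKERS = {"explorer.exe"}


def user_session_start(records: Iterable[ProcessRecord], user: str) -> Optional[datetime]:
    """Second time pointer: earliest session-marker process started by `user`."""
    times = [r.start_time for r in records
             if r.user == user and r.name.lower() in USER_SESSION_MARKERS]
    return min(times) if times else None


def initiated_by_user(rec: ProcessRecord, by_pid: Dict[int, ProcessRecord], user: str) -> bool:
    """Attribute `rec` to `user` by walking its parent chain (assumed attribution model).

    The process is user-initiated when it, or an ancestor, is one of the user's
    session-marker processes. The walk stops when the recorded parent started
    after the child: that pid has been reused and is not the real parent.
    """
    cur: Optional[ProcessRecord] = rec
    seen: Set[int] = set()
    while cur is not None and cur.pid not in seen:
        if cur.user == user and cur.name.lower() in USER_SESSION_MARKERS:
            return True
        seen.add(cur.pid)
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.start_time > cur.start_time:
            return False
        cur = parent
    return False


def find_suspicious(records: List[ProcessRecord], user: str, authorized: Set[str]) -> List[ProcessRecord]:
    """Flag processes started after the user's session that are neither authorized
    nor attributable to the user."""
    by_pid = {r.pid: r for r in records}
    t_user = user_session_start(records, user)
    if t_user is None:
        return []  # no session for this user on the end-point: the rule does not apply
    allowed = {a.lower() for a in authorized}
    flagged = []
    for r in records:
        if r.start_time <= t_user:              # first time pointer not after second: boot-time process
            continue
        if r.name.lower() in allowed:           # registered in the authorized list
            continue
        if initiated_by_user(r, by_pid, user):  # attributable to the user
            continue
        flagged.append(r)
    return flagged


def alerts(records: List[ProcessRecord], user: str, authorized: Set[str]) -> List[str]:
    return [f"suspicious process pid={r.pid} name={r.name} user={r.user} "
            f"started={r.start_time.isoformat()}"
            for r in find_suspicious(records, user, authorized)]


def _t(hms: str) -> datetime:
    return datetime.fromisoformat(f"2024-03-01T{hms}")


# Constructed sample records for one end-point; not a real capture.
SAMPLE_RECORDS = [
    ProcessRecord(500, 1, "services.exe", "SYSTEM", _t("08:00:00")),
    ProcessRecord(700, 500, "svchost.exe", "SYSTEM", _t("08:00:05")),
    ProcessRecord(900, 500, "winlogon.exe", "SYSTEM", _t("08:00:10")),
    ProcessRecord(1200, 900, "explorer.exe", "alice", _t("09:00:00")),  # user session start
    ProcessRecord(2000, 1200, "chrome.exe", "alice", _t("09:05:00")),   # user-initiated, authorized
    ProcessRecord(2100, 1200, "notes.exe", "alice", _t("09:06:00")),    # user-initiated, not authorized
    ProcessRecord(3000, 700, "updater.exe", "SYSTEM", _t("09:30:00")),  # after user start, unattributed
    ProcessRecord(3200, 3000, "cmd.exe", "alice", _t("09:40:00")),      # alice's account, but child of 3000
    ProcessRecord(3300, 500, "helper.exe", "SYSTEM", _t("07:59:00")),   # boot-time, unattributed
]

AUTHORIZED_LIST = {"services.exe", "svchost.exe", "winlogon.exe", "explorer.exe", "chrome.exe"}

if __name__ == "__main__":
    for line in alerts(SAMPLE_RECORDS, "alice", AUTHORIZED_LIST):
        print(line)
```

Running this flags updater.exe (pid 3000) and cmd.exe (pid 3200). The second case is the point of the attribution step: a process running under the user's account is not thereby user-initiated; its lineage leads to an unattributed SYSTEM process, not to the user's shell. notes.exe is not in the authorized list but is passed because it descends from the user's explorer.exe, and helper.exe is passed because it started before the user's session.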
11 Citations
17 Claims
1. A method comprising:
based on receipt of a record of at least a first process executing on a first end-point device in an enterprise network, identifying a set of one or more parameters associated with the first process; identifying, corresponding to the identified set of one or more parameters, a first time pointer at which the first process was initiated; identifying a second time pointer at which a second process was initiated on the first end-point device by a first user associated with the first end-point device; determining that the second time pointer occurred before the first time pointer and that the first process was not initiated by the first user based, at least in part, on the set of one or more parameters; determining whether the first process is registered in a list of authorized processes for the enterprise network; identifying the first process as a suspicious process based, at least in part, on the determinations that the second time pointer occurs prior to the first time pointer, that the first process is not registered in the list of authorized processes, and that the first process was not initiated by the first user; and generating an alert corresponding to identification of the first process as a suspicious process. (Dependent claims 2, 3, 4, 5)
6. An apparatus comprising:
a processing unit; a memory coupled to the processing unit, the memory storing therein instructions that when executed by the processing unit cause the apparatus to, based on receipt of a record of a first process executing on a first end-point device in an enterprise network, identify a set of one or more parameters associated with the first process and identify a first time pointer at which the first process was initiated on the first end-point device based, at least in part, on the set of one or more parameters; identify a second time pointer at which a first user associated with the first end-point device initiated a second process; determine whether the second time pointer occurred before the first time pointer; based on a determination that the second time pointer occurred before the first time pointer, determine whether the first user initiated the first process; determine whether the first process is registered in a list of authorized processes for the enterprise network; and based on determinations that the second time pointer occurred before the first time pointer, that the first process is not registered in the list of authorized processes, and that the first user did not initiate the first process, identify the first process as suspicious. (Dependent claims 7, 8, 9, 10, 11, 12)
13. A non-transitory computer-readable medium having stored therein computer program code executable to:
based on receipt of a record of a first process executing on a first end-point device, identify a set of one or more parameters associated with the first process and identify a first time pointer at which the first process was initiated on the first end-point device based, at least in part, on the set of one or more parameters; identify a second time pointer at which a first user associated with the first end-point device initiated a second process; determine whether the second time pointer occurred before the first time pointer; based on a determination that the second time pointer occurred before the first time pointer, determine whether the first user initiated the first process; determine whether the first process is registered in a list of authorized processes for the enterprise network; and based on determinations that the second time pointer occurred before the first time pointer, that the first process is not registered in the list of authorized processes, and that the first user did not initiate the first process, identify the first process as suspicious. (Dependent claims 14, 15, 16, 17)
Specification