Identification of suspicious system processes

US 10,423,789 B2
Filed: 04/03/2017
Issued: 09/24/2019
Est. Priority Date: 04/03/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

based on receipt of a record of at least a first process executing on a first end-point device in an enterprise network, identifying a set of one or more parameters associated with the first process;

identifying, corresponding to the identified set of one or more parameters, a first time pointer at which the first process was initiated;

identifying a second time pointer at which a second process was initiated on the first end-point device by a first user associated with the first end-point device;

determining that the second time pointer occurred before the first time pointer and that the first process was not initiated by the first user based, at least in part, on the set of one or more parameters;

determining that the first process is registered in a list of authorized processes for the enterprise network;

identifying the first process as a suspicious process based, at least in part, on the determinations that the second time pointer occurs prior to the first time pointer, that the first process is not registered in the list of authorized processes, and that the first process was not initiated by the first user; and

generating an alert corresponding to identification of the first process as a suspicious process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process, initiated by and executing on by the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer is identified corresponding to the identified one or more parameters, a first time pointer. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified. It is determined whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution. An action is performed based on the above determination.

11 Citations

17 Claims

1. A method comprising:
- based on receipt of a record of at least a first process executing on a first end-point device in an enterprise network, identifying a set of one or more parameters associated with the first process;
  
  identifying, corresponding to the identified set of one or more parameters, a first time pointer at which the first process was initiated;
  
  identifying a second time pointer at which a second process was initiated on the first end-point device by a first user associated with the first end-point device;
  
  determining that the second time pointer occurred before the first time pointer and that the first process was not initiated by the first user based, at least in part, on the set of one or more parameters;
  
  determining that the first process is registered in a list of authorized processes for the enterprise network;
  
  identifying the first process as a suspicious process based, at least in part, on the determinations that the second time pointer occurs prior to the first time pointer, that the first process is not registered in the list of authorized processes, and that the first process was not initiated by the first user; and
  
  generating an alert corresponding to identification of the first process as a suspicious process.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the alert is displayed on a display unit of at least one of:
    - an end-point device, a computerized general control system, an enterprise control system.
  - 3. The method of claim 1, further comprising continuously monitoring the first process after identifying the first process as a suspicious process.
  - 4. The method of claim 1, further comprising:
    - generating a second alert if a change is detected while continuously monitoring the first process.
  - 5. The method of claim 1 further comprising receiving, at a server in the enterprise network, the record from an agent installed on the first end-point device.

6. An apparatus comprising:
- a processing unit;
  
  a memory coupled to the processing unit, the memory storing therein instructions that when executed by the processing unit cause the apparatus to,based on receipt of a record of a first process executing on a first end-point device in an enterprise network, identify a set of one or more parameters associated with the first process and identify a first time pointer at which the first process was initiated on the first end-point device based, at least in part, on the set of one or more parameters;
  
  identify a second time pointer at which a first user associated with the first end-point device initiated a second process;
  
  determine whether the second time pointer occurred before the first time pointer;
  
  based on a determination that the second time pointer occurred before the first time pointer, determine whether the first user initiated the first process;
  
  determine whether the first process is registered in a list of authorized processes for the enterprise network; and
  
  based on determinations that the second time pointer occurred before the first time pointer, that the first process is not registered in the list of authorized processes, and that the first user did not initiate the first process, identify the first process as suspicious.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The apparatus of claim 6, wherein the memory further has stored therein instructions executable by the processing unit to cause the apparatus to generate an alert corresponding to the identification of the first process as a suspicious process.
  - 8. The apparatus of claim 7, wherein instructions to generate the alert comprise instructions executable by the processing unit to cause the apparatus to display the alert on a display unit of at least one of:
    - an end-point device, a computerized control system, an enterprise control system.
  - 9. The apparatus of claim 6 further comprising a data storage unit, wherein memory further stores instructions executable by the processing unit to cause the apparatus to store data associated with the suspicious process in the data storage unit.
  - 10. The apparatus of claim 6 wherein the memory further stored instructions executable by the processing unit to cause the apparatus to continuously monitor the first process based on identification of the first process as a suspicious process.
  - 11. The apparatus of claim 6 further comprising a network interface, wherein the memory further stores instructions executable by the processing unit to cause the apparatus to receive the record from an agent installed on the first end-point device.
  - 12. The apparatus of claim 6 wherein the memory further stores instructions executable by the processing unit to cause the apparatus to determine whether the first process is registered in a list of authorized processes for the enterprise network, wherein the instructions to identify the first process as suspicious is also based on a determination that the first process is not registered in the list of authorized processes.

13. A non-transitory computer-readable medium having stored therein computer program code executable to:
- based on receipt of a record of a first process executing on a first end-point device, identify a set of one or more parameters associated with the first process and identify a first time pointer at which the first process was initiated on the first end-point device based, at least in part, on the set of one or more parameters;
  
  identify a second time pointer at which a first user associated with the first end-point device initiated a second process;
  
  determine whether the second time pointer occurred before the first time pointer;
  
  based on a determination that the second time pointer occurred before the first time pointer, determine whether the first user initiated the first process;
  
  determine whether the first process is registered in a list of authorized processes for the enterprise network; and
  
  based on determinations that the second time pointer occurred before the first time pointer, that the first process is not registered in the list of authorized processes, and that the first user did not initiate the first process, identify the first process as suspicious.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable medium of claim 13, further having stored therein computer program code executable to generate an alert corresponding to the identification of the first process as a suspicious process.
  - 15. The non-transitory computer-readable medium of claim 14, wherein the computer program code to generate the alert comprises computer program code executable to display the alert on a display unit of at least one of:
    - an end-point device, a computerized control system, an enterprise control system.
  - 16. The non-transitory computer-readable medium of claim 13 further having stored therein computer program code to continuously monitor the first process based on identification of the first process as a suspicious process.
  - 17. The non-transitory computer-readable medium of claim 13 further having stored therein computer program code executable to receive the record from an agent installed on the first end-point device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Barak, Gil
Primary Examiner(s)
Le, Khoi V

Application Number

US15/477,547
Publication Number

US 20170286683A1
Time in Patent Office

904 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3017   where the computing system ...

G06F 11/3072   where the reporting involve...

G06F 11/3089   Monitoring arrangements det...

G06F 11/3438   monitoring of user actions ...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/725   operating on a secure refer...

G06F 2201/835   Timestamp

H04L 63/1425   Traffic logging, e.g. anoma...

Identification of suspicious system processes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Identification of suspicious system processes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others