Method and system for modeling all operations and executions of an attack and malicious process entry

US 10,440,036 B2
Filed: 12/09/2015
Issued: 10/08/2019
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method of using a particular computer for determining an entry point for an attack on a computerized endpoint comprising:

using the particular computer to obtain an attack root for the computerized endpoint where the attack executed, the attack root comprising an attack root process performed by the computerized end point associated with the attack; and

,using the particular computer to analyze the attack root process and identify a sequence of processes from the attack root process, each of the identified processes of the sequence of processes associated with at least one of executions, creations, and injections, the sequence of the processes originating at the attack root and are linked to the entry point of the attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.

85 Citations

View as Search Results

19 Claims

1. A method of using a particular computer for determining an entry point for an attack on a computerized endpoint comprising:
- using the particular computer to obtain an attack root for the computerized endpoint where the attack executed, the attack root comprising an attack root process performed by the computerized end point associated with the attack; and
  
  ,using the particular computer to analyze the attack root process and identify a sequence of processes from the attack root process, each of the identified processes of the sequence of processes associated with at least one of executions, creations, and injections, the sequence of the processes originating at the attack root and are linked to the entry point of the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the attack root process includes a file.
  - 3. The method of claim 1, wherein each of the process of the sequence of processes is based on at least one discrete event.
  - 4. The method of claim 3, wherein the discrete events from the same process of the sequence of processes are merged into a single summarized event.
  - 5. The method of claim 1, wherein the identifying a sequence of processes, and executions, creations, and injections associated with each of the process of the sequence of processes, includes:
    - categorizing each identified process by a process type; and
      
      ,obtaining a creator process associated with each identified and categorized process.
  - 6. The method of claim 5, wherein categorizing each identified process by a process type includes selecting categories, the categories including:
    - payload processes;
      
      container/compression/installer processes;
      
      executables;
      
      rename processes;
      
      registry consumer processes;
      
      network processes; and
      
      processes not categorized as one of payload processes, container/compression/installer processes, executables, rename processes, registry consumer processes, and network processes.
  - 7. The method of claim 1, wherein the computerized end point includes at least one of a machine, including a computer, node of a network or system.

8. A method of using a particular computer for determining the extent of an attack on a computerized endpoint, comprising:
- using the particular computer for;
  
  obtaining an attack root for the attack in the computerized endpoint, the attack root comprising an attack root process performed by the computerized end point;
  
  reading the attack root processes;
  
  analyzing the attack root process to output subsequent processes in the computerized endpoint associated with the attack root;
  
  reading each of the subsequent processes; and
  
  ,analyzing each of the subsequent processes to output additional processes associated with the attack root process, until there are not any more processes to be read.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method of claim 8, wherein the attack root process includes a file.
  - 10. The method of claim 8, wherein the reading and the analyzing the attack root process and each subsequent process is performed iteratively.
  - 11. The method of claim 10, wherein the analyzing the attack root process and the analyzing of said each of the subsequent processes includes obtaining at least one of:
    - executions and operations of malicious objects of files, malicious Uniform Resource Locators (URLs), and, malicious Internet Protocol (IP) addresses.
  - 12. The method of claim 10, wherein the analyzing the attack root process and the analyzing of said each of the subsequent processes includes:
    - creating a list of the files obtained from the file paths associated with each read attack root process and each read subsequent process and ordering; and
      
      ,obtaining;
      
      i) processes creating files in the file list that were not in the entry point; and
      
      , ii) process instances of the files from the file list that were executed.
  - 13. The method of claim 10, wherein the analyzing the attack root process and the analyzing of said each of the subsequent processes includes, obtaining at least one of parent processes or child processes of the attack root process or the subsequent processes.
  - 14. The method of claim 10, wherein the analyzing the attack root process and the analyzing of said each of the subsequent processes includes obtaining network operations processes from at least one of the attack root process or the subsequent processes.
  - 15. The method of claim 10, wherein the analyzing the attack root process and the analyzing of said each of the subsequent processes includes obtaining processes which opened malicious Uniform Resource Locators (URLs) and malicious Internet Protocol (IP) addresses.
  - 16. The method of claim 10, wherein the analyzing the attack root process and the analyzing of said each of the subsequent processes includes:
    - obtaining process injected into at least one of the attack root process or the subsequent processes; and
      
      ,obtaining processes injected by one of the attack root process or the subsequent processes.
  - 17. The method of claim 8, wherein the computerized end point includes at least one of a machine, including a computer, node of a network or system.

18. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to detect the extent of an attack on a computerized endpoint, by performing the following steps when such program is executed on the system, the steps comprising:
- obtaining an attack root for the attack in the computerized endpoint, the attack root comprising an attack root process performed by the computerized end point;
  
  reading the attack root process;
  
  analyzing the attack root process to output subsequent processes in the computerized endpoint associated with the attack root;
  
  reading each of the subsequent processes; and
  
  ,analyzing each of the subsequent processes to output additional processes associated with the attack root process, until there are not any more processes to be read.
- View Dependent Claims (19)
- - 19. The computer-usable storage medium of claim 18, wherein the attack root process includes a file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
Pal, Anandabrata, Arzi, Lior, Leiderfarb, Tamara
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US14/963,267
Publication Number

US 20170171225A1
Time in Patent Office

1,399 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Method and system for modeling all operations and executions of an attack and malicious process entry

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Method and system for modeling all operations and executions of an attack and malicious process entry

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others