Method and system for modeling all operations and executions of an attack and malicious process entry
Abstract
Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution root (also called an attack root or start root) to build an attack tree, which shows the attack on the endpoint and the damage caused by the attack as it propagates through the machine, network, system, or the like.
Claims
19 claims in total; the independent claims 1, 8 and 18 are reproduced below, and the dependent claims are listed by number only.
1. A method of using a particular computer for determining an entry point for an attack on a computerized endpoint comprising:
using the particular computer to obtain an attack root for the computerized endpoint where the attack executed, the attack root comprising an attack root process performed by the computerized end point associated with the attack; and
using the particular computer to analyze the attack root process and identify a sequence of processes from the attack root process, each of the identified processes of the sequence of processes associated with at least one of executions, creations, and injections, the sequence of the processes originating at the attack root and are linked to the entry point of the attack.
(Dependent claims 2 to 7 depend from claim 1 and are not reproduced here.)
8. A method of using a particular computer for determining the extent of an attack on a computerized endpoint, comprising using the particular computer for:
obtaining an attack root for the attack in the computerized endpoint, the attack root comprising an attack root process performed by the computerized end point;
reading the attack root process;
analyzing the attack root process to output subsequent processes in the computerized endpoint associated with the attack root;
reading each of the subsequent processes; and
analyzing each of the subsequent processes to output additional processes associated with the attack root process, until there are not any more processes to be read.
(Dependent claims 9 to 17 depend from claim 8 and are not reproduced here.)
18. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to detect the extent of an attack on a computerized endpoint, by performing the following steps when such program is executed on the system, the steps comprising:
obtaining an attack root for the attack in the computerized endpoint, the attack root comprising an attack root process performed by the computerized end point;
reading the attack root process;
analyzing the attack root process to output subsequent processes in the computerized endpoint associated with the attack root;
reading each of the subsequent processes; and
analyzing each of the subsequent processes to output additional processes associated with the attack root process, until there are not any more processes to be read.
(Dependent claim 19 depends from claim 18 and is not reproduced here.)
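The three independent claims describe one traversal over recorded process relations: start at the attack root process, follow executions, creations and injections outward, reading each newly found process until none is left unread (claims 8 and 18), and link the root to the attack's entry point (claim 1). The Python below is an added illustration of that traversal written for this page; it is not code from the patent or its assignee. The event record layout (action, source process, target process), the constructed sample log, the treatment of the attack root as the process at which the attack was identified, and the choice of "earliest ancestor with no recorded origin" as the entry point are assumptions made for the example, since the claims do not define them.

```python
"""
Attack-tree construction from recorded process events.

Added example; not code from the patent or its assignee. Assumptions made
here and not stated in the claims: events are (action, source, target)
records with action in {"exec", "create", "inject"}; the attack root is
the process at which the attack was identified; the entry point is the
earliest recorded ancestor of the attack root with no recorded origin.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The three kinds of process-to-process relations named in the claims.
ACTIONS = ("exec", "create", "inject")


@dataclass(frozen=True)
class Event:
    action: str   # one of ACTIONS
    source: str   # process that executed, created, or injected into target
    target: str   # process that was executed, created, or injected into


# Constructed sample log (not real telemetry). Names stand in for PIDs.
SAMPLE_EVENTS: List[Event] = [
    Event("exec",   "explorer", "browser"),
    Event("create", "browser",  "dropper"),   # downloaded file launched
    Event("exec",   "dropper",  "loader"),
    Event("inject", "loader",   "svchost"),   # injection into a benign host process
    Event("create", "svchost",  "payload"),
    Event("inject", "payload",  "loader"),    # back-injection: makes the graph cyclic
    Event("exec",   "explorer", "notepad"),   # unrelated activity, must not appear
]


def build_indexes(events: List[Event]):
    """Index events by source (forward traversal) and by target (walking
    back toward the entry point)."""
    children: Dict[str, List[Tuple[str, str]]] = {}
    origin: Dict[str, Tuple[str, str]] = {}
    for e in events:
        if e.action not in ACTIONS:
            raise ValueError(f"unknown action {e.action!r}")
        children.setdefault(e.source, []).append((e.action, e.target))
        # Keep the first recorded origin of each process; a later injection
        # into an already-running process does not replace its creator.
        origin.setdefault(e.target, (e.action, e.source))
    return children, origin


def attack_tree(events: List[Event], root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Extent of the attack (claims 8 and 18): read the root, output the
    processes it executed, created or injected into, read each of those,
    and repeat until no unread process remains.
    Returns {process: [(action, child), ...]} for every process reached."""
    children, _ = build_indexes(events)
    tree: Dict[str, List[Tuple[str, str]]] = {}
    seen: Set[str] = {root}
    unread = deque([root])
    while unread:
        proc = unread.popleft()
        tree[proc] = list(children.get(proc, []))
        for _, child in tree[proc]:
            if child not in seen:   # the seen set stops cycles caused by injections
                seen.add(child)
                unread.append(child)
    return tree


def entry_chain(events: List[Event], root: str) -> List[str]:
    """Entry point (claim 1): the sequence of processes linking the attack
    root back to the process with no recorded origin, entry point first."""
    _, origin = build_indexes(events)
    chain = [root]
    while chain[-1] in origin:
        _, src = origin[chain[-1]]
        if src in chain:   # defensive: recorded origins should never loop
            break
        chain.append(src)
    chain.reverse()
    return chain


if __name__ == "__main__":
    tree = attack_tree(SAMPLE_EVENTS, "dropper")
    for proc, edges in tree.items():
        for action, child in edges:
            print(f"{proc} --{action}--> {child}")
    print("entry chain:", " -> ".join(entry_chain(SAMPLE_EVENTS, "dropper")))
```

Two points matter in practice. The traversal needs the seen set because injections turn the process "tree" into a graph (a payload injecting back into its loader is common), and without it the claim's "until there are not any more processes to be read" never terminates. The walk back to the entry point keeps the first recorded origin of each process, so a benign host that is later injected into still resolves to its real creator rather than to the injecting process.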
Specification