Detecting malicious processes based on process location

US 10,462,162 B2
Filed: 07/24/2017
Issued: 10/29/2019
Est. Priority Date: 07/24/2017
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malicious processes, the method comprising:

receiving, using an interface, at least one path indicating where a process was launched;

determining, using an analysis module executing instructions stored on a memory, a number of times the process was launched;

determining a number of different paths the process was launched from;

computing, using the analysis module, at least one inequality indicator for the at least one path based on the number of times the process was launched and the number of different paths the process was launched from to determine whether the process is malicious, wherein the inequality indicator is based on a pattern across multiple paths that is identified autonomously and not previously defined; and

isolating the process upon determining the process is malicious, wherein isolating the malicious process includes relocating the malicious process to a quarantine module for analysis.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting malicious processes. Methods described herein gather data regarding process locations and calculate one or more inequality indicators related to the process paths based on economic principles. Instances of inequality with respect to process paths may indicate a path is uncommon and therefore the associated binary is used for malicious purposes.

16 Citations

14 Claims

1. A method for identifying malicious processes, the method comprising:
- receiving, using an interface, at least one path indicating where a process was launched;
  
  determining, using an analysis module executing instructions stored on a memory, a number of times the process was launched;
  
  determining a number of different paths the process was launched from;
  
  computing, using the analysis module, at least one inequality indicator for the at least one path based on the number of times the process was launched and the number of different paths the process was launched from to determine whether the process is malicious, wherein the inequality indicator is based on a pattern across multiple paths that is identified autonomously and not previously defined; and
  
  isolating the process upon determining the process is malicious, wherein isolating the malicious process includes relocating the malicious process to a quarantine module for analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the at least one inequality indicator is at least one of a Herfindahl index and a Gini coefficient.
  - 3. The method of claim 2, wherein an inequality indicator exceeding a predetermined threshold indicates an instance of inequality and therefore indicates a process is uncommon and potentially malicious.
  - 4. The method of claim 1, further comprising:
    - parsing, using the analysis module, the at least one path into at least one individual component; and
      
      removing, using the analysis module, at least one individual component from the at least one path.
  - 5. The method of claim 4, wherein removing the at least one individual component comprises removing at least one individual component that is present less than a predetermined number of times in the at least one path.
  - 6. The method of claim 4, wherein the removed at least one individual component is a username or a string specific to an instance of a computing environment.
  - 7. The method of claim 1, wherein isolating the malicious process includes elevating the malicious process for examination.

8. A system for identifying malicious processes, the system comprising:
- an interface configured to receive at least one path indicating where a process was launched;
  
  a memory; and
  
  an analysis module configured to execute instructions stored on the memory to;
  
  determine a number of times the process was launched;
  
  determine a number of different paths the process was launched from;
  
  compute at least one inequality indicator for the at least one path based on the number of times the process was launched and the number of different paths the process was launched from to determine whether the process is malicious, wherein the inequality indicator is based on a pattern across multiple paths that is identified autonomously and not previously defined; and
  
  isolate a process upon determining the process is malicious, wherein isolating the malicious process includes relocating the malicious process to a quarantine module for analysis.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the at least one inequality indicator is at least one of a Herfindahl index and a Gini coefficient.
  - 10. The system of claim 9, wherein an inequality indicator exceeding a predetermined threshold indicates an instance of inequality and therefore indicates a process is uncommon and potentially malicious.
  - 11. The system of claim 8, wherein the analysis module is further configured to:
    - parse the at least one path into at least one individual component; and
      
      remove at least one individual component from the at least one path.
  - 12. The system of claim 11, wherein the analysis module removes at least one individual component that is present less than a predetermined number of times in the at least one path.
  - 13. The system of claim 11, wherein the removed at least one individual component is a username or a string specific to an instance of a computing environment.
  - 14. The system of claim 8, isolating the malicious process includes elevating the malicious process for manual examination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid7, Inc.
Inventors
Hodgman, Roy, Keyes, Oliver, Lin, Wah-Kwan, Scutt, Michael, Stiller, Timothy
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almaghayreh, Khalid M

Application Number

US15/657,317
Publication Number

US 20190028491A1
Time in Patent Office

827 Days
Field of Search

726 23- 25, 713187-189
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Detecting malicious processes based on process location

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious processes based on process location

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links