Detecting malicious processes based on process location
First Claim
1. A method for identifying malicious processes, the method comprising:
receiving, using an interface, at least one path indicating where a process was launched;
determining, using an analysis module executing instructions stored on a memory, a number of times the process was launched;
determining a number of different paths the process was launched from;
computing, using the analysis module, at least one inequality indicator for the at least one path based on the number of times the process was launched and the number of different paths the process was launched from to determine whether the process is malicious, wherein the inequality indicator is based on a pattern across multiple paths that is identified autonomously and not previously defined; and
isolating the process upon determining the process is malicious, wherein isolating the malicious process includes relocating the malicious process to a quarantine module for analysis.
Abstract
Methods and systems for detecting malicious processes. Methods described herein gather data regarding process locations and calculate one or more inequality indicators related to the process paths based on economic principles. Instances of inequality with respect to process paths may indicate that a path is uncommon and therefore that the associated binary is being used for malicious purposes.
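The claim and abstract above describe the indicator only in general terms: per process, count launches and distinct launch paths, derive an inequality measure across those paths with no pre-defined path list, and treat a path in the unequal tail as suspect. The following is an added worked example, not code from the patent or its assignee, that runs such a check over constructed launch telemetry. The page does not name the "economic principles" measure, so the Gini coefficient, the thresholds, the field names and the sample events are all assumptions made here for illustration.

```python
"""Inequality-based scoring of process launch paths.

Added worked example, not code from the patent or its assignee. The claims
describe computing an "inequality indicator" for a launch path from the
number of times a process was launched and the number of distinct paths it
was launched from; the abstract says the indicator is based on "economic
principles" but the page does not name one. The Gini coefficient used here
is an assumed choice of such an indicator, and the thresholds and the event
log below are constructed for illustration.
"""
from collections import Counter, defaultdict


# Constructed sample telemetry: (process image name, directory it was launched from).
# A system binary launched overwhelmingly from its normal location plus a
# handful of launches from a user-writable temp directory, and a tool that is
# legitimately launched from several locations in comparable numbers.
SAMPLE_EVENTS = (
    [("svchost.exe", r"C:\Windows\System32")] * 1000
    + [("svchost.exe", r"C:\Users\alice\AppData\Local\Temp")] * 2
    + [("python.exe", r"C:\Python311")] * 40
    + [("python.exe", r"C:\Users\alice\venv\Scripts")] * 35
    + [("python.exe", r"C:\Users\bob\venv\Scripts")] * 30
)


def gini(counts):
    """Normalised Gini coefficient of per-path launch counts.

    0.0 means every path is used equally; 1.0 means a single path accounts
    for all launches. The raw Gini of n values tops out at (n - 1) / n, so it
    is rescaled by n / (n - 1) to make a fixed threshold meaningful for
    processes with different numbers of paths. A process seen from only one
    path has no inequality to measure and scores 0.0.
    """
    xs = sorted(counts)
    n = len(xs)
    total = sum(xs)
    if n < 2 or total == 0:
        return 0.0
    # Closed form over the sorted values: G = 2 * sum(i * x_i) / (n * sum(x)) - (n + 1) / n
    weighted = sum(i * x for i, x in enumerate(xs, start=1))
    raw = 2.0 * weighted / (n * total) - (n + 1.0) / n
    return raw * n / (n - 1)


def path_counts(events):
    """Group launch events into {process name: Counter({launch path: launches})}.

    Names and paths are lower-cased so that case variants on Windows collapse
    to one key.
    """
    table = defaultdict(Counter)
    for name, path in events:
        table[name.lower()][path.lower()] += 1
    return table


def score_paths(events, gini_threshold=0.5, share_threshold=0.01):
    """Compute an inequality indicator per (process, path) and flag outlier paths.

    A path is flagged when the process has more than one launch path, the
    launch distribution across those paths is highly unequal (Gini at or above
    gini_threshold) and this path holds only a small share of the launches
    (at or below share_threshold). No path list is pre-defined: the pattern is
    derived entirely from the observed counts. Thresholds are assumed values.
    """
    results = []
    for name, per_path in path_counts(events).items():
        total = sum(per_path.values())
        n_paths = len(per_path)
        g = gini(per_path.values())
        for path, launches in per_path.items():
            share = launches / total
            flagged = n_paths > 1 and g >= gini_threshold and share <= share_threshold
            results.append({
                "process": name,
                "path": path,
                "launches": launches,
                "total_launches": total,
                "distinct_paths": n_paths,
                "gini": round(g, 4),
                "share": round(share, 4),
                "flagged": flagged,
            })
    return results


if __name__ == "__main__":
    for row in score_paths(SAMPLE_EVENTS):
        mark = "FLAG" if row["flagged"] else "    "
        print(f'{mark} {row["process"]:<12} gini={row["gini"]:.3f} '
              f'share={row["share"]:.4f} paths={row["distinct_paths"]} {row["path"]}')
```

Run stand-alone, the script flags only the two svchost.exe launches from the Temp directory; python.exe, which is launched from three locations in similar numbers, scores a low Gini and produces no alert. Two caveats worth keeping in mind when using any indicator of this shape: a process observed from a single path always scores 0.0, so a dropped binary with a name not seen elsewhere is invisible to it (the check targets masquerading under a known name), and an attacker who can launch the binary repeatedly from the rogue path can push that path's share above the threshold, so the baseline counts need the same integrity protection as the rest of the telemetry.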
14 Claims
1. A method for identifying malicious processes (independent claim; full text reproduced under First Claim above; dependent claims 2 to 7 are not reproduced on this page).

8. A system for identifying malicious processes, the system comprising:
an interface configured to receive at least one path indicating where a process was launched;
a memory; and
an analysis module configured to execute instructions stored on the memory to:
determine a number of times the process was launched;
determine a number of different paths the process was launched from;
compute at least one inequality indicator for the at least one path based on the number of times the process was launched and the number of different paths the process was launched from to determine whether the process is malicious, wherein the inequality indicator is based on a pattern across multiple paths that is identified autonomously and not previously defined; and
isolate a process upon determining the process is malicious, wherein isolating the malicious process includes relocating the malicious process to a quarantine module for analysis.
(Dependent claims 9 to 14 are not reproduced on this page.)