Systems and methods for detection and mitigation of malicious encryption
First Claim
1. A method for detecting an encryption key for malicious encryption, comprising:
detecting, by a security agent executed by a computing device, writing of a first item of data to memory of the computing device;
compressing, by the security agent, a first portion of the first item of data;
calculating, by the security agent, a ratio of a size of the first portion of the first item of data to a size of a compressed first portion of the first item of data;
determining that the ratio does not exceed a predetermined threshold;
responsive to the determination that the ratio does not exceed the predetermined threshold, identifying the first item of data as comprising an encryption key; and
responsive to identifying the first item of data as comprising an encryption key, generating an alert, by the security agent, indicating a likely malicious encryption attempt.
Abstract
The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.
19 Claims
1. Independent claim 1 is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for detecting an encryption key for malicious encryption, comprising:
detecting, by a security agent executed by a computing device, writing of a first item of data to memory of the computing device;
identifying, by the security agent, that the first item of data meets a predetermined size requirement;
responsive to the identification that the first item of data meets the predetermined size requirement, decoding the first item of data according to a predetermined encryption key encoding system;
determining, by the security agent, whether a decoded first item of data includes an encryption key;
responsive to the decoded first item of data not including an encryption key, performing at least one further key detection procedure on the first item of data; and
responsive to the decoded first item of data not including an encryption key:
compressing, by the security agent, a first portion of the first item of data;
calculating, by the security agent, a ratio of a size of the first portion of the first item of data to a size of a compressed first portion of the first item of data;
determining that the ratio does not exceed a predetermined threshold; and
responsive to the determination that the ratio does not exceed the predetermined threshold, generating the alert, by the security agent, indicating a likely malicious encryption attempt.
Dependent claims: 9.
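The compression-ratio test of claims 1 and 12, and the size gate, decode step and ratio fallback of claim 8, as an added worked example in Python. This is not code from the patent or its specification: the minimum size, the 256-byte "first portion", the 1.1 ratio threshold, and the choice of PEM armour around DER as the "predetermined encryption key encoding system" are all my assumptions, and every sample write is constructed inline.

```python
import base64
import binascii
import hashlib
import re
import zlib
from typing import Optional

# Assumed parameters, not taken from the patent: writes shorter than a
# 128-bit symmetric key are ignored, 256 bytes (one 2048-bit RSA modulus)
# is the "first portion" examined, and a size / compressed-size ratio at or
# below 1.1 is treated as incompressible.
MIN_KEY_SIZE = 16
SAMPLE_BYTES = 256
RATIO_THRESHOLD = 1.1

# PEM armour: "-----BEGIN <something> KEY-----" body "-----END <same>-----"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*KEY)-----(.*?)-----END \1-----", re.S)


def compression_ratio(data: bytes, sample_bytes: int = SAMPLE_BYTES) -> float:
    """Size of the first portion divided by its deflate-compressed size.

    Raw deflate (wbits=-15) omits the zlib header and Adler-32 trailer, so
    six bytes of container overhead do not make short inputs look random.
    """
    portion = data[:sample_bytes]
    comp = zlib.compressobj(level=9, wbits=-15)
    compressed = comp.compress(portion) + comp.flush()
    return len(portion) / len(compressed)


def decode_pem_key(data: bytes) -> Optional[bytes]:
    """Claim 8 style decode step for one assumed encoding system (PEM).

    Returns the DER payload when the write contains PEM armour whose base64
    body decodes to an ASN.1 SEQUENCE (tag 0x30), which is how PKCS#1,
    PKCS#8 and SEC1 key structures begin. A production agent would hand the
    DER to an ASN.1 parser; the tag check here is only a heuristic.
    """
    m = PEM_RE.search(data)
    if m is None:
        return None
    try:
        der = base64.b64decode(m.group(2), validate=False)
    except (binascii.Error, ValueError):
        return None
    return der if der[:1] == b"\x30" else None


def classify_write(data: bytes) -> str:
    """Decision sequence of claim 8: size gate, decode, then the ratio test.

    Returns one of 'too_small', 'pem_key', 'key_candidate', 'benign'.
    """
    if len(data) < MIN_KEY_SIZE:
        return "too_small"
    if decode_pem_key(data) is not None:
        return "pem_key"
    if compression_ratio(data) <= RATIO_THRESHOLD:
        return "key_candidate"
    return "benign"


def constructed_high_entropy(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for raw key bytes: a SHA-256 chain, as
    incompressible as os.urandom output but reproducible for the test."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed sample writes (not captured from any real system).
SAMPLE_LOG = b"2024-05-01T10:00:00Z user=alice action=login status=ok\n" * 6
SAMPLE_RAW_KEY = constructed_high_entropy(32)          # e.g. an AES-256 key
SAMPLE_RAW_MODULUS = constructed_high_entropy(256)     # e.g. a 2048-bit modulus
SAMPLE_PEM = (b"-----BEGIN PRIVATE KEY-----\n"
              + base64.encodebytes(b"\x30\x82\x00\xfc" + constructed_high_entropy(252, b"pem"))
              + b"-----END PRIVATE KEY-----\n")
SAMPLE_SHORT = b"ok\n"

if __name__ == "__main__":
    for name, blob in [("log", SAMPLE_LOG), ("raw key", SAMPLE_RAW_KEY),
                       ("raw modulus", SAMPLE_RAW_MODULUS), ("pem", SAMPLE_PEM),
                       ("short", SAMPLE_SHORT)]:
        print(f"{name:12s} ratio={compression_ratio(blob):.2f} -> {classify_write(blob)}")
```

Two caveats a practitioner should keep in mind. First, incompressibility is not specific to keys: ciphertext, compressed archives and JPEGs all score at or below the threshold, so the ratio test on its own fires on every encrypted file write; the size gate and the decode step in claim 8, plus correlation with which process is doing the writing, are what keep alert volume down. Second, deflate finds nothing to exploit in a 30-byte English sentence either, so very short natural-language writes also land near a ratio of 1; the minimum size should be chosen with that in mind rather than set to the shortest key you care about.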
10. A method for detecting an encryption key for malicious encryption, comprising:
receiving, by a factorization host executed by a first computing device, from a second computing device, a received encryption modulus;
calculating, by the factorization host, a greatest common denominator between the received encryption modulus and an additional encryption modulus, received from a third computing device and stored in a moduli database of the first computing device;
determining that the greatest common denominator between the received encryption modulus and the additional encryption modulus is less than a minimum of either of the received encryption modulus and the additional encryption modulus to detect the encryption key is not presented in the received encryption modulus; and
transmitting, by the first computing device, the greatest common denominator to the second computing device, receipt of the greatest common denominator triggering the second computing device to perform decryption of at least one file using the greatest common denominator.
Dependent claims: 11.
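The factorization-host exchange of claim 10, as an added Python example that is not the patent's own code. The host takes the gcd of the received modulus and each stored modulus, returns the common prime only when it is non-trivial, and the receiving side uses that prime to recover the private exponent and decrypt. The moduli are constructed from Mersenne primes so the example runs in milliseconds (real moduli are 2048 bits or more; the arithmetic is identical), and textbook RSA on an integer stands in for decrypting a file block.

```python
import math
from typing import Iterable, Optional

# Constructed key material, not real ransomware keys. P_SHARED plays the
# prime that a weak key generator reused across two victims.
P_SHARED = (1 << 61) - 1
Q_VICTIM = (1 << 89) - 1
R_OTHER = (1 << 31) - 1
E = 65537

N_VICTIM = P_SHARED * Q_VICTIM    # modulus received from the second computing device
N_OTHER = P_SHARED * R_OTHER      # modulus already in the host's moduli database


def shared_factor(n_received: int, n_stored: int) -> Optional[int]:
    """Factorization-host step: gcd of the received and a stored modulus.

    The gcd is useful only when it is non-trivial, i.e. strictly between 1
    and the smaller modulus. gcd == 1 means no common prime; a gcd equal to
    a modulus means the same key was submitted twice and nothing is learned.
    """
    g = math.gcd(n_received, n_stored)
    return g if 1 < g < min(n_received, n_stored) else None


def scan_moduli_database(n_received: int, database: Iterable[int]) -> Optional[int]:
    """Compare the received modulus against every stored one and return the
    first common prime found. This is one big-integer gcd per stored modulus,
    fine for a small database."""
    for n_stored in database:
        g = shared_factor(n_received, n_stored)
        if g is not None:
            return g
    return None


def private_exponent_from_factor(n: int, e: int, p: int) -> int:
    """Victim-side step: one prime plus the public modulus gives the other
    prime, phi(n), and therefore the private exponent d."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("received gcd does not divide this modulus")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)        # modular inverse (Python 3.8+)


def decrypt_with_factor(n: int, e: int, p: int, ciphertext: int) -> int:
    """Textbook RSA on an integer stands in for decrypting a file block."""
    d = private_exponent_from_factor(n, e, p)
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    # The attacker encrypted under N_VICTIM; the agent submits N_VICTIM to the
    # host, whose database holds an unrelated modulus and N_OTHER.
    message = int.from_bytes(b"file block 0", "big")
    ciphertext = pow(message, E, N_VICTIM)
    g = scan_moduli_database(N_VICTIM, [R_OTHER * ((1 << 127) - 1), N_OTHER])
    print("shared prime:", g)
    print("recovered:", decrypt_with_factor(N_VICTIM, E, g, ciphertext).to_bytes(12, "big"))
```

This route only works when the attacker's key generation reused a prime between victims, the same weakness that batch-GCD surveys of Internet RSA keys exploit; a fresh, properly random key per victim gives gcd 1 against every stored modulus and the host returns nothing. For a large moduli database, pairwise gcd per query should be replaced by a product-tree batch GCD.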
12. A system for detecting an encryption key for malicious encryption, comprising:
a memory unit of a computing device, the memory unit storing a first item of data; and
a security agent, executed by a processor of a computing device, configured to detect writing of the first item of data to the memory unit, and responsive to the detection:
compress a first portion of the first item of data,
calculate a ratio of a size of the first portion of the first item of data to a size of a compressed first portion of the first item of data,
determine that the ratio does not exceed a predetermined threshold,
responsive to a determination that the ratio does not exceed the predetermined threshold, identify the first item of data as comprising an encryption key, and
responsive to identifying the first item of data as comprising an encryption key, generate an alert indicating a likely malicious encryption attempt.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.