Detecting malicious computer program activity using external program calls with dynamic rule sets
11 Assignments
0 Petitions
Abstract
A stream 14 of external computer program calls made from an application program 2 to an operating system 4 is logged by an anti-malware layer 8. This stream 14 is examined for a primary set XYZ of external program calls known to be associated with malicious computer program activity. When such a primary set XYZ of external computer program calls is identified, the malicious activity is blocked and the logged stream 14 is examined to determine one or more secondary sets of external program calls which are now added to the set of rules 10 against which the logged stream 14 of external program calls is tested. In this way the set of rules 10 is dynamically adapted so as to more rapidly and proactively identify malicious computer program activity.
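The adaptation loop described in the abstract, as an added illustrative example (not the patent's or any product's code): a rule is an ordered set of external program calls, a primary hit blocks the stream, and the calls logged just before the hit are recorded as a secondary set whose association weight grows on each sighting until it fires on its own. The class, the weights, the window size and the API names in the sample stream are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, ...]   # ordered external program calls, matched as an in-order subsequence
THRESHOLD = 1.0          # association strength at which a rule counts as indicative of malware
LEARN_STEP = 0.5         # how much a secondary set's association is strengthened per primary hit


class DynamicRuleDetector:
    """Hypothetical anti-malware layer: logs a call stream, matches primary rules,
    and promotes the calls that preceded a hit into the rule set."""

    def __init__(self, rules: Dict[Rule, float], window: int = 2):
        self.rules: Dict[Rule, float] = dict(rules)
        self.window = window  # logged calls before the primary set taken as a secondary set

    @staticmethod
    def match(rule: Rule, stream: List[str]) -> Optional[Tuple[int, int]]:
        """Return (first, last) stream indices if `rule` occurs in order in `stream`, else None."""
        pos, first = 0, -1
        for i, call in enumerate(stream):
            if call == rule[pos]:
                if pos == 0:
                    first = i
                pos += 1
                if pos == len(rule):
                    return first, i
        return None

    def scan(self, stream: List[str]) -> Tuple[bool, Optional[Rule], List[Rule]]:
        """Test a logged stream against the rules: (blocked, rule that fired, secondary sets learned)."""
        for rule, weight in sorted(self.rules.items(), key=lambda kv: -kv[1]):
            if weight < THRESHOLD:
                continue  # candidate secondary set not yet strongly enough associated to fire
            span = self.match(rule, stream)
            if span is None:
                continue
            first, _ = span
            learned: List[Rule] = []
            # Secondary set: the calls logged immediately before the primary set began.
            secondary = tuple(stream[max(0, first - self.window):first])
            if secondary and secondary != rule:
                # Modify the rule set so this secondary set is more strongly associated with malware.
                self.rules[secondary] = self.rules.get(secondary, 0.0) + LEARN_STEP
                learned.append(secondary)
            return True, rule, learned  # block the malicious activity
        return False, None, []


if __name__ == "__main__":
    # Constructed sample: the abstract's primary set XYZ modelled as three API names.
    det = DynamicRuleDetector({("CreateFile", "WriteFile", "RegSetValue"): 1.0})
    print(det.scan(["GetSystemDirectory", "CopyFile", "CreateFile", "WriteFile", "RegSetValue"]))
```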
63 Citations
51 Claims
1. A computer program product operable to detect malicious computer program activity, comprising:
- logging code operable to log a stream of external program calls;
- primary set identifying code operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
- secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls; and
- modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

18. A method of detecting malicious computer program activity, said method comprising the steps of:
- logging a stream of external program calls;
- identifying within said stream of external program calls a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
- identifying within said stream at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls; and
- modifying said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34

35. A data processing apparatus operable to detect malicious computer program activity, said apparatus comprising:
- logging logic operable to log a stream of external program calls;
- primary set identifying logic operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
- secondary set identifying logic operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls; and
- modifying logic operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity.
Dependent claims: 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51
Specification