System and method for detecting hidden process using system event information

US 20070300061A1
Filed: 09/26/2006
Published: 12/27/2007
Est. Priority Date: 06/21/2006
Status: Abandoned Application

First Claim

Patent Images

1. A system for detecting a hidden process using system event information is characterized by detecting a process that is present only in a kernel layer as a hidden process by comparing a process list extracted from system event information obtained through kernel layer monitoring and a process list provided from an application list to a user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting a hidden process using system event information are provided. The system includes: a kernel layer monitoring module for extracting system event information by monitoring a kernel layer system; a kernel layer process list detecting module for detecting processes related to an event from the extracted system event information; an application layer process list detecting module for detecting a process list provided to a user from an application layer; and a hidden process detecting module for detecting a process that is present only in the kernel layer as a hidden process by comparing the processes detected from the kernel layer process list detecting module and the processes detected from the application layer process list detecting module.

126 Citations

16 Claims

1. A system for detecting a hidden process using system event information is characterized by detecting a process that is present only in a kernel layer as a hidden process by comparing a process list extracted from system event information obtained through kernel layer monitoring and a process list provided from an application list to a user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the kernel layer monitoring extracts file event information by monitoring a file system at the kernel layer in.
  - 3. The system of claim 1, wherein the kernel layer monitoring extracts registry event information by monitoring registries accessed at the kernel layer.
  - 4. The system of claim 1, wherein the kernel layer monitoring extracts network event information by monitoring a network.
  - 5. The system of anyone of claims 2 to 4, wherein the kernel layer is monitored in real-time.
  - 6. The system of anyone of claims 1 to 4, wherein the kernel layer monitoring further includes a system event information filtering module for not detecting predetermined event information and a predetermined process.

7. A system for detecting a hidden process using system event information, comprising:
- a kernel layer monitoring module for extracting system event information by monitoring a kernel layer system;
  
  a kernel layer process list detecting module for detecting processes related to an event from the extracted system event information;
  
  an application layer process list detecting module for detecting a process list provided to a user from an application layer; and
  
  a hidden process detecting module for detecting a process that is present only in the kernel layer as a hidden process by comparing the processes detected from the kernel layer process list detecting module and the processes detected from the application layer process list detecting module.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein the kernel layer monitoring module includes a file monitoring module for extracting file event information by monitoring a file system at the kernel layer.
  - 9. The system of claim 7, wherein the kernel layer monitoring module includes a registry monitoring module for extracting registry event information by monitoring registries accessed at the kernel layer.
  - 10. The system of claim 7, wherein the kernel layer monitoring module includes a network monitoring module for extracting network event information by monitoring a network.
  - 11. The system of claim 7, wherein the kernel layer monitoring module includes:
    - a file monitoring module for extracting file event information by monitoring a file system at the kernel layer;
      
      a registry monitoring module for extracting registry event information by monitoring registries accessed at the kernel layer; and
      
      a network monitoring module for extracting network event information by monitoring a network at the kernel layer.
  - 12. The system of claim 11, wherein the application layer process list detecting module detects process information provided from the application layer through API.
  - 13. The system of anyone of claims 7 to 12, further comprising a hidden process removing module for removing the hidden process detected from the hidden process detecting module.

14. A method for detecting a hidden process using system event information comprising the steps of:
- a) extracting system event information by monitoring a kernel layer system;
  
  b) detecting processes related to an event from the extracted system event information;
  
  c) detecting a process list provided from an application layer to a user; and
  
  d) detecting a process that is present only in the kernel layer as a hidden process by comparing the processed detected from the step b) with the processed in the process list detected from the step c).
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the step a) includes the steps of:
    - a-1) extracting file event information by monitoring a file system in the kernel layer;
      
      a-2) extracting registry event information by monitoring registries accessed at the kernel layer; and
      
      a-3) extracting network event information by monitoring a network at the kernel layer.
  - 16. The method of anyone of claims 14 and 15, further comprising the step of removing the hidden process detected in the step d).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Park, Eungki, Kim, Eun Young, Yun, Youngtae

Application Number

US11/527,018
Publication Number

US 20070300061A1
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

System and method for detecting hidden process using system event information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting hidden process using system event information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others