DETERMINING MALICIOUSNESS OF SOFTWARE

US 20080141376A1
Filed: 10/23/2007
Published: 06/12/2008
Est. Priority Date: 10/24/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting malicious activity, including the steps of:

intercepting activity in a processing system;

detecting attributes of an un-assessed process associated with the activity;

comparing the process attributes and activity to a database of attributes and activity associated with known malicious and non-malicious processes; and

using an inference filter to compute the likely maliciousness of the un-assessed process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting malicious activity, including the steps of: intercepting activity in a processing system 100; detecting attributes of an un-assessed process 460 associated with the activity; comparing the process attributes and activity to a database 430 of attributes and activity associated with known malicious and non-malicious processes; and using an inference filter 470 to compute the likely maliciousness of the un-assessed process.

362 Citations

25 Claims

1. A method of detecting malicious activity, including the steps of:
- intercepting activity in a processing system;
  
  detecting attributes of an un-assessed process associated with the activity;
  
  comparing the process attributes and activity to a database of attributes and activity associated with known malicious and non-malicious processes; and
  
  using an inference filter to compute the likely maliciousness of the un-assessed process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25)
- - 2. The method of claim 1, wherein a minimum number of attributes of un-assessed processes are detected before the process attributes and activity of the un-assessed processes are compared with attributes and activity associated with known malicious and non-malicious processes.
  - 3. The method of claim 1, wherein if the inference filter computes that the un-assessed process is likely to be malicious, the method further includes the step of terminating the un-assessed process associated with the activity.
  - 4. The method of claim 1, wherein if the inference filter computes that the un-assessed process is likely to be malicious, the method further includes the step of deleting a file associated with the un-assessed process run by the activity.
  - 5. The method of claim 1, wherein if the inference filter computes that the un-assessed process is likely to be malicious, the method further includes the step of notifying a user.
  - 6. The method of claim 1, wherein the method further includes the step of notifying a communications module after the inference filter computes the un-assessed process to be a likely malicious process or non-malicious process.
  - 7. The method of claim 6, wherein the communications module is in communication with an administrator and notifies the administrator if the un-assessed process was computed by the inference filter to be a likely malicious process or non-malicious process.
  - 8. The method of claim 6, wherein the communications module is in communication with a third party and notifies the third party if the un-assessed process was computed by the inference filter to be a likely malicious process or non-malicious process.
  - 9. The method of claim 8, wherein the third party is a remote database operated by a vendor.
  - 10. The method of claim 9, wherein the communications module provides the remote database with user information, process information and a user response.
  - 11. The method of claim 10, wherein the process information and user response is exchanged between other users via the remote database.
  - 12. The method of claim 11, wherein the exchange takes place after the user executes the method of claim 1.
  - 13. The method of claim 12, wherein the exchange takes place automatically at periodic intervals.
  - 14. The method of claim 12, wherein the exchange takes place when new software is installed by the user.
  - 15. The method of claim 10, wherein whether the communications module updates the database is determined by user response.
  - 16. The method of claim 1, wherein once the inference filter computes the likely maliciousness of the un-assessed process, the database is amended if a user considers that the un-assessed process is a malicious process or non-malicious process.
  - 17. A method of training an inference filter for use in a method of detecting malicious activity according to claim 1, including the steps of:
    - loading and running known malicious and known non-malicious software into a processing system;
      
      intercepting activity by the known malicious and known non-malicious software in a processing system;
      
      detecting attributes of one or more processes associated with the activity by the known malicious and known non-malicious software;
      
      storing process attributes and activity in a database;
      
      advising the inference filter if the attributes of one or more processes associated with activity are malicious or non-malicious.
  - 18. The method of claim 17, wherein the malicious and non-malicious software is loaded manually into the processing system by a user.
  - 19. The method of claim 17, wherein the malicious and non-malicious software is loaded automatically by a loader into the processing system.
  - 20. The method of claim 17, wherein the malicious and non-malicious software is loaded automatically by a loader which services a queue populated by a local or remote service.
  - 21. The method of claim 1 or 17, wherein the malicious and non-malicious activities are intercepted by API hooking techniques.
  - 22. Software for use with a computer including a processor and associated memory device for storing the software, the software including a series of instructions to cause the processor to carry out a method according to any one of claims 1 or 17.
  - 24. The software of claim 22, wherein the virtual environment is a virtual machine.
  - 25. The software of claim 22, wherein the software resides in a revertible physical machine.

23. The software of claim 23, wherein the software resides in a virtual environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
PC Tools Technology pty Ltd.
Inventors
Clausen, Simon, Huang, Kien Sen, Repasi, Rolf

Application Number

US11/877,284
Publication Number

US 20080141376A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

DETERMINING MALICIOUSNESS OF SOFTWARE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

362 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

DETERMINING MALICIOUSNESS OF SOFTWARE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

362 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links