AUXILIARY METHOD FOR INVESTIGATING LURKING PROGRAM INCIDENTS

US 20090144821A1
Filed: 11/30/2007
Published: 06/04/2009
Est. Priority Date: 11/30/2007
Status: Abandoned Application

First Claim

Patent Images

1. An auxiliary method for investigating lurking program incidents comprising the steps of:

continuously monitoring a plurality of processes run by a computer system and generating a process-invoking relationship data of each of the process being monitored when the process is created and terminated;

continuously monitoring a system registry database of the computer system and when a process is registered on an autostart registry area, an autostart-registered data of the autostart registry area is generated;

correlating the process-invoking relationship data to the autostart-registered data;

extracting high-level crucial clues of a suspicious lurking program and saving the high-level crucial clues of the suspicious lurking program into a high-level crucial clue database of the suspicious program according to the results of correlation; and

generating a process-invoking relationship log and saving the process-invoking relationship log in a process-invoking relationship log database according to the results of correlation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An auxiliary method for investigating lurking program incidents is disclosed. The method is to keep monitoring a plurality of processes run by a computer system and save process-invoking relationship data of each process being monitored when the process is created and terminated. Simultaneously, a system registry database of the computer system is also monitored and autostart-registered data of the programs is saved. Then correlate the process-invoking relationship data to the autostart-registered data for generating and saving process-invoking relationship log so as to extract and save high-level crucial clues of suspicious lurking programs. By the present method, only a little amount of high level crucial clues and process-invoking relationship log is collected and a few system resources is consumed for providing clear evidence that is helpful to investigation of lurking program incidents. Thus cost of time and labor for collecting and analyzing large amount of low-level logs is saved.

Citations

10 Claims

1. An auxiliary method for investigating lurking program incidents comprising the steps of:
- continuously monitoring a plurality of processes run by a computer system and generating a process-invoking relationship data of each of the process being monitored when the process is created and terminated;
  
  continuously monitoring a system registry database of the computer system and when a process is registered on an autostart registry area, an autostart-registered data of the autostart registry area is generated;
  
  correlating the process-invoking relationship data to the autostart-registered data;
  
  extracting high-level crucial clues of a suspicious lurking program and saving the high-level crucial clues of the suspicious lurking program into a high-level crucial clue database of the suspicious program according to the results of correlation; and
  
  generating a process-invoking relationship log and saving the process-invoking relationship log in a process-invoking relationship log database according to the results of correlation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as claimed in claim 1, wherein the process-invoking relationship data comprising:
    - an event time;
      
      a process information having a process ID and a complete file name of the process;
      
      a parent process information having a parent process ID and a complete file name of the parent process; and
      
      a process startup state that represents creation or termination of the process.
  - 3. The method as claimed in claim 1, wherein the autostart registry area comprising:
    - a log-in registry that is auto started only after log-in;
      
      a system service registry;
      
      a browser extension registry;
      
      a Windows Explorer extension registry; and
      
      a startup registry of a typical file.
  - 4. The method as claimed in claim 1, wherein the autostart-registered data comprising:
    - an event time;
      
      a process information having a process ID;
      
      a registry key having a complete name thereof and a registry key value, wherein the registry key value having a complete file name of the autostart program; and
      
      a registry state that is labeled as “
      
      registration”
      
      or “
      
      remove registration”
      
      .
  - 5. The method as claimed in claim 1, wherein conditions for correlating the process-invoking relationship data to the autostart-registered data comprising:
    - time;
      
      event time of the autostart-registered data is within lifetime—
      
      from event time of the process creation to event time of the process termination of the process;
      
      process;
      
      process ID of the process-invoking relationship data is the same with process ID of the autostart-registered data; and
      
      registry state;
      
      the registry state of the autostart-registered data is “
      
      registration”
      
      .
  - 6. The method as claimed in claim 1, wherein the process-invoking relationship log comprising:
    - a time information having time of process creation, time of process termination and time of process registered;
      
      a process information having a process ID and a complete file name of the process;
      
      a patent process information having a parent process ID and a complete file name of the patent process;
      
      a registry key information of the process having a complete name of the registry key and a registry key value; and
      
      a registry state of the process that is labeled as “
      
      registration”
      
      or “
      
      remove registration”
      
      .
  - 7. The method as claimed in claim 1, wherein the high-level crucial clues comprising:
    - a time clue (When-Info) having;
      
      time of being installed on the computer system is set as registered time of the process of the process-invoking relationship log;
      
      an installed target clue (Target-Info) having;
      
      a complete file name of an installer of the suspicious lurking program is set as complete file name of the process of the process-invoking relationship log;
      
      a complete file name of a loader of the suspicious lurking program is set as registry key value of the process-invoking relationship log;
      
      a registered address is set as complete name of the registry key of the process-invoking relationship log;
      
      a starter clue (How-Info) having;
      
      a starter of an installer of the suspicious lurking program is set as complete file name of the parent process of the process-invoking relationship log; and
      
      a starter of a loader of the suspicious lurking program;
      
      a complete file name of the starter is set according to the complete name of the registry key of the process-invoking relationship log being in an autostart registry area.
  - 8. The method as claimed in claim 7, wherein setting of the starter clue (How-Info) of the starter of the loader of the suspicious lurking program depends on a complete name of the registry key of the process-invoking relationship log as well as the complete name of the registry key of the process-invoking relationship log being in an autostart registry area and comprising conditions of:
    - once the complete name of the registry key of the process-invoking relationship log is in a log-in registry area, the starter of the loader of the suspicious lurking program is set as Windows Explorer (explorer.exe);
      
      once the complete name of the registry key of the process-invoking relationship log is in a system service registry, the starter of the loader of the suspicious lurking program is set as service management process (services.exe);
      
      once the complete name of the registry key of the process-invoking relationship log is in a browser extension registry, the starter of the loader of the suspicious lurking program is set as complete file name of the browser;
      
      once the complete name of the registry key of the process-invoking relationship log is in a Windows Explorer extension registry, the starter of the loader of the suspicious lurking program is set as complete file name of the Windows Explorer;
      
      once the complete name of the registry key of the process-invoking relationship log is in a startup registry of a typical file, the starter of the loader of the suspicious lurking program is set as complete file name of the Windows Explorer.
  - 9. The method as claimed in claim 1, wherein the step of continuously monitoring a plurality of processes run by a computer system further comprising the steps of:
    - hooking system call functions such as process creation, process termination and process deletion of an operation system;
      
      obtaining process-invoking relationship data of the process by means of other system calls when intercepting any one of the hooked system call functions that is being called, then executing the intercepted system call function.
  - 10. The method as claimed in claim 1, wherein the step of continuously monitoring a system registry database of the computer system comprising the steps of:
    - hooking system call functions such as new, write, deletion of a registry key of an system registry database of an operation system;
      
      checking whether a complete name of a registry key is on the autostart registry area when intercepting any one of the hooked system call functions that is being called;
      
      if not, executing the intercepted system call function; and
      
      if yes, generating an autostart-registered data including process ID of the process and current time obtained from other system calls;
      
      then converting parameter of the intercepted system call function to get registry key information, and corresponding the intercepted system call function to registry state, next executing the intercepted system call function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Chung-Shan Institute of Science & Technology Armaments Bureau MND (Government of The Republic of China)
Original Assignee
Chung-Shan Institute of Science & Technology Armaments Bureau MND (Government of The Republic of China)
Inventors
WONG, HSING-KUO, LU, YI-BIN

Application Number

US11/948,168
Publication Number

US 20090144821A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

AUXILIARY METHOD FOR INVESTIGATING LURKING PROGRAM INCIDENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

AUXILIARY METHOD FOR INVESTIGATING LURKING PROGRAM INCIDENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links