HOST INTRUSION PREVENTION SYSTEM USING SOFTWARE AND USER BEHAVIOR ANALYSIS
First Claim
1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
A) monitoring a user interaction with a computer, during a usage session, for an indication of a user behavior, wherein the indication of the user behavior is a result of comparing the user interaction with a predetermined behavior, referred to as a behavioral gene, where the gene is stored for reference in a database;
B) monitoring a computer code process executing during the usage session for an indication of a code operation, wherein the indication of the code operation is a result of comparing an operation with a predetermined code behavior, referred to as a code gene, where the code gene is stored for reference in a database;
C) performing step B) a number of times to collect a plurality of code operation indications;
D) comparing a combination of the user behavior and the plurality of code operation indications to a predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
E) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the phenotype.
Abstract
In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session.
350 Citations
69 Claims
1. (Independent claim; text as set out under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 9, 13, 29, 30, 38, 39, 42, 43, 53, 62, 63.
7-8. (canceled)
10-12. (canceled)
14-28. (canceled)
31-37. (canceled)
40-41. (canceled)
44-52. (canceled)
54-61. (canceled)
64-67. (canceled)
68. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
A) monitoring a user interaction with a computer, during a usage session, for an indication of a user behavior, wherein the indication of the user behavior is a result of comparing the user interaction with a predetermined behavior, referred to as a behavioral gene, where the gene is stored for reference in a database;
B) monitoring a computer code process executing during the usage session, for an indication of a code operation, wherein the indication of the code operation is a result of comparing an operation with a predetermined code behavior, referred to as a code gene, where the code gene is stored for reference in a database;
C) performing step A) a number of times to collect a plurality of user behavior indications;
D) comparing a combination of the code operation indication and the plurality of user behavior indications to a predetermined collection of code operation-user behavior indications, referred to as a phenotype, which comprises a grouping of specific code and behavioral genes that are typically present in a type of malicious usage session with a computer; and
E) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the phenotype.
69. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
A) monitoring a user interaction with a computer, during a usage session, for an indication of a user behavior, wherein the indication of the user behavior is a result of comparing the user interaction with a predetermined behavior, referred to as a behavioral gene, where the gene is stored for reference in a database;
B) storing the indication of a user behavior with computer code relating to the user interaction with the computer during the usage session;
C) monitoring the stored computer code relating to the user interaction with the computer during the usage session for an indication of a code operation, wherein the indication of the code operation is a result of comparing an operation with a predetermined code behavior, referred to as a code gene, where the code gene is stored for reference in a database;
D) performing step C) a number of times to collect a plurality of code operation indications;
E) comparing a combination of the user behavior and the plurality of code operation indications to a predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
F) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the phenotype.
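The gene-and-phenotype scheme the claims describe, as an added Python example that is not code from the patent or from any product built on it: behavioral genes are predicates over user-interaction events, code genes are predicates over process-operation events, a phenotype is a grouping of both kinds of gene with a required number of indications each, and a session that matches a phenotype triggers an action. The gene ids, predicates, phenotype definitions, event types, session contents and action names are all constructed assumptions for illustration. It generalises claims 1 and 68 slightly by counting indications from either source, so a phenotype can require a plurality of user-behavior indications, of code-operation indications, or of both.

```python
"""Toy behavioral HIPS matcher illustrating the gene / phenotype scheme.

Added example, not the patent's own code. All gene predicates, phenotypes and
sample sessions below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    source: str          # "user" = user interaction, "code" = process operation
    kind: str            # event type as reported by the monitor (constructed names)
    detail: Tuple = ()   # (key, value) pairs, kept as a tuple so the event is hashable

    def get(self, key: str, default: str = "") -> str:
        return dict(self.detail).get(key, default)


# Gene database (constructed): gene id -> (event source it applies to, predicate).
# "B_" ids are behavioral genes (user interaction), "C_" ids are code genes.
GENE_DB: Dict[str, tuple] = {
    "B_OPEN_ATTACHMENT": ("user", lambda e: e.kind == "open_attachment"),
    "B_APPROVE_PROMPT":  ("user", lambda e: e.kind == "approve_prompt"),
    "C_SPAWN_SHELL":     ("code", lambda e: e.kind == "spawn"
                                  and e.get("child") in ("cmd.exe", "powershell.exe")),
    "C_AUTOSTART_WRITE": ("code", lambda e: e.kind == "file_write"
                                  and "startup" in e.get("path").lower()),
    "C_NET_CONNECT":     ("code", lambda e: e.kind == "net_connect"),
}

# Phenotype database (constructed): phenotype id -> {gene id: minimum indications}.
# A phenotype mixes behavioral and code genes, as the claims require.
PHENOTYPE_DB: Dict[str, Dict[str, int]] = {
    "PROMPTED_PERSISTENCE": {"B_APPROVE_PROMPT": 1, "C_SPAWN_SHELL": 1, "C_AUTOSTART_WRITE": 1},
    "ATTACHMENT_BEACON":    {"B_OPEN_ATTACHMENT": 1, "C_NET_CONNECT": 3},
}


def collect_indications(events: List[Event], gene_db=GENE_DB) -> Counter:
    """Steps A-C: compare each event of the session with every gene for its
    source and count how many times each gene fires (the 'indications')."""
    fired: Counter = Counter()
    for ev in events:
        for gene_id, (source, predicate) in gene_db.items():
            if ev.source == source and predicate(ev):
                fired[gene_id] += 1
    return fired


def match_phenotypes(fired: Counter, phenotype_db=PHENOTYPE_DB) -> List[str]:
    """Step D: a phenotype matches only when every one of its genes fired at
    least the required number of times within the same usage session."""
    return sorted(pid for pid, need in phenotype_db.items()
                  if all(fired[g] >= n for g, n in need.items()))


def evaluate_session(events: List[Event]) -> dict:
    """Step E: derive the action from the matched phenotypes (action names constructed)."""
    fired = collect_indications(events)
    phenotypes = match_phenotypes(fired)
    action = "terminate_and_alert" if phenotypes else "allow"
    return {"genes": dict(fired), "phenotypes": phenotypes, "action": action}


# Constructed sample sessions (not real telemetry).
SUSPICIOUS_SESSION = [
    Event("user", "open_attachment", (("name", "report.docm"),)),
    Event("user", "approve_prompt", (("prompt", "enable_content"),)),
    Event("code", "spawn", (("parent", "winword.exe"), ("child", "powershell.exe"))),
    Event("code", "file_write", (("path", r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
                                          r"\Start Menu\Programs\Startup\update.lnk"),)),
    Event("code", "net_connect", (("dst", "198.51.100.7:443"),)),
]
BENIGN_SESSION = [
    Event("user", "open_attachment", (("name", "minutes.pdf"),)),
    Event("code", "net_connect", (("dst", "192.0.2.10:443"),)),
]

if __name__ == "__main__":
    for name, session in (("suspicious", SUSPICIOUS_SESSION), ("benign", BENIGN_SESSION)):
        print(name, evaluate_session(session))
```

The benign session shares two genes with the suspicious one (an attachment was opened and a connection was made), but no phenotype is complete: PROMPTED_PERSISTENCE lacks its user-approval gene and ATTACHMENT_BEACON requires three connection indications, so the session is allowed. That per-phenotype minimum count is where the claims' "plurality" of indications enters, and it is also the knob that controls false positives when a single gene is common in normal use.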