BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM
First Claim
1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
A) monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored for reference in a database;
B) performing step A) a number of times to collect a plurality of malicious behavior indications;
C) comparing the plurality of malicious behavior indications to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code; and
D) causing an action based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype.
Abstract
In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed.
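Steps A) through D) of claim 1 and the abstract describe a single matching loop: compare each operation against stored genes, accumulate the hits per process, and act when the accumulated hits line up with a phenotype. The following is an added example written for this page, not code from the patent or its assignee, that runs that loop over a constructed trace of process operations. Each gene is a predicate over one operation held in a dictionary that stands in for the gene database (step A), hits accumulate per process across calls (step B), a phenotype is a set of genes with an optional minimum count so that genes "typically present" need not all appear (step C), and a phenotype match yields an action (step D). Every gene name, phenotype, path, registry key, pid and action below is a hypothetical stand-in.

```python
"""Toy behavioural HIPS matcher illustrating the gene/phenotype flow of claim 1.
Added example for this page, not code from the patent; all rules are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Operation:
    """One operation observed for a process (constructed, not real telemetry)."""
    pid: int
    kind: str    # e.g. "file_write", "registry_write", "process_create"
    target: str  # path, registry key, or target pid as a string


# Step A: genes. Each is a predetermined behaviour expressed as a predicate over
# a single operation. The GENE_DB dict stands in for the gene database.
def drops_exe_in_temp(op: Operation) -> bool:
    t = op.target.lower()
    return op.kind == "file_write" and "\\temp\\" in t and t.endswith(".exe")

def runs_from_temp(op: Operation) -> bool:
    return op.kind == "process_create" and "\\temp\\" in op.target.lower()

def writes_run_key(op: Operation) -> bool:
    return op.kind == "registry_write" and "\\currentversion\\run\\" in op.target.lower()

def disables_defender(op: Operation) -> bool:
    return op.kind == "registry_write" and "disableantispyware" in op.target.lower()

def writes_remote_memory(op: Operation) -> bool:
    return op.kind == "write_process_memory" and op.target != str(op.pid)

def creates_remote_thread(op: Operation) -> bool:
    return op.kind == "create_remote_thread" and op.target != str(op.pid)

GENE_DB: Dict[str, Callable[[Operation], bool]] = {
    f.__name__: f for f in (drops_exe_in_temp, runs_from_temp, writes_run_key,
                            disables_defender, writes_remote_memory, creates_remote_thread)
}


@dataclass(frozen=True)
class Phenotype:
    """Step C: a grouping of genes typically present in one type of malicious code."""
    name: str
    genes: frozenset
    action: str          # step D: the action caused on a match
    min_genes: int = 0   # 0 means every gene in the grouping must be observed

    def matches(self, seen: Set[str]) -> bool:
        return len(self.genes & seen) >= (self.min_genes or len(self.genes))

PHENOTYPES: List[Phenotype] = [
    Phenotype("dropper", frozenset({"drops_exe_in_temp", "runs_from_temp",
                                    "writes_run_key", "disables_defender"}),
              "quarantine", min_genes=3),
    Phenotype("process_injector", frozenset({"writes_remote_memory", "creates_remote_thread"}),
              "terminate"),
    Phenotype("security_tamperer", frozenset({"disables_defender", "writes_run_key"}),
              "terminate"),
]


class BehaviorMonitor:
    """Accumulates gene hits per process (step B) and fires each phenotype once per pid."""
    def __init__(self, gene_db: Dict[str, Callable[[Operation], bool]], phenotypes: List[Phenotype]):
        self.gene_db, self.phenotypes = gene_db, phenotypes
        self.observed: Dict[int, Set[str]] = defaultdict(set)   # pid -> genes seen so far
        self.fired: Dict[int, Set[str]] = defaultdict(set)      # pid -> phenotypes acted on

    def observe(self, op: Operation) -> List[Tuple[str, str]]:
        """Compare one operation against every gene, then re-check the phenotypes."""
        seen = self.observed[op.pid]
        seen.update(name for name, gene in self.gene_db.items() if gene(op))
        verdicts = []
        for ph in self.phenotypes:
            if ph.name not in self.fired[op.pid] and ph.matches(seen):
                self.fired[op.pid].add(ph.name)
                verdicts.append((ph.name, ph.action))
        return verdicts


# Constructed operation trace: three processes, two of which look malicious.
SAMPLE_TRACE = [
    Operation(1001, "file_write", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    Operation(1001, "process_create", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    Operation(1002, "file_write", r"C:\Users\alice\Documents\report.docx"),
    Operation(1001, "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Operation(1003, "write_process_memory", "1002"),
    Operation(1003, "create_remote_thread", "1002"),
]

def run_trace(trace: List[Operation]):
    """Return ({pid: [(phenotype, action), ...]}, {pid: genes seen})."""
    mon = BehaviorMonitor(GENE_DB, PHENOTYPES)
    verdicts: Dict[int, List[Tuple[str, str]]] = {}
    for op in trace:
        for verdict in mon.observe(op):
            verdicts.setdefault(op.pid, []).append(verdict)
    return verdicts, dict(mon.observed)

if __name__ == "__main__":
    for pid, v in run_trace(SAMPLE_TRACE)[0].items():
        print(pid, v)
```

On the constructed trace, pid 1001 is classified as a dropper only at the fourth operation, once three of the four dropper genes have been observed, and pid 1003 as a process injector at the sixth; pid 1002 matches no gene. Two points a practitioner should keep in mind: the matching is order-insensitive (a gene observed before the process's "real" payload counts the same as one observed after it), and the three dropper genes observed for pid 1001 also describe a legitimate self-extracting installer that registers itself at logon, so the phenotype match is a prediction, as the claim itself says, and the action taken on it should be weighed against reputation or allowlisting data that this toy omits.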
11 Claims
Claim 1, the independent claim, is reproduced above under First Claim. Claims 2 through 11 are dependent claims.