BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM

US 20110023118A1
Filed: 07/21/2009
Published: 01/27/2011
Est. Priority Date: 07/21/2009
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:

A) monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored for reference in a database;

B) performing step A) a number of times to collect a plurality of malicious behavior indications;

C) comparing the plurality of malicious behavior indications to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code; and

D) causing an action based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed.

Citations

11 Claims

1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
- A) monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored for reference in a database;
  
  B) performing step A) a number of times to collect a plurality of malicious behavior indications;
  
  C) comparing the plurality of malicious behavior indications to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code; and
  
  D) causing an action based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product of claim 1, wherein the action stops the executing computer process.
  - 3. The computer program product of claim 1, wherein the action causes the computer process to be paused while a content analysis is performed on the code that produced the executing computer process, wherein the type of content analysis performed is based on the phenotype.
  - 4. The computer program product of claim 3, wherein the content analysis involves at least one of a genotype, a hashing, a partial matching, an emulation, and an interpretation and tokenisation.
  - 5. The computer program product of claim 4, wherein partial matching involves identifying specific attributes at known locations in the file or as offsets from identifiers.
  - 6. The computer program product of claim 4, wherein interpretation and tokenisation includes lossy refactoring.
  - 7. The computer program product of claim 1, wherein the action causes a content analysis to be performed on a file produced by the executing computer process, wherein the type of content analysis performed is based on the phenotype.
  - 8. The computer program product of claim 7, wherein the content analysis involves at least one of a genotype, a hashing, a partial matching, an emulation, and an interpretation and tokenisation.
  - 9. The computer program product of claim 1, wherein the action causes a remedial action.
  - 10. The computer program product of claim 9, wherein the remedial action is at least one of pausing the executing process, halting the executing process, performing a content analysis, sending a warning to a user of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, recording an interaction for a subsequent evaluation, blocking all requests to a denied network location, performing a malicious code scan on the executing process, performing a malicious code scan on a client facility, quarantining the process, isolating the process, isolating a client facility to a location within the network that restricts network access, blocking a network access port from a client facility, and reporting the process to an administration facility.
  - 11. The computer program product of claim 1, wherein the gene is at least one of a system modification and a behavior of a process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Wright, Clifford C.

Granted Patent

US 8,776,218 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links