Malware detection by application monitoring

US 20110083186A1
Filed: 10/07/2009
Published: 04/07/2011
Est. Priority Date: 10/07/2009
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware on a computer system, the method comprising:

monitoring the behaviour of trusted applications running on the computer system and, in the event that one or more unexpected behaviours of an application is detected, identifying a file or files responsible for the unexpected behaviour.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting malware on a computer system. The method comprises monitoring the behaviour of trusted applications running on the computer system and, in the event that unexpected behaviour of an application is detected, identifying a file or files responsible for the unexpected behaviour and tagging the file(s) as malicious or suspicious. The unexpected behaviour of the application may comprise, for example, dropping executable files, performing modifications to a registry branch which is not a registry branch of the application, reading a file type class which is not a file type class of the application, writing portable executable (PE) files, and crashing and re-starting of the application.

Citations

14 Claims

1. A method of detecting malware on a computer system, the method comprising:
- monitoring the behaviour of trusted applications running on the computer system and, in the event that one or more unexpected behaviours of an application is detected, identifying a file or files responsible for the unexpected behaviour.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein an unexpected behaviour of the application comprises one of:
    - dropping an executable file;
      
      deleting executable files after execution;
      
      performing modifications to a registry branch which is not a registry branch of the application;
      
      reading or writing a file type class which is not a file type class normally associated with the application;
      
      writing to a data file which is not a data file associated with the application;
      
      writing portable executable files;
      
      crashing of the application followed by a re-start;
      
      disabling a security setting such as a firewall and/or disabling an anti-virus application;
      
      reading mail files;
      
      installing plugins to a web browser;
      
      initiating a network download from an unidentified source.
  - 3. A method according to claim 1 and comprising receiving at the computer system, from a central server, a list of trusted application and respective sets of unexpected behaviours, said step of monitoring comprising monitoring for the occurrence of the behaviours listed for the application.
  - 4. A method according to claim 1 and comprising terminating the application in the event that an unexpected behaviour of the application is detected.
  - 5. A method according to claim 1 and comprising tagging the identified file(s) as malicious or suspicious.
  - 6. A method according to claim 5 and comprising identifying other files written by the application exhibiting the unexpected behaviour and tagging those files as malicious or suspicious.
  - 7. A method according to claim 5, said step of tagging the file comprising locking the file to prevent it from being accessed and/or copied.
  - 8. A method according to claim 1 and comprising tracing any external connections made by the application exhibiting the unexpected behaviour and blocking subsequent attempts to establish connections to the same destination.

9. A computer comprising an application monitor for monitoring the behaviour of trusted applications running on the computer and, in the event that unexpected behaviour of an application is detected, for identifying a file or files responsible for the unexpected behaviour.
- View Dependent Claims (10)
- - 10. A computer according to claim 9, said application monitor being further configured to tag the identified file(s) as malicious or suspicious

11. A computer program for causing a computer to perform the steps of:
- monitoring the behaviour of trusted applications running on the computer;
  
  detecting one or more unexpected behaviours of an application; and
  
  identifying a file or files responsible for the unexpected behaviour(s).
- View Dependent Claims (12)
- - 12. A computer program according to claim 11 for causing a computer to perform the further step of tagging the identified file(s) as malicious or suspicious.

13. A computer storage medium having stored thereon instructions for causing a computer to:
- monitor the behaviour of trusted applications running on the computer system;
  
  detect one or more unexpected behaviours of an application; and
  
  identify a file or files responsible for the unexpected behaviour(s).
- View Dependent Claims (14)
- - 14. A computer storage medium according to claim 13 having stored thereon instructions to cause a computer to tag the identified file(s) as malicious or suspicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Withsecure Corporation
Original Assignee
F-Secure Oyj
Inventors
Palomaki, Pirkka, Niemela, Jarno

Granted Patent

US 8,590,045 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

Malware detection by application monitoring

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection by application monitoring

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links