SYSTEMS AND METHOD FOR MALWARE DETECTION
First Claim

1. A system for distinguishing human input events from malware-generated events, the system comprising:
   at least a central processing unit (CPU) (12);
   at least an input device (17); and
   memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the at least a CPU (12) to perform the following steps:
      obtaining first input events from a user utilizing the at least an input device;
      utilizing the first input events to obtain a feature indicative of the user;
      obtaining second input events; and
      classifying the second input events against the feature indicative of the user to determine if the user or malware initiated the second input events.
Abstract
A system and method for distinguishing human input events from malware-generated events includes one or more central processing units (CPUs), one or more input devices and memory. The memory includes program code that when executed by the CPU causes the CPU to obtain a first set of input events from a user utilizing the input device. The first input events are used to obtain or derive a feature indicative of the user, such as a multi-dimensional feature vector as provided by a support vector machine. Second input events are then obtained, and the second input events are classified against the feature to determine if either the user or malware initiated the second input events.
Claims (12)

1. A system for distinguishing human input events from malware-generated events, the system comprising:
   at least a central processing unit (CPU) (12);
   at least an input device (17); and
   memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the at least a CPU (12) to perform the following steps:
      obtaining first input events from a user utilizing the at least an input device;
      utilizing the first input events to obtain a feature indicative of the user;
      obtaining second input events; and
      classifying the second input events against the feature indicative of the user to determine if the user or malware initiated the second input events.
   Dependent claims: 2, 3, 4, 5, 6, 7.
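The following is an added example, not code from the patent or its assignee, showing the mechanism of claim 1 and the abstract end to end: first input events are reduced to a feature indicative of the user, and a later batch of events is classified against that feature. The abstract mentions a feature vector from a support vector machine; this stand-alone version swaps in a simpler one-class classifier (Euclidean distance in z-scored feature space, with a fixed threshold) so that it runs without any ML library. The feature set, window size, threshold and all event data are constructed assumptions.

```python
# Added example (not from the patent): profile a user's input-event timing,
# then classify a later batch of events as user-initiated or malware-generated.
# A one-class distance-to-profile classifier stands in for the SVM named in the
# abstract. All event data below is constructed.
import math
import random
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class InputEvent:
    t_ms: float  # timestamp in milliseconds
    kind: str    # "key" or "mouse"


FEATURE_NAMES = ("gap_mean", "gap_std", "burst_fraction", "key_fraction")


def feature_vector(events):
    """Timing/mix features of an ordered event sequence: mean inter-event gap,
    spread of the gaps, share of gaps under 5 ms (inhumanly fast), share of key events."""
    if len(events) < 2:
        raise ValueError("need at least two events")
    gaps = [b.t_ms - a.t_ms for a, b in zip(events, events[1:])]
    return (
        mean(gaps),
        pstdev(gaps),
        sum(1 for g in gaps if g < 5.0) / len(gaps),
        sum(1 for e in events if e.kind == "key") / len(events),
    )


def build_profile(first_events, window=20, min_spread=0.05):
    """The feature indicative of the user: per-feature centre and spread over
    fixed-size windows of the first (enrolment) events."""
    vectors = [
        feature_vector(first_events[i:i + window])
        for i in range(0, len(first_events) - window + 1, window)
    ]
    if len(vectors) < 2:
        raise ValueError("need at least two full windows to estimate spread")
    centre = tuple(mean(v[j] for v in vectors) for j in range(len(FEATURE_NAMES)))
    # Floor the spread so a feature that never varied during enrolment does not
    # turn a tiny deviation into an enormous distance.
    spread = tuple(max(pstdev(v[j] for v in vectors), min_spread)
                   for j in range(len(FEATURE_NAMES)))
    return centre, spread


def profile_distance(profile, events):
    """Euclidean distance of the events' feature vector from the profile, in z-scored space."""
    centre, spread = profile
    v = feature_vector(events)
    return math.sqrt(sum(((a - c) / s) ** 2 for a, c, s in zip(v, centre, spread)))


def classify(profile, second_events, threshold=8.0):
    """Classify second events against the user's feature: 'user' or 'malware'."""
    return "user" if profile_distance(profile, second_events) <= threshold else "malware"


# ---- constructed sample data ----
def synthetic_human(n, seed):
    """Human-like activity: irregular 60-300 ms gaps, a mix of key and mouse events."""
    rng = random.Random(seed)
    t, events = 0.0, []
    for _ in range(n):
        t += rng.uniform(60.0, 300.0)
        events.append(InputEvent(t, "key" if rng.random() < 0.7 else "mouse"))
    return events


def synthetic_injected(n, period_ms=3.0):
    """Script-generated keystrokes: metronomic spacing, key events only."""
    return [InputEvent(i * period_ms, "key") for i in range(n)]


if __name__ == "__main__":
    profile = build_profile(synthetic_human(400, seed=1))
    print("later human batch :", classify(profile, synthetic_human(40, seed=2)))
    print("injected batch    :", classify(profile, synthetic_injected(20)))
```

The spread floor (`min_spread`) matters in practice: the burst fraction of a real user is almost always exactly zero during enrolment, and without a floor any single fast gap in a later batch would be scored as infinitely anomalous.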
8. A computer system for distinguishing user-initiated outbound network traffic from malware-initiated outbound network traffic, the network traffic comprising a plurality of packets that employ a multi-layered communications protocol comprising an upper application layer, a lower physical layer and a plurality of intermediate layers, the system comprising:
   at least a central processing unit (CPU) (12);
   networking hardware (16) capable of carrying the network traffic; and
   memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the CPU (12) to perform the following steps:
      cryptographically signing a packet at a first layer in the plurality of intermediate layers;
      verifying the signature of the packet at a second layer in the plurality of intermediate layers, the second layer being at a lower layer than the first layer; and
      correlating the packet with malware-initiated outbound network traffic if the signature of the packet at the second layer is not verified.
   Dependent claims: 9, 10.
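An added example (not from the patent) of the two-layer check in claim 8: a shim at an upper intermediate layer tags every packet the legitimate stack hands down, and a shim at a lower layer verifies the tag before the packet reaches the physical layer. A packet that arrives at the lower layer without a valid tag did not pass through the upper stack, so it is correlated with malware-initiated traffic. An HMAC over the payload stands in for the patent's signature; the shared key, the `Packet` type and the sample packets are constructed assumptions.

```python
# Added example (not from the patent): tag outbound packets at an upper shim
# layer and verify the tag at a lower shim layer. An HMAC stands in for the
# patent's cryptographic signature; key and packets are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

SESSION_KEY = b"constructed-demo-key-do-not-reuse"  # shared by the two shim layers only


@dataclass(frozen=True)
class Packet:
    payload: bytes
    tag: Optional[bytes] = None  # set by the upper shim; absent if that shim was bypassed


def upper_layer_tag(payload: bytes, key: bytes = SESSION_KEY) -> Packet:
    """First intermediate layer: every packet the normal stack hands down gets a tag."""
    return Packet(payload, hmac.new(key, payload, hashlib.sha256).digest())


def lower_layer_verify(packet: Packet, key: bytes = SESSION_KEY) -> bool:
    """Second (lower) intermediate layer: verify before handing to the physical layer."""
    if packet.tag is None:
        return False
    expected = hmac.new(key, packet.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, packet.tag)  # constant-time comparison


def strip_tag(packet: Packet) -> bytes:
    """What goes on the wire: the tag is host-internal and is removed after verification."""
    return packet.payload


def triage(packets: List[Packet]) -> Tuple[List[bytes], List[Packet]]:
    """Return (wire bytes of verified packets, packets correlated with malware)."""
    verified, suspect = [], []
    for p in packets:
        if lower_layer_verify(p):
            verified.append(strip_tag(p))
        else:
            suspect.append(p)
    return verified, suspect


def sample_outbound() -> List[Packet]:
    """Constructed outbound queue as seen at the lower layer."""
    return [
        upper_layer_tag(b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
        # Handed to the lower layer directly, bypassing the tagging shim: no tag.
        Packet(b"POST /upload HTTP/1.1\r\nHost: unknown-host.example\r\n\r\n"),
        # Tagged under a different key: fails verification like an untagged packet.
        upper_layer_tag(b"GET /beacon HTTP/1.1\r\nHost: unknown-host.example\r\n\r\n",
                        key=b"some-other-key"),
    ]


if __name__ == "__main__":
    ok, bad = triage(sample_outbound())
    print(f"{len(ok)} verified, {len(bad)} correlated with malware-initiated traffic")
    for p in bad:
        print("  suspect:", p.payload.split(b"\r\n")[0].decode())
```

The check only has value if the key is reachable by the two shim layers and nothing else on the host; a process that can read the key can produce valid tags, which is why the claim's wording ties the signing step to a specific layer rather than to any caller.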
11. A computer system for distinguishing user-initiated outbound network traffic from malware-initiated outbound network traffic, the system comprising:
   at least a central processing unit (CPU) (12);
   at least an input device (17);
   networking hardware (16) capable of carrying the network traffic; and
   memory (14) communicatively coupled to the CPU (12), the memory (14) comprising program code (18) executable by the at least a CPU to perform the following steps:
      monitoring input events generated by the input device (17);
      monitoring outbound network traffic events;
      performing a time-based correlation analysis between the input events and the outbound network traffic events; and
      distinguishing malware-initiated outbound traffic according to the time-based correlation analysis.
   Dependent claims: 12.
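An added example (not from the patent) of the time-based correlation in claim 11. Each outbound connection event is paired with the most recent input event inside a lookback window; an outbound event with no input activity in that window is flagged. It goes one step beyond the claim's wording by grouping flagged events per destination and reporting those contacted at a near-constant cadence, which is the usual shape of traffic no user triggered. The window length, jitter tolerance, timestamps and host names are constructed assumptions.

```python
# Added example (not from the patent): correlate outbound network events with
# input events in time, flag outbound events that no input precedes, and report
# regularly spaced flagged events per destination. All data is constructed.
from bisect import bisect_right
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# (timestamp_ms, destination) for each new outbound connection -- constructed
NET_EVENTS: List[Tuple[float, str]] = [
    (1500.0, "mail.example"),
    (5700.0, "docs.example"),
    (20000.0, "unknown-host.example"),
    (80000.0, "unknown-host.example"),
    (140000.0, "unknown-host.example"),
]

# timestamps (ms) of keyboard/mouse events -- constructed
INPUT_EVENTS_MS: List[float] = [1000.0, 1300.0, 1450.0, 5200.0, 5600.0]


def correlate(input_times, net_events, window_ms=2000.0):
    """Pair each outbound event with the most recent input event at most
    window_ms earlier. Returns (explained, flagged): explained entries carry
    the lag after that input event; flagged entries had no input in the window."""
    inputs = sorted(input_times)
    explained, flagged = [], []
    for t, dest in net_events:
        i = bisect_right(inputs, t)            # number of inputs at or before t
        last = inputs[i - 1] if i else None
        if last is not None and t - last <= window_ms:
            explained.append((t, dest, t - last))
        else:
            flagged.append((t, dest))
    return explained, flagged


def beacon_candidates(flagged, min_count=3, max_jitter_ratio=0.1):
    """Among flagged events, destinations contacted at least min_count times with
    near-constant spacing (coefficient of variation of the gaps <= max_jitter_ratio).
    Returns {destination: mean_period_ms}."""
    by_dest: Dict[str, List[float]] = {}
    for t, dest in flagged:
        by_dest.setdefault(dest, []).append(t)
    result = {}
    for dest, ts in by_dest.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter_ratio:
            result[dest] = period
    return result


if __name__ == "__main__":
    explained, flagged = correlate(INPUT_EVENTS_MS, NET_EVENTS)
    for t, dest, lag in explained:
        print(f"user-initiated   t={t:>8.0f} {dest:<22} ({lag:.0f} ms after input)")
    for t, dest in flagged:
        print(f"no input nearby  t={t:>8.0f} {dest}")
    for dest, period in beacon_candidates(flagged).items():
        print(f"beacon candidate {dest}: every {period / 1000:.0f} s")
```

Background traffic that the user legitimately did not trigger (software updates, mail polling) also lands in the flagged list, so in practice the correlation output is an enrichment for a detection pipeline rather than a verdict on its own; the per-destination cadence check is one way to rank it.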
Specification