Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System
First Claim
1. A method for identifying malware, the method comprising:
identifying, by a computer system, processes in a running process list on a host computer system;
identifying, by the computer system, ports assigned to the processes in the running process list on the host computer system;
identifying, by the computer system, ports currently in use in the host computer system;
determining, by the computer system, whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system; and
responsive to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system, making a record, by the computer system, that a hidden, running process is present as a characteristic of an attack.
Abstract
A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.
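The comparison described in the abstract, as an added example that is not part of the patent text: it assumes the process list and the socket table have already been collected as two separate text views (both constructed here, as are the column layouts and function names), and records every port in use that no listed process accounts for.

```python
# Constructed sample data (not from the patent): two independent views of one host.
PROCESS_LIST = """\
PID   NAME
412   sshd
988   nginx
1530  postgres
"""
SOCKET_TABLE = """\
PROTO PORT  OWNER_PID
tcp   22    412
tcp   80    988
tcp   443   988
tcp   5432  1530
tcp   31337 2741
udp   68    -
"""

def parse_process_list(text):
    """Return {pid: name} for every process visible in the listing."""
    rows = [line.split() for line in text.splitlines()[1:] if line.strip()]
    return {int(pid): name for pid, name in rows}

def parse_socket_table(text):
    """Return [(proto, port, owner_pid or None)] for every port in use."""
    rows = [line.split() for line in text.splitlines()[1:] if line.strip()]
    return [(p, int(port), None if pid == "-" else int(pid)) for p, port, pid in rows]

def find_unassigned_ports(process_text, socket_text):
    """Ports in use that no process in the running process list accounts for."""
    listed = parse_process_list(process_text)
    findings = []
    for proto, port, pid in parse_socket_table(socket_text):
        if pid in listed:
            continue  # port is assigned to a process that the listing shows
        reason = ("no owning process reported" if pid is None
                  else f"owner pid {pid} not in process list")
        findings.append({"proto": proto, "port": port,
                         "owner_pid": pid, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_unassigned_ports(PROCESS_LIST, SOCKET_TABLE):
        print(f"RECORD hidden-process indicator: "
              f"{f['proto']}/{f['port']} ({f['reason']})")
```

A port with no visible owner is an indicator rather than proof: kernel-owned sockets and a process exiting between the two snapshots produce the same result, so a finding should be confirmed before it is escalated.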
20 Claims
9. A computer comprising:
a central processor unit;
a computer-readable tangible storage device;
a computer-readable memory; and
program code for identifying malware, wherein the program code is stored on the computer-readable tangible storage device for execution by the processor unit in the computer-readable memory and to be run by the processor unit to identify processes in a running process list on a host computer system;
identify ports assigned to the processes in the running process list on the host computer system;
identify ports currently in use in the host computer system;
determine whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system; and
make a record that a hidden, running process is present as a characteristic of an attack, responsive to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
15. A computer program product, wherein the computer program product comprises:
a computer-readable tangible storage device(s) and computer-readable program instructions stored on the computer-readable tangible storage device(s) to identify malware, wherein the computer-readable program instructions, when executed by a central processing unit;
identify processes in a running process list on a host computer system;
identify ports assigned to the processes in the running process list on the host computer system;
identify ports currently in use in the host computer system;
determine whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system; and
make a record that a hidden, running process is present as a characteristic of an attack, responsive to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
Specification