Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System

US 20120084862A1
Filed: 12/09/2011
Published: 04/05/2012
Est. Priority Date: 10/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malware, the method comprising:

identifying, by a computer system, processes in a running process list on a host computer system;

identifying, by the computer system, ports assigned to the processes in the running process list on the host computer system;

identifying, by the computer system, ports currently in use in the host computer system;

determining, by the computer system, whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system; and

responsive to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system, making a record, by the computer system, that a hidden, running process is present as a characteristic of an attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.

31 Citations

View as Search Results

20 Claims

1. A method for identifying malware, the method comprising:
- identifying, by a computer system, processes in a running process list on a host computer system;
  
  identifying, by the computer system, ports assigned to the processes in the running process list on the host computer system;
  
  identifying, by the computer system, ports currently in use in the host computer system;
  
  determining, by the computer system, whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system; and
  
  responsive to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system, making a record, by the computer system, that a hidden, running process is present as a characteristic of an attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - responsive to a absence of the determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system, making a record, by the computer system, that the attack is absent in the host computer system.
  - 3. The method of claim 1, wherein identifying, by the computer system, ports currently in use in the host computer system comprises:
    - identifying, by the computer system, a group of open ports on the host computer system, wherein the group of open ports includes the ports assigned to the processes in the running process list and the ports currently in use but not assigned to any of the processes in the running process list in the host computer system.
  - 4. The method of claim 3, wherein the one of the ports currently in use but not assigned to any of the processes in the running process list in the host computer system use is a first use of the port by a group of tasks running in the host computer system and further comprising:
    - retrieving, by the computer system a first configuration for the host computer system;
      
      identifying, by the computer system, a second use of a corresponding port by a corresponding group of tasks running on a set of host computer systems having a second configuration that matches the first configuration for the host computer system, wherein the corresponding port corresponds to the port and the corresponding group of tasks running on the set of host computer systems correspond to the group of tasks running in the host computer system;
      
      determining, by the computer system, whether a difference in port use is present between the first use of the port and the second use of the corresponding port in the set of host computer systems;
      
      responsive to a determination that the difference in port use is present, determining, by the computer system, whether the difference in port use by the group of tasks in the host computer system is new based on a history of prior uses for the corresponding port in the set of host computer systems; and
      
      responsive to a determination that the difference in port use is not new, identifying, by the computer system, that the attack is not present in the host computer system.
  - 5. The method of claim 4, further comprising:
    - responsive to the determination that the difference in port use is new, identifying, by the computer system, a time when the first use occurred and a set of changes having a scheduled time for each change, wherein the set of changes are for the group of tasks and for the a set of networking resources for the port;
      
      determining, by the computer system, whether the time when the first use occurred corresponds to the scheduled time for at least one of the changes in the set of changes; and
      
      responsive to a determination that the time when the first use occurred corresponds to the scheduled time for at least one of the changes in the set of changes, identifying, by the computer system, that the attack is not present in the host computer system.
  - 6. The method of claim 4, further comprising:
    - responsive to the determination that the difference in port use is new, sending, by the computer system, a request to a user of the host computer system to indicate whether the difference in port use is the attack.
  - 7. The method of claim 6, wherein the request to the user of the host computer system to indicate whether the difference in port use is the attack includes an additional random question, wherein an incorrect answer to the additional random question indicates that the difference in port use is the attack.
  - 8. The method of claim 4, further comprising:
    - retrieving, by the computer system, performance information about the first use of the port by the group of tasks running in the host computer system by a first monitoring program configured to monitor port use by the group of tasks running in the host computer system;
      
      retrieving, by the computer system, performance information generated by a second monitoring program in a remote computer system configured to monitor the first use of the port by the group of tasks running in the host computer system;
      
      comparing, by the computer system, the performance information generated by the first monitoring program to the performance information generated by the second monitoring program to identify a set of differences between the performance information generated by the first monitoring program and the second monitoring program; and
      
      responsive to the set of differences being present between the performance information generated by the first monitoring program and the second monitoring program, identifying, by the computer system, that the attack is present in the host computer system.

9. A computer comprising:
- a central processor unit a computer-readable tangible storage device;
  
  a computer-readable memory; and
  
  program code for identifying malware, wherein the program code is stored on the computer-readable tangible storage device for execution by the processor unit in the computer-readable memory and to be run by the processor unit to identify processes in a running process list on a host computer system;
  
  identify ports assigned to the processes in the running process list on the host computer system;
  
  identify ports currently in use in the host computer system;
  
  determine whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system; and
  
  make a record that a hidden, running process is present as a characteristic of an attack, responsive to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer of claim 9, wherein the program code is further configured to be run by the processor unit to make a record that the attack is absent in the host computer system, responsive to a absence of the determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
  - 11. The computer of claim 9, wherein identifying ports currently in use in the host computer system comprises identifying a group of open ports on the host computer system, wherein the group of open ports includes the ports assigned to the processes in the running process list and the ports currently in use but not assigned to any of the processes in the running process list in the host computer system.
  - 12. The computer of claim 11, wherein the one of the ports currently in use but not assigned to any of the processes in the running process list in the host computer system use is a first use of the port by a group of tasks running in the host computer system and wherein the program code is further configured to be run by the processor unit to retrieve a first configuration for the host computer system;
    - identify a second use of a corresponding port by a corresponding group of tasks running on a set of host computer systems having a second configuration that matches the first configuration for the host computer system, wherein the corresponding port corresponds to the port and the corresponding group of tasks running on the set of host computer systems correspond to the group of tasks running in the host computer system;
      
      determine whether a difference in port use is present between the first use of the port and the second use of the corresponding port in the set of host computer systems;
      
      determine whether the difference in port use by the group of tasks in the host computer system is new based on a history of prior uses for the corresponding port in the set of host computer systems, responsive to a determination that the difference in port use is present; and
      
      identify that the attack is not present in the host computer system, responsive to a determination that the difference in port use is not new.
  - 13. The computer of claim 12, wherein the program code is further configured to be run by the processor unit to identify a time when the first use occurred and a set of changes having a scheduled time for each change, wherein the set of changes are for the group of tasks and for the a set of networking resources for the port, responsive to the determination that the difference in port use is new;
    - determine whether the time when the first use occurred corresponds to the scheduled time for at least one of the changes in the set of changes; and
      
      identify that the attack is not present in the host computer system, responsive to a determination that the time when the first use occurred corresponds to the scheduled time for at least one of the changes in the set of changes.
  - 14. The computer of claim 12, wherein the program code is further configured to be run by the processor unit to send a request to a user of the host computer system to indicate whether the difference in port use is the attack, responsive to the determination that a difference in port use is new;
    - and wherein the request to the user of the host computer system to indicate whether the difference in port use is the attack includes an additional random question, wherein an incorrect answer to the additional random question indicates the difference in port use is the attack.

15. A computer program product, wherein the computer program product comprises:
- a computer-readable tangible storage device(s) and computer-readable program instructions stored on the computer-readable tangible storage device(s) to identify malware, wherein the computer-readable program instructions, when executed by a central processing unit;
  
  identify processes in a running process list on a host computer system;
  
  identify ports assigned to the processes in the running process list on the host computer system;
  
  identify ports currently in use in the host computer system;
  
  determine whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system; and
  
  make a record that a hidden, running process is present as a characteristic of an attack, responsive to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, wherein the computer-readable program instructions, when executed by the central processing unit further:
    - make a record that the attack is absent in the host computer system, responsive to a absence of the determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
  - 17. The computer program product of claim 15, wherein identifying ports currently in use in the host computer system comprises identifying a group of open ports on the host computer system, wherein the group of open ports includes the ports assigned to the processes in the running process list and the ports currently in use but not assigned to any of the processes in the running process list in the host computer system.
  - 18. The computer program product of claim 17, wherein the one of the ports currently in use but not assigned to any of the processes in the running process list in the host computer system use is a first use of the port by a group of tasks running in the host computer system and wherein the computer-readable program instructions, when executed by the central processing unit further:
    - retrieve a first configuration for the host computer system;
      
      identify a second use of a corresponding port by a corresponding group of tasks running on a set of host computer systems having a second configuration that matches the first configuration for the host computer system, wherein the corresponding port corresponds to the port and the corresponding group of tasks running on the set of host computer systems correspond to the group of tasks running in the host computer system;
      
      determine whether a difference in port use is present between the first use of the port and the second use of the corresponding port in the set of host computer systems;
      
      determine whether the difference in port use by the group of tasks in the host computer system is new based on a history of prior uses for the corresponding port in the set of host computer systems, responsive to a determination that the difference in port use is present; and
      
      identify that the attack is not present in the host computer system, responsive to a determination that the difference in port use is not new.
  - 19. The computer program product of claim 18, wherein the computer-readable program instructions, when executed by the central processing unit further:
    - identify a time when the first use occurred and a set of changes having a scheduled time for each change, wherein the set of changes are for the group of tasks and for the a set of networking resources for the port, responsive to the determination that the difference in port use is new;
      
      determine whether the time when the first use occurred corresponds to the scheduled time for at least one of the changes in the set of changes; and
      
      identify that the attack is not present in the host computer system, responsive to a determination that the time when the first use occurred corresponds to the scheduled time for at least one of the changes in the set of changes
  - 20. The computer program product of claim 18, wherein the computer-readable program instructions, when executed by the central processing unit further:
    - send a request to a user of the host computer system to indicate whether the difference in port use is the attack, responsive to the determination that the difference in port use is new, wherein the request to the user of the host computer system to indicate whether the difference in port use is the attack includes an additional random question, and wherein an incorrect answer to the additional random question indicates the difference in port use is the attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Ollmann, Gunter, Freeman, Robert G.

Granted Patent

US 8,931,096 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/3495   for systems

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/44505   Configuring for program ini...

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links