UNAUTHORIZED PROCESS DETECTION METHOD AND UNAUTHORIZED PROCESS DETECTION SYSTEM

US 20120192278A1
Filed: 06/07/2010
Published: 07/26/2012
Est. Priority Date: 09/01/2009
Status: Abandoned Application

First Claim

Patent Images

1. An unauthorized process detection method in an unauthorized process detection system for detecting an unauthorized process operated in a terminal connected to a network, comprising steps by the unauthorized process detection system of:

monitoring system access which is access as a result of execution of a process in the terminal to a storage device and an input-output device in the terminal;

associating a first activity which is acquired by the monitoring of the system access and which is processing of the process with the process that executes the first activity and recording them in a system monitoring result database;

monitoring communication via the network as a result of the execution of the process in the terminal;

associating a second activity which is acquired by the monitoring of the communication and which is processing of the process with the process that executes the second activity and recording them in a communication monitoring result database;

determining whether an activity which is the same as at least one of the first and second activities and a process that executes which is the same process or its associated process is already recorded in the system monitoring result database or in the communication monitoring result database; and

determining that the process that executed is an unauthorized process when the activity judged to be recorded meets predetermined conditions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a system whereby information on activities obtained by way of monitoring system access to input and output devices and storage devices in a terminal as well as information on activities executed by way of a terminal and obtained by way of monitoring communications through a network are associated with processes in the terminal that generated the activities, and if the activities are predetermined activities executed by the same or related processes, the system detects that unauthorized processes are running on the terminal.

18 Citations

View as Search Results

11 Claims

1. An unauthorized process detection method in an unauthorized process detection system for detecting an unauthorized process operated in a terminal connected to a network, comprising steps by the unauthorized process detection system of:
- monitoring system access which is access as a result of execution of a process in the terminal to a storage device and an input-output device in the terminal;
  
  associating a first activity which is acquired by the monitoring of the system access and which is processing of the process with the process that executes the first activity and recording them in a system monitoring result database;
  
  monitoring communication via the network as a result of the execution of the process in the terminal;
  
  associating a second activity which is acquired by the monitoring of the communication and which is processing of the process with the process that executes the second activity and recording them in a communication monitoring result database;
  
  determining whether an activity which is the same as at least one of the first and second activities and a process that executes which is the same process or its associated process is already recorded in the system monitoring result database or in the communication monitoring result database; and
  
  determining that the process that executed is an unauthorized process when the activity judged to be recorded meets predetermined conditions.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The unauthorized process detection method according to claim 1,wherein the process associated with the process that executed the activity means that there exists a process common to a first process list acquired by recursively pursuing a first process which is the process that executed the activity and a parent process that generated the first process and a second process list acquired by recursively pursuing a second process which is the associated process and a parent process that generated the second process.
  - 3. The unauthorized process detection method according to claim 1,wherein the terminal writes information showing the process that executed communication to an IP packet of communication via the network;
    - the unauthorized process detection system extracts the information of the process written to the IP packet corresponding to the second activity in the monitoring of the communication; and
      
      the unauthorized process determination system sets the process shown by the extracted information as a process that executed the second activity.
  - 4. The unauthorized process detection method according to claim 1,wherein the unauthorized process detection system outputs warning according to determination that the process that executed the activity in the terminal is an unauthorized process.
  - 5. The unauthorized process detection method according to claim 1,wherein when the terminal is a virtual machine, a virtual machine monitor that controls the virtual machine monitors the system access in the virtual machine;
    - andthe virtual machine monitor associates the first activity in the virtual machine with the information of a process that executes the first activity.

6. An unauthorized process detection system in a network to which a terminal, a communication monitoring apparatus and an unauthorized process determination apparatus are connected, comprising:
- a terminal that monitors system access which is access as a result of the execution of a process to a storage device and an input-output device, that associates a first activity which is acquired by the monitoring of the system access and which is the processing of the process with the process that executed the first activity and notifies them as an access monitoring result, and that writes information showing the process that executed the communication to communication via the network;
  
  a communication monitoring apparatus which is connected to the terminal via the network, extracts information included in the communication via the network and showing the process, monitors the communication, associates a second activity acquired by the monitoring of the communication with the extracted process, and notifies them as a communication monitoring result; and
  
  an unauthorized process determination apparatus which is connected to the terminal and the communication monitoring apparatus, is provided with databases that record the access monitoring result notified from the terminal and the communication monitoring result notified from the communication monitoring apparatus, and determines that an unauthorized process is going on in the terminal when the first or second activity included in the access monitoring result or in the communication monitoring apparatus meets predetermined conditions and the first or the second activity is already recorded in the database as an activity executed by the same process or an associated process as/with the process associated with the first or second activity.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The unauthorized process detection system according to claim 6,wherein the terminal records information showing parent-child relationship of the process, notifies a process list acquired by recursively pursuing the process and a parent process based upon the process together in the notification of the access monitoring result, and further communicates the process list acquired by recursively pursuing the parent process from the process together in the communication to the communication monitoring apparatus;
    - andthe communication monitoring apparatus further notifies of the process list in the notification of the communication monitoring result.
  - 8. The unauthorized process detection system according to claim 6,wherein the process associated with the process that executed the activity means that there exists a process common to a first process list acquired by recursively pursuing a first process which is the process that executed the activity and a parent process that generated the first process and a second process list acquired by recursively pursuing a second process which is the associated process and a parent process that generated the second process.
  - 9. The unauthorized process detection system according to claim 6,wherein the terminal writes an identifier of the process as information showing the process to an IP packet of communication via the network.
  - 10. The unauthorized process detection system according to claim 6,wherein the unauthorized process determination apparatus outputs warning according to determination that an unauthorized process is going on in the terminal.
  - 11. The unauthorized process detection system according to claim 6,wherein when the terminal is a virtual machine, the virtual machine executes a process, monitors the system access inside the terminal, associates a first activity acquired by the monitoring of the access with the process that executed the first activity, notifies the unauthorized process determination apparatus of them, and writes information showing the process that executed communication to communication via the network executed by the terminal;
    - anda virtual machine monitor that controls the virtual machine is provided.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Kito, Tetsuro, Okochi, Kazuya, Nakakoji, Hirofumi, Kawaguchi, Tatsunoshin, Kawaguchi, Nobutaka, Shigemoto, Tomohiro

Application Number

US13/387,781
Publication Number

US 20120192278A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/52 during program execution, e...

UNAUTHORIZED PROCESS DETECTION METHOD AND UNAUTHORIZED PROCESS DETECTION SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

UNAUTHORIZED PROCESS DETECTION METHOD AND UNAUTHORIZED PROCESS DETECTION SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links