SYSTEM AND METHOD FOR NON-SIGNATURE BASED DETECTION OF MALICIOUS PROCESSES

US 20120311708A1
Filed: 06/01/2011
Published: 12/06/2012
Est. Priority Date: 06/01/2011
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious processes, the system comprising a processor running a plurality of processes, the processor configured to, for each process:

collect a plurality of features of the process;

apply a plurality of classification rules to the plurality of features to produce a plurality of weighted threat scores, wherein each of the plurality of classification rules corresponds to a one or more of a plurality of process categories;

compare the plurality of weighted threat scores to a plurality of threshold values, wherein each of the plurality of threshold values corresponds to one of the plurality of process categories; and

classify the process in the one or more process categories based at least on the comparison of the plurality of weighted threat scores to the plurality of predetermined thresholds.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.

Citations

20 Claims

1. A system for detecting malicious processes, the system comprising a processor running a plurality of processes, the processor configured to, for each process:
- collect a plurality of features of the process;
  
  apply a plurality of classification rules to the plurality of features to produce a plurality of weighted threat scores, wherein each of the plurality of classification rules corresponds to a one or more of a plurality of process categories;
  
  compare the plurality of weighted threat scores to a plurality of threshold values, wherein each of the plurality of threshold values corresponds to one of the plurality of process categories; and
  
  classify the process in the one or more process categories based at least on the comparison of the plurality of weighted threat scores to the plurality of predetermined thresholds.
- View Dependent Claims (2, 3, 7, 8, 9, 10, 12, 13, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein comparing the plurality of weighted threat scores to a plurality of threshold values comprises assigning a confidence level to each of the plurality of weighted threat scores based at least on the difference between the weighted threat scores and the threshold values.
  - 3. The system of claim 1, wherein the plurality of process categories comprise a plurality of malicious process categories.
  - 7. The system of claim 1, wherein the plurality of features comprise identifying whether the process is invisible.
  - 8. The system of claim 1, wherein the plurality of features comprise features indicating a network usage behavior associated with the process.
  - 9. The system of claim 1, wherein the plurality of features comprise features indicating a system tray behavior associated with the process.
  - 10. The system of claim 1, wherein the plurality of features comprise features indicating a signed certificate behavior associated with the process.
  - 12. The method of claim 1, wherein comparing the plurality of weighted threat scores to a plurality of threshold values comprises assigning a confidence level to each of the plurality of weighted threat scores based at least on the difference between the weighted threat scores and the threshold values.
  - 13. The method of claim 1, wherein the plurality of process categories comprise a plurality of malicious process categories.
  - 17. The method of claim 1, wherein the plurality of features comprise features identifying whether the process is invisible.
  - 18. The method of claim 1, wherein the plurality of features comprise features indicating a network usage behavior associated with the process.
  - 19. The system of claim 1, wherein the plurality of features comprise features indicating a system tray behavior associated with the process.
  - 20. The system of claim 1, wherein the plurality of features comprise features indicating a signed certificate behavior associated with the process.

4. The system of claim 4, wherein the plurality of malicious process categories comprise backdoor malware.
- View Dependent Claims (5, 6)
- - 5. The system of claim 4, wherein the plurality of malicious process categories comprise fake alert malware.
  - 6. The system of claim 4, wherein the plurality of malicious process categories comprise downloader malware.

11. A method for classifying a plurality of processes into a plurality of process categories, the method comprising, for each process of the plurality of processes:
- collecting a plurality of features of the process;
  
  applying a plurality of classification rules to the plurality of features to produce a plurality of weighted threat scores, wherein each of the plurality of classification rules corresponds to a one or more of the plurality of process categories;
  
  comparing the plurality of weighted threat scores to a plurality of threshold values, wherein each of the plurality of threshold values corresponds to one of the plurality of process categories; and
  
  classifying the process in the one or more process categories based at least on the comparison of the plurality of weighted threat scores to the plurality of predetermined thresholds.

15. The method of claim 15, wherein the plurality of malicious process categories comprise fake alert malware.
- View Dependent Claims (14, 16)
- - 14. The method of claim 15, wherein the plurality of malicious process categories comprise backdoor malware.
  - 16. The method of claim 15, wherein the plurality of malicious process categories comprise downloader malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Singh, Prabhat Kumar, Jyoti, Nitin, Prashanth, Palasamudram Ramagopal, Agarwal, Romanch, Vishwanath, Harinath Ramachetty

Granted Patent

US 9,323,928 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/285   Clustering or classification

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G16B 40/00   ICT specially adapted for b...

H04L 63/145   the attack involving the pr...

SYSTEM AND METHOD FOR NON-SIGNATURE BASED DETECTION OF MALICIOUS PROCESSES

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR NON-SIGNATURE BASED DETECTION OF MALICIOUS PROCESSES

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links