SYSTEM AND METHOD FOR NON-SIGNATURE BASED DETECTION OF MALICIOUS PROCESSES
Abstract
Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.
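The pipeline the abstract describes (collect process features, apply weighted classification rules that each vote for one or more process categories, compare the per-category score to a per-category threshold, classify) is shown below as an added illustration. It is not code from the patent or its assignee; the feature set, rule predicates, weights, thresholds and the sample processes are all constructed for the example, and a process whose scores stay under every threshold is simply reported with no category.

```python
"""Added example (not from the patent): a minimal non-signature process classifier.

Pipeline, as in the abstract: collect features -> apply weighted rules, each tied to
one or more process categories -> compare per-category scores to per-category
thresholds -> classify the process into zero or more categories.
All rules, weights, thresholds and sample processes below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ProcessFeatures:
    """Features 'collected' for one running process (constructed, not real telemetry)."""
    name: str
    listens_on_port: bool = False
    outbound_connections: int = 0
    persistence_entries: int = 0      # autorun-style startup entries the process wrote
    hidden_window: bool = False
    signed_binary: bool = True
    browser_popups: int = 0
    full_screen_alerts: int = 0


@dataclass
class Rule:
    """A classification rule: a predicate over features, a weight, and the categories it votes for."""
    name: str
    predicate: Callable[[ProcessFeatures], bool]
    weight: float
    categories: List[str]


# Constructed rule set; each rule corresponds to one or more process categories.
RULES = [
    Rule("listening_socket", lambda f: f.listens_on_port, 0.4, ["backdoor"]),
    Rule("unsigned_binary", lambda f: not f.signed_binary, 0.2, ["backdoor", "fake_alert"]),
    Rule("persistence", lambda f: f.persistence_entries > 0, 0.3, ["backdoor", "fake_alert"]),
    Rule("hidden_window", lambda f: f.hidden_window, 0.2, ["backdoor"]),
    Rule("many_outbound", lambda f: f.outbound_connections >= 10, 0.3, ["backdoor"]),
    Rule("browser_popups", lambda f: f.browser_popups >= 3, 0.5, ["fake_alert"]),
    Rule("fullscreen_alerts", lambda f: f.full_screen_alerts >= 1, 0.4, ["fake_alert"]),
]

# One threshold per category (constructed). A score at or above it classifies the process.
THRESHOLDS = {"backdoor": 0.8, "fake_alert": 0.8}


def score_process(features: ProcessFeatures, rules=RULES) -> Dict[str, float]:
    """Apply every rule and accumulate a weighted threat score for each category."""
    scores = {cat: 0.0 for cat in THRESHOLDS}
    for rule in rules:
        if rule.predicate(features):
            for cat in rule.categories:
                # round to keep float accumulation tidy for threshold comparison
                scores[cat] = round(scores[cat] + rule.weight, 6)
    return scores


def classify_process(features: ProcessFeatures, thresholds=THRESHOLDS) -> List[str]:
    """Return the categories whose score meets the category threshold; [] means no category."""
    scores = score_process(features)
    return sorted(cat for cat, score in scores.items() if score >= thresholds[cat])


def classify_all(processes: List[ProcessFeatures]) -> Dict[str, List[str]]:
    """Classify every running process and map its name to the categories assigned."""
    return {p.name: classify_process(p) for p in processes}


# Constructed sample processes: a legitimate signed network daemon, a backdoor-like
# process, a fake-alert-like process, and one that trips rules in both categories.
SAMPLE_PROCESSES = [
    ProcessFeatures("legit_daemon", listens_on_port=True, outbound_connections=2),
    ProcessFeatures("hidden_listener", listens_on_port=True, signed_binary=False,
                    persistence_entries=1, hidden_window=True),
    ProcessFeatures("popup_scanner", signed_binary=False, persistence_entries=2,
                    browser_popups=5, full_screen_alerts=2),
    ProcessFeatures("combo", listens_on_port=True, signed_binary=False,
                    persistence_entries=1, hidden_window=True, browser_popups=3),
]

if __name__ == "__main__":
    for name, cats in classify_all(SAMPLE_PROCESSES).items():
        print(f"{name:16s} -> {cats or ['(no category)']}")
```

Because a rule may vote for more than one category, a single process can end up in several categories at once, which is what the claims mean by "one or more process categories"; the per-category thresholds are what keep a weak cross-category vote (here `unsigned_binary` plus `persistence`, 0.5) from classifying a process on its own.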
20 Claims
1. A system for detecting malicious processes, the system comprising a processor running a plurality of processes, the processor configured to, for each process: collect a plurality of features of the process; apply a plurality of classification rules to the plurality of features to produce a plurality of weighted threat scores, wherein each of the plurality of classification rules corresponds to one or more of a plurality of process categories; compare the plurality of weighted threat scores to a plurality of threshold values, wherein each of the plurality of threshold values corresponds to one of the plurality of process categories; and classify the process in the one or more process categories based at least on the comparison of the plurality of weighted threat scores to the plurality of predetermined thresholds.

4. The system of claim 4, wherein the plurality of malicious process categories comprise backdoor malware.

11. A method for classifying a plurality of processes into a plurality of process categories, the method comprising, for each process of the plurality of processes: collecting a plurality of features of the process; applying a plurality of classification rules to the plurality of features to produce a plurality of weighted threat scores, wherein each of the plurality of classification rules corresponds to one or more of the plurality of process categories; comparing the plurality of weighted threat scores to a plurality of threshold values, wherein each of the plurality of threshold values corresponds to one of the plurality of process categories; and classifying the process in the one or more process categories based at least on the comparison of the plurality of weighted threat scores to the plurality of predetermined thresholds.

15. The method of claim 15, wherein the plurality of malicious process categories comprise fake alert malware.