PREEMPTIVE EVENT HANDLING

US 20150067859A1
Filed: 08/31/2014
Published: 03/05/2015
Est. Priority Date: 09/02/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method of preemptive event handling, comprising:

monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;

detecting, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device;

classifying, in run time, said first process as a malware in response to said detection of said first event; and

preventing, in run time, said first process from running on said computing device before said first event is processed by said OS.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method of preemptive event handling, The method comprises monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, detecting, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device, classifying, in run time, the first process as a malware in response to the detection of the first event, and preventing, in run time, the first process from running on the computing device before the first event is processed by the OS.

Citations

13 Claims

1. A computerized method of preemptive event handling, comprising:
- monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;
  
  detecting, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device;
  
  classifying, in run time, said first process as a malware in response to said detection of said first event; and
  
  preventing, in run time, said first process from running on said computing device before said first event is processed by said OS.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising continuously scoring each of said plurality of processes with a process score according to said plurality of events;
    - wherein said detecting comprises calculating an updated process score for respective said process score of said first process in response to an analysis of said first event and wherein said classifying is performed, in run time, in response to said updated process score.
  - 3. The method of claim 2, wherein said classifying is performed when said updated process score exceeds a malware classification threshold.
  - 4. The method of claim 1, wherein said preventing is performed in response to said classifying.
  - 5. The method of claim 1, wherein said monitoring is performed by a kernel driver that channels said plurality of events for an analysis before the processing thereof.
  - 6. The method of claim 5, wherein said classifying is performed by said kernel driver based on said analysis.
  - 7. The method of claim 1, wherein said preventing is performed by a kernel driver that filters said first event.
  - 8. The method of claim 1, further comprising filtering safe events from said plurality of events.
  - 9. The method of claim 1, further comprising preventing the execution of said first process on said computing device and deleting at least one additional event associated with said first process.
  - 10. The method of claim 1, further comprising initiating a kernel driver before said OS is loaded;
    - wherein said monitoring is performed by collecting said plurality of events in the kernel level in real time.

11. A system of reverting system data effected by a malware, comprising:
- a processor;
  
  a threat monitoring module which monitors, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device and detects, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device, said threat monitoring module uses said processor to classify, in run time, said first process as a malware in response to said detection of said first event; and
  
  an event dispatcher module which prevents, in run time, said first process from running on said computing device before said first event is processed by said OS.
- View Dependent Claims (12)
- - 12. The system of claim 11, wherein said event dispatcher module and said threat monitoring module are components of a kernel driver which operates in a kernel level.

13. A computerized method of preemptive event handling, comprising:
- a computer readable storage medium;
  
  first program instructions to monitor, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;
  
  second program instructions to detect, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device;
  
  third program instructions to classify, in run time, said first process as a malware in response to said detection of said first event; and
  
  fourth program instructions to prevent, in run time, said first process from running on said computing device before said first event is processed by said OS;
  
  wherein said first, second, third, and fourth program instructions are stored on said computer readable storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shine Security Ltd.
Original Assignee
Shine Security Ltd.
Inventors
KATZ, Itay, IDESES, Ianir, PORAT, Ron, BLAYER-GAT, Alon, FARAGE, Oren

Granted Patent

US 9,942,246 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

PREEMPTIVE EVENT HANDLING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

PREEMPTIVE EVENT HANDLING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links