BEHAVIORAL MODEL BASED MALWARE PROTECTION SYSTEM AND METHOD

US 20150172300A1
Filed: 01/09/2014
Published: 06/18/2015
Est. Priority Date: 12/17/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a behavioral model configured to describe one or more interactions associated with a protected data accessible by way of a computing device;

determining an attempt to access the protected data is abnormal based, at least in part, on a comparison between the attempt to access the protected data and the behavioral model;

determining the abnormal attempt to access the protected data is a malicious process based, at least in part, on a determined degree of variation from the behavioral model; and

causing, by a processor, the malicious process to be remediated with respect to the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of protecting a computing system or device against a malicious threat such as malware comprises generating a behavioral model configured to describe one or more interactions associated with a protected data accessible by way of a computing device. The method also comprises determining an attempt to access the protected is abnormal based, at least in part, on a comparison between the attempt to access the protected data and the behavioral model. The method further comprises determining the abnormal attempt to access the protected data is a malicious process based, at least in part, on a determined degree of variation from the behavioral model. The method additionally comprises causing, by a processor, the malicious process to be remediated with respect to the computing device.

Citations

25 Claims

1. A method comprising:
- generating a behavioral model configured to describe one or more interactions associated with a protected data accessible by way of a computing device;
  
  determining an attempt to access the protected data is abnormal based, at least in part, on a comparison between the attempt to access the protected data and the behavioral model;
  
  determining the abnormal attempt to access the protected data is a malicious process based, at least in part, on a determined degree of variation from the behavioral model; and
  
  causing, by a processor, the malicious process to be remediated with respect to the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - generating a forensic image of one or more of the malicious process, one or more processes related to the malicious process, data associated with the malicious process, or data associated with the one or more processes related to the malicious process; and
      
      processing the forensic image to determine one or more indicators of compromise associated with the malicious process.
  - 3. The method of claim 2, further comprising:
    - causing, at least in part, one or more of the forensic image, the one or more indicators of compromise, an event log detailing the one or more interactions with the protected data, or the metadata to be stored in a database.
  - 4. The method of claim 3, further comprising:
    - causing, at least in part, the one or more indicators of compromise to be communicated to a malicious process remediation platform; and
      
      causing, at least in part, the malicious process remediation platform to initiate a proactive protection operation, the proactive protection operation comprising;
      
      sharing the one or more indicators of compromise with one or more other computing devices associated with the malicious process remediation platform;
      
      causing, at least in part, memory related to the one or more other computing devices to be scanned for the one or more indicators of compromise;
      
      determining the one or more indicators of compromise exist in the memory related to the one or more other computing devices, the one or more indicators of compromise indicating the malicious process is occurring or has occurred in the one or more other computing devices; and
      
      causing, at least in part, the malicious process to be remediated with respect to the one or more other computing devices.
  - 5. The method of claim 4, wherein the malicious process remediation platform stores the one or more of the forensic image, the one or more indicators of compromise, an event log detailing the one or more interactions with the protected data, or the metadata to be stored in the database.
  - 6. The method of claim 4, wherein one or more of the computing device or the one or more other computing devices comprise a communication device, and the remediation of the malicious process with respect to the computing device or the remediation of the malicious process with respect to the one or more other computing devices comprises:
    - determining network traffic; and
      
      one or more of blocking network traffic through the communication device to the computing device or the one or more other computing devices, or redirecting network traffic through the communication device away from the computing device or the one or more other computing devices.
  - 7. The method of claim 6, wherein the communication device comprises one or more of a router, a switch, a firewall, or an intrusion protection service.
  - 8. The method of claim 4, wherein the malicious process remediation platform and the database are remote from the computing device.
  - 9. The method of claim 1, wherein the behavioral model is generated by a behavioral modeling module remote from the computing device, the behavioral model is shared with a malicious process determination module, the malicious process determination module processes the attempt to access the protected data and compares the attempt to access the protected data with the received behavioral model, and the malicious process determination module is remote from the computing device.
  - 10. The method of claim 1, wherein the one or more interactions associated with the protected data comprise one or more of a file system event, a read or write interaction accessing the protected data, or a change to metadata.
  - 11. The method of claim 1, wherein remediation of the malicious process comprises:
    - terminating the malicious process;
      
      identifying and removing data associated with the malicious process from a memory; and
      
      identifying and removing persistence mechanisms that are configured to allow the malicious process to reoccur.
  - 12. The method of claim 1, wherein the behavioral model is based, at least in part, on received information associated with one or more of a user interacting with the computing device configured to access the protected data, the computing device configured to access the protected data, a network portal configured to enable the computing device configured to access the protected data to communicate with a remote computing device, a process by which the protected data is accessed, a file type of the protected data, metadata, or a time the protected data is accessed.
  - 13. The method of claim 1, wherein the computing device is accessible by way of a hypervisor and the attempt to access the protected data occurs by way of the hypervisor.

14. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs,the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,generate a behavioral model configured to describe one or more interactions associated with a protected data accessible by way of a computing device;
  
  determine an attempt to access the protected data is abnormal based, at least in part, on a comparison between the attempt to access the protected data and the behavioral model;
  
  determine the abnormal attempt to access the protected data is a malicious process based, at least in part, on a determined degree of variation from the behavioral model; and
  
  cause the malicious process to be remediated with respect to the computing device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The apparatus of claim 14, wherein the apparatus is further caused to:
    - generate a forensic image of one or more of the malicious process, one or more processes related to the malicious process, data associated with the malicious process, or data associated with the one or more processes related to the malicious process; and
      
      process the forensic image to determine one or more indicators of compromise associated with the malicious process.
  - 16. The apparatus of claim 15, wherein the apparatus is further caused to:
    - cause, at least in part, one or more of the forensic image, the one or more indicators of compromise, an event log detailing the one or more interactions with the protected data, or the metadata to be stored in a database.
  - 17. The apparatus of claim 16, wherein the apparatus is further caused to:
    - cause, at least in part, the one or more indicators of compromise to be communicated to a malicious process remediation platform; and
      
      cause, at least in part, the malicious process remediation platform to initiate a proactive protection operation, the proactive protection operation comprising;
      
      sharing the one or more indicators of compromise with one or more other computing devices associated with the malicious process remediation platform;
      
      causing, at least in part, memory related to the one or more other computing devices to be scanned for the one or more indicators of compromise;
      
      determining the one or more indicators of compromise exist in the memory related to the one or more other computing devices, the one or more indicators of compromise indicating the malicious process is occurring or has occurred in the one or more other computing devices; and
      
      causing, at least in part, the malicious process to be remediated with respect to the one or more other computing devices.
  - 18. The apparatus of claim 17, wherein the malicious process remediation platform stores the one or more of the forensic image, the one or more indicators of compromise, an event log detailing the one or more interactions with the protected data, or the metadata to be stored in the database.
  - 19. The apparatus of claim 17, wherein one or more of the computing device or the one or more other computing devices comprise a communication device, and the remediation of the malicious process with respect to the computing device or the remediation of the malicious process with respect to the one or more other computing devices comprises:
    - determining network traffic; and
      
      one or more of blocking network traffic through the communication device to the computing device or the one or more other computing devices, or redirecting network traffic through the network portal away from the computing device or the one or more other computing devices.
  - 20. The apparatus of claim 19, wherein the communication device comprises one or more of a router, a switch, a firewall, or an intrusion protection service.
  - 21. The apparatus of claim 17, wherein the malicious process remediation platform and the database are remote from the computing device.
  - 22. The apparatus of claim 14, wherein the behavioral model is generated by a behavioral modeling module remote from the computing device, the behavioral model is shared with a malicious process determination module, the malicious process determination module processes the attempt to access the protected data and compares the attempt to access the protected data with the received behavioral model, and the malicious process determination module is remote from the computing device.
  - 23. The apparatus of claim 14, wherein the one or more interactions associated with the protected data comprise one or more of a file system event, a read or write interaction accessing the protected data, or a change to metadata.
  - 24. The apparatus of claim 14, wherein remediation of the malicious process comprises:
    - terminating the malicious process;
      
      identifying and removing data associated with the malicious process from a memory; and
      
      identifying and removing persistence mechanisms that are configured to allow the malicious process to reoccur.
  - 25. The apparatus of claim 14, wherein the behavioral model is based, at least in part, on received information associated with one or more of a user interacting with the computing device configured to access the protected data, the computing device configured to access the protected data, a network portal configured to enable the computing device configured to access the protected data to communicate with a remote computing device, a process by which the protected data is accessed, a file type of the protected data, metadata, or a time the protected data is accessed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hoplite Industries, Inc.
Original Assignee
Hoplite Industries, Inc.
Inventors
COCHENOUR, Anthony James

Granted Patent

US 9,386,034 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04W 12/128   Anti-malware arrangements, ...

BEHAVIORAL MODEL BASED MALWARE PROTECTION SYSTEM AND METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

BEHAVIORAL MODEL BASED MALWARE PROTECTION SYSTEM AND METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links