SYSTEMS AND METHODS FOR IDENTIFYING A SOURCE OF A SUSPECT EVENT

US 20150278518A1
Filed: 03/31/2014
Published: 10/01/2015
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying a source of a suspect event, comprising:

registering system events in a database;

detecting a suspicious event associated with a first process;

identifying the first process as being one of a plurality of potential puppet processes; and

querying the registered system events in the database to identify a second process, the second process detected as launching the first process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for identifying a source of a suspect event is described. In one embodiment, system events may be registered in a database. A suspicious event associated with a first process may be detected and the first process may be identified as being one of a plurality of potential puppet processes. The registered system events in the database may be queried to identify a second process, where the second process is detected as launching the first process.

12 Citations

View as Search Results

20 Claims

1. A computer-implemented method for identifying a source of a suspect event, comprising:
- registering system events in a database;
  
  detecting a suspicious event associated with a first process;
  
  identifying the first process as being one of a plurality of potential puppet processes; and
  
  querying the registered system events in the database to identify a second process, the second process detected as launching the first process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - generating a notification, the notification identifying the second process as the source of the suspect event.
  - 3. The method of claim 1, further comprising:
    - determining that the second process closes upon initiating the first process.
  - 4. The method of claim 1, further comprising:
    - upon identifying the second process that initiated the first process, identifying the first process as a puppet process.
  - 5. The method of claim 1, wherein the first process is initiated via instructions supplied directly on a command line interface by the second process.
  - 6. The method of claim 1, wherein the first process is initiated via instructions from at least one file, a path to the at least one file being supplied on a command line interface by the second process.
  - 7. The method of claim 1, further comprising:
    - maintaining a list of potential puppet processes;
      
      detecting a new puppet process via the registered system events, wherein the registered system events comprise a detected process launch event; and
      
      adding the new puppet process to the list of potential puppet processes.
  - 8. The method of claim 7, wherein the list of potential puppet processes comprises at least one process with a command line interface.
  - 9. The method of claim 8, wherein the list of potential puppet processes includes at least one of cmd.exe, rundll.exe, rundll32.exe, regsvr32.exe, dllhost.exe, regedit.exe, taskhost.exe, cscript, wscript, vbscript, perlscript, bash, ldconfig, terminal app, and x-code.app.
  - 10. The method of claim 1, wherein the system events are registered via a kernel-mode driver.

11. A computing device configured to identify a source of a suspect event, comprising:
- a processor;
  
  memory in electronic communication with the processor;
  
  instructions stored in the memory, the instructions being executable by the processor to;
  
  register system events in a database;
  
  detect a suspicious event associated with a first process;
  
  identify the first process as being one of a plurality of potential puppet processes; and
  
  query the registered system events in the database to identify a second process, the second process detected as launching the first process.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computing device of claim 11, wherein the instructions are executable by the processor to:
    - generate a notification, the notification identifying the second process as the source of the suspect event.
  - 13. The computing device of claim 11, wherein the instructions are executable by the processor to:
    - determine that the second process closes upon initiating the first process.
  - 14. The computing device of claim 11, wherein the instructions are executable by the processor to:
    - upon identifying the second process that initiated the first process, identify the first process as a puppet process.
  - 15. The computing device of claim 11, wherein the first process is initiated via instructions supplied directly on a command line interface by the second process.
  - 16. The computing device of claim 11, wherein the first process is initiated via instructions from at least one file, a path to the at least one file being supplied on a command line interface by the second process.
  - 17. The computing device of claim 11, wherein the instructions are executable by the processor to:
    - maintain a list of potential puppet processes;
      
      detect a new puppet process via the registered system events, wherein the registered system events comprise a detected process launch event; and
      
      add the new puppet process to the list of potential puppet processes.
  - 18. The computing device of claim 17, wherein the list of potential puppet processes comprises at least one process with a command line interface.

19. A computer-program product for identify, by a processor, a source of a suspect event, the computer-program product comprising a non-transitory computer-readable medium storing instructions thereon, the instructions being executable by the processor to:
- register system events in a database;
  
  detect a suspicious event associated with a first process;
  
  identify the first process as being one of a plurality of potential puppet processes; and
  
  query the registered system events in the database to identify a second process, the second process detected as launching the first process.
- View Dependent Claims (20)
- - 20. The computer-program product of claim 19, wherein the instructions are executable by the processor to:
    - generate a notification, the notification identifying the second process as the source of the suspect event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane

Granted Patent

US 9,378,367 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554 involving event detection a...

SYSTEMS AND METHODS FOR IDENTIFYING A SOURCE OF A SUSPECT EVENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR IDENTIFYING A SOURCE OF A SUSPECT EVENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links