Large Scale Malicious Process Detection

US 20160269424A1
Filed: 03/13/2015
Published: 09/15/2016
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method configured to identify a set or session of processes as having certain characteristics, the method comprising:

obtaining a known set or session of processes, wherein the known set or session of processes has the certain characteristics;

obtaining a set or session of processes to be evaluated, captured from a command interface, to determine if the set or session of processes to be evaluated has the certain characteristics;

performing a weighted similarity measure between the known set or session of processes and the set or session of processes to be evaluated, wherein the weighted similarity measure is performed element wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes and where elements in the known set or session of processes have different weights and where the similarity measure is dependent both on matching elements in the set or session of processes to be evaluated with elements in the known set or session of processes and the weight(s) of any elements in the known set or session of processes that match elements in the set or session of processes to be evaluated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Identify a set or session of processes as having certain characteristics. A method obtains a known set or session of processes, wherein the known set or session of processes has the certain characteristics. A set or session of processes to be evaluated is obtained. A weighted similarity measure is performed between the known set or session of processes and the set or session of processes to be evaluated. The weighted similarity measure is performed element wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes.

96 Citations

View as Search Results

20 Claims

1. A method configured to identify a set or session of processes as having certain characteristics, the method comprising:
- obtaining a known set or session of processes, wherein the known set or session of processes has the certain characteristics;
  
  obtaining a set or session of processes to be evaluated, captured from a command interface, to determine if the set or session of processes to be evaluated has the certain characteristics;
  
  performing a weighted similarity measure between the known set or session of processes and the set or session of processes to be evaluated, wherein the weighted similarity measure is performed element wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes and where elements in the known set or session of processes have different weights and where the similarity measure is dependent both on matching elements in the set or session of processes to be evaluated with elements in the known set or session of processes and the weight(s) of any elements in the known set or session of processes that match elements in the set or session of processes to be evaluated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein performing a weighted similarity measure comprises performing a weighted Jaccard similarity measure.
  - 3. The method of claim 1, wherein performing a weighted similarity measure comprises performing a weighted similarity measure where weighting is based on term frequency which identifies the frequency of given element values in the set or session of processes to be evaluated.
  - 4. The method of claim 1, wherein performing a weighted similarity measure comprises performing a weighted similarity measure where weighting is based on inverse document frequency which identifies the frequency of given element values in the known set or session of processes.
  - 5. The method of claim 1, wherein the elements are discrete arguments or commands.
  - 6. The method of claim 1, wherein the elements are Ngrams.
  - 7. The method of claim 1, further comprising:
    - obtaining a MinHash vector for the known set or session of processes;
      
      obtaining a MinHash vector for the set or session of processes to be evaluated;
      
      determining whether or not the MinHash vector for the set or session of processes to be evaluated meets a predetermined threshold criteria with respect to the MinHash vector for the known set or session of processes;
      
      filtering the set or session of processes to be evaluated based on the threshold determination; and
      
      wherein the weighted similarity measure is performed on the filtered set or session of processes to be evaluated.
  - 8. The method of claim 7, wherein hashing to create the MinHash vector for the set or session of processes to be evaluated is performed at a local machine where the set or session of processes to be evaluated were invoked and wherein obtaining the MinHash vector comprises obtaining the MinHash vector from the local machine.
  - 9. The method of claim 7, wherein hashing to create the MinHash vector for the set or session of processes to be evaluated is performed at a local machine where the set or session of processes to be evaluated were invoked and the MinHash vector for the known set or session of processes is obtained from a central authority and wherein determining whether or not the MinHash vector for the set or session of processes to be evaluated meets a predetermined threshold criteria with respect to the MinHash vector for the known set or session of processes is performed at the local machine.
  - 10. The method of claim 7, the one or more computer readable media further comprising computer executable instructions that when executed by the one or more processors cause the following to be performed:
    - receiving the set or session of processes to be evaluated from a local machine where the set or session of processes to be evaluated were invoked; and
      
      from the set or session of processes to be evaluated, computing the MinHash vector for the set or session of processes to be evaluated.
  - 11. The method of claim 7, the one or more computer readable media further comprising computer executable instructions that when executed by the one or more processors cause the following to be performed:
    - receiving an Ngrams vector based on the set or session of processes to be evaluated from a local machine where the set or session of processes to be evaluated were invoked; and
      
      from the set or session of processes to be evaluated, computing the MinHash vector for the set or session of processes to be evaluated.

12. In a computing environment, a system for filtering sets or sessions of processes, the system comprising:
- one or more computer processors;
  
  one or more computer readable media coupled to the one or more processors, the one or more computer readable media comprising computer executable instructions that when executed by one or more of the one or more computer processors cause the following to be performed;
  
  obtaining a set or session of processes to be evaluated, wherein the set or session of processes is captured from a command interface configured to receiver user commands for execution by one or more processors, to determine if the set or session of processes to be evaluated has the certain characteristics;
  
  obtaining a MinHash vector for a known set or session of processes;
  
  obtaining a MinHash vector from the set or session of processes to be evaluated;
  
  determining whether or not the MinHash vector for the set or session of processes to be evaluated meets a predetermined threshold criteria with respect to the MinHash vector for the known set or session of processes; and
  
  filtering the set or session of processes to be evaluated based on the threshold determination.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein hashing to create the MinHash vector for the set or session of processes to be evaluated is performed at a local machine where the set or session of processes to be evaluated were invoked and wherein obtaining the MinHash vector comprises obtaining the MinHash vector from the local machine.
  - 14. The system of claim 12, wherein hashing to create the MinHash vector for the set or session of processes to be evaluated is performed at a local machine where the set or session of processes to be evaluated were invoked and the MinHash vector for the known set or session of processes is obtained from a central authority and wherein determining whether or not the MinHash vector for the set or session of processes to be evaluated meets a predetermined threshold criteria with respect to the MinHash vector for the known set or session of processes is performed at the local machine.
  - 15. The system of claim 12, the one or more computer readable media further comprising computer executable instructions that when executed by the one or more processors cause the following to be performed:
    - receiving the set or session of processes to be evaluated from a local machine where the set or session of processes to be evaluated were invoked; and
      
      from the set or session of processes to be evaluated, computing the MinHash vector for the set or session of processes to be evaluated.
  - 16. The system of claim 12, the one or more computer readable media further comprising computer executable instructions that when executed by the one or more processors cause the following to be performed:
    - receiving an Ngrams vector based on the set or session of processes to be evaluated from a local machine where the set or session of processes to be evaluated were invoked; and
      
      from the set or session of processes to be evaluated, computing the MinHash vector for the set or session of processes to be evaluated.

17. A computing system configured to identify a set or session of processes as having certain characteristics, the system comprising:
- one or more computer processors;
  
  one or more computer readable media coupled to the one or more processors, the one or more computer readable media comprising computer executable instructions that when executed by one or more of the one or more computer processors cause the following to be performed;
  
  obtaining a known set or session of processes, wherein the known set or session of processes has the certain characteristics;
  
  obtaining a set or session of processes to be evaluated, wherein the set or session of process is captured from a command interface, to determine if the set or session of processes to be evaluated has the certain characteristics;
  
  performing a weighted similarity measure between the known set or session of processes and the set or session of processes to be evaluated, wherein the weighted similarity measure is performed element wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes and where elements in the known set or session of processes have different weights and where the similarity measure is dependent both on matching elements in the set or session of processes to be evaluated with elements in the known set or session of processes and the weight(s) of any elements in the known set or session of processes that match elements in the set or session of processes to be evaluated.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein performing a weighted similarity measure comprises performing a weighted similarity measure where weighting is based on term frequency which identifies the frequency of given element values in the set or session of processes to be evaluated.
  - 19. The system of claim 17, wherein performing a weighted similarity measure comprises performing a weighted similarity measure where weighting is based on inverse document frequency which identifies the frequency of given element values in the known set or session of processes.
  - 20. The system of claim 17, the one or more computer readable media further comprising computer executable instructions that when executed by the one or more processors cause the following to be performed:
    - obtaining a MinHash vector for the known set or session of processes;
      
      obtaining a MinHash vector for the set or session of processes to be evaluated;
      
      determining whether or not the MinHash vector for the set or session of processes to be evaluated meets a predetermined threshold criteria with respect to the MinHash vector for the known set or session of processes;
      
      filtering the set or session of processes to be evaluated based on the threshold determination; and
      
      wherein the weighted similarity measure is performed on the filtered set or session of processes to be evaluated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Lapid Shafriri, Gil, Burrell, Timothy W., Chandola, Himanshu, Stokes, Jack Wilson III, Wittenberg, Craig Henry, Seifert, Christian

Granted Patent

US 9,819,689 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2455   Query execution

G06F 16/24578   using ranking

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

Large Scale Malicious Process Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

96 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Large Scale Malicious Process Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links