Large Scale Malicious Process Detection
Abstract
Identify a set or session of processes as having certain characteristics. A method obtains a known set or session of processes, wherein the known set or session of processes has the certain characteristics. A set or session of processes to be evaluated is obtained. A weighted similarity measure is performed between the known set or session of processes and the set or session of processes to be evaluated. The weighted similarity measure is performed element wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes.
20 Claims
1. A method configured to identify a set or session of processes as having certain characteristics, the method comprising:
obtaining a known set or session of processes, wherein the known set or session of processes has the certain characteristics;
obtaining a set or session of processes to be evaluated, captured from a command interface, to determine if the set or session of processes to be evaluated has the certain characteristics;
performing a weighted similarity measure between the known set or session of processes and the set or session of processes to be evaluated, wherein the weighted similarity measure is performed element wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes and where elements in the known set or session of processes have different weights and where the similarity measure is dependent both on matching elements in the set or session of processes to be evaluated with elements in the known set or session of processes and the weight(s) of any elements in the known set or session of processes that match elements in the set or session of processes to be evaluated.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. In a computing environment, a system for filtering sets or sessions of processes, the system comprising:
one or more computer processors;
one or more computer readable media coupled to the one or more processors, the one or more computer readable media comprising computer executable instructions that when executed by one or more of the one or more computer processors cause the following to be performed:
obtaining a set or session of processes to be evaluated, wherein the set or session of processes is captured from a command interface configured to receive user commands for execution by one or more processors, to determine if the set or session of processes to be evaluated has the certain characteristics;
obtaining a MinHash vector for a known set or session of processes;
obtaining a MinHash vector from the set or session of processes to be evaluated;
determining whether or not the MinHash vector for the set or session of processes to be evaluated meets a predetermined threshold criteria with respect to the MinHash vector for the known set or session of processes; and
filtering the set or session of processes to be evaluated based on the threshold determination.
Dependent claims: 13, 14, 15, 16.
17. A computing system configured to identify a set or session of processes as having certain characteristics, the system comprising:
one or more computer processors;
one or more computer readable media coupled to the one or more processors, the one or more computer readable media comprising computer executable instructions that when executed by one or more of the one or more computer processors cause the following to be performed:
obtaining a known set or session of processes, wherein the known set or session of processes has the certain characteristics;
obtaining a set or session of processes to be evaluated, wherein the set or session of processes is captured from a command interface, to determine if the set or session of processes to be evaluated has the certain characteristics;
performing a weighted similarity measure between the known set or session of processes and the set or session of processes to be evaluated, wherein the weighted similarity measure is performed element wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes and where elements in the known set or session of processes have different weights and where the similarity measure is dependent both on matching elements in the set or session of processes to be evaluated with elements in the known set or session of processes and the weight(s) of any elements in the known set or session of processes that match elements in the set or session of processes to be evaluated.
Dependent claims: 18, 19, 20.
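The following is an added illustration, not code from the patent or its assignee, of the two mechanisms the independent claims describe: the element-wise weighted similarity of claims 1 and 17, and the MinHash threshold filter of claim 12. The known session, its element weights, and the evaluated sessions are constructed sample data; the prefix-matching rule and the SHA-256-seeded hash family are assumptions chosen for the example.

```python
# Added example, not the patent's own code: the weighted element-wise
# similarity of claims 1/17 and the MinHash threshold filter of claim 12.
# All sessions, elements and weights below are constructed sample data.
import hashlib
import re

# Constructed known session: command elements with analyst-assigned weights,
# higher for elements that are more characteristic of the known behaviour.
KNOWN_SESSION = {
    "whoami": 1.0,
    "net user": 2.0,
    "net localgroup administrators": 3.0,
    "reg query": 1.5,
    "vssadmin delete shadows": 5.0,
}

def tokenize(session_text):
    """Split a captured command-interface session into normalised elements."""
    return [re.sub(r"\s+", " ", line.strip().lower())
            for line in session_text.splitlines() if line.strip()]

def weighted_similarity(known, evaluated):
    """Compare each evaluated element against the known elements; the score is
    the total weight of the known elements matched, normalised to 0..1.
    Matching is by command prefix (an assumption) so arguments do not defeat it."""
    matched = set()
    for element in evaluated:
        for known_element in known:
            if element == known_element or element.startswith(known_element + " "):
                matched.add(known_element)
    total = sum(known.values())
    return sum(known[k] for k in matched) / total if total else 0.0

def minhash(elements, num_hashes=64):
    """MinHash signature: for each seeded hash function keep the minimum hash
    over the session's elements. Position-wise agreement estimates Jaccard."""
    if not elements:
        return [None] * num_hashes
    return [min(int.from_bytes(hashlib.sha256(f"{seed}:{e}".encode()).digest()[:8], "big")
                for e in set(elements))
            for seed in range(num_hashes)]

def minhash_similarity(sig_a, sig_b):
    """Fraction of signature positions that agree (estimated Jaccard similarity)."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)

def filter_sessions(session_texts, known_elements, threshold=0.5, num_hashes=64):
    """Keep only sessions whose MinHash similarity to the known session meets threshold."""
    known_sig = minhash(known_elements, num_hashes)
    return [s for s in session_texts
            if minhash_similarity(minhash(tokenize(s), num_hashes), known_sig) >= threshold]
```

A session that matches 11.0 of the 12.5 total known weight scores 0.88 under the weighted measure, while the MinHash filter treats a session as a set of elements and so is cheaper to apply at scale before the weighted comparison.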
Specification