DETECTION AND PREVENTION FOR MALICIOUS THREATS

US 20160357966A1
Filed: 08/14/2016
Published: 12/08/2016
Est. Priority Date: 05/03/2012
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for protecting a computer device from one or more malicious threats, comprising:

using one or more hardware processors for executing;

instructions for monitoring at least one of a plurality of events and a plurality of processes executed on said computing device in run time, and a plurality of host activities of said computing device in run time, wherein said plurality of host activities are identified by correlating among at least one of said plurality of events and said plurality of processes;

instructions for identifying a compliance of at least some of said plurality of host activities with a plurality of rules;

instructions for generating a status dataset generated according to said compliance, wherein said status dataset comprises compliance indications of said compliance;

instructions for identifying a match between said compliance indications of said status dataset and at least one of a plurality of reference profiles each indicative of a computing device operation under a malicious threat activity; and

instructions for detecting a malicious threat related to at least one malicious code executed on said computing device according to said match.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of identifying one or more malicious threats in a computing device. The device comprises monitoring a plurality of events occurring on a computing device in run time, a plurality of processes executed on the computing device in run time, and a plurality of host activities of the computing device in run time, identifying a compliance of at least some of the plurality of events, the plurality of processes, and the plurality of host activities with a plurality of rules, generating a rule compliance status dataset generated according to the compliance, identifying a match between the rule compliance status dataset and at least one of a plurality of reference profiles each indicative of a computing device operation under a malicious threat activity, and detecting a malicious threat according to the match.

16 Citations

20 Claims

1. A computer-implemented method for protecting a computer device from one or more malicious threats, comprising:
- using one or more hardware processors for executing;
  
  instructions for monitoring at least one of a plurality of events and a plurality of processes executed on said computing device in run time, and a plurality of host activities of said computing device in run time, wherein said plurality of host activities are identified by correlating among at least one of said plurality of events and said plurality of processes;
  
  instructions for identifying a compliance of at least some of said plurality of host activities with a plurality of rules;
  
  instructions for generating a status dataset generated according to said compliance, wherein said status dataset comprises compliance indications of said compliance;
  
  instructions for identifying a match between said compliance indications of said status dataset and at least one of a plurality of reference profiles each indicative of a computing device operation under a malicious threat activity; and
  
  instructions for detecting a malicious threat related to at least one malicious code executed on said computing device according to said match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising scoring at least some of said plurality of events and detecting said malicious threat according to a combination of an outcome of said scoring and said match.
  - 3. The method of claim 2, further comprising at least some of said plurality of host activities and detecting said malicious threat according to a combination of an outcome of said scoring and said match.
  - 4. The method of claim 1, further comprising scoring a at least some of said plurality of processes and detecting said malicious threat according to a combination of an outcome of said scoring and said match.
  - 5. The method of claim 1, wherein said monitoring comprises normalizing said plurality of events.
  - 6. The method of claim 1, wherein said monitoring comprises filtering a group of unmalicious events from said plurality of events according to unmalicious event dataset comprising a plurality of event profiles generated according to a statistical analysis of a plurality of event logs recorded in a plurality of computing devices.
  - 7. The method of claim 1, wherein said identifying a compliance comprises identifying at least one of:
    - an event compliance of said plurality of events with a plurality of event level rules,a process compliance of said plurality of processes with a plurality of process level rules, anda host activity compliance of said plurality of host activities with a plurality of host activity level rules.
  - 8. The method of claim 7, wherein said generating comprises combining between data indicative of said event compliance, data indicative of said process compliance and data indicative of said host activity compliance.
  - 9. The method of claim 7, wherein said event compliance is performed by analyzing a compliance of a sequence from said plurality of events according to at least one of said plurality of event level rules.
  - 10. The method of claim 1, wherein said monitoring comprises classifying said plurality of events and counting said plurality of events in light of said classification, said compliance is checked according to said counting.
  - 11. The method of claim 1, wherein said generating comprises calculating a similarity score of said match, said detecting is performed according to said similarity score.
  - 12. The method of claim 11, further comprising scoring a threat level of at least some of said plurality of host activities;
    - said detecting is performed according to a combination of said scoring and said similarity score.
  - 13. The method of claim 1, wherein said status dataset is a binary dataset wherein each field is indicative of compliance or noncompliance with another of said plurality of rules.
  - 14. The method of claim 1, wherein said plurality of events comprises a plurality of kernel level events.
  - 15. The method of claim 1, wherein monitoring comprises documenting said plurality of events in an event log, said plurality of host activities is generated from an analysis of said event log.
  - 16. The method of claim 1, further comprising classifying at least one member of a group consisting of:
    - said plurality of events, said plurality of processes, and said plurality of host activities, sending data pertaining to said at least one member to inspection by a central unit.

17. A computer-implemented method for protecting a computer device from one or more malicious threats, comprising:
- using one or more hardware processors for executing code instructions for;
  
  monitoring a plurality of events occurring on said computing device in run time;
  
  identifying a plurality of processes executed on said computing device;
  
  calculating a process score to each said process;
  
  identifying a plurality of host activities of said computing device each related to a group of processes from said plurality of processes;
  
  scoring each said host activity by aggregating respective process scores of a respective said group of processes; and
  
  detecting a malware related to at least one malicious code executed on said computing device when at least one of said process scores and said data activity scores exceeds a respective score threshold.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, further comprising identifying a plurality of environment activities of a computing device environment comprising said computing device, each said environment activity being related to a group of host activities from a plurality of computing devices in said computing device environment and scoring each said environment activity by aggregating respective host activity scores of a respective said group of host activities.
  - 19. The method of claim 17, wherein said one or more hardware processors are adapted for executing code instructions for updating said malware profile with unrecorded behavior in at least one of event level, process level, host activity level and environment activity level.

20. A system for identifying one or more malicious threats, comprising:
- a plurality of monitoring modules installed in a plurality of computing devices, each said monitoring module comprising executable code executed by each of said computing devices for monitoring at least one of a plurality of events, a plurality of processes and a plurality of host activities of a respective hosting said computing device in run time, for checking compliance of at least one of said plurality of events, said plurality of processes and said plurality of host activities with a plurality of rules, for generating a status dataset comprising compliance indications of said compliance, and for detecting a malicious threat activity according to a match between said compliance indications of said status dataset and at least one of a plurality of reference profiles in a profile repository, wherein said plurality of processes are identified by correlating among at least one of said plurality of events, said plurality of processes and said plurality of host activities; and
  
  at least one server adapted to receive, via network, a plurality of status datasets comprising compliance indications of compliance with said plurality of rules including said status dataset from said plurality of monitoring modules and updates said profiles accordingly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shine Security Ltd.
Original Assignee
Shine Security Ltd.
Inventors
BAYORA, Andrey, BLAYER-GAT, Alon, PORAT, Ron, FARAGE, Oren

Application Number

US15/236,436
Publication Number

US 20160357966A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/14   Protection against unauthor...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/556   involving covert channels, ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 9/40   Network security protocols

DETECTION AND PREVENTION FOR MALICIOUS THREATS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION AND PREVENTION FOR MALICIOUS THREATS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links