DETECTION AND PREVENTION FOR MALICIOUS THREATS
Abstract
A method of identifying one or more malicious threats in a computing device. The method comprises monitoring, in run time, a plurality of events occurring on the computing device, a plurality of processes executed on the computing device, and a plurality of host activities of the computing device; identifying a compliance of at least some of the events, processes and host activities with a plurality of rules; generating a rule compliance status dataset according to the compliance; identifying a match between the rule compliance status dataset and at least one of a plurality of reference profiles, each indicative of a computing device operating under a malicious threat activity; and detecting a malicious threat according to the match.
20 Claims
1. A computer-implemented method for protecting a computing device from one or more malicious threats, comprising:
using one or more hardware processors for executing:
instructions for monitoring at least one of a plurality of events and a plurality of processes executed on said computing device in run time, and a plurality of host activities of said computing device in run time, wherein said plurality of host activities are identified by correlating among at least one of said plurality of events and said plurality of processes;
instructions for identifying a compliance of at least some of said plurality of host activities with a plurality of rules;
instructions for generating a status dataset according to said compliance, wherein said status dataset comprises compliance indications of said compliance;
instructions for identifying a match between said compliance indications of said status dataset and at least one of a plurality of reference profiles each indicative of a computing device operation under a malicious threat activity; and
instructions for detecting a malicious threat related to at least one malicious code executed on said computing device according to said match.
(Claims 2 to 16 depend from claim 1 and are not reproduced on this page.)

17. A computer-implemented method for protecting a computing device from one or more malicious threats, comprising:
using one or more hardware processors for executing code instructions for:
monitoring a plurality of events occurring on said computing device in run time;
identifying a plurality of processes executed on said computing device;
calculating a process score for each said process;
identifying a plurality of host activities of said computing device, each related to a group of processes from said plurality of processes;
scoring each said host activity by aggregating the respective process scores of the respective said group of processes; and
detecting a malware related to at least one malicious code executed on said computing device when at least one of said process scores and said data activity scores exceeds a respective score threshold.
(Claims 18 and 19 depend from claim 17 and are not reproduced on this page.)

20. A system for identifying one or more malicious threats, comprising:
a plurality of monitoring modules installed in a plurality of computing devices, each said monitoring module comprising executable code executed by the respective computing device for monitoring at least one of a plurality of events, a plurality of processes and a plurality of host activities of the respective hosting computing device in run time, for checking compliance of at least one of said plurality of events, said plurality of processes and said plurality of host activities with a plurality of rules, for generating a status dataset comprising compliance indications of said compliance, and for detecting a malicious threat activity according to a match between said compliance indications of said status dataset and at least one of a plurality of reference profiles in a profile repository, wherein said plurality of processes are identified by correlating among at least one of said plurality of events, said plurality of processes and said plurality of host activities; and
at least one server adapted to receive, via a network, a plurality of status datasets, including said status dataset, comprising compliance indications of compliance with said plurality of rules from said plurality of monitoring modules, and to update said profiles accordingly.
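The claims above describe a pipeline, not an implementation: correlate raw events and processes into host activities, check each activity against rules, collect the resulting compliance indications into a status dataset, and match that dataset against reference profiles of a device operating under malicious activity (claim 1); or, alternatively, score each process, aggregate process scores per host activity, and compare both against thresholds (claim 17). The Python below is an added illustration written for this page, not code from the patent or its assignee. Everything in it is constructed: the event tuples, the rule set, the two reference profiles, the event weights and the thresholds; and the choice of "the process tree under one direct child of pid 1" as the correlation key is one arbitrary reading of "correlating among events and processes", which the claims leave open.

```python
from collections import defaultdict

# Constructed sample telemetry (not captured from a real host):
# (timestamp, pid, ppid, image, event_type, detail)
EVENTS = [
    (1, 100, 1,   "explorer.exe",   "process_start", ""),
    (2, 200, 100, "winword.exe",    "process_start", ""),
    (3, 200, 100, "winword.exe",    "file_open",     r"C:\Users\a\invoice.docm"),
    (4, 300, 200, "powershell.exe", "process_start", "-nop -w hidden -enc SQBFAFgA"),
    (5, 300, 200, "powershell.exe", "net_connect",   "198.51.100.7:4444"),
    (6, 400, 300, "rundll32.exe",   "process_start", ""),
    (7, 400, 300, "rundll32.exe",   "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (8, 500, 1,   "chrome.exe",     "process_start", ""),
    (9, 500, 1,   "chrome.exe",     "net_connect",   "142.250.0.1:443"),
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def correlate_host_activities(events, root_pid=1):
    """Claim 1 step: correlate events/processes into host activities. Assumed
    key: the process tree under one direct child of root_pid -> {root: [events]}."""
    parent = {pid: ppid for _, pid, ppid, *_ in events}
    def tree_root(pid):
        while parent.get(pid, root_pid) != root_pid:  # unobserved parent: stop here
            pid = parent[pid]
        return pid
    activities = defaultdict(list)
    for ev in events:
        activities[tree_root(ev[1])].append(ev)
    return dict(activities)

def _has_ancestor_in(events, pid, images):
    """True if an ancestor of pid within this activity runs one of `images`."""
    parent = {e[1]: e[2] for e in events}
    image = {e[1]: e[3] for e in events}
    while pid in parent:
        pid = parent[pid]
        if image.get(pid) in images:
            return True
    return False

# Rules (constructed): each maps one activity's events to a compliance
# indication; True means the rule's suspicious condition is present.
RULES = {
    "office_spawns_shell": lambda evs: any(
        e[3] in SHELLS and _has_ancestor_in(evs, e[1], OFFICE) for e in evs),
    "encoded_powershell": lambda evs: any(
        e[3] == "powershell.exe" and e[4] == "process_start" and "-enc" in e[5].lower() for e in evs),
    "outbound_nonstandard_port": lambda evs: any(
        e[4] == "net_connect" and e[5].rsplit(":", 1)[-1] not in ("80", "443") for e in evs),
    "run_key_persistence": lambda evs: any(
        e[4] == "registry_write" and "\\run\\" in e[5].lower() for e in evs),
    "macro_document_opened": lambda evs: any(
        e[4] == "file_open" and e[5].lower().endswith((".docm", ".xlsm")) for e in evs),
}

# Reference profiles (constructed): every listed rule must fire for a match.
PROFILES = {
    "macro_dropper_with_c2": {"office_spawns_shell", "encoded_powershell", "outbound_nonstandard_port"},
    "office_persistence": {"office_spawns_shell", "run_key_persistence"},
}

def build_status_dataset(activities, rules=RULES):
    """Status dataset of compliance indications: {activity_id: {rule: bool}}."""
    return {aid: {name: bool(check(evs)) for name, check in rules.items()}
            for aid, evs in activities.items()}

def match_profiles(status_dataset, profiles=PROFILES):
    """Detection by profile match: {activity_id: [matched profile names]}."""
    hits = {}
    for aid, indications in status_dataset.items():
        fired = {r for r, v in indications.items() if v}
        matched = sorted(p for p, required in profiles.items() if required <= fired)
        if matched:
            hits[aid] = matched
    return hits

# Claim 17 path: per-process scores aggregated into host activity scores.
EVENT_WEIGHTS = {"process_start": 1, "file_open": 1, "net_connect": 3, "registry_write": 4}

def score_processes(events):
    """Per-process score: summed event weights, plus 5 for an encoded PowerShell start."""
    scores = defaultdict(int)
    for _, pid, _, image, etype, detail in events:
        scores[pid] += EVENT_WEIGHTS.get(etype, 0)
        if image == "powershell.exe" and etype == "process_start" and "-enc" in detail.lower():
            scores[pid] += 5
    return dict(scores)

def detect(events, process_threshold=8, activity_threshold=12):
    """Run both detection paths over one event stream (thresholds are constructed)."""
    activities = correlate_host_activities(events)
    status = build_status_dataset(activities)
    pscores = score_processes(events)
    ascores = {aid: sum(score_processes(evs).values()) for aid, evs in activities.items()}
    return {
        "status_dataset": status,
        "profile_matches": match_profiles(status),
        "process_over_threshold": sorted(p for p, s in pscores.items() if s >= process_threshold),
        "activity_over_threshold": sorted(a for a, s in ascores.items() if s >= activity_threshold),
    }
```

On the constructed stream, the Office tree (root pid 100) fires all five rules and so matches both profiles, while the browser tree (root pid 500) fires none; on the scoring path the encoded PowerShell process alone crosses the process threshold and its activity crosses the activity threshold. The status dataset is what claim 20's monitoring modules would ship to the server: a small per-activity vector of booleans rather than raw telemetry, which is also what makes server-side profile updates cheap.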
Specification