Behaviour Based Malware Prevention

US 20170161499A1
Filed: 11/28/2016
Published: 06/08/2017
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware present on a computer system, the method comprising:

a) predefining a set of applications as benign;

b) providing profiles for respective benign applications, each profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions;

c) monitoring behaviour of the computer system to detect performance, by a running application, of a characteristic action of a procedure of a benign application;

d) upon detection of performance of a characteristic action, using the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and

e) using the detection of a deviation to identify the running application as malicious or suspicious.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting malware present on a computer system. A set of applications is predefined as benign, and profiles are provided for respective benign applications. Each profile identifies one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions. Behaviour of the computer system is monitored to detect performance, by a running application, of a characteristic action of a procedure of a benign application. Upon detection of performance of a characteristic action, the profile provided for the associated benign application is used to detect a deviation from the expected actions of the procedure; and the detection of a deviation is used to identify the running application as malicious or suspicious.

15 Citations

View as Search Results

17 Claims

1. A method of detecting malware present on a computer system, the method comprising:
- a) predefining a set of applications as benign;
  
  b) providing profiles for respective benign applications, each profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions;
  
  c) monitoring behaviour of the computer system to detect performance, by a running application, of a characteristic action of a procedure of a benign application;
  
  d) upon detection of performance of a characteristic action, using the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and
  
  e) using the detection of a deviation to identify the running application as malicious or suspicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1 and comprising, at steps c) and d), identifying the benign application using identifying information stored with the associated profile.
  - 3. A method according to claim 2, wherein the identifying information comprises any one or more of:
    - a hash of the benign application; and
      
      a digital signature and/or certificate associated with the benign application.
  - 4. A method according to claim 3 and comprising, at step e), identifying the running application as one of:
    - the benign application running injected code; and
      
      a malicious modification of the benign application.
  - 5. A method according to claim 4, wherein the running application is identified as the benign application running injected code in the case where the application matches said identification information, and as a malicious modification of the benign application where the application matches only a part of said identification information.
  - 6. A method according to claim 1, wherein all of the steps are performed at the computer system.
  - 7. A method according to claim 1, wherein step c) is performed at the computer system, and steps b), d) and e) are performed at a server, and comprising:
    - upon detection of performance of a characteristic action, sending from the client computer to the server, details of the characteristic action and other actions taken on the client computer; and
      
      sending from the server to the computer system, an indication as to whether or not the running application is malicious or suspicious.
  - 8. A method according to claim 9, and comprising, upon detection of a deviation at step e), sending from the server to the computer system, instructions for handling the running application.
  - 9. A method according to claim 1, wherein said procedures include any one or more of:
    - establishment of a secure session;
      
      communication over a secure session;
      
      file operations;
      
      registry operations;
      
      memory operations;
      
      network operations.
  - 10. A method according to claim 1, wherein the characteristic and/or expected actions include one or more of:
    - API calls made by the running application;
      
      information made available to plugins of the running application;
      
      actions relating to Browser Helper Objects;
      
      file access operations performed by the running application;
      
      network operations performed by the running application;
      
      encrypted communications sent by the running application.
  - 11. A method according to claim 1 and comprising, at step e), handling the running application by one or more of:
    - terminating a process of the running application;
      
      terminating the characteristic action or an action resulting from the characteristic action;
      
      removing or otherwise making safe the running application; and
      
      performing a further malware scan on the application.
  - 12. A method according to claim 1, wherein step b) comprises generating a profile for a benign application by one or both of:
    - monitoring the behaviour of the benign application running on a plurality of client computers and identifying procedures and respective characteristic and expected actions from the aggregate results; and
      
      performing a static analysis of binary code associated with the benign application.

13. A computer system comprising:
- a memory configured to store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions;
  
  a processor configured to;
  
  monitor behaviour of the computer system to detect performance, by a running application, of a characteristic action of a procedure of a benign application;
  
  upon detection of performance of a characteristic action, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and
  
  use the detection of a deviation to identify the running application as malicious or suspicious.

14. A server comprising:
- a memory configured to store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions;
  
  a processor configured to;
  
  receive, from a computer system, results of behaviour monitoring of a running application on the computer system;
  
  upon detection of performance of a characteristic action in said results, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and
  
  use the detection of a deviation to identify the running application as malicious or suspicious;
  
  send to the computer system an indication as to whether the running application is malicious or suspicious.
- View Dependent Claims (15)
- - 15. A server according to claim 14, wherein the results comprises an explicit indication of detection of a characteristic action.

16. A computer program product comprising a non-transitory computer readable medium and a computer program comprising computer readable code which, when run on a computer system, causes the computer system to:
- store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actionsmonitor behaviour of the computer system to detect performance, by a running application, of a characteristic action of a procedure of a benign application;
  
  upon detection of performance of a characteristic action, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and
  
  use the detection of a deviation to identify the running application as malicious or suspicious;
  
  wherein the computer program is stored on the computer-readable medium.

17. A computer program product comprising a non-transitory computer readable medium and a computer program comprising computer readable code which, when run on a server, causes the server to:
- store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actionsreceive, from a computer system, results of behaviour monitoring of a running application on the computer system;
  
  upon detection of performance of a characteristic action in said results, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and
  
  use the detection of a deviation to identify the running application as malicious or suspicious;
  
  send to the computer system an indication as to whether the running application is malicious or suspiciouswherein the computer program is stored on the computer-readable medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Withsecure Corporation
Original Assignee
F-Secure Corporation (F-Secure Oyj)
Inventors
HENTUNEN, Daavid

Granted Patent

US 10,083,301 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H05K 999/99   dummy group

Behaviour Based Malware Prevention

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Behaviour Based Malware Prevention

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links