Behaviour Based Malware Prevention
First Claim
1. A method of detecting malware present on a computer system, the method comprising:
a) predefining a set of applications as benign;
b) providing profiles for respective benign applications, each profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions;
c) monitoring behaviour of the computer system to detect performance, by a running application, of a characteristic action of a procedure of a benign application;
d) upon detection of performance of a characteristic action, using the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and
e) using the detection of a deviation to identify the running application as malicious or suspicious.
Abstract
A method of detecting malware present on a computer system. A set of applications is predefined as benign, and profiles are provided for respective benign applications. Each profile identifies one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions. Behaviour of the computer system is monitored to detect performance, by a running application, of a characteristic action of a procedure of a benign application. Upon detection of performance of a characteristic action, the profile provided for the associated benign application is used to detect a deviation from the expected actions of the procedure; and the detection of a deviation is used to identify the running application as malicious or suspicious.
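The following is an added example, not code from the patent or its assignee: a minimal implementation of the claimed scheme in which each benign-application profile lists procedures as a characteristic action plus a set of expected follow-on actions, and an event stream is checked for deviations. Application names, action names and the event stream are constructed; it covers both a foreign process performing a benign application's characteristic action and the benign application itself deviating from its own profile.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Procedure:
    name: str
    characteristic: str     # action whose occurrence marks the start of the procedure
    expected: frozenset     # actions the benign application is known to perform next

@dataclass(frozen=True)
class Profile:
    app: str                # the benign application this profile describes
    procedures: Tuple[Procedure, ...]

# Constructed profiles for two hypothetical benign applications (not real products).
PROFILES = (
    Profile("webbrowser", (
        Procedure("cookie_access", "open_cookie_db",
                  frozenset({"read_cookie_db", "write_cookie_db", "close_cookie_db"})),
    )),
    Profile("mailclient", (
        Procedure("send_mail", "open_smtp_session",
                  frozenset({"read_outbox", "send_smtp_data", "close_smtp_session"})),
    )),
)

# Index characteristic actions so a single lookup finds the owning profile/procedure.
CHARACTERISTIC = {proc.characteristic: (prof, proc)
                  for prof in PROFILES for proc in prof.procedures}

def analyse(events: List[Tuple[int, str, str]]) -> Dict[int, dict]:
    """events: (pid, running_app, action) in time order. Returns a verdict per pid."""
    active: Dict[int, Tuple[Profile, Procedure]] = {}   # procedure in progress per pid
    verdicts: Dict[int, dict] = {}
    for pid, app, action in events:
        verdicts.setdefault(pid, {"app": app, "verdict": "benign", "deviations": []})
        if action in CHARACTERISTIC:
            active[pid] = CHARACTERISTIC[action]        # a known procedure has started
            continue
        if pid not in active:
            continue                                    # nothing to compare against yet
        prof, proc = active[pid]
        if action not in proc.expected:                 # deviation from the profile
            verdicts[pid]["deviations"].append((prof.app, proc.name, action))
            verdicts[pid]["verdict"] = "suspicious"
    return verdicts

# Constructed event stream: pid 101 follows the browser profile; pid 202 is an
# unrelated process that performs the browser's characteristic action, then deviates.
EVENTS = [
    (101, "webbrowser", "open_cookie_db"),
    (101, "webbrowser", "read_cookie_db"),
    (101, "webbrowser", "close_cookie_db"),
    (202, "updater", "open_cookie_db"),
    (202, "updater", "read_cookie_db"),
    (202, "updater", "connect_remote_host"),
]

if __name__ == "__main__":
    for pid, verdict in analyse(EVENTS).items():
        print(pid, verdict)
```

A real deployment would key procedures on observable system events (file, registry, network calls) rather than string labels, and would bound how long a procedure stays active for a process.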
17 Claims
1. (Reproduced under First Claim above; dependent claims 2 to 12 are not shown on this page.)

13. A computer system comprising:
a memory configured to store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions; a processor configured to: monitor behaviour of the computer system to detect performance, by a running application, of a characteristic action of a procedure of a benign application; upon detection of performance of a characteristic action, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and use the detection of a deviation to identify the running application as malicious or suspicious.

14. A server comprising:
a memory configured to store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions; a processor configured to: receive, from a computer system, results of behaviour monitoring of a running application on the computer system; upon detection of performance of a characteristic action in said results, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; use the detection of a deviation to identify the running application as malicious or suspicious; and send to the computer system an indication as to whether the running application is malicious or suspicious. (Dependent claim 15 is not shown on this page.)

16. A computer program product comprising a non-transitory computer readable medium and a computer program comprising computer readable code which, when run on a computer system, causes the computer system to:
store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions; monitor behaviour of the computer system to detect performance, by a running application, of a characteristic action of a procedure of a benign application; upon detection of performance of a characteristic action, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; and use the detection of a deviation to identify the running application as malicious or suspicious; wherein the computer program is stored on the computer-readable medium.

17. A computer program product comprising a non-transitory computer readable medium and a computer program comprising computer readable code which, when run on a server, causes the server to:
store a profile for each of a set of benign applications, the profile identifying one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions; receive, from a computer system, results of behaviour monitoring of a running application on the computer system; upon detection of performance of a characteristic action in said results, use the profile provided for the associated benign application to detect a deviation from the expected actions of the procedure; use the detection of a deviation to identify the running application as malicious or suspicious; and send to the computer system an indication as to whether the running application is malicious or suspicious; wherein the computer program is stored on the computer-readable medium.