Method and System for Determining Initial Execution of an Attack
Abstract
Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
20 Claims
1. A method for determining an initial execution of an attack on an endpoint, comprising:
- obtaining an indicator of the attack by analyzing a first process on the endpoint, the initial execution being associated with the first process by a sequence of processes that includes the first process, each respective process in the sequence of processes being executed or created by at least one of the initial execution or a process in the sequence of processes; and
- identifying the initial execution based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
(Claims 2 to 14 depend on claim 1.)

15. A computer system for determining an initial execution of an attack on an endpoint, comprising:
- a storage medium for storing computer components; and
- a computerized processor for executing the computer components, comprising a computer module configured for:
  - obtaining an indicator of the attack by analyzing a first process on the endpoint, the initial execution being associated with the first process by a sequence of processes that includes the first process, each respective process in the sequence of processes being executed or created by at least one of the initial execution or a process in the sequence of processes; and
  - identifying the initial execution based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
(Claims 16 to 19 depend on claim 15.)

20. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to determine an initial execution of an attack on an endpoint, by performing the following steps when such program is executed on the system, the steps comprising:
- obtaining an indicator of the attack by analyzing a first process on the endpoint, the initial execution being associated with the first process by a sequence of processes that includes the first process, each respective process in the sequence of processes being executed or created by at least one of the initial execution or a process in the sequence of processes; and
- identifying the initial execution based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
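As an added illustration (not code from the patent or its assignee), the following Python sketch shows the backward linking the claims describe: starting from the process that carried the indicator, follow "create" and "execute" links to earlier processes until the chain ends. The telemetry, process names and the optional set of known-benign ancestors are constructed assumptions; the patent does not specify an event format or how the start of the attack is delimited.

```python
from collections import defaultdict

# Constructed sample telemetry: one tuple per parent->child link.
# kind is "create" (parent spawned child) or "execute" (parent ran/loaded child).
EVENTS = [
    # ts,  kind,      parent,            child
    (100, "create",  "explorer:10",     "outlook:20"),
    (105, "create",  "explorer:10",     "chrome:70"),        # unrelated branch
    (110, "create",  "outlook:20",      "winword:30"),       # attachment opened
    (120, "execute", "winword:30",      "macro:31"),         # embedded macro run by winword
    (125, "create",  "macro:31",        "powershell:40"),
    (130, "create",  "powershell:40",   "dropper.exe:50"),
    (135, "execute", "powershell:40",   "dropper.exe:50"),   # same child, second link kind
    (140, "create",  "dropper.exe:50",  "rundll32:60"),      # indicator observed here
]


def build_links(events):
    """Map each child process to the (ts, kind, parent) links that produced it."""
    parents = defaultdict(list)
    for ts, kind, parent, child in events:
        parents[child].append((ts, kind, parent))
    return parents


def trace_initial_execution(events, first_process, trusted=frozenset()):
    """Walk backward from the process carrying the indicator, combining
    create and execute links, and return (initial_execution, chain).

    chain lists (parent, kind, child, ts) from the indicator back to the root.
    trusted (assumption): known-benign ancestors such as the session shell;
    the first process below a trusted ancestor is reported as the initial execution.
    """
    parents = build_links(events)
    chain, current, seen = [], first_process, {first_process}
    while True:
        links = [l for l in parents.get(current, []) if l[2] not in seen]  # seen guards cycles
        if not links:
            break                                  # no earlier link: current is the root
        ts, kind, parent = min(links)              # earliest link that brought current to life
        if parent in trusted:
            break                                  # attack chain starts at current
        chain.append((parent, kind, current, ts))
        seen.add(parent)
        current = parent
    return current, chain
```

With no trusted set the trace runs to the session root (explorer:10); with explorer and outlook marked trusted it stops at winword:30, the first process in the chain the attacker influenced.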