Method and System for Determining Initial Execution of an Attack

US 20170171224A1
Filed: 12/09/2015
Published: 06/15/2017
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method for determining an initial execution of an attack on an endpoint, comprising:

obtaining an indicator of the attack by analyzing a first process on the endpoint, the initial execution being associated with the first process by a sequence of processes that includes the first process, each respective process in the sequence of processes being executed or created by at least one of the initial execution or a process in the sequence of processes; and

identifying the initial execution based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.

Citations

20 Claims

1. A method for determining an initial execution of an attack on an endpoint, comprising:
- obtaining an indicator of the attack by analyzing a first process on the endpoint, the initial execution being associated with the first process by a sequence of processes that includes the first process, each respective process in the sequence of processes being executed or created by at least one of the initial execution or a process in the sequence of processes; and
  
  identifying the initial execution based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the endpoint is part of a network.
  - 3. The method of claim 1, wherein the initial execution is at least one of a suspicious process or a malicious process.
  - 4. The method of claim 1, wherein the analyzing of the first process is indicative of an activity selected from the group consisting of:
    - accessing of a malicious web site, initiating a malicious communication with a network device, opening a malicious file, and creating a malicious data object.
  - 5. The method of claim 1, wherein the combination of executions and creations of the processes in the sequence of processes is based in part on at least one characteristic of each respective process in the sequence of processes.
  - 6. The method of claim 5, wherein the at least one characteristic of each respective process is based on a reputation of the respective process, the reputation of the respective process being provided by a reputation service.
  - 7. The method of claim 1, wherein for each respective process in the sequence of processes, an executing process of the respective process is determined if the respective process is classified as a known process.
  - 8. The method of claim 1, wherein for each respective process in the sequence of processes, a creating process of the respective process is determined if the respective process is classified as a payload application process.
  - 9. The method of claim 8, wherein the determination of the creating process comprises:
    - determining at least one file opened by the payload application.
  - 10. The method of claim 9, wherein the at least one file is a malicious file.
  - 11. The method of claim 1, wherein for each respective process in the sequence of processes, a creating process of the respective process is determined if the respective process is classified as an unknown process or a malicious process.
  - 12. The method of claim 11, wherein the determination of the creating process comprises:
    - determining a file that caused the execution of the respective process.
  - 13. The method of claim 12, wherein the determination of the creating process further comprises:
    - identifying the creating process as the process in the sequence of processes that created the file.
  - 14. The method of claim 1, wherein at least one process in the sequence of processes is configured to persist after termination of a creating or executing process of the at least one process.

15. A computer system for determining an initial execution of an attack on an endpoint, comprising:
- a storage medium for storing computer components; and
  
  a computerized processor for executing the computer components comprising;
  
  a computer module configured for;
  
  obtaining an indicator of the attack by analyzing a first process on the endpoint, the initial execution being associated with the first process by a sequence of processes that includes the first process, each respective process in the sequence of processes being executed or created by at least one of the initial execution or a process in the sequence of processes; and
  
  identifying the initial execution based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer system of claim 15, wherein the identifying the initial execution is based in part on at least one characteristic of each respective process in the sequence of processes.
  - 17. The computer system of claim 16, wherein the computer module includes a reputation module, and the at least one characteristic of each respective process is based on a reputation of the respective process provided by the reputation module.
  - 18. The computer system of claim 15, wherein at least one process in the sequence of processes is configured to persist after termination of a process that created or executed the at least one process.
  - 19. The computer system of claim 15, further comprising a database for storing endpoint activity.

20. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system to determine an initial execution of an attack on an endpoint, by performing the following steps when such program is executed on the system, the steps comprising:
- obtaining an indicator of the attack by analyzing a first process on the endpoint, the initial execution being associated with the first process by a sequence of processes that includes the first process, each respective process in the sequence of processes being executed or created by at least one of the initial execution or a process in the sequence of processes; and
  
  identifying the initial execution based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
LEIDERFARB, Tamara, PAL, ANANDABRATA, ARZI, Lior

Granted Patent

US 10,880,316 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/445   Program loading or initiati...

G06F 9/4484   Executing subprograms

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and System for Determining Initial Execution of an Attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Determining Initial Execution of an Attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links