Method And System For Modeling All Operations And Executions Of An Attack And Malicious Process Entry

US 20170171225A1
Filed: 12/09/2015
Published: 06/15/2017
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method for determining an entry point for an attack on an endpoint comprising:

obtaining an attack root; and

,identifying a sequence of processes, and executions and creations associated with each of the process of the sequence, the sequence originating at the attack root.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.

53 Citations

View as Search Results

21 Claims

1. A method for determining an entry point for an attack on an endpoint comprising:
- obtaining an attack root; and
  
  ,identifying a sequence of processes, and executions and creations associated with each of the process of the sequence, the sequence originating at the attack root.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the attack root includes a process.
  - 3. The method of claim 2, wherein the process of the attack root includes a file.
  - 4. The method of claim 1, wherein each process of the sequence of processes is based on at least one discreet event.
  - 5. The method of claim 4, wherein the discreet events from the same process of the sequence of processes are merged into a single summarized event.
  - 6. The method of claim 1, wherein the identifying a sequence of processes, and executions and creations associated with each of the process of the sequence of processes, includes:
    - categorizing each identified process by a process type; and
      
      ,obtaining a creator process associated with each identified and categorized process.
  - 7. The method of claim 4, wherein the categories for categorizing each the processes are selected from the group consisting of:
    - payload processes;
      
      container/compression/installer processes;
      
      executables;
      
      rename processes;
      
      registry consumer processes;
      
      network processes; and
      
      processes not categorized as one of payload processes, container/compression/installer processes, executables, rename processes, registry consumer processes, and network processes.
  - 8. The method of claim 1, wherein the end point includes at least one of a machine, including a computer, node of a network or system.

9. A method for determining the extent of an attack on an endpoint, comprising:
- obtaining an attack root;
  
  reading the attack root;
  
  analyzing the attack root to output subsequent processes associated with the attack root;
  
  reading each of the subsequent processes; and
  
  ,analyzing each of the subsequent processes to output additional processes associated, until there are not any more processes to be read.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The method of claim 9, wherein the attack root includes a process.
  - 11. The method of claim 10, wherein the process of the attack root includes a file.
  - 12. The method of claim 10, wherein the reading and analyzing for the attach root and each subsequent process is performed iteratively.
  - 13. The method of claim 12, wherein the analyzing the attack root and the subsequent processes includes obtaining at least one of:
    - executions and operations of malicious objects of files, malicious Uniform Resource Locators (URLs), and, malicious Internet Protocol (IP) addresses.
  - 14. The method of claim 12, wherein the analyzing the attack root and the subsequent processes includes:
    - creating a list of the files obtained from the file paths associated with each read attack root and each read subsequent process and ordering; and
      
      ,obtaining;
      
      i) processes creating file in the file list that were not in the entry point; and
      
      , ii) process instances of files from the file list that were executed.
  - 15. The method of claim 12, wherein the analyzing the attack root and subsequent processes includes, obtaining at least one of parent processes and child processes of the attack root and the subsequent processes.
  - 16. The method of claim 12, wherein the analyzing the attack root and the subsequent processes includes obtaining network operations processes from at least one of the attack root and the subsequent processes.
  - 17. The method of claim 12, wherein the analyzing the attack root and the subsequent processes includes obtaining processes which opened malicious Uniform Resource Locators (URLs) and malicious Internet Protocol (IP) addresses.
  - 18. The method of claim 12, wherein the analyzing the attack root and the subsequent processes includes:
    - obtaining process injecting into at least one of the attack root or the subsequent processes; and
      
      ,obtaining processes injected by one of the attack root or the subsequent processes.
  - 19. The method of claim 9, wherein the end point includes at least one of a machine, including a computer, node of a network or system.

20. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system to detect the extent of an attack on an endpoint, by performing the following steps when such program is executed on the system, the steps comprising:
- obtaining an attack root;
  
  reading the attack root;
  
  analyzing the attack root to output subsequent processes associated with the attack root;
  
  reading each of the subsequent processes; and
  
  ,analyzing each of the subsequent processes to output additional processes associated, until there are not any more processes to be read.
- View Dependent Claims (21)
- - 21. The computer-usable storage medium of claim 20, wherein the attack root includes a process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
PAL, ANANDABRATA, Arzi, Lior, Leiderfarb, Tamara

Granted Patent

US 10,440,036 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Method And System For Modeling All Operations And Executions Of An Attack And Malicious Process Entry

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method And System For Modeling All Operations And Executions Of An Attack And Malicious Process Entry

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links