METHOD AND SYSTEM FOR IDENTIFYING UNCORRELATED SUSPICIOUS EVENTS DURING AN ATTACK
First Claim
1. A method for identifying events associated with an attack initiated on an endpoint, comprising:
- obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;
- analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and
- determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.
Abstract
Computerized methods and systems identify events associated with an attack initiated on an endpoint client. A listing of processes executed or created on the endpoint during the attack is obtained. The listing of processes includes a first process and at least one subsequent process executed or created by the first process. The computerized methods and systems analyze for the occurrence of at least one event during a time interval associated with the attack. The computerized methods and systems determine whether the listing of processes includes a process that when executed caused the occurrence of the at least one event. If the listing of processes excludes a process that when executed caused the occurrence of the at least one event, the at least one event and the causing process are stored, for example, in a database or memory.
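The following is an added illustration of the method the abstract describes, written for this page; it is not code from the patent or from any product implementing it. It builds the "listing of processes" by walking from a first (attack-root) process to every process it created, transitively, keeps only the events that fall inside the attack's time interval, and then separates events caused by a listed process from events that no listed process caused. The latter are the uncorrelated suspicious events, and they are returned together with their causing process so that a caller can store them. All process and event records below are constructed sample data, and the names `Process`, `Event`, `attack_process_listing`, `partition_events` and `store_uncorrelated` are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int    # parent pid: the process that created this one
    name: str


@dataclass(frozen=True)
class Event:
    kind: str    # e.g. "file_write", "net_connect", "registry_set"
    pid: int     # pid of the process whose execution caused the event
    time: int    # seconds on a constructed timeline
    detail: str


def attack_process_listing(first_pid: int, processes: List[Process]) -> Dict[int, Process]:
    """Return the first process plus every process it created, transitively.

    This is the "listing of processes executed or created on the endpoint
    during the attack": the attack root and all of its descendants.
    """
    by_pid = {p.pid: p for p in processes}
    children: Dict[int, List[int]] = {}
    for p in processes:
        children.setdefault(p.ppid, []).append(p.pid)
    listing: Dict[int, Process] = {}
    stack = [first_pid]
    while stack:
        pid = stack.pop()
        if pid in listing or pid not in by_pid:
            continue
        listing[pid] = by_pid[pid]
        stack.extend(children.get(pid, []))
    return listing


def partition_events(events: List[Event], listing: Dict[int, Process],
                     interval: Tuple[int, int]) -> Tuple[List[Event], List[Event]]:
    """Split the events inside the attack interval by whether a listed process caused them."""
    start, end = interval
    correlated: List[Event] = []
    uncorrelated: List[Event] = []
    for ev in events:
        if not (start <= ev.time <= end):
            continue  # outside the time interval associated with the attack
        (correlated if ev.pid in listing else uncorrelated).append(ev)
    return correlated, uncorrelated


def store_uncorrelated(first_pid: int, processes: List[Process], events: List[Event],
                       interval: Tuple[int, int]) -> List[Tuple[Event, Optional[Process]]]:
    """Pair each uncorrelated event with its causing process, ready to be stored."""
    listing = attack_process_listing(first_pid, processes)
    by_pid = {p.pid: p for p in processes}
    _, uncorrelated = partition_events(events, listing, interval)
    return [(ev, by_pid.get(ev.pid)) for ev in uncorrelated]


# Constructed sample data: a document-borne attack tree and an unrelated service process.
PROCESSES = [
    Process(1000, 1, "explorer.exe"),
    Process(2000, 1000, "outlook.exe"),
    Process(3001, 2000, "winword.exe"),     # first (attack-root) process
    Process(3002, 3001, "cmd.exe"),
    Process(3003, 3002, "powershell.exe"),
    Process(4000, 1000, "svchost.exe"),     # not created by the attack tree
]
EVENTS = [
    Event("file_write", 3003, 120, "C:\\Users\\u\\payload.bin"),
    Event("net_connect", 3003, 125, "203.0.113.7:443"),
    Event("registry_set", 4000, 130, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    Event("file_write", 4000, 20, "C:\\temp\\log.txt"),  # before the attack interval; ignored
]
ATTACK_INTERVAL = (100, 200)  # constructed: from the first process start to the end of the attack

if __name__ == "__main__":
    listing = attack_process_listing(3001, PROCESSES)
    correlated, uncorrelated = partition_events(EVENTS, listing, ATTACK_INTERVAL)
    print("attack tree:", sorted(listing))
    print("correlated:", [(e.kind, e.pid) for e in correlated])
    for ev, proc in store_uncorrelated(3001, PROCESSES, EVENTS, ATTACK_INTERVAL):
        print("store uncorrelated:", ev.kind, ev.detail, "caused by", proc.name if proc else "unknown")
```

On the sample data the attack tree is {3001, 3002, 3003}; the two events caused by `powershell.exe` are correlated with the tree, while the `Run` key write by `svchost.exe` falls inside the interval but was caused by a process outside the listing, so it is the one event handed back for storage. The `file_write` at time 20 is dropped because it lies outside the attack interval.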
22 Claims
1. A method for identifying events associated with an attack initiated on an endpoint, comprising:
- obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;
- analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and
- determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.
Dependent claims: 2-14.

15. A computer system for identifying events associated with an attack initiated on an endpoint, comprising:
- a storage medium for storing computer components; and
- a computerized processor for executing the computer components, comprising a computer module configured for:
  - obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;
  - analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and
  - determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.
Dependent claims: 16-21.

22. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to identify events associated with an attack initiated on an endpoint, by performing the following steps when such program is executed on the system, the steps comprising:
- obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;
- analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and
- determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.
Specification