METHOD AND SYSTEM FOR IDENTIFYING UNCORRELATED SUSPICIOUS EVENTS DURING AN ATTACK

US 20170171240A1
Filed: 10/13/2016
Published: 06/15/2017
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method for identifying events associated with an attack initiated on an endpoint, comprising:

obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;

analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and

determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized methods and systems identify events associated with an attack initiated on an endpoint client. A listing of processes executed or created on the endpoint during the attack is obtained. The listing of processes includes a first process and at least one subsequent process executed or created by the first process. The computerized methods and systems analyze for the occurrence of at least one event during a time interval associated with the attack. The computerized methods and systems determine whether the listing of processes includes a process that when executed caused the occurrence of the at least one event. If the listing of processes excludes process that when executed caused the occurrence of the at least one event, the at least one event and the causing process are stored, for example, in a database or memory.

Citations

22 Claims

1. A method for identifying events associated with an attack initiated on an endpoint, comprising:
- obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;
  
  analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and
  
  determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - identifying the process that when executed caused the occurrence of the at least one event.
  - 3. The method of claim 2, further comprising:
    - storing in a memory at least one characteristic of the process that when executed caused the occurrence of the at least one event if the listing of processes excludes the process that when executed caused the occurrence of the at least one event.
  - 4. The method of claim 1, further comprising:
    - determining the time interval associated with the attack.
  - 5. The method of claim 4, wherein the time interval associated with the attack is defined in part by a respective start time associated with each process in the listing of processes and a respective end time associated with each process in the listing of processes.
  - 6. The method of claim 1, wherein the at least one event is selected from the group consisting of:
    - an access or modification of a data item in a user directory of the endpoint, an injection into an endpoint operating system process, a deletion of at least one process from the listing of processes, an access to a data item or application on the endpoint that satisfies a user defined classification criterion, a process executed on the endpoint lacking a digital signature, a data item having a digital certificate obtained from an untrusted certificate authority, and the creation of a first file having the same hash value as the hash value of a second file.
  - 7. The method of claim 1, further comprising:
    - storing in a memory the at least one event if the listing of processes excludes the process that when executed caused the occurrence of the at least one event.
  - 8. The method of claim 1, wherein the listing of processes includes a model of the attack on the endpoint.
  - 9. The method of claim 8, wherein the model of the attack is a tree structured model.
  - 10. The method of claim 1, wherein the analyzing whether the at least one event occurred on the endpoint during the time interval associated with the attack includes:
    - obtaining a listing of events that occurred on the endpoint; and
      
      determining whether any of the events rendered from the listing of events occurred during the time interval associated with the attack.
  - 11. The method of claim 1, further comprising:
    - causing a taking protective action if the listing of processes includes the process that when executed caused the occurrence of the at least one event.
  - 12. The method of claim 11, wherein the taking of protective action includes restoring at least one value of a data item to an original value.
  - 13. The method of claim 1, wherein the first process is defined as an initial execution of the attack initiated on the endpoint.
  - 14. The method of claim 1, wherein the at least one event is a suspicious event.

15. A computer system for identifying events associated with an attack initiated on an endpoint, comprising:
- a storage medium for storing computer components; and
  
  a computerized processor for executing the computer components comprising;
  
  a computer module configured for;
  
  obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;
  
  analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and
  
  determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15, further comprising:
    - a database for storing a listing of events that occurred on the endpoint during the attack.
  - 17. The computer system of claim 16, wherein the computer module is further configured for:
    - retrieving the listing of events that occurred on the endpoint from the database, anddetermining whether any of the events rendered from the listing of events occurred during the time interval associated with the attack.
  - 18. The computer system of claim 15, further comprising:
    - a database for storing the at least one event, and wherein the computer module is further configured for;
      
      storing the at least one event in the database if the listing of processes excludes the process that when executed caused the occurrence of the at least one event.
  - 19. The computer system of claim 15, wherein the computer module is further configured for:
    - identifying the process that when executed caused the occurrence of the at least one event.
  - 20. The computer system of claim 19, further comprising:
    - a database for storing at least one characteristic of the process that when executed caused the occurrence of the at least one event, and wherein the computer module is further configure for;
      
      storing the at least one characteristic of the process that when executed caused the occurrence of the at least one event if the listing of processes excludes the process that when executed caused the occurrence of the at least one event.
  - 21. The computer system of claim 15, wherein the computer module includes an agent.

22. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system to identify events associated with an attack initiated on an endpoint, by performing the following steps when such program is executed on the system, the steps comprising:
- obtaining a listing of processes executed or created on the endpoint during the attack, the processes including a first process and at least one subsequent process executed or created by the first process;
  
  analyzing whether at least one event occurred on the endpoint during a time interval associated with the attack; and
  
  determining whether the listing of processes includes a process that when executed caused the occurrence of the at least one event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
LEIDERFARB, Tamara, ARZI, Lior, PAL, Anandabrata

Granted Patent

US 10,462,160 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/1416 Event detection, e.g. attac...

METHOD AND SYSTEM FOR IDENTIFYING UNCORRELATED SUSPICIOUS EVENTS DURING AN ATTACK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR IDENTIFYING UNCORRELATED SUSPICIOUS EVENTS DURING AN ATTACK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links