MALWARE DETECTION AND IDENTIFICATION USING DEVIATIONS IN ONE OR MORE OPERATING PARAMETERS

US 20170286670A1
Filed: 03/30/2016
Published: 10/05/2017
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

monitoring current operating parameters for a computing system running one or more application;

obtaining baseline operating parameters for the computing system running the one or more application in the absence of malware;

identifying a deviation between the current operating parameters and the baseline operating parameters; and

determining whether the identified deviation matches a deviation associated with a predetermined malware definition.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for detecting malware, such as a virus or spyware. The method looks for deviations expected operating parameters instead of focusing solely on conventional malware signatures. The method includes monitoring current operating parameters for a computing system running one or more application, obtaining baseline operating parameters for the computing system running the one or more application in the absence of malware, identifying a deviation between the current operating parameters and the baseline operating parameters, and determining whether the identified deviation matches a deviation associated with a predetermined malware definition.

9 Citations

View as Search Results

20 Claims

1. A method, comprising:
- monitoring current operating parameters for a computing system running one or more application;
  
  obtaining baseline operating parameters for the computing system running the one or more application in the absence of malware;
  
  identifying a deviation between the current operating parameters and the baseline operating parameters; and
  
  determining whether the identified deviation matches a deviation associated with a predetermined malware definition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the baseline operating parameters are obtained by measuring the operating parameters during an initial usage of the one or more application on the computing system.
  - 3. The method of claim 1, wherein the operating parameters for the computing system identify marginal operating parameters for a plurality of applications that may be simultaneously run on the computing system, and wherein the operating parameters for the computing system running multiple applications is the sum of the marginal operating parameters for each of the multiple applications.
  - 4. The method of claim 1, wherein the operating parameters include a measure of responsiveness of one or more of the applications running on the computing system.
  - 5. The method of claim 1, wherein the operating parameters include a measure of overall utilization of the computing system.
  - 6. The method of claim 1, wherein the operating parameters identify a state of each of the one or more applications.
  - 7. The method of claim 1, further comprising:
    - storing the identified deviation in association with a malware identifier.
  - 8. The method of claim 1, further comprising:
    - storing the identified deviation in association with a malware definition.
  - 9. The method of claim 8, further comprising:
    - distributing the malware definition to another computing system, wherein the malware definition includes the identified deviation in operating parameters.
  - 10. The method of claim 1, wherein determining whether the identified deviation matches a deviation associated with a malware definition, includes comparing the identified deviation with each deviation associated with one of a plurality of malware definitions.
  - 11. The method of claim 10, further comprising:
    - identifying one of the malware definitions that is associated with a deviation matching the identified deviation; and
      
      scanning the computing system for malware consistent with the identified malware definition.
  - 12. The method of claim 10, further comprising:
    - identifying multiple malware definitions each having an associated deviation that more closely matches the identified deviation than the deviations associated with other malware definitions; and
      
      scanning the computing system for malware consistent with the multiple identified malware definitions.
  - 13. The method of claim 12, wherein the computing system is scanned for malware consistent with the multiple identified malware definitions prior to scanning for malware consistent with other malware definitions.
  - 14. The method of claim 1, further comprising:
    - generating a notification that identifies the identified deviation in operating parameters and any matching malware; and
      
      sending the notification to a management system or system administrator.

15. A computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform a method comprising:
- monitoring current operating parameters for a computing system running one or more application;
  
  obtaining baseline operating parameters for the computing system running the one or more application in the absence of malware;
  
  identifying a deviation between the current operating parameters and the baseline operating parameters; and
  
  determining whether the identified deviation matches a deviation associated with a predetermined malware definition.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, wherein the baseline operating parameters are obtained by measuring the operating parameters during an initial usage of the one or more application on the computing system.
  - 17. The computer program product of claim 15, wherein the operating parameters for the computing system identify marginal operating parameters for a plurality of applications that may be simultaneously run on the computing system, and wherein the operating parameters for the computing system running multiple applications is the sum of the marginal operating parameters for each of the multiple applications.
  - 18. The computer program product of claim 15, further comprising:
    - storing the identified deviation in association with a malware definition; and
      
      distributing the malware definition to another computing system, wherein the malware definition includes the identified deviation in operating parameters.
  - 19. The computer program product of claim 15, wherein determining whether the identified deviation matches a deviation associated with a malware definition, includes comparing the identified deviation with each deviation associated with one of a plurality of malware definitions, the method further comprising:
    - identifying one of the malware definitions that is associated with a deviation matching the identified deviation; and
      
      scanning the computing system for malware consistent with the identified malware definition.
  - 20. The computer program product of claim 15, wherein determining whether the identified deviation matches a deviation associated with a malware definition, includes comparing the identified deviation with each deviation associated with one of a plurality of malware definitions, the method further comprising:
    - identifying multiple malware definitions each having an associated deviation that more closely matches the identified deviation than the deviations associated with other malware definitions; and
      
      scanning the computing system for malware consistent with the multiple identified malware definitions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo Global Technologies International Ltd. (Lenovo Group Ltd.)
Original Assignee
Lenovo Enterprise Solutions (Singapore) Pte., Ltd. (Lenovo Group Ltd.)
Inventors
Artman, Paul, Cudak, Gary D., Brown, Tristian T., Wood, Christopher L.

Granted Patent

US 10,162,963 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

MALWARE DETECTION AND IDENTIFICATION USING DEVIATIONS IN ONE OR MORE OPERATING PARAMETERS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE DETECTION AND IDENTIFICATION USING DEVIATIONS IN ONE OR MORE OPERATING PARAMETERS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links