Detecting malicious processes based on process location

US 20190028491A1
Filed: 07/24/2017
Published: 01/24/2019
Est. Priority Date: 07/24/2017
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malicious processes, the method comprising:

receiving, using an interface, at least one path indicating where a process was launched;

parsing, using an analysis module executing instructions stored on a memory, the at least one path into at least one individual component;

computing, using the analysis module, at least one inequality indicator for the at least one path to determine whether the process is malicious; and

isolating the process upon determining the process is malicious.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting malicious processes. Methods described herein gather data regarding process locations and calculate one or more inequality indicators related to the process paths based on economic principles. Instances of inequality with respect to process paths may indicate a path is uncommon and therefore the associated binary is used for malicious purposes.

16 Citations

20 Claims

1. A method for identifying malicious processes, the method comprising:
- receiving, using an interface, at least one path indicating where a process was launched;
  
  parsing, using an analysis module executing instructions stored on a memory, the at least one path into at least one individual component;
  
  computing, using the analysis module, at least one inequality indicator for the at least one path to determine whether the process is malicious; and
  
  isolating the process upon determining the process is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the at least one inequality indicator is at least one of a Herfindahl index and a Gini coefficient.
  - 3. The method of claim 2, wherein an inequality indicator exceeding a predetermined threshold indicates an instance of inequality and therefore indicates a process is uncommon and potentially malicious.
  - 4. The method of claim 1, wherein the at least one inequality indicator is based on an identified pattern across multiple paths.
  - 5. The method of claim 4, wherein the pattern is identified autonomously and is not previously defined.
  - 6. The method of claim 1, further comprising removing, using the analysis module, at least one individual component from the at least one path.
  - 7. The method of claim 6, wherein removing the at least one individual component comprises removing at least one individual component that is present less than a predetermined number of times in the at least one path.
  - 8. The method of claim 6, wherein the removed at least one individual component is a username or a string specific to an instance of a computing environment.
  - 9. The method of claim 1, wherein isolating the malicious process includes relocating the malicious process to a quarantine module for analysis.
  - 10. The method of claim 1, wherein isolating the malicious process includes elevating the malicious process for examination.

11. A system for identifying malicious processes, the system comprising:
- an interface configured to receive at least one path indicating where a process was launched;
  
  a memory; and
  
  an analysis module configured to execute instructions stored on the memory to;
  
  parse the at least one path into at least one individual component;
  
  compute at least one inequality indicator for the at least one path to determine whether the process is malicious; and
  
  isolate a process upon determining the process is malicious.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the at least one inequality indicator is at least one of a Herfindahl index and a Gini coefficient.
  - 13. The system of claim 12, wherein an inequality indicator exceeding a predetermined threshold indicates an instance of inequality and therefore indicates a process is uncommon and potentially malicious.
  - 14. The system of claim 11, wherein the at least one inequality indicator is based on an identified pattern across multiple paths.
  - 15. The system of claim 14, wherein the pattern is identified autonomously and is not previously defined.
  - 16. The system of claim 11, wherein the analysis module is further configured to remove at least one individual component from the at least one path.
  - 17. The system of claim 16, wherein the analysis module removes at least one individual component that is present less than a predetermined number of times in the at least one path.
  - 18. The system of claim 16, wherein the removed at least one individual component is a username or a string specific to an instance of a computing environment.
  - 19. The system of claim 11, wherein the isolated process is relocated to a quarantine module for analysis.
  - 20. The system of claim 11, isolating the malicious process includes elevating the malicious process for manual examination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid7, Inc.
Inventors
Hodgman, Roy, Keyes, Oliver, Lin, Wah-Kwan, Scutt, Michael, Stiller, Timothy

Granted Patent

US 10,462,162 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Detecting malicious processes based on process location

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious processes based on process location

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links