METHODS AND CLOUD-BASED SYSTEMS FOR CORRELATING MALWARE DETECTIONS BY ENDPOINT DEVICES AND SERVERS

US 20200137088A1
Filed: 03/01/2019
Published: 04/30/2020
Est. Priority Date: 10/29/2018
Status: Active Grant

First Claim

Patent Images

1. A method for correlating malware detections by endpoint devices and servers, comprising:

receiving, by a correlator, from one or more servers, one or more events collected without invasive techniques, one or more events collected using one or more invasive techniques, and one or more final verdicts;

correlating, by the correlator, the one or more events collected without invasive techniques with the one or more events collected using the one or more invasive techniques;

creating, by the correlator, a suspicious pattern, when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using the one or more invasive techniques is used to detect a malware; and

updating, by the correlator, databases of one or more endpoint devices with created suspicious patterns.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are systems and method for correlating malware detections by endpoint devices and servers. In one aspect, an exemplary method comprises receiving, by a correlator, from one or more servers, one or more events collected without invasive techniques, one or more events collected using one or more invasive techniques, and one or more final verdicts, correlating the one or more events collected without invasive techniques with one or more events collected using the one or more invasive techniques, creating a suspicious pattern when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using one or more invasive techniques is used to detect a malware, and updating databases of one or more endpoint devices with created suspicious patterns.

0 Citations

20 Claims

1. A method for correlating malware detections by endpoint devices and servers, comprising:
- receiving, by a correlator, from one or more servers, one or more events collected without invasive techniques, one or more events collected using one or more invasive techniques, and one or more final verdicts;
  
  correlating, by the correlator, the one or more events collected without invasive techniques with the one or more events collected using the one or more invasive techniques;
  
  creating, by the correlator, a suspicious pattern, when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using the one or more invasive techniques is used to detect a malware; and
  
  updating, by the correlator, databases of one or more endpoint devices with created suspicious patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein each final verdict is issued by a server of the one or more servers in response to receiving a sample of a process from an endpoint device of the one or more endpoint devices with a request for the final verdict, the final verdict being indicative of whether the process is a malware or clean.
  - 3. The method of claim 2, wherein the endpoint device sends the request for the final verdict to the server when the process is determined as being a suspicious pattern based on a light dynamic analysis by the endpoint device.
  - 4. The method of claim 1, further comprising:
    - updating, by the correlator, databases of the one or more servers with results of the correlation.
  - 5. The method of claim 1, wherein the one or more servers serve one or more sandboxes.
  - 6. The method of claim 1, wherein the one or more events collected without invasive techniques include at least one of:
    - guaranteed events, logging events, tracing events, and noninvasive monitoring events.
  - 7. The method of claim 1, wherein the one or more events collected using the one or more invasive techniques include at least one of:
    - events based on virtualization technologies, and events based on modification of system components.

8. A system for correlating malware detections by endpoint devices and servers, comprising:
- at least one processor of a correlator configured to;
  
  receive, by a correlator, from one or more servers, one or more events collected without invasive techniques, one or more events collected using one or more invasive techniques, and one or more final verdicts;
  
  correlate, by the correlator, the one or more events collected without invasive techniques with the one or more events collected using the one or more invasive techniques;
  
  create, by the correlator, a suspicious pattern, when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using the one or more invasive techniques is used to detect a malware; and
  
  update, by the correlator, databases of one or more endpoint devices with created suspicious patterns.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein each final verdict is issued by a server of the one or more servers in response to receiving a sample of a process from an endpoint device of the one or more endpoint devices with a request for the final verdict, the final verdict being indicative of whether the process is a malware or clean.
  - 10. The system of claim 9, wherein the endpoint device sends the request for the final verdict to the server when the process is determined as being a suspicious pattern based on a light dynamic analysis by the endpoint device.
  - 11. The system of claim 8, the processor of the correlator further configured to:
    - update databases of the one or more servers with results of the correlation.
  - 12. The system of claim 8, wherein the one or more servers serve one or more sandboxes.
  - 13. The system of claim 8, wherein the one or more events collected without invasive techniques include at least one of:
    - guaranteed events, logging events, tracing events, and noninvasive monitoring events.
  - 14. The system of claim 8, wherein the one or more events collected using the one or more invasive techniques include at least one of:
    - events based on virtualization technologies, and events based on modification of system components.

15. A non-transitory computer readable medium storing thereon computer executable instructions for correlating malware detections by endpoint devices and servers, including instructions for:
- receiving, by a correlator, from one or more servers, one or more events collected without invasive techniques, one or more events collected using one or more invasive techniques, and one or more final verdicts;
  
  correlating, by the correlator, the one or more events collected without invasive techniques with the one or more events collected using the one or more invasive techniques;
  
  creating, by the correlator, a suspicious pattern, when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using the one or more invasive techniques is used to detect a malware; and
  
  updating, by the correlator, databases of one or more endpoint devices with created suspicious patterns.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable medium of claim 15, wherein each final verdict is issued by a server of the one or more servers in response to receiving a sample of a process from an endpoint device of the one or more endpoint devices with a request for the final verdict, the final verdict being indicative of whether the process is a malware or clean.
  - 17. The non-transitory computer readable medium of claim 16, wherein the endpoint device sends the request for the final verdict to the server when the process is determined as being a suspicious pattern based on a light dynamic analysis by the endpoint device.
  - 18. The non-transitory computer readable medium of claim 15, the instructions for correlating malware detections by endpoint devices and servers, including further instructions for:
    - updating, by the correlator, databases of the one or more servers with results of the correlation.
  - 19. The non-transitory computer readable medium of claim 15, wherein the one or more servers serve one or more sandboxes.
  - 20. The non-transitory computer readable medium of claim 15, wherein the one or more events collected without invasive techniques include at least one of:
    - guaranteed events, logging events, tracing events, and noninvasive monitoring event, and the one or more events collected using the one or more invasive techniques include at least one of;
      
      events based on virtualization technologies, and events based on modification of system components

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MidCap Financial Trust
Original Assignee
Acronis International GmbH (Acronis AG)
Inventors
Kostyushko, Alexey, Strogov, Vladimir, Beloussov, Serguei, Protasov, Stanislav, Pereberina, Anastasia, Grebennikov, Nikolay

Granted Patent

US 11,070,570 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

METHODS AND CLOUD-BASED SYSTEMS FOR CORRELATING MALWARE DETECTIONS BY ENDPOINT DEVICES AND SERVERS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

0 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

METHODS AND CLOUD-BASED SYSTEMS FOR CORRELATING MALWARE DETECTIONS BY ENDPOINT DEVICES AND SERVERS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

0 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others