Real time malicious software detection

US 7,877,806 B2
Filed: 07/27/2007
Issued: 01/25/2011
Est. Priority Date: 07/28/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of detecting malicious software, wherein the method comprises:

recording one or more previously intercepted activities in a list;

intercepting a request to perform an activity in a processing system;

determining an entity associated with the activity, wherein the entity comprises at least one of;

a requesting entity of the activity; and

a target entity of the activity;

analysing the entity and the activity to determine if the entity and the activity are associated with malicious software, wherein the entity and the activity are analysed by;

accessing one or more previously intercepted activities from the list, wherein a determination has not been made as to whether the previously intercepted activities are associated with malicious software;

comparing the activity and the accessed one or more previously intercepted activities to a sequence of known malicious activities;

in the event of a positive comparison, determining, in real time, that the entity and the activity are associated with malicious software; and

in the event that the entity and the activity are determined to be associated with malicious software, restricting the request to perform the activity in the processing system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, computer program product and/or computer readable medium of instructions for detecting malicious software, comprising intercepting a request to perform an activity in a processing system; determining an entity associated with the activity, wherein the entity comprises at least one of: a requesting entity of the activity; and a target entity of the activity; analysing the entity and the activity to determine if the request is associated with malicious software; and in the event that the request is determined to be associated with malicious software, restricting the request to perform the activity in the processing system.

Citations

15 Claims

1. A method of detecting malicious software, wherein the method comprises:
- recording one or more previously intercepted activities in a list;
  
  intercepting a request to perform an activity in a processing system;
  
  determining an entity associated with the activity, wherein the entity comprises at least one of;
  
  a requesting entity of the activity; and
  
  a target entity of the activity;
  
  analysing the entity and the activity to determine if the entity and the activity are associated with malicious software, wherein the entity and the activity are analysed by;
  
  accessing one or more previously intercepted activities from the list, wherein a determination has not been made as to whether the previously intercepted activities are associated with malicious software;
  
  comparing the activity and the accessed one or more previously intercepted activities to a sequence of known malicious activities;
  
  in the event of a positive comparison, determining, in real time, that the entity and the activity are associated with malicious software; and
  
  in the event that the entity and the activity are determined to be associated with malicious software, restricting the request to perform the activity in the processing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein the method comprises:
    - filtering, using a filter module, the activity according to determine if the activity is suspicious; and
      
      in the event that the activity is determined to be suspicious, performing the analysis to determine if the request is associated with malicious software.
  - 3. The method according to claim 2, wherein the filter module comprises a list of filter rules to determine if at least one of the target entity and the requesting entity are suspicious or non-suspicious, wherein the method comprises:
    - determining an order of the list according to a frequency of instances each filter rule has been previously satisfied, wherein the filter module is used at least partially based on the determined order.
  - 4. The method according to claim 2, wherein the filter module comprises a list of susceptible target entity filter rules, wherein the step of determining if the activity is suspicious comprises determining if the target entity satisfies one of the susceptible target entity filter rules, and in response to one of the susceptible target entity filter rules being satisfied, the activity is identified as being suspicious.
  - 5. The method according to claim 2, wherein the filter module comprises a list of non-susceptible target entity filter rules, wherein the step of determining if the activity is non-suspicious comprises determining if the target entity satisfies one of the non-susceptible target entity filter rules, and in response to one of the non-susceptible target entity filter rules being satisfied, the activity is identified as being non-suspicious.
  - 6. The method according claim 2, wherein the filter module comprises a list of non-trusted requesting entity filter rules, wherein the step of determining if the activity is suspicious comprises determining if the requesting entity satisfies one of the non-trusted requesting entity filter rules, and in response to one of the non-trusted requesting entity filter rules being satisfied, the activity is identified as being suspicious.
  - 7. The method according to claim 2, wherein the filter module comprises a list of trusted requesting entity filter rules, wherein the step of determining if the activity is non-suspicious comprises determining if the requesting entity satisfies one of the non-trusted requesting entity filter rules, and in response to one of the non-trusted requesting entity filter rules being satisfied, the activity is identified as being non-suspicious.
  - 8. The method according to claim 1, wherein analysing the activity comprises:
    - determining an entity threat value for the entity, the entity threat value being indicative of a level of threat that the entity represents to the processing system, wherein the entity threat value is determined based on one or more characteristics of the entity; and
      
      comparing the entity threat value to an entity threat threshold determine if the request is associated with malicious software.
  - 9. The method according to claim 8, wherein each of the one or more characteristics of the entity is associated with a respective characteristic threat value, wherein the method comprises calculating the entity threat value using at least some of the characteristic threat values for the one or more characteristics of the entity.
  - 10. The method according to claim 8, wherein the method comprises:
    - determining one or more related entities to the entity, wherein each related entity has an associated entity threat value; and
      
      ,calculating the entity threat value for the entity using the entity threat value for at least some of the one or more related entities.
  - 11. The method according to claim 8, wherein the method comprises:
    - determining one or more related entities to the entity, wherein each related entity has an associated entity threat value; and
      
      ,calculating a group threat value for the entity and one or more related entities using the entity threat value for at least some of the one or more related entities and the entity.
  - 12. The method according to claim 1, wherein analysing the activity comprises:
    - determining one or more values indicative of an entity; and
      
      performing a fuzzy logic analysis in relation to the one or more values to determine if the request is associated with malicious software.
  - 13. The method according to claim 12, wherein the one or more values can comprise at least one of:
    - an entity threat value;
      
      a group threat value;
      
      a frequency of an event occurring;
      
      a number of related entities to the entity; and
      
      a number of child processes created by the entity.

14. A system to detect malicious software, wherein the system is configured to:
- record one or more previously intercepted activities in a list;
  
  intercept a request to perform an activity in a processing system;
  
  determine at least one of;
  
  a requesting entity of the activity; and
  
  a target entity of the activity;
  
  analyse at least one of the requesting entity, the target entity and the activity to determine if the entity and the activity are associated with malicious software, wherein the system is configured to;
  
  access one or more previously intercepted activities from the list, wherein a determination has not been made as to whether the previously intercepted activities are associated with malicious software;
  
  compare the activity and the accessed one or more previously intercepted activities to a sequence of known malicious activities;
  
  in the event of a positive comparison, determine, in real time, that the entity and the activity are associated with malicious software; and
  
  restrict the request to perform the activity in the processing system in the event that the entity and the activity are determined to be associated with malicious software.

15. A computer program product comprising a non-transitory computer readable medium having a computer program recorded therein or thereon, the computer program enabling detection of malicious software, wherein the computer program product configures the processing system to:
- record one or more previously intercepted activities in a list;
  
  intercept a request to perform an activity in a processing system;
  
  determine at least one of;
  
  a requesting entity of the activity; and
  
  a target entity of the activity;
  
  analyse at least one of the requesting entity, the target entity and the activity to determine if the entity and the activity are associated with malicious software, wherein the computer program product configures the processing system to;
  
  access one or more previously intercepted activities from the list, wherein a determination has not been made as to whether the previously intercepted activities are associated with malicious software;
  
  compare the activity and the accessed one or more previously intercepted activities to a sequence of known malicious activities;
  
  in the event of a positive comparison, determine, in real time, that the entity and the activity are associated with malicious software; and
  
  restrict the request to perform the activity in the processing system in the event that the entity and the activity are determined to be associated with malicious software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Ryan, Oliver, Ian, Clausen, Simon, Repasi, Rolf
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US11/829,608
Publication Number

US 20080028469A1
Time in Patent Office

1,278 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/577 Assessing vulnerabilities a...

Real time malicious software detection

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Real time malicious software detection

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links