Risk profiling
First Claim
1. A method for providing computer security, comprising:
- determining, using at least one computer processor, whether an executable associated with a static state meets one or more first predetermined criteria, the determination not requiring a known executable, other than the executable associated with the static state, or analysis of behavior of the executable and including a determination of at least one of: whether the executable is configured as a service and whether the executable is configured to run under a highly privileged account;
- associating a first risk level with the executable based at least in part upon whether the executable meets the one or more first predetermined criteria;
- determining whether a current process associated with the executable meets one or more second predetermined criteria;
- associating a second risk level with the current process based at least in part upon whether the current process meets the one or more second predetermined criteria, wherein the current process is initially associated with the first risk level, and wherein the first risk level is updated to the second risk level for the current process based at least in part upon whether the current process meets the one or more second predetermined criteria; and
- performing a predetermined responsive action with respect to the process if the second risk level exceeds a threat detection threshold;
- wherein determining whether the executable meets the one or more first predetermined criteria does not comprise comparing the executable with a virus signature.
Abstract
A technique for providing computer security is provided. Providing computer security comprises providing an executable associated with a static state, determining whether the executable meets a predetermined criterion, and associating a risk level with the criterion if it is determined that the executable meets the predetermined criterion. Determining whether the executable meets a predetermined criterion does not compare the executable with a virus signature.
26 Claims
1. (Set out in full under First Claim above; claims 2 through 24 are dependent claims.)

25. A system for providing computer security, comprising:
- a processor configured to:
  - determine whether an executable associated with a static state meets one or more first predetermined criteria, the determination not requiring a known executable, other than the executable associated with the static state, or analysis of behavior of the executable and including a determination of at least one of: whether the executable is configured as a service and whether the executable is configured to run under a highly privileged account;
  - associate a first risk level with the executable based at least in part upon whether the executable meets the one or more first predetermined criteria;
  - determine whether a current process associated with the executable meets one or more second predetermined criteria;
  - associate a second risk level with the current process based at least in part upon whether the current process meets the one or more second predetermined criteria, wherein the current process is initially associated with the first risk level, and wherein the first risk level is updated to the second risk level for the current process based at least in part upon whether the current process meets the one or more second predetermined criteria; and
  - perform a predetermined responsive action with respect to the process if the second risk level exceeds a threat detection threshold;
  - wherein determining whether the executable meets the one or more first predetermined criteria does not comprise comparing the executable with a virus signature; and
- a memory, coupled with the processor, configured to provide the processor with instructions.

26. A computer program product for providing computer security, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- determining whether an executable associated with a static state meets one or more first predetermined criteria, the determination not requiring a known executable, other than the executable associated with the static state, or analysis of behavior of the executable and including a determination of at least one of: whether the executable is configured as a service and whether the executable is configured to run under a highly privileged account;
- associating a first risk level with the executable based at least in part upon whether the executable meets the one or more first predetermined criteria;
- determining whether a current process associated with the executable meets one or more second predetermined criteria;
- associating a second risk level with the current process based at least in part upon whether the current process meets the one or more second predetermined criteria, wherein the current process is initially associated with the first risk level, and wherein the first risk level is updated to the second risk level for the current process based at least in part upon whether the current process meets the one or more second predetermined criteria; and
- performing a predetermined responsive action with respect to the process if the second risk level exceeds a threat detection threshold;
- wherein determining whether the executable meets the one or more first predetermined criteria does not comprise comparing the executable with a virus signature.
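The two-stage profiling recited in claims 1, 25 and 26, written out as an added Python example (not code from the patent or its assignee): a static first risk level from the two named criteria, a process that starts at that level, a second level computed from runtime criteria, and a responsive action when the second level exceeds the threshold. The weights, the threshold, the sample executables and the names of the second-stage criteria are constructed assumptions, since the claims leave them open.

```python
from dataclasses import dataclass, field

# Constructed weights for the first (static) criteria named in claim 1.
STATIC_CRITERIA = {
    "is_service": 2,          # executable configured as a service
    "privileged_account": 3,  # configured to run under a highly privileged account
}
# Constructed weights for second (process) criteria; the claims leave these
# open, so the criterion names are hypothetical.
PROCESS_CRITERIA = {
    "listens_on_network": 2,
    "writes_startup_location": 3,
    "spawned_shell": 2,
}
THREAT_THRESHOLD = 6  # constructed threat detection threshold

@dataclass
class Executable:
    path: str
    is_service: bool = False
    privileged_account: bool = False

@dataclass
class Process:
    exe: Executable
    pid: int
    observations: dict = field(default_factory=dict)
    risk_level: int = 0

def static_risk(exe: Executable) -> int:
    """First risk level: static criteria only; no signature comparison."""
    return sum(w for name, w in STATIC_CRITERIA.items() if getattr(exe, name))

def start_process(exe: Executable, pid: int) -> Process:
    """A new process is initially associated with the executable's first level."""
    return Process(exe=exe, pid=pid, risk_level=static_risk(exe))

def update_process_risk(proc: Process, observations: dict) -> int:
    """Second risk level: first level plus every matched runtime criterion."""
    proc.observations.update(observations)
    proc.risk_level = static_risk(proc.exe) + sum(
        w for name, w in PROCESS_CRITERIA.items() if proc.observations.get(name))
    return proc.risk_level

def responsive_action(proc: Process) -> str:
    """Predetermined response once the second level exceeds the threshold."""
    return "suspend_and_alert" if proc.risk_level > THREAT_THRESHOLD else "monitor"
```

A privileged service scores 5 at rest and is only monitored; one matched runtime criterion lifts it to 7 and triggers the response, whereas an unprivileged, non-service binary needs more runtime evidence before crossing the same threshold.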