Detecting an audio/visual threat

US 7,941,852 B2
Filed: 10/03/2007
Issued: 05/10/2011
Est. Priority Date: 10/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method of detecting if a processing system has been compromised with audio/visual threat, wherein the method comprises:

identifying a requesting entity and a target entity, wherein the requesting entity originates one or more requests to perform an activity in relation to the target entity, and wherein the target entity comprises an audio and/or visual communication device of the processing system;

intercepting the one or more requests to perform the activity associated with the audio and/or visual communication device of the processing system;

recording the intercepted one or more requests and properties associated with the requesting entity and the target entity in an intercepted request log file; and

performing a behavioural analysis of a trend in the processing system using the intercepted request log file to determine if the processing system exhibits behavioural characteristics indicative of the processing system having been compromised with an audio/visual threat.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, computer program product and/or computer readable medium of instructions for detecting if a processing system has been compromised with audio/visual threat. The method comprises steps of intercepting one or more requests to perform an activity associated with an audio and/or visual communication device of the processing system; and performing a behavioural analysis of the processing system to determine if the processing system exhibits behavioural characteristics indicative of the processing system having been compromised with an audio/visual threat.

16 Citations

View as Search Results

20 Claims

1. A method of detecting if a processing system has been compromised with audio/visual threat, wherein the method comprises:
- identifying a requesting entity and a target entity, wherein the requesting entity originates one or more requests to perform an activity in relation to the target entity, and wherein the target entity comprises an audio and/or visual communication device of the processing system;
  
  intercepting the one or more requests to perform the activity associated with the audio and/or visual communication device of the processing system;
  
  recording the intercepted one or more requests and properties associated with the requesting entity and the target entity in an intercepted request log file; and
  
  performing a behavioural analysis of a trend in the processing system using the intercepted request log file to determine if the processing system exhibits behavioural characteristics indicative of the processing system having been compromised with an audio/visual threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the method comprises:
    - determining, using the request to perform the activity, an entity associated with the activity; and
      
      performing the behavioural analysis in relation to the entity.
  - 3. The method according to claim 2, wherein performing the behavioural analysis comprises applying one or more behavioural rules.
  - 4. The method according to claim 3, wherein the one or more behavioural rules comprises at least one of:
    - determining if the entity indicative of at least one of audio signal and visual signals being obtained by the audio and/or visual communication device;
      
      determining if the entity is being interacted via a graphical user interface currently displayed on the desktop of the processing system;
      
      determining if the entity is recording data indicative of at least one of audio data and visual data;
      
      determining if the entity was launched by the user;
      
      determining if the entity is attempting to connect to a remote network; and
      
      determining if the entity is requesting the activity to be performed at regular intervals.
  - 5. The method according to claim 1, wherein a requesting entity requests the activity to be performed in relation to a target entity, wherein the method comprises:
    - determining, using a filter module, if the activity is suspicious or non-suspicious; and
      
      in response to determining that the activity is suspicious, analysing, using an analysis module, at least one of the activity, the requesting entity and the target entity.
  - 6. The method according to claim 5, wherein the filter module filters the activity according to the requesting entity and the target entity to determine if the activity is suspicious or non-suspicious.
  - 7. The method according to claim 5, wherein the analysis module comprises a list of activity sequences indicative of an audio/visual threat, wherein analysing the suspicious activity comprises comparing the suspicious activity and at least one of activities which occurred prior to the suspicious activity and activities which occurred after the suspicious activity to the list of activity sequences, wherein in response to a positive comparison, the activity is determined to be associated with an audio/visual threat.
  - 8. The method according to claim 1, wherein performing the behavioural analysis comprises:
    - determining an entity associated with the intercepted activity;
      
      determining an entity threat value for the entity, the entity threat value being indicative of a level of threat that the entity represents to the processing system, wherein the entity threat value is determined based on one or more characteristics of the entity; and
      
      comparing the entity threat value to an entity threat threshold to identify if the entity is malicious.
  - 9. The method according to claim 8, wherein each of the one or more characteristics of the entity is associated with a respective characteristic threat value, wherein the method comprises calculating the entity threat value using at least some of the characteristic threat values for the one or more characteristics of the entity.
  - 10. The method according to claim 9, wherein at least one of the one or more characteristics of the entity is associated with a characteristic threat value formula, wherein the method comprises calculating, using the characteristic threat value formula, the characteristic threat value.

11. A system to detect if a processing system has been compromised with audio/visual threat, the system comprising:
- a processor;
  
  memory in electronic communication with the processor;
  
  an interception module configured to;
  
  identify a requesting entity and a target entity, wherein the requesting entity originates one or more requests to perform an activity in relation to the target entity, and wherein the target entity comprises an audio and/or visual communication device of the processing system;
  
  intercept the one or more requests in the processing system to perform the activity associated with the audio and/or visual communication device of the processing system;
  
  record the intercepted one or more requests and properties associated with the requesting entity and the target entity in an intercepted request log file; and
  
  an analysis module configured to;
  
  perform a behavioural analysis of a trend in the processing system using the intercepted request log file to determine if the processing system exhibits behavioural characteristics indicative of the processing system having been compromised with an audio/visual threat.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system according to claim 11, wherein the system is configured to:
    - determine, using the request to perform the activity, an entity associated with the activity; and
      
      perform the behavioural analysis in relation to the entity.
  - 13. The system according to claim 12, wherein the system is configured to apply one or more behavioural rules to perform the behavioural analysis.
  - 14. The system according to claim 13, wherein application of the one or more behavioural rules determines at least one of:
    - if the entity is indicative of at least one of audio signal and visual signals being obtained by the audio and/or visual communication device;
      
      if the entity is being interacted via a graphical user interface currently displayed on the desktop of the processing system;
      
      if the entity is recording data indicative of at least one of audio data and visual data;
      
      if the entity was launched by the user;
      
      if the entity is attempting to connect to a remote network; and
      
      if the entity is requesting the activity to be performed at regular intervals;
      
      wherein results of the application of the one or more behavioural rules is used to determine whether the processing system having been compromised with an audio/visual threat.
  - 15. The system according to claim 11, wherein a requesting entity requests the activity to be performed in relation to a target entity, wherein the system is configured to:
    - determine, using a filter module, if the activity is suspicious or non-suspicious; and
      
      analyse, using an analysis module, at least one of the activity, the requesting entity and the target entity in response to determining that the activity is suspicious.
  - 16. The system according to claim 15, wherein the filter module filters the activity according to the requesting entity and the target entity to determine if the activity is suspicious or non-suspicious.
  - 17. The system according to claim 15, wherein the analysis module comprises a list of activity sequences indicative of an audio/visual threat, wherein the system is configured to analyse the suspicious activity by comparing the suspicious activity and at least one of activities which occurred prior to the suspicious activity and activities which occurred after the suspicious activity to the list of activity sequences, wherein in response to a positive comparison, the activity is determined to be associated with an audio/visual threat.
  - 18. The system according to claim 11, wherein the system is configured to:
    - determine an entity associated with the intercepted activity;
      
      determine an entity threat value for the entity, the entity threat value being indicative of a level of threat that the entity represents to the processing system, wherein the entity threat value is determined based on one or more characteristics of the entity; and
      
      compare the entity threat value to an entity threat threshold to identify if the entity is malicious.
  - 19. The system according to claim 18, wherein each of the one or more characteristics of the entity is associated with a respective characteristic threat value, wherein the system is configured to calculate the entity threat value using at least some of the characteristic threat values for the one or more characteristics of the entity.

20. A computer program product comprising a non-transitory computer readable medium having a computer program recorded therein or thereon, the computer program being configured to detect if a processing system has been compromised with audio/visual threat, wherein the computer program product configures the client processing system to:
- identify a requesting entity and a target entity, wherein the requesting entity originates one or more requests to perform an activity in relation to the target entity, and wherein the target entity comprises an audio and/or visual communication device of the processing system;
  
  intercept the one or more requests in the processing system to perform the activity associated with the audio and/or visual communication device of the processing system;
  
  record the intercepted one or more requests and properties associated with the requesting entity and the target entity in an intercepted request log file; and
  
  perform a behavioural analysis of a trend in the processing system using the intercepted request log file to determine if the processing system exhibits behavioural characteristics indicative of the processing system having been compromised with an audio/visual threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Clausen, Simon, Repasi, Rolf
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US11/866,753
Publication Number

US 20080086775A1
Time in Patent Office

1,315 Days
Field of Search

726/22, 726/24
US Class Current

726/22
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

Detecting an audio/visual threat

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Detecting an audio/visual threat

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others