White list creation in behavior monitoring system

US 8,161,552 B1
Filed: 09/23/2009
Issued: 04/17/2012
Est. Priority Date: 09/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:

detecting execution of a process;

determining that the process has a valid digital signature;

determining that the process is not launched from a removable storage device;

determining that the process is not enabled to make an inbound connection to the computing device;

determining that the process is not enabled to make an outbound connection to an external component from the computing device; and

automatically updating the white list with a process identifier associated with said process, thereby maintaining the white list without human intervention.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A white list (or exception list) for a behavior monitoring system for detecting unknown malware on a computing device is maintained automatically without human intervention. A white list contains process IDs and other data relating to processes that are determined to be (or very likely be) free of malware. If a process is on this list, the rule matching operations of a conventional behavior monitor are not performed, thereby saving processing resources on the computing device. When a process start up is detected, the behavior monitor performs a series of checks or tests. If the process has all valid digital signatures and is not launched from a removable storage device (such as a USB key) and is not enabled to make any inbound or outbound connections, it is eligible for being on the white list. The white list is also automatically maintained by removing process IDs for processes that have terminated or which attempt to make a new outbound or inbound connection, such as a TCP/UDP connection. Scheduled integrity checks on the white list are also performed by examining the process stack for each process to ensure that there are no abnormal files in the process stack.

Citations

19 Claims

1. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:
- detecting execution of a process;
  
  determining that the process has a valid digital signature;
  
  determining that the process is not launched from a removable storage device;
  
  determining that the process is not enabled to make an inbound connection to the computing device;
  
  determining that the process is not enabled to make an outbound connection to an external component from the computing device; and
  
  automatically updating the white list with a process identifier associated with said process, thereby maintaining the white list without human intervention.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as recited in claim 1 further comprising:
    - detecting a new connection being made by the process in the computing device;
      
      obtaining the process identifier of the process;
      
      determining that the process identifier is on the white list; and
      
      removing the process identifier from the white list.
  - 3. A method as recited in claim 2 wherein said detecting is performed by a behavior monitoring service component of the behavior monitor system.
  - 4. A method as recited in claim 2 further comprising:
    - receiving notification of the new connection from a network input/output module in the computing device.
  - 5. A method as recited in claim 1 further comprising:
    - detecting termination of the process;
      
      determining that the process identifier for the process is on the white list; and
      
      removing the process identifier from the white list.
  - 6. A method as recited in claim 1 further comprising:
    - analyzing the process to obtain a process stack corresponding to the process;
      
      determining that the process stack contains abnormal files; and
      
      removing the process identifier from the list.
  - 7. A method as recited in claim 6 further comprising:
    - determining that files in the stack have valid digital signatures; and
      
      removing the process ID from the white list.

8. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:
- receiving an indication that a process is executing;
  
  automatically updating the white list with a process identifier associated with said process when it is determined that the process has a valid digital signature and that the process is not launched from a removable storage device and that the process is not enabled to make an inbound connection to the computing device and that the process is not enabled to make an outbound connection to an external component from the computing device; and
  
  removing the process identifier from the white list when the behavior monitoring system detects a new connection being made by the process.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A method as recited in claim 8 further comprising:
    - receiving notification of the new connection from a network input/output module in the computing device.
  - 10. A method as recited in claim 8 further comprising:
    - receiving an indication that the process is terminating;
      
      determining that the process identifier for the process is on the white list; and
      
      removing the process identifier from the white list.
  - 11. A method as recited in claim 8 further comprising:
    - analyzing the process to obtain a process stack corresponding to the process;
      
      determining that the process stack contains an abnormal file; and
      
      removing the process identifier from the list.
  - 12. A method as recited in claim 11 wherein the abnormal file is not a .ddl file or an .exe file.
  - 13. A method as recited in claim 11 further comprising:
    - determining that files in the stack do not have valid digital signatures; and
      
      removing the process ID from the white list.

14. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:
- detecting execution of a process;
  
  automatically updating the white list with a process identifier associated with said process when it is determined that the process has a valid digital signature and that the process is not launched from a removable storage device and that the process is not enabled to make an inbound connection to the computing device and that the process is not enabled to make an outbound connection to an external component from the computing device; and
  
  removing the process identifier from the list when the behavior monitoring system determines that a process stack corresponding to the process contains abnormal files.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. A method as recited in claim 14 further comprising:
    - detecting a new connection being made by the process in the computing device;
      
      obtaining the process identifier is on the white list; and
      
      removing the process identifier from the white list.
  - 16. A method as recited in claim 15 wherein said detecting is performed by a behavior monitoring service component of the behavior monitor system.
  - 17. A method as recited in claim 15 further comprising:
    - receiving notification of the new connection from a network input/output module in the computing device.
  - 18. A method as recited in claim 14 further comprising:
    - detecting termination of the process;
      
      determining that the process identifier for the process is on the white list; and
      
      removing the process identifier from the white list.
  - 19. A method as recited in claim 14 further comprising:
    - determining that files in the stack have valid digital signatures; and
      
      removing the process identifier from the white list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Lu, Yi, Sun, Chih Yao, Tang, Dibin, Yang, Ruifeng, Shu, Peng, Yang, Rong
Primary Examiner(s)
Lemma, Samson

Application Number

US12/565,585
Time in Patent Office

937 Days
Field of Search

726/22, 726/23, 726/24, 726/25, 726/26, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/145   the attack involving the pr...

White list creation in behavior monitoring system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

White list creation in behavior monitoring system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links