Systems and methods for detecting malicious processes by analyzing process names and process characteristics
First Claim
1. A computer-implemented method for detecting malicious processes based at least in part on an analysis of process names, the method comprising:
- identifying a process;
- identifying a process name for the process;
- identifying a list of known non-malicious processes, wherein the list of known non-malicious processes identifies, for each non-malicious process within the list, at least one of:
  - at least one process name associated with the non-malicious process;
  - at least one acceptable file location from which the non-malicious process may execute;
- determining, at least in part by comparing the process name for the process with the list of known non-malicious processes, that the process represents an attempt to mimic a process name of at least one known non-malicious process;
- determining, based on the determination that the process represents an attempt to mimic the process name of at least one known non-malicious process, that the process represents a security risk;
- preventing the process from executing;
- wherein at least a portion of the method is performed by a computing device comprising at least one processor.
2 Assignments
0 Petitions
Abstract
A computer-implemented method for detecting a malicious process using file-name heuristics may comprise: 1) identifying a process, 2) identifying a process name for the process, 3) identifying a list of process names for non-malicious processes, and 4) determining, by comparing the process name for the process with the list of process names for non-malicious processes, whether to allow the process to execute. A method for maintaining a database containing information about non-malicious processes is also disclosed. Corresponding systems and computer-readable media are also disclosed.
22 Citations
18 Claims
1. Independent claim; its text is given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer-implemented method for maintaining a database containing information about known non-malicious processes, the method comprising:
- receiving a process-information request from a client-side computing system, wherein the process-information request identifies at least one process;
- identifying a database that contains information about known non-malicious processes, wherein the database identifies, for each non-malicious process within the database, at least one of:
  - at least one process name associated with the non-malicious process;
  - at least one acceptable file location from which the non-malicious process may execute;
- determining, by comparing information contained within the process-information request received from the client-side computing system with the information about known non-malicious processes contained within the database, that the process identified in the process-information request represents an attempt to mimic a process name of at least one known non-malicious process;
- providing an indication to the client-side computing system that the process represents an attempt to mimic the process name of at least one known non-malicious process in order to enable the client-side computing system to determine whether the process represents a security risk.

Dependent claims: 12, 13, 14, 15, 16, 18.
17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by a computing device, cause the computing device to:
- identify a process;
- identify a process name for the process;
- identify a list of known non-malicious processes, wherein the list of known non-malicious processes identifies, for each non-malicious process within the list, at least one of:
  - at least one process name associated with the non-malicious process;
  - at least one acceptable file location from which the non-malicious process may execute;
- determine, at least in part by comparing the process name for the process with the list of known non-malicious processes, that the process represents an attempt to mimic a process name of at least one known non-malicious process;
- determine, based on the determination that the process represents an attempt to mimic the process name of at least one known non-malicious process, that the process represents a security risk;
- prevent the process from executing.
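The check described in claims 1 and 17 (compare a process name and its file location against a list of known non-malicious processes, flag an attempt to mimic a known name, and block) and the request/indication exchange of claim 11, as an added Python illustration. This is not code from the patent or from any product built on it. The allowlist entries, the sample paths, and the single-character edit-distance threshold used to decide that one name imitates another are constructed assumptions; the patent itself does not specify a particular name-similarity heuristic.

```python
"""Illustration (not the patent's own code) of the process-name heuristic:
a process is a security risk when its name matches a known non-malicious
process but it runs from a location that is not acceptable for that
process, or when its name closely imitates a known process name."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class KnownProcess:
    """One entry of the 'list of known non-malicious processes'."""
    name: str                         # canonical process name, lower case
    acceptable_locations: frozenset   # directories it may execute from


# Constructed sample allowlist (assumption: a real deployment would fill
# this from the server-side database of claim 11).
KNOWN_GOOD: List[KnownProcess] = [
    KnownProcess("svchost.exe", frozenset({r"c:\windows\system32", r"c:\windows\syswow64"})),
    KnownProcess("explorer.exe", frozenset({r"c:\windows"})),
    KnownProcess("lsass.exe", frozenset({r"c:\windows\system32"})),
]


@dataclass
class Verdict:
    mimics: Optional[str]   # the known name being imitated, if any
    risk: bool              # True when the process should be blocked
    reason: str


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used as a stand-in mimicry measure
    (assumption: the patent does not name a specific similarity test)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate(process_name: str, image_path: str,
             known: List[KnownProcess] = KNOWN_GOOD,
             max_distance: int = 1) -> Verdict:
    """Client-side decision for claims 1/17: name plus location check."""
    name = process_name.strip().lower()
    location = str(PureWindowsPath(image_path).parent).lower()

    # Pass 1: exact name match. Known name from an acceptable location is
    # clean; a known name from anywhere else is treated as mimicry.
    for kp in known:
        if name == kp.name:
            if location in kp.acceptable_locations:
                return Verdict(None, False, "known process from an acceptable location")
            return Verdict(kp.name, True,
                           f"known name running from unexpected location {location}")

    # Pass 2: no exact match, so look for a near-identical name
    # (e.g. a digit swapped in for a letter).
    for kp in known:
        if _edit_distance(name, kp.name) <= max_distance:
            return Verdict(kp.name, True, f"name imitates {kp.name}")

    return Verdict(None, False, "name not in the list; outside this heuristic")


def handle_process_information_request(request: Dict[str, str]) -> Dict[str, object]:
    """Server side of claim 11: answer a process-information request with
    an indication of mimicry; the client decides whether that is a risk."""
    verdict = evaluate(request["process_name"], request["image_path"])
    return {"process_name": request["process_name"],
            "mimics": verdict.mimics, "reason": verdict.reason}


def client_should_block(indication: Dict[str, object]) -> bool:
    """Client-side policy applied to the server's indication."""
    return indication["mimics"] is not None


if __name__ == "__main__":
    # Constructed sample observations.
    for pname, path in [("svchost.exe", r"C:\Windows\System32\svchost.exe"),
                        ("svchost.exe", r"C:\Users\Public\svchost.exe"),
                        ("svch0st.exe", r"C:\Users\Public\svch0st.exe"),
                        ("notepad.exe", r"C:\Windows\notepad.exe")]:
        v = evaluate(pname, path)
        print(f"{pname:12} {'BLOCK' if v.risk else 'allow':5} {v.reason}")
```

The two-pass order matters: exact matches are resolved before any similarity test so that a legitimate entry is never mistaken for a look-alike of another entry in the list. Comparison is on the parent directory, not the full image path, because the list stores acceptable locations rather than acceptable files.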
Specification