Systems and methods for detecting malicious processes by analyzing process names and process characteristics

US 8,176,555 B1
Filed: 05/30/2008
Issued: 05/08/2012
Est. Priority Date: 05/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious processes based at least in part on an analysis of process names, the method comprising:

identifying a process;

identifying a process name for the process;

identifying a list of known non-malicious processes, wherein the list of known non-malicious processes identifies, for each non-malicious process within the list, at least one of;

at least one process name associated with the non-malicious process;

at least one acceptable file location from which the non-malicious process may execute;

determining, at least in part by comparing the process name for the process with the list of known non-malicious processes, that the process represents an attempt to mimic a process name of at least one known non-malicious process;

determining, based on the determination that the process represents an attempt to mimic the process name of at least one known non-malicious process, that the process represents a security risk;

preventing the process from executing;

wherein at least a portion of the method is performed by a computing device comprising at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting a malicious process using file-name heuristics may comprise: 1) identifying a process, 2) identifying a process name for the process, 3) identifying a list of process names for non-malicious processes, and 4) determining, by comparing the process name for the process with the list of process names for non-malicious processes, whether to allow the process to execute. A method for maintaining a database containing information about non-malicious processes is also disclosed. Corresponding systems and computer-readable media are also disclosed.

22 Citations

View as Search Results

18 Claims

1. A computer-implemented method for detecting malicious processes based at least in part on an analysis of process names, the method comprising:
- identifying a process;
  
  identifying a process name for the process;
  
  identifying a list of known non-malicious processes, wherein the list of known non-malicious processes identifies, for each non-malicious process within the list, at least one of;
  
  at least one process name associated with the non-malicious process;
  
  at least one acceptable file location from which the non-malicious process may execute;
  
  determining, at least in part by comparing the process name for the process with the list of known non-malicious processes, that the process represents an attempt to mimic a process name of at least one known non-malicious process;
  
  determining, based on the determination that the process represents an attempt to mimic the process name of at least one known non-malicious process, that the process represents a security risk;
  
  preventing the process from executing;
  
  wherein at least a portion of the method is performed by a computing device comprising at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the list of known non-malicious processes is maintained on a client-side computing system.
  - 3. The method of claim 1, wherein the list of known non-malicious processes is maintained on a server.
  - 4. The method of claim 3, wherein determining that the process represents a security risk comprises:
    - transmitting, from a client-side computing system, a process-information request that identifies the process;
      
      receiving a response to the process-information request from the server;
      
      determining, based at least in part on the response received from the server, that the process represents a security risk.
  - 5. The method of claim 4, further comprising transmitting to the server an action-taken report, the action-taken report comprising at least one of:
    - the process name for the process;
      
      an indication that the process was prevented from executing;
      
      a file location associated with the process.
  - 6. The method of claim 1, wherein determining that the process represents an attempt to mimic the process name of at least one known non-malicious process comprises at least one of:
    - determining that the process name of the process is similar to the process name of at least one known non-malicious process identified within the list of known non-malicious processes;
      
      determining that the process name of the process exactly matches the process name of at least one known non-malicious process identified within the list of known non-malicious processes, but that the process is attempting to execute from an unacceptable file location.
  - 7. The method of claim 6, wherein determining that the process name of the process is similar to the process name of at least one known non-malicious process identified within the list of known non-malicious processes comprises:
    - computing a similarity metric between the process name of the process and at least one process name identified within the list of known non-malicious processes;
      
      identifying at least one process name within the list of known non-malicious processes having a similarity metric with respect to the process name of the process that falls within a predefined inexact-match-metric range.
  - 8. The method of claim 6, wherein determining that the process name of the process exactly matches the process name of at least one known non-malicious process identified within the list of known non-malicious processes, but that the process is attempting to execute from an unacceptable file location comprises:
    - identifying an exact match for the process name of the process within the list of known non-malicious processes;
      
      identifying, within the list of known non-malicious processes, at least one acceptable file location associated with the exact match;
      
      determining that a file location associated with the process is different from each acceptable file location associated with the exact match.
  - 9. The method of claim 1, wherein determining that the process represents a security risk comprises at least one of:
    - receiving an instruction from a user to prevent the process from executing;
      
      automatically determining that the process represents a security risk.
  - 10. The method of claim 9, further comprising, prior to receiving the instruction from the user, prompting the user to allow or deny the process from executing by at least one of:
    - displaying a file location associated with the process;
      
      displaying a number of letter transformations necessary to transform the process name into at least one process name identified within the list of known non-malicious processes;
      
      displaying the process name of the process;
      
      asking the user to deny or allow the process to execute;
      
      asking the user to add the file location associated with the process to the list of known non-malicious processes;
      
      asking the user to add the process name of the process to the list of known non-malicious processes.

11. A computer-implemented method for maintaining a database containing information about known non-malicious processes, the method comprising;
- receiving a process-information request from a client-side computing system, wherein the process-information request identifies at least one process;
  
  identifying a database that contains information about known non-malicious processes, wherein the database identifies, for each non-malicious process within the database, at least one of;
  
  at least one process name associated with the non-malicious process;
  
  at least one acceptable file location from which the non-malicious process may execute;
  
  determining, by comparing information contained within the process-information request received from the client-side computing system with the information about known non-malicious processes contained within the database, that the process identified in the process-information request represents an attempt to mimic a process name of at least one known non-malicious process;
  
  providing an indication to the client-side computing system that the process represents an attempt to mimic the process name of at least one known non-malicious process in order to enable the client-side computing system to determine whether the process represents a security risk.
- View Dependent Claims (12, 13, 14, 15, 16, 18)
- - 12. The method of claim 11, wherein the process-information request comprises at least one of:
    - a process name for the process;
      
      a file location associated with the process;
      
      a digital signature associated with the process.
  - 13. The method of claim 11, wherein determining that the process represents an attempt to mimic the process name of at least one known non-malicious process comprises at least one of:
    - determining that a process name of the process is similar to the process name of at least one known non-malicious process identified within the database;
      
      determining that the process name of the process exactly matches the process name of at least one known non-malicious process identified within the database, but that a file location associated with the process represents an unacceptable file location.
  - 14. The method of claim 13, wherein determining that the process name of the process is similar to the process name of at least one known non-malicious process identified within the database comprises:
    - computing a similarity metric between the process name of the process and at least one process name in the database;
      
      identifying at least one process name in the database having a similarity metric with respect to the process name of the process that falls within a predefined inexact-match-metric range.
  - 15. The method of claim 11, further comprising:
    - receiving an action-taken report from the client-side computing system;
      
      updating the database based on information contained in the action-taken report.
  - 16. The method of claim 15, wherein the action-taken report comprises at least one of:
    - a process name for the process;
      
      a file location associated with the process;
      
      an indication as to whether the process was allowed to execute;
      
      a recommendation as to whether the process name should be added to the database;
      
      a recommendation as to whether the file location associated with the process should be added to the database as an acceptable file location.
  - 18. The method of claim 13, wherein determining that the process name of the process exactly matches the process name of at least one known non-malicious process identified within the database, but that a file location associated with the process represents an unacceptable file location comprises:
    - identifying an exact match for the process name of the process within the database;
      
      identifying, within the database, at least one acceptable file location associated with the exact match;
      
      determining that the file location associated with the process is different from each acceptable file location associated with the exact match.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by a computing device, cause the computing device to:
- identify a process;
  
  identify a process name for the process;
  
  identify a list of known non-malicious processes, wherein the list of known non-malicious processes identifies, for each non-malicious process within the list, at least one of;
  
  at least one process name associated with the non-malicious process;
  
  at least one acceptable file location from which the non-malicious process may execute;
  
  determine, at least in part by comparing the process name for the process with the list of known non-malicious processes, that the process represents an attempt to mimic a process name of at least one known non-malicious process;
  
  determine, based on the determination that the process represents an attempt to mimic the process name of at least one known non-malicious process, that the process represents a security risk;
  
  prevent the process from executing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Hernacki, Brian, Sobel, William E., Kennedy, Mark, Schreiner, Anthony, Peterson, Christopher
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Guirguis, Michael

Application Number

US12/130,812
Time in Patent Office

1,439 Days
Field of Search

726 22- 24
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Systems and methods for detecting malicious processes by analyzing process names and process characteristics

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting malicious processes by analyzing process names and process characteristics

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links