Systems and methods for preventing threats originating from a non-process based component hosted by a trusted process

US 8,205,257 B1
Filed: 07/28/2009
Issued: 06/19/2012
Est. Priority Date: 07/28/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process, comprising:

monitoring, by a hardware processor, loading activity of the trusted process;

altering, by the hardware processor, a trust level associated with the trusted process when an unverified component is loaded into the trusted process;

upon altering the trust level of the trusted process, monitoring, by the hardware processor, events performed by the trusted process for a suspicious activity that comprises a portable executable (“

PE”

) file modification, PE file deletion, or PE file creation;

assigning a trust level on an image file to the unverified component based on a digital signature of the unverified component;

calling, by an operating system, an application programming interface to trace code execution by the trusted process;

tracing the code execution of the suspicious activity back to an address space belonging to the unverified component that originated the suspicious activity;

determining whether security risk associated with the unverified component that originated the suspicious activity is above a predetermined threshold; and

upon determining that the security risk associated with the unverified component that originated the suspicious activity is above the predetermined threshold, terminating, by the hardware processor, the trusted process and deleting the unverified component that originated the suspicious activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process is described. The loading activity of the trusted process is monitored. A trust level associated with the trusted process is altered when an unverified component is loaded into the trusted process. Events performed by the trusted process are monitored. An unverified component that originated the event is identified. The trusted process is terminated based on a security risk associated with the unverified component that originated the event.

Citations

14 Claims

1. A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process, comprising:
- monitoring, by a hardware processor, loading activity of the trusted process;
  
  altering, by the hardware processor, a trust level associated with the trusted process when an unverified component is loaded into the trusted process;
  
  upon altering the trust level of the trusted process, monitoring, by the hardware processor, events performed by the trusted process for a suspicious activity that comprises a portable executable (“
  
  PE”
  
  ) file modification, PE file deletion, or PE file creation;
  
  assigning a trust level on an image file to the unverified component based on a digital signature of the unverified component;
  
  calling, by an operating system, an application programming interface to trace code execution by the trusted process;
  
  tracing the code execution of the suspicious activity back to an address space belonging to the unverified component that originated the suspicious activity;
  
  determining whether security risk associated with the unverified component that originated the suspicious activity is above a predetermined threshold; and
  
  upon determining that the security risk associated with the unverified component that originated the suspicious activity is above the predetermined threshold, terminating, by the hardware processor, the trusted process and deleting the unverified component that originated the suspicious activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the unverified component is a non-process based dynamic link library (“
    - DLL”
      
      ).
  - 3. The method of claim 1, wherein the suspicious activity further comprises a system configuration setting modification.
  - 4. The method of claim 1, further comprising identifying the unverified component that originated the suspicious activity.
  - 5. The method of claim 1, further comprising evaluating the security risk associated with the unverified component that originated the suspicious activity based on a run time event associated with the unverified component.
  - 6. The method of claim 1, further comprising evaluating the security risk associated with the unverified component that originated the suspicious activity based on static characteristics possessed by the unverified component in a static file format.
  - 7. The method of claim 1, wherein the unverified component comprises a non-process based plug-in or a non-process based extension to the trusted process.

8. A computer system configured to prevent threats originating from a non-process based component hosted by a trusted process, comprising:
- a processor;
  
  a memory in electronic communication with the processor, wherein the memory stores computer executable instructions that when executed by the processor cause the processor to perform the steps of;
  
  monitoring loading activity of the trusted process;
  
  altering a trust level associated with the trusted process when an unverified component is loaded into the trusted process;
  
  upon altering the trust level of the trusted process, monitoring events performed by the trusted process for a suspicious activity that comprises a portable executable (“
  
  PE”
  
  ) file modification, PE file deletion, or PE file creation;
  
  assigning a trust level on an image file to the unverified component based on a digital signature of the unverified component;
  
  calling an application programming interface to trace code execution by the trusted process;
  
  tracing the code execution of the suspicious activity back to an address space belonging to the unverified component that originated the suspicious activity;
  
  determining whether security risk associated with the unverified component that originated the suspicious activity is above a predetermined threshold; and
  
  upon determining that the security risk associated with the unverified component that originated the suspicious activity is above the predetermined threshold, terminating the trusted process and deleting the unverified component that originated the suspicious activity.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer system of claim 8, wherein the unverified component is a non-process based dynamic link library (“
    - DLL”
      
      ).
  - 10. The computer system of claim 8, wherein the suspicious activity further comprises a system configuration setting modification.
  - 11. The computer system of claim 8, wherein the executable instructions further cause the processor to perform the step of identifying the unverified component that originated the suspicious activity.
  - 12. The computer system of claim 8, wherein the executable instructions further cause the processor to perform the step of evaluating the security risk associated with the unverified component that originated the suspicious activity based on a run time event associated with the unverified component.
  - 13. The computer system of claim 8, wherein the security module is further configured to evaluate the security risk associated with the unverified component that originated the suspicious activity based on static characteristics possessed by the unverified component in a static file format.

14. A non-transitory computer-readable storage medium storing computer executable instructions that when executed by a processor cause the processor to perform the steps of:
- monitoring loading activity of the trusted process;
  
  altering a trust level associated with the trusted process when an unverified component is loaded into the trusted process;
  
  upon altering the trust level of the trusted process, monitoring events performed by the trusted process for a suspicious activity that comprises a portable executable (“
  
  PE”
  
  ) file modification, PE file deletion, or PE file creation;
  
  assigning a trust level on an image file to the unverified component based on a digital signature of the unverified component;
  
  calling an application programming interface to trace code execution by the trusted process;
  
  tracing the code execution of the suspicious activity back to an address space belonging to the unverified component that originated the suspicious activity;
  
  determining whether security risk associated with the unverified component that originated the suspicious activity is above a predetermined threshold; and
  
  upon determining that the security risk associated with the suspicious activity is above the predetermined threshold, terminating the trusted process and deleting the unverified component that originated the suspicious activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Pereira, Shane, Mann, Uri
Primary Examiner(s)
Pham, Luu

Application Number

US12/510,828
Time in Patent Office

1,057 Days
Field of Search

726 22- 24
US Class Current

726/22
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

Systems and methods for preventing threats originating from a non-process based component hosted by a trusted process

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for preventing threats originating from a non-process based component hosted by a trusted process

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links