Behavior blocking utilizing positive behavior system and method
First Claim
Patent Images
1. A method comprising:
- decreasing a suspicion of a negative action by an application if said application has previously performed a positive action comprising setting an increment value of a suspicion level counter for said negative action to a first value, wherein said positive action is use of a user interface element by said application to have a user interaction with a user,wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said method further comprising setting said increment value of said suspicion level counter for said negative action to a second value greater than said first value; and
incrementing said suspicion level counter by said increment value.
2 Assignments
0 Petitions
Accused Products
Abstract
A method includes decreasing a suspicion of a negative action by an application if the application has previously performed a positive action. The positive action is an action that is never or rarely taken by malicious code. In one example, the positive action is use of a user interface element by the application to have a user interaction with a user of the computer system. By taking into consideration the positive action by the application, the occurrence of false positives is minimized.
273 Citations
21 Claims
-
1. A method comprising:
-
decreasing a suspicion of a negative action by an application if said application has previously performed a positive action comprising setting an increment value of a suspicion level counter for said negative action to a first value, wherein said positive action is use of a user interface element by said application to have a user interaction with a user, wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said method further comprising setting said increment value of said suspicion level counter for said negative action to a second value greater than said first value; and incrementing said suspicion level counter by said increment value. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method comprising:
-
determining that an action by an application is a negative action; determining if said application has had a previous positive action prior to said negative action, wherein said positive action is use of a user interface element by said application to have a user interaction with a user, wherein if a determination is made that said application has had said previous positive action prior to said negative action, said method further comprising setting an increment value of a suspicion level counter for said negative action to a first value, wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said method further comprising setting said increment value of said suspicion level counter for said negative action to a second value, wherein said first value is less than said second value; and incrementing said suspicion level counter by said increment value. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
-
-
21. A computer readable storage medium comprising instructions for a behavior blocking application, said behavior blocking application when executed determines that an action by an application is a negative action;
-
said behavior blocking application further for determining if said application has had a previous positive action prior to said negative action, wherein said positive action is use of a user interface element by said application to have a user interaction with a user, wherein if a determination is made that said application has had said previous positive action prior to said negative action, said behavior blocking application further for setting an increment value of a suspicion level counter for said negative action to a first value, wherein if a determination is made that said application has not had said previous positive action prior to said negative action, said behavior blocking application further for setting said increment value of said suspicion level counter for said negative action to a second value, wherein said first value is less than said second value; and said behavior blocking application further for incrementing said suspicion level counter by said increment value.
-
Specification