Methods, systems, and media for detecting covert malware
Abstract
Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.
32 Claims
1. A method for detecting covert malware in a computing environment, the method comprising:
- generating simulated user activity outside of the computing environment;
- conveying the simulated user activity to an application inside the computing environment;
- determining whether state information of the application matches an expected state after the simulated user activity is conveyed to the application;
- determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity, wherein the decoy includes at least part of the simulated user activity and wherein the decoy is inside the computing environment; and
- in response to determining that the decoy has been accessed by the unauthorized entity, determining that covert malware is present in the computing environment.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15

14. A method for detecting covert malware in a computing environment, the method comprising:
- defining simulated user activity by a formal language, wherein actual user activity is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of a decoy and cover actions that support believability of the simulated user activity and the decoy;
- generating the simulated user activity outside of the computing environment;
- conveying the simulated user activity to an application inside the computing environment; and
- determining whether the decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

16. A system for detecting covert malware in a computing environment, the system comprising:
a hardware processor that:
- generates simulated user activity outside of the computing environment;
- conveys the simulated user activity to an application inside the computing environment;
- determines whether state information of the application matches an expected state after the simulated user activity is conveyed to the application;
- determines whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity, wherein the decoy includes at least part of the simulated user activity and wherein the decoy is inside the computing environment; and
- in response to determining that the decoy has been accessed by the unauthorized entity, determines that covert malware is present in the computing environment.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29

30. A system for detecting covert malware in a computing environment, the system comprising:
a hardware processor that:
- defines simulated user activity by a formal language, wherein actual user activity is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of a decoy and cover actions that support believability of the simulated user activity and the decoy;
- generates the simulated user activity outside of the computing environment;
- conveys the simulated user activity to an application inside the computing environment; and
- determines whether the decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

31. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting covert malware in a computing environment, the method comprising:
- generating simulated user activity outside of the computing environment;
- conveying the simulated user activity to an application inside the computing environment;
- determining whether state information of the application matches an expected state after the simulated user activity is conveyed to the application;
- determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity, wherein the decoy includes at least part of the simulated user activity and wherein the decoy is inside the computing environment; and
- in response to determining that the decoy has been accessed by the unauthorized entity, determining that covert malware is present in the computing environment.

32. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting covert malware in a computing environment, the method comprising:
- defining simulated user activity by a formal language, wherein actual user activity is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of a decoy and cover actions that support believability of the simulated user activity and the decoy;
- generating the simulated user activity outside of the computing environment;
- conveying the simulated user activity to an application inside the computing environment; and
- determining whether the decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

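An added illustration of the method in the abstract and in claims 1 and 14, not code from the patent or its assignee: a session script built from cover and carry actions is replayed into an application, the application state is checked against the expected state, and a login log is searched for use of the decoy. The `ToyApp` class, the action verbs, the log record layout and all addresses are hypothetical, and "access" is assumed here to mean use of the decoy credential from any source other than the simulator.

```python
import secrets

SIM_IP = "192.0.2.10"  # constructed: address of the external simulator

def make_decoy(user="alice.decoy"):
    # Unique per session, so any later use is attributable to this run.
    return {"user": user, "password": "dk-" + secrets.token_hex(8)}

def build_script(decoy):
    # Cover actions add believability; carry actions convey the decoy.
    return [
        ("cover", "navigate", "https://bank.example/login"),
        ("cover", "pause", 1.5),
        ("carry", "type", ("username", decoy["user"])),
        ("carry", "type", ("password", decoy["password"])),
        ("cover", "click", "submit"),
    ]

class ToyApp:
    # Hypothetical stand-in for the application inside the environment.
    def __init__(self, drop_input=False):
        self.fields, self.page, self.drop_input = {}, None, drop_input
    def apply(self, verb, arg):
        if verb == "navigate":
            self.page = arg
        elif verb == "type" and not self.drop_input:
            self.fields[arg[0]] = arg[1]
        elif verb == "click":
            self.page = "submitted"

def convey_and_verify(app, script, decoy):
    # Replay the script, then compare application state with the expected state.
    for _kind, verb, arg in script:
        app.apply(verb, arg)
    expected = {"username": decoy["user"], "password": decoy["password"]}
    return app.fields == expected and app.page == "submitted"

def decoy_accesses(log, decoy, simulator_ip=SIM_IP):
    # Assumption: decoy use from any source but the simulator is unauthorized.
    return [e for e in log
            if e["user"] == decoy["user"] and e["src"] != simulator_ip]

SAMPLE_LOG = [  # constructed login records, not real data
    {"user": "alice.decoy", "src": "192.0.2.10"},
    {"user": "bob", "src": "198.51.100.7"},
    {"user": "alice.decoy", "src": "203.0.113.66"},
]
def covert_malware_present(log, decoy):
    return bool(decoy_accesses(log, decoy))
```

A failed state check (for example `ToyApp(drop_input=True)`) means the decoy never reached the application, so an empty access list from that session says nothing about whether malware is present.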
Specification