Host intrusion prevention system using software and user behavior analysis
First Claim
1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
A) monitoring a user interaction with a computer, the user interaction including a plurality of user behaviors by a single user during a usage session, for a first indication of a user behavior, wherein the first indication of the user behavior is a result of comparing the user interaction with one of a plurality of predetermined behaviors, referred to as behavioral genes, where each one of the behavior genes is stored for reference in a database;
B) monitoring a computer code process executing during the usage session for a first indication of a first code operation, wherein the first indication of the first code operation is a result of comparing the first code operation with one of a plurality of predetermined code behaviors, referred to as code genes, where each one of the code genes is stored for reference in a database;
C) performing step B) a number of times to collect a first plurality of code operation indications;
D) comparing a combination of the first indication of user behavior and the first plurality of code operation indications to a first predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer;
E) based on a detection of a collection of known malicious behaviors in step D), performing the following steps to obtain an increased level of confidence that a known family of malware is present;
E1) monitoring the user interaction for a second indication of a second user behavior, wherein the second indication of the second user behavior is a result of comparing the user interaction with one of the behavioral genes;
E2) monitoring the computer code process executing during the usage session for a second indication of a second code operation, wherein the second indication of the second code operation is a result of comparing the second code operation with one of the code genes;
E3) performing step E2 a second number of times to collect a second plurality of code operation indications;
E4) comparing a second combination of the second user behavior and the second plurality of code operation indications to a second phenotype which comprises a second grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
F) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the second phenotype.
Abstract
In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session.
19 Claims
18. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
A) monitoring a user interaction with a computer, the user interaction including a plurality of user behaviors by a single user during a usage session, for a first indication of a user behavior, wherein the first indication of the user behavior is a result of comparing the user interaction with one of a plurality of predetermined behaviors, referred to as behavioral genes, where each one of the behavioral genes is stored for reference in a database;
B) monitoring a computer code process executing during the usage session for a first indication of a first code operation, wherein the first indication of the first code operation is a result of comparing the first code operation with one of a plurality of predetermined code behaviors, referred to as code genes, where each one of the code genes is stored for reference in a database;
C) performing step A) a number of times to collect a first plurality of user behavior indications;
D) comparing a combination of the first indication of the first code operation and the first plurality of user behavior indications to a first predetermined collection of code operation-user behavior indications, referred to as a phenotype, which comprises a grouping of specific code and behavioral genes that are typically present in a type of malicious usage session with a computer;
E) based on a detection of a collection of known malicious behaviors in step D), performing the following steps to obtain an increased level of confidence that a known family of malware is present;
E1) monitoring the user interaction for a second indication of a second user behavior, wherein the second indication of the second user behavior is a result of comparing the user interaction with one of the behavioral genes;
E2) monitoring the computer code process executing during the usage session for a second indication of a second code operation, wherein the second indication of the second code operation is a result of comparing the second code operation with one of the code genes;
E3) performing step E1 a second number of times to collect a second plurality of user behavior indications;
E4) comparing a second combination of the second plurality of user behavior indications and the second code operation indication to a second phenotype which comprises a second grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
F) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the second phenotype.
19. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
A) monitoring a user interaction with a computer, the user interaction including a plurality of user behaviors by a single user during a usage session, for a first indication of a user behavior, wherein the first indication of the user behavior is a result of comparing the user interaction with one of a plurality of predetermined behaviors, referred to as behavioral genes, where each one of the behavioral genes is stored for reference in a database;
B) storing the first indication of the user behavior with a computer code process relating to the user interaction with the computer during the usage session;
C) monitoring the computer code process relating to the user interaction with the computer during the usage session for a first indication of a first code operation, wherein the first indication of the first code operation is a result of comparing the first code operation with one of a plurality of predetermined code behaviors, referred to as code genes, where each one of the code genes is stored for reference in a database;
D) performing step C) a number of times to collect a first plurality of code operation indications;
E) comparing a combination of the first indication of the user behavior and the first plurality of code operation indications to a predetermined collection of user behavior-code operation indications, referred to as a phenotype, which comprises a grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer;
F) based on a detection of a collection of known malicious behaviors in step E), performing the following steps to obtain an increased level of confidence that a known family of malware is present;
F1) monitoring the user interaction for a second indication of a second user behavior, wherein the second indication of the second user behavior is a result of comparing the user interaction with one of the behavioral genes;
F2) monitoring the computer code process during the usage session for a second indication of a second code operation, wherein the second indication of the second code operation is a result of comparing the second code operation with one of the code genes;
F3) performing step F2 a second number of times to collect a second plurality of code operation indications;
F4) comparing a second combination of the second user behavior and the second plurality of code operation indications to a second phenotype which comprises a second grouping of specific behavioral and code genes that are typically present in a type of malicious usage session with a computer; and
G) causing an action based on a prediction that the user interaction is the type of malicious usage session as indicated by the second phenotype.
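The independent claims above all describe the same two-stage detection flow: raw user actions and process operations are matched against a stored set of predetermined "genes", the collected indications are compared to a first phenotype (a grouping of behavioral and code genes), and a match on that phenotype switches the monitor into a confirmation stage that collects a second combination of indications and compares it to a family-specific second phenotype before any action is taken. The Python below is an added illustration of that flow, not code from the patent or from any assignee's product. The gene database, phenotype contents, event format, session samples and action names are all constructed for the example; the stage-1 phenotype uses the claim 18 shape (several user behaviors plus one code operation) and the stage-2 family phenotype uses the claim 1 shape (one user behavior plus several code operations), and the per-process association of claim 19 step B) is simplified to a single per-session event stream.

```python
"""Two-stage gene/phenotype session analysis, modelled on the claims (illustrative only)."""
from dataclasses import dataclass

# "Databases" of predetermined behaviors: raw indicator -> gene identifier.
# Indicator and gene names are constructed for this example.
BEHAVIORAL_GENES = {
    "open_email_attachment": "BG_OPEN_ATTACHMENT",
    "enable_macros_prompt_accept": "BG_ENABLE_MACROS",
    "disable_av_setting": "BG_DISABLE_AV",
}
CODE_GENES = {
    "spawn_shell_from_office": "CG_OFFICE_SPAWNS_SHELL",
    "write_run_key": "CG_PERSISTENCE_RUN_KEY",
    "inject_remote_thread": "CG_PROCESS_INJECTION",
    "encrypt_many_user_files": "CG_MASS_FILE_ENCRYPT",
}


@dataclass(frozen=True)
class Phenotype:
    """A grouping of behavioral and code genes typically present together in a malicious session."""
    name: str
    behavioral: frozenset
    code: frozenset

    def matches(self, behaviors: set, code_ops: set) -> bool:
        # Every gene in the grouping must have been indicated in the session.
        return self.behavioral <= behaviors and self.code <= code_ops


# Stage 1: a coarse phenotype that only says "this session looks like a malicious usage session".
STAGE1_PHENOTYPE = Phenotype(
    "suspicious_document_session",
    frozenset({"BG_OPEN_ATTACHMENT", "BG_ENABLE_MACROS"}),
    frozenset({"CG_OFFICE_SPAWNS_SHELL"}),
)
# Stage 2: family-specific phenotypes checked only after stage 1 has matched (constructed families).
STAGE2_PHENOTYPES = (
    Phenotype("family_x_ransomware", frozenset({"BG_DISABLE_AV"}),
              frozenset({"CG_PERSISTENCE_RUN_KEY", "CG_MASS_FILE_ENCRYPT"})),
    Phenotype("family_y_injector", frozenset(), frozenset({"CG_PROCESS_INJECTION"})),
)


def gene_for(source: str, indicator: str):
    """Compare a raw user action or code operation with the stored genes; None means no indication."""
    database = BEHAVIORAL_GENES if source == "user" else CODE_GENES
    return database.get(indicator)


def analyze_session(events) -> dict:
    """Run the two-stage comparison over a session's (source, indicator) events in order."""
    behaviors, code_ops = set(), set()      # first combination of indications
    behaviors2, code_ops2 = set(), set()    # second combination, collected after stage 1 fires
    stage1_hit = False
    for source, indicator in events:
        gene = gene_for(source, indicator)
        if gene is None:
            continue  # not a predetermined behavior, so no indication is recorded
        if not stage1_hit:
            (behaviors if source == "user" else code_ops).add(gene)
            if STAGE1_PHENOTYPE.matches(behaviors, code_ops):
                stage1_hit = True  # enter the confirmation stage
        else:
            (behaviors2 if source == "user" else code_ops2).add(gene)
            for phenotype in STAGE2_PHENOTYPES:
                if phenotype.matches(behaviors2, code_ops2):
                    return {"stage1": True, "family": phenotype.name,
                            "action": "terminate_and_quarantine"}
    if stage1_hit:
        # Stage 1 matched but no family was confirmed: raise scrutiny rather than block.
        return {"stage1": True, "family": None, "action": "elevate_monitoring"}
    return {"stage1": False, "family": None, "action": "allow"}


# Constructed sample sessions.
MALICIOUS_SESSION = [
    ("user", "open_email_attachment"), ("user", "enable_macros_prompt_accept"),
    ("code", "spawn_shell_from_office"),           # stage 1 matches here
    ("code", "write_run_key"), ("user", "disable_av_setting"),
    ("code", "download_large_file"),               # unknown indicator, ignored
    ("code", "encrypt_many_user_files"),           # family_x phenotype completes here
]
BENIGN_SESSION = [("user", "open_email_attachment"), ("code", "write_run_key")]
AMBIGUOUS_SESSION = [
    ("user", "open_email_attachment"), ("user", "enable_macros_prompt_accept"),
    ("code", "spawn_shell_from_office"), ("code", "write_run_key"),
]

if __name__ == "__main__":
    for label, session in (("malicious", MALICIOUS_SESSION), ("benign", BENIGN_SESSION),
                           ("ambiguous", AMBIGUOUS_SESSION)):
        print(label, analyze_session(session))
```

The second-stage sets are kept separate from the first so that the family decision rests on indications gathered after the coarse match, which is what gives the "increased level of confidence" the claims describe; a session that trips stage 1 but never completes a family phenotype is only escalated, not blocked.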