Method and apparatus for removing harmful software
First Claim
1. A method of protection from harmful software on a computer, comprising:
using a graph rule processor, tracking a set of one or more relationships based upon the occurrence of one or more events among a plurality of nodes, the plurality of nodes representing:
a set of one or more processes on the computer and a set of one or more files on the computer, wherein the set of one or more relationships includes:
a first subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said first subset of one or more relationships excludes instance-of type relationships;
modifying a set of one or more characteristics based upon the set of one or more relationships;
tracking the set of one or more characteristics at each node of the plurality of nodes, wherein the set of one or more characteristics is passed around a graph;
based at least on a change in the set of characteristics, classifying as to be cleaned, at the computer, at least one node of the plurality of nodes;
comparing the at least one node to be cleaned against a plurality of rules, each of the plurality of rules comprising a condition and an action for each relationship;
based upon the comparison of the at least one node to be cleaned, classifying the at least one node to be cleaned as changed and placing the node in a node change queue for processing by the graph rule processor;
determining a score for the at least one changed node, wherein the score is based upon one or more potentially malicious actions the at least one changed node has performed;
if the determined score satisfies a score trigger, classifying the at least one changed node as harmful software; and
removing, at runtime, effects of the harmful software from the computer.
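The pipeline of claim 1 (relationships tracked from events, characteristics passed around the graph, a change triggering rule comparison, a node change queue, a score over potentially malicious actions, a score trigger, and removal of effects) as an added, constructed illustration in Python. This is not the patent's code nor any product's implementation: the Node and Rule types, the three rules, the action weights, the score trigger of 3, the remediation actions and the five-event sample log are all assumptions made for the example.

```python
"""Added illustration of the claim-1 graph rule processor; not the patent's code.
Rules, weights, the score trigger and the sample events are constructed."""
from collections import deque
from dataclasses import dataclass, field

TAINT = {"untrusted_origin"}   # characteristics that pass from node to node (assumed)


@dataclass(eq=False)             # identity-based equality so nodes can key dicts
class Node:
    kind: str                    # "process" or "file"
    name: str
    characteristics: set = field(default_factory=set)   # tracked at each node
    actions: set = field(default_factory=set)           # potentially malicious actions
    classification: str = "unknown"   # unknown | to_be_cleaned | changed | harmful


@dataclass
class Rule:
    """A condition and an action, evaluated per relationship of a reviewed node."""
    relation: str
    condition: object            # callable (actor, target) -> bool
    action: object               # callable (actor, target) -> None


def tag(action_name):
    """Rule action: attribute a potentially malicious action to the actor node."""
    return lambda actor, target: actor.actions.add(action_name)


# Constructed rule set and weights; a real product would carry far more of both.
RULES = [
    Rule("executed", lambda p, f: "untrusted_origin" in f.characteristics,
         tag("executes_untrusted_file")),
    Rule("wrote", lambda p, f: f.name.startswith("/usr/lib/"), tag("writes_system_file")),
    Rule("wrote", lambda p, f: f.name.startswith("/etc/cron.d/"), tag("creates_persistence")),
]
ACTION_WEIGHTS = {"executes_untrusted_file": 1, "writes_system_file": 2,
                  "creates_persistence": 2}


class GraphRuleProcessor:
    def __init__(self, rules=RULES, score_trigger=3):
        self.rules, self.score_trigger = rules, score_trigger
        self.nodes = {}            # (kind, name) -> Node
        self.edges = []            # (actor, relation, target) built from events
        self.change_queue = deque()
        self.queued = set()
        self.remediation = []      # (action, "kind:name") effects removed "at runtime"

    def node(self, kind, name):
        key = (kind, name)
        if key not in self.nodes:
            self.nodes[key] = Node(kind, name)
        return self.nodes[key]

    def observe(self, actor_key, relation, target_key):
        """Track one event as a relationship and modify characteristics from it."""
        actor, target = self.node(*actor_key), self.node(*target_key)
        self.edges.append((actor, relation, target))
        before = {n: set(n.characteristics) for n in (actor, target)}
        actor.characteristics.add(f"{relation}:{target.name}")
        if relation == "downloaded":            # content from the network (assumed seed)
            target.characteristics.add("untrusted_origin")
        # Taint passes around the graph: executing a file inherits the file's
        # taint; writing a file passes the writer's taint on to the file.
        src, dst = (target, actor) if relation == "executed" else (actor, target)
        dst.characteristics |= src.characteristics & TAINT
        for n in (actor, target):
            if n.characteristics != before[n]:  # a change in characteristics
                if n.classification not in ("changed", "harmful"):
                    n.classification = "to_be_cleaned"
                self.review(n)

    def review(self, node):
        """Compare a to-be-cleaned node against the rules for each relationship."""
        fired = False
        for actor, relation, target in self.edges:
            if actor is node:
                for rule in self.rules:
                    if rule.relation == relation and rule.condition(actor, target):
                        rule.action(actor, target)
                        fired = True
        if fired and node not in self.queued:
            node.classification = "changed"
            self.queued.add(node)
            self.change_queue.append(node)

    def score(self, node):
        return sum(ACTION_WEIGHTS.get(a, 0) for a in node.actions)

    def run(self):
        """Drain the node change queue: score, classify, and remove effects."""
        while self.change_queue:
            node = self.change_queue.popleft()
            if self.score(node) >= self.score_trigger:
                node.classification = "harmful"
                self.remove_effects(node)
        return self.remediation

    def remove_effects(self, node):
        self.remediation.append(("terminate", f"{node.kind}:{node.name}"))
        for actor, relation, target in self.edges:
            if actor is node and relation == "wrote":
                self.remediation.append(("delete", f"file:{target.name}"))
            elif actor is node and relation == "executed":
                self.remediation.append(("quarantine", f"file:{target.name}"))


SAMPLE_EVENTS = [   # constructed event log: (actor, relation, target)
    (("process", "browser"), "downloaded", ("file", "/tmp/setup.bin")),
    (("process", "setup.bin"), "executed", ("file", "/tmp/setup.bin")),
    (("process", "setup.bin"), "wrote", ("file", "/usr/lib/libsvc.so")),
    (("process", "setup.bin"), "wrote", ("file", "/etc/cron.d/update")),
    (("process", "browser"), "wrote", ("file", "/home/user/.cache/page.html")),
]


def analyse(events=SAMPLE_EVENTS):
    grp = GraphRuleProcessor()
    for actor, relation, target in events:
        grp.observe(actor, relation, target)
    return grp, grp.run()


if __name__ == "__main__":
    _, plan = analyse()
    for step in plan:
        print(*step)
```

Two design points follow the claim wording rather than convenience: rules are re-evaluated only when a node's characteristics change, so the browser, which never inherits taint and whose writes match no rule, is reviewed but never enters the change queue; and the score is computed when the queue is drained, after every action attributed to the node has been collected, so a process that crosses the trigger only by accumulating several lower-weight actions is still classified. The remediation list is what an engine would act on at runtime; here it is returned rather than executed.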
Abstract
Embodiments of the invention address the problem of removing malicious code from infected computers.
26 Claims
Claim 1 is reproduced above under First Claim. Claims 3 through 24 are dependent claims listed under claim 1 and are not reproduced on this page.
2. The method of claim 1, wherein said classifying is further based on at least autonomous action by the computer, including said tracking.
25. A computer having a method of protection from harmful software on the computer, comprising:
the computer having the method, the method including:
using a graph rule processor, tracking a set of one or more relationships based upon the occurrence of one or more events among a plurality of nodes, the plurality of nodes representing:
a set of one or more processes on the computer and a set of one or more files on the computer, wherein the set of one or more relationships includes:
a first subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said first subset of one or more relationships excludes instance-of type relationships;
modifying a set of one or more characteristics based upon the set of one or more relationships;
tracking the set of one or more characteristics at each node of the plurality of nodes, wherein the set of one or more characteristics is passed around a graph;
based at least on a change in the set of characteristics, classifying as to be cleaned, at the computer, at least one node of the plurality of nodes;
comparing the at least one node to be cleaned against a plurality of rules, each of the plurality of rules comprising a condition and an action for each relationship;
based upon the comparison of the at least one node to be cleaned, classifying the at least one node to be cleaned as changed and placing the node in a node change queue for processing by the graph rule processor;
determining a score for the at least one changed node, wherein the score is based upon one or more potentially malicious actions the at least one changed node has performed;
if the determined score satisfies a score trigger, classifying the at least one changed node as harmful software; and
removing, at runtime, effects of the harmful software from the computer.
26. A non-transitory computer readable storage medium having a method of protection from harmful software on a computer, comprising:
the computer readable storage medium operably connected to a graph rule processor and having the method, the method including instructions for causing the graph rule processor to:
track a set of one or more relationships based upon the occurrence of one or more events among a plurality of nodes, the plurality of nodes representing:
a set of one or more processes on the computer and a set of one or more files on the computer, wherein the set of one or more relationships includes:
a first subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said first subset of one or more relationships excludes instance-of type relationships;
modify a set of one or more characteristics based upon the set of one or more relationships;
track the set of one or more characteristics at each node of the plurality of nodes, wherein the set of one or more characteristics is passed around a graph;
based at least on a change in the set of one or more characteristics, classify as to be cleaned, at the computer, at least one node of the plurality of nodes;
compare the at least one node to be cleaned against a plurality of rules, each of the plurality of rules comprising a condition and an action for each relationship;
based upon the comparison of the at least one node to be cleaned, classify the at least one node to be cleaned as changed and place the node in a node change queue for processing by the graph rule processor;
determine a score for the at least one changed node, wherein the score is based upon one or more potentially malicious actions the at least one changed node has performed;
if the determined score satisfies a score trigger, classify the at least one changed node as harmful software; and
remove, at runtime, effects of the harmful software from the computer.