Method and apparatus for detecting harmful software
Abstract
Various embodiments for detecting harmful software are disclosed.
23 Claims
1. A method for detecting harmful running software, comprising:
- running a software application on a computing device, wherein the software application is associated with a probability that the software application is harmful, wherein the software application performs a plurality of behaviors while running, wherein each of the plurality of behaviors defines a specific action that the software application performs;
- while the software application is running, for each behavior performed by the software application;
  - determining if the behavior is required for the software application to be identified as harmful,
  - identifying the behavior as a necessary behavior if the behavior is required for the software application to be identified as harmful,
  - determining an updated probability that the software application is malicious based on the behavior, and
  - in response to the updated probability exceeding a threshold value and the software application having performed at least one necessary behavior;
    - identifying the software application as harmful, and
    - performing an action on the software application.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A method for detecting harmful running software, comprising:
- running a software application on a computing device, wherein the software application is associated with a probability that the software application is harmful, wherein the software application performs a plurality of behaviors while running, wherein each of the plurality of behaviors defines a specific action that the software application performs; and
- while the software application is running, for each behavior performed by the software application;
  - determining if the behavior is required for the software to be identified as a class of harmful software,
  - identifying the behavior as a necessary behavior if the behavior is required for the software application to be identified as a class of harmful software,
  - identifying the behavior as a sufficient behavior if the behavior is indicative of the class of harmful software, but is not a necessary behavior,
  - determining, by the computing device, an updated probability based on the behavior, and
  - in response to the updated probability exceeding a threshold value and the software application having performed all necessary behaviors associated with the class of harmful software and at least one sufficient behavior associated with the class of harmful software;
    - identifying the software application as harmful, and
    - performing an action on the software application.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20

21. A method for detecting harmful running software, comprising:
- running a software application on a computing device, wherein the software application is associated with a probability that the software application is harmful, wherein the software application performs a plurality of behaviors while running, wherein each of the plurality of behaviors defines a specific action that the software application performs; and
- while the software application is running, for each behavior performed by the software application;
  - determining if the behavior is required for the software application to be identified as a class of harmful software or if the behavior is indicative of the class of harmful software,
  - identifying the behavior as a necessary behavior if the behavior is required for the software application to be identified as a class of harmful software,
  - identifying the behavior as a sufficient behavior if the behavior is indicative of the class of harmful software, but is not a necessary behavior,
  - determining whether the behavior causes one or more low level system events, wherein each low level system event corresponds to a request made by the software application from an operating system,
  - determining, by the computing device, an updated probability based on the behavior and the one or more low level system events, and
  - in response to the updated probability exceeding a threshold value and the software application having performed all necessary behaviors associated with the class of harmful software and at least one sufficient behavior associated with the class of harmful software;
    - identifying the software application as harmful, and
    - performing an action on the software application.

Dependent claims: 22, 23
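
The decision rule of claim 12, as an added example that is not taken from the patent or its assignee: a verdict needs the updated probability above the threshold, every necessary behavior, and at least one sufficient behavior. The Bayesian odds update, the behavior names, the likelihood ratios, the prior and the threshold are all assumptions; the claims only say that an updated probability is determined.

```python
from dataclasses import dataclass, field

@dataclass
class ClassProfile:
    """Constructed profile for one class of harmful software (all values assumed)."""
    necessary: frozenset
    sufficient: frozenset
    likelihood_ratio: dict          # behavior -> P(b | harmful) / P(b | benign)
    threshold: float = 0.9

@dataclass
class ProcessState:
    probability: float              # probability initially associated with the app, 0 < p < 1
    seen: set = field(default_factory=set)

def observe(state, profile, behavior):
    """Handle one behavior; return True once all three claim-12 conditions hold."""
    state.seen.add(behavior)
    # Assumed update rule: multiply the odds by the behavior's likelihood ratio.
    lr = profile.likelihood_ratio.get(behavior, 1.0)
    odds = state.probability / (1.0 - state.probability) * lr
    state.probability = odds / (1.0 + odds)
    return (state.probability > profile.threshold
            and profile.necessary <= state.seen          # all necessary behaviors
            and bool(profile.sufficient & state.seen))   # at least one sufficient

def run(profile, prior, behaviors):
    """Feed behaviors in order; return (index of detection or None, final probability)."""
    state = ProcessState(prior)
    for i, behavior in enumerate(behaviors):
        if observe(state, profile, behavior):
            return i, state.probability   # the caller would now act on the application
    return None, state.probability

# Constructed example class; names and ratios are illustrative only.
KEYLOGGER = ClassProfile(
    necessary=frozenset({"install_keyboard_hook"}),
    sufficient=frozenset({"hide_window", "add_autorun_entry"}),
    likelihood_ratio={"install_keyboard_hook": 8.0, "hide_window": 5.0,
                      "add_autorun_entry": 6.0, "open_network_socket": 2.0},
)

if __name__ == "__main__":
    # Probability passes 0.9, but the necessary behavior never occurs: no verdict.
    print(run(KEYLOGGER, 0.05, ["hide_window", "add_autorun_entry",
                                "open_network_socket", "hide_window"]))
    # Necessary and sufficient behaviors are seen by index 2, but the verdict
    # waits until the probability also crosses the threshold at index 3.
    print(run(KEYLOGGER, 0.05, ["add_autorun_entry", "open_network_socket",
                                "install_keyboard_hook", "hide_window"]))
```

The first run shows the gating effect of the necessary-behavior condition: an application whose score alone exceeds the threshold is still not identified as harmful.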
Specification