Behavioral-based host intrusion prevention system
Abstract
In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed.
20 Claims
1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored for reference in a database and wherein the gene relates to at least one of API calls, registry access, process manipulation, and file system access;
performing the monitoring step a number of times to collect a plurality of malicious behavior indications;
comparing the plurality of malicious behavior indications to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code, and wherein the phenotype is one of a number of phenotypes that are ranked to create increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;
triggering a content analysis of the executing computer process when the plurality of malicious behavior indications for the executing computer process corresponds to one of the number of phenotypes having a predetermined level of confidence that the executing computer process contains a known family of malware, thereby providing a prediction that the executing computer process is the type of malicious code; and
causing an action based on the prediction.
Dependent claims: 2 through 11.
12. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
progressively monitoring a process executing on a computer for an indication of malicious behavior, thereby providing a plurality of malicious behavior indications, wherein monitoring the process includes monitoring at least one of API calls, registry access, process manipulation, and file system access;
comparing the plurality of malicious behavior indications to a collection of malicious behaviors in order to categorize the process according to a phenotype, wherein the phenotype is one of a number of phenotypes that are ranked to create increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;
triggering a content analysis of the process when the plurality of malicious behavior indications for the process corresponds to one of the number of phenotypes having a predetermined level of confidence that the process contains a known family of malware, thereby providing a prediction; and
causing at least one action based upon the prediction.
Dependent claims: 13 through 20.
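The gene/phenotype pipeline the claims describe, as an added example that is not the patent's own code or any vendor's implementation: genes are predicates over a single observed operation (file, registry, process), phenotypes are ranked gene groupings whose rank is a confidence value, and content analysis of the process image is triggered only once the best-matching phenotype reaches a threshold. The gene and phenotype names, the 0.60 threshold, the hash-lookup stand-in for content analysis, the process image bytes and the event stream are all constructed for the illustration.

```python
"""Gene/phenotype matcher for behavioural detection (added illustration, not the patent's code)."""
import hashlib
from dataclasses import dataclass

# Genes: one predicate per predetermined behaviour. Each event is a constructed dict
# carrying the category the claims enumerate (registry / process / file), an op and a target.
GENES = {
    "drop_exe_in_temp": lambda e: e["cat"] == "file" and e["op"] == "write"
                        and "\\temp\\" in e["target"].lower() and e["target"].lower().endswith(".exe"),
    "persist_run_key": lambda e: e["cat"] == "registry" and e["op"] == "set"
                       and "\\currentversion\\run\\" in e["target"].lower(),
    "write_foreign_memory": lambda e: e["cat"] == "process" and e["op"] == "WriteProcessMemory",
    "remote_thread": lambda e: e["cat"] == "process" and e["op"] == "CreateRemoteThread",
}


@dataclass(frozen=True)
class Phenotype:
    name: str
    genes: frozenset      # genes that must all have been observed for this phenotype to match
    confidence: float     # rank: a phenotype holding a superset of genes carries higher confidence


# Ranked phenotypes (constructed). Each higher entry contains the genes of the one below it.
PHENOTYPES = sorted([
    Phenotype("persistence_only", frozenset({"persist_run_key"}), 0.30),
    Phenotype("dropper", frozenset({"drop_exe_in_temp", "persist_run_key"}), 0.60),
    Phenotype("injecting_dropper",
              frozenset({"drop_exe_in_temp", "persist_run_key", "write_foreign_memory", "remote_thread"}), 0.90),
], key=lambda p: p.confidence)

ANALYSIS_THRESHOLD = 0.60  # assumed: content analysis runs only once a phenotype of this confidence matches

# Constructed stand-in for the content analysis: a hash lookup against a known-family table.
DROPPER_IMAGE = b"MZ\x90\x00constructed-dropper-image-bytes"
KNOWN_FAMILY_HASHES = {hashlib.sha256(DROPPER_IMAGE).hexdigest(): "ConstructedDropper.A"}


class ProcessMonitor:
    def __init__(self, pid, image_bytes):
        self.pid = pid
        self.image = image_bytes
        self.indications = []        # malicious behaviour indications collected so far, in order
        self.content_checked = False
        self.family = None

    def observe(self, event):
        """One monitoring step: compare the operation against every gene, then re-classify."""
        for name, matches in GENES.items():
            if matches(event) and name not in self.indications:
                self.indications.append(name)
        return self.classify()

    def best_phenotype(self):
        observed = set(self.indications)
        hits = [p for p in PHENOTYPES if p.genes <= observed]
        return hits[-1] if hits else None   # PHENOTYPES is sorted, so the last hit is the top rank

    def content_analysis(self):
        """Runs only above the threshold; cached so the image is inspected once per process."""
        if not self.content_checked:
            self.content_checked = True
            self.family = KNOWN_FAMILY_HASHES.get(hashlib.sha256(self.image).hexdigest())
        return self.family

    def classify(self):
        """Return (phenotype, family, action) for the indications seen so far."""
        p = self.best_phenotype()
        if p is None:
            return ("none", None, "continue")
        if p.confidence < ANALYSIS_THRESHOLD:
            return (p.name, None, "continue")   # below threshold: keep collecting indications
        family = self.content_analysis()
        action = "terminate_and_quarantine" if family else "suspend_and_alert"
        return (p.name, family, action)


# Constructed event stream for one process: drop an exe, persist it, then inject into explorer.exe.
EVENTS = [
    {"cat": "file", "op": "write", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"},
    {"cat": "registry", "op": "set", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"cat": "process", "op": "OpenProcess", "target": "explorer.exe"},
    {"cat": "process", "op": "WriteProcessMemory", "target": "explorer.exe"},
    {"cat": "process", "op": "CreateRemoteThread", "target": "explorer.exe"},
]


def run(events, image_bytes):
    """Feed events progressively and return the classification after each one."""
    mon = ProcessMonitor(pid=1234, image_bytes=image_bytes)
    return [mon.observe(e) for e in events]


if __name__ == "__main__":
    for step in run(EVENTS, DROPPER_IMAGE):
        print(step)
```

Two behaviours of the ranking are worth noting. A process that only writes a Run key matches `persistence_only`, which sits below the threshold, so its image is never inspected; that is what keeps ordinary installers from being scanned on every autostart registration. Once the `dropper` phenotype is reached the content analysis runs once and its result is cached, so the later `injecting_dropper` match raises the rank without re-hashing the image, and an unknown image at that rank still yields a suspend-and-alert action rather than silence.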