System and method for detecting malware that interferes with the user interface
First Claim
1. A method for detecting ransomware in a computer system comprising computing hardware that includes a processor and data store, a user input device and a display device, and an operating system executable on the computing hardware, the operating system including a user interface module interfaced with the user input device and the display device, the method comprising:
monitoring a current user behavior pattern based on usage of a user input device;
comparing the user behavior against a predefined reference set of behavior patterns defined as input sequences receivable via the user input device representing expected user responsiveness to interruption of normal user interactivity with the user interface module;
monitoring a current status pattern of the operating system;
comparing the current status pattern against a reference set of operating system status patterns associated with predefined ransomware behavior including interference with operating system responsiveness to user input;
in response to a result of the comparing of the current user behavior pattern against the reference set of behavior patterns being indicative of an interruption of normal user interactivity with the user interface module, and further in response to a result of the comparing of the current status pattern against the reference set of operating system status patterns being indicative of the current status pattern having a correlation to the predefined ransomware behavior, providing an indication of a positive detection of ransomware executing on the computer system.
2 Assignments
0 Petitions
Abstract
System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.
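As an added illustration (not code from the patent or its assignee), the two-signal decision described in claim 1 and the abstract, in Python: a user input monitor matches bursts of input against reference "frustration" patterns, an OS status snapshot is compared against a reference ransomware status pattern, and a decision module reports a positive detection only when both comparisons agree. Event names, status indicator names, thresholds and the sample data are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample input stream (not from the patent): (seconds, event).
USER_EVENTS = [
    (0.0, "click"), (0.3, "click"), (0.6, "click"), (0.9, "click"),
    (1.4, "key:esc"), (1.7, "key:esc"),
    (2.0, "key:ctrl+alt+del"), (2.4, "key:ctrl+alt+del"),
]
# Reference behavior patterns (claim 1's "input sequences ... representing
# expected user responsiveness to interruption"): event -> (count, window_s).
# Thresholds are constructed for illustration, not taken from the patent.
FRUSTRATION_PATTERNS = {
    "click": (4, 1.5),             # at least 4 clicks inside 1.5 s
    "key:esc": (2, 1.0),           # repeated Escape presses
    "key:ctrl+alt+del": (2, 1.0),  # repeated attempts to reach Task Manager
}
# Reference OS status pattern for "interference with OS responsiveness".
RANSOMWARE_STATUS = {
    "foreground_window_responsive": False,  # window stops answering messages
    "topmost_fullscreen_window": True,      # full-screen window pinned on top
    "task_manager_disabled": True,          # task manager blocked by policy
    "low_level_input_hook": True,           # global keyboard/mouse hook present
}
# Constructed current OS snapshot: three of the four indicators present.
CURRENT_STATUS = dict(RANSOMWARE_STATUS, low_level_input_hook=False)

def matched_frustration_patterns(events, patterns=FRUSTRATION_PATTERNS):
    """Return the reference patterns whose burst (count events inside
    window_s seconds) occurs somewhere in the input stream."""
    by_kind = defaultdict(list)
    for ts, kind in events:
        by_kind[kind].append(ts)
    matched = set()
    for kind, (count, window_s) in patterns.items():
        stamps = sorted(by_kind.get(kind, []))
        for i in range(len(stamps) - count + 1):
            if stamps[i + count - 1] - stamps[i] <= window_s:
                matched.add(kind)
                break
    return matched

def os_status_matches(status, reference=RANSOMWARE_STATUS):
    """Count reference status indicators shared by the current snapshot."""
    return sum(1 for k, v in reference.items() if status.get(k) == v)

def detect_ransomware(events, status, min_patterns=2, min_status=3):
    """Decision module: positive only when BOTH signals hold (claim 1)."""
    frustrated = len(matched_frustration_patterns(events)) >= min_patterns
    return frustrated and os_status_matches(status) >= min_status
```

Either signal alone is not enough: a frantic user on a merely slow machine, or a suspicious OS state with no user at the keyboard, yields no detection.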
44 Citations
26 Claims
1. As set out under First Claim above. Dependent claims 2 to 13 not shown.
14. A system for detecting ransomware, the system comprising:
computing hardware including a processor and data store, a user input device and a display device;
an operating system executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, implement a user interface module that operationally communicates with the user input device and the display device;
a user input monitoring module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to collect a current user behavior pattern based on user input via the user input device;
an input data analysis module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to compare the user behavior against a predefined reference set of behavior patterns defined as input sequences receivable via the user input device representing expected user responsiveness to interruption of normal user interactivity with the user interface module;
an operating system status analysis module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to compare a current status pattern of the operating system against a reference set of operating system status patterns associated with predefined ransomware behavior including interference with operating system responsiveness to user input;
a decision module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to provide an indication of a positive detection of ransomware executing on the computer system in response to an output of the input data analysis module being indicative of an interruption of normal user interactivity with the user interface module, and further in response to an output of the operating system status analysis module being indicative of the current status pattern having a correlation to the predefined ransomware behavior.
Dependent claims 15 to 26 not shown.