System and method for detecting malware that interferes with the user interface

US 8,856,542 B2
Filed: 03/29/2013
Issued: 10/07/2014
Est. Priority Date: 12/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting ransomware in a computer system comprising computing hardware that includes a processor and data store, a user input device and a display device, and an operating system executable on the computing hardware, the operating system including a user interface module interfaced with the user input device and the display device, the method comprising:

monitoring a current user behavior pattern based on usage of a user input device;

comparing the user behavior against a predefined reference set of behavior patterns defined as input sequences receivable via the user input device representing expected user responsiveness to interruption of normal user interactivity with the user interface module;

monitoring a current status pattern of the operating system;

comparing the current status pattern against a reference set of operating system status patterns associated with predefined ransomware behavior including interference with operating system responsiveness to user input;

in response to a result of the comparing of the current user behavior pattern against the reference set of behavior patterns being indicative of an interruption of normal user interactivity with the user interface module, and further in response to a result of the comparing of the current status pattern against the reference set of operating system status patterns being indicative of the current status pattern having a correlation to the predefined ransomware behavior, providing an indication of a positive detection of ransomware executing on the computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.

44 Citations

View as Search Results

26 Claims

1. A method for detecting ransomware in a computer system comprising computing hardware that includes a processor and data store, a user input device and a display device, and an operating system executable on the computing hardware, the operating system including a user interface module interfaced with the user input device and the display device, the method comprising:
- monitoring a current user behavior pattern based on usage of a user input device;
  
  comparing the user behavior against a predefined reference set of behavior patterns defined as input sequences receivable via the user input device representing expected user responsiveness to interruption of normal user interactivity with the user interface module;
  
  monitoring a current status pattern of the operating system;
  
  comparing the current status pattern against a reference set of operating system status patterns associated with predefined ransomware behavior including interference with operating system responsiveness to user input;
  
  in response to a result of the comparing of the current user behavior pattern against the reference set of behavior patterns being indicative of an interruption of normal user interactivity with the user interface module, and further in response to a result of the comparing of the current status pattern against the reference set of operating system status patterns being indicative of the current status pattern having a correlation to the predefined ransomware behavior, providing an indication of a positive detection of ransomware executing on the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - in response to the positive detection of ransomware, initiating a ransomware de-activation process to cease operation of the ransomware.
  - 3. The method of claim 1, wherein the monitoring of the current user behavior pattern and the monitoring of the current status pattern of the operating system are performed concurrently during each of a plurality of time windows.
  - 4. The method of claim 1, wherein the monitoring of at least one of the current user behavior pattern and the monitoring of the current status pattern of the operating system includes storing of input data in a buffer, wherein a full buffer is indicative of a gathered pattern to be compared.
  - 5. The method of claim 1, wherein the comparing the current status pattern against a reference set of operating system status patterns is initiated in response to the result of the comparing of the current user behavior against the reference set of behavior patterns being indicative of usage of the user input device in a manner responsive to interruption of normal user interaction with the user interface module.
  - 6. The method of claim 1, wherein the comparing the current status pattern against a reference set of operating system status patterns includes comparing the current status pattern against a pattern indicative of restriction of cursor operation.
  - 7. The method of claim 1, wherein the comparing the current status pattern against a reference set of operating system status patterns includes comparing the current status pattern against a pattern indicative of restriction of graphical user interface control elements.
  - 8. The method of claim 1, wherein monitoring the current user behavior pattern includes monitoring the user input device for at least one sequence of keystrokes.
  - 9. The method of claim 1, wherein monitoring the current user behavior pattern includes monitoring the user input device for movement of a pointing device.
  - 10. The method of claim 1, wherein monitoring the current user behavior pattern includes monitoring the user input device for at least one of video data, audio data, or any combination thereof.
  - 11. The method of claim 1, wherein comparing the current user behavior against the reference set of behavior patterns includes comparing the current user behavior against at least one predefined sequence of keystrokes.
  - 12. The method of claim 1, wherein comparing the current user behavior against the reference set of behavior patterns includes comparing the current user behavior against at least one predefined sequence of pointing device movements.
  - 13. The method of claim 1, wherein comparing the current user behavior against the reference set of behavior patterns includes comparing the current user behavior against at least one predefined pattern of audio data, video data, or any combination thereof.

14. A system for detecting ransomware, the system comprising:
- computing hardware including a processor and data store, a user input device and a display device;
  
  an operating system executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, implement a user interface module that operationally communicates with the user input device and the display device;
  
  a user input monitoring module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to collect a current user behavior pattern based on user input via the user input device;
  
  an input data analysis module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to compare the user behavior against a predefined reference set of behavior patterns defined as input sequences receivable via the user input device representing expected user responsiveness to interruption of normal user interactivity with the user interface module;
  
  an operating system status analysis module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to compare a current status pattern of the operating system against a reference set of operating system status patterns associated with predefined ransomware behavior including interference with operating system responsiveness to user input;
  
  a decision module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to provide an indication of a positive detection of ransomware executing on the computer system in response to an output of the input data analysis module being indicative of an interruption of normal user interactivity with the user interface module, and further in response to an output of the operating system status analysis module being indicative of the current status pattern having a correlation to the predefined ransomware behavior.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, further comprising:
    - a ransomware de-activation module executable on the computing hardware and comprising instructions stored in a non-transitory storage medium that, when executed, cause the computing hardware to initiate a ransomware de-activation process to cease operation of the ransomware in response to the positive detection of ransomware.
  - 16. The system of claim 14, wherein the current user behavior pattern and the current status pattern of the operating system are collected concurrently during each of a plurality of time windows.
  - 17. The system of claim 14, wherein the user input monitoring module is configured to store input data in a buffer, and wherein the input data analysis module is configured to recognize a full buffer as being indicative of a gathered pattern to be compared.
  - 18. The system of claim 14, wherein the operating system status analysis module is configured to compare the current status pattern against a reference set of operating system status patterns in response to the output of the input data analysis module being indicative of usage of the user input device in a manner responsive to interruption of normal user interaction with the user interface module.
  - 19. The system of claim 14, wherein the operating system status analysis module is configured to compare the current status pattern against a pattern indicative of restriction of cursor operation.
  - 20. The system of claim 14, wherein the operating system status analysis module is configured to compare the current status pattern against a pattern indicative of restriction of graphical user interface control elements.
  - 21. The system of claim 14, wherein the user input monitoring module is configured to monitor the user input device for at least one sequence of keystrokes.
  - 22. The system of claim 14, wherein the user input monitoring module is configured to monitor the user input device for movement of a pointing device.
  - 23. The system of claim 14, wherein the user input monitoring module is configured to monitor the user input device for at least one of video data, audio data, or any combination thereof.
  - 24. The system of claim 14, wherein the input data analysis module is configured to compare the current user behavior against at least one predefined sequence of keystrokes.
  - 25. The system of claim 14, wherein the input data analysis module is configured to compare the current user behavior against at least one predefined sequence of pointing device movements.
  - 26. The system of claim 14, wherein the input data analysis module is configured to compare the current user behavior against at least one predefined pattern of audio data, video data, or any combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Kaspersky Lab ZAO
Inventors
MARTYNENKO, VLADISLAV V., Monastyrsky, Alexey V., Pavlyushchik, Mikhail A., Sapronov, Konstantin V., Slobodyanuk, Yuri G., Tatarinov, Ivan I.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
MOHAMMADI, FAHIMEH M

Application Number

US13/853,468
Publication Number

US 20140181971A1
Time in Patent Office

557 Days
Field of Search

713186-189, 726 23- 24, 709/224
US Class Current

713/186
CPC Class Codes

G06F 21/316 by observing the pattern of...

G06F 21/566 Dynamic detection, i.e. det...

System and method for detecting malware that interferes with the user interface

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malware that interferes with the user interface

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links