Systems and methods for classifying an unclassified process as a potential trusted process based on dependencies of the unclassified process

US 8,914,888 B1
Filed: 10/21/2009
Issued: 12/16/2014
Est. Priority Date: 10/21/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process, comprising:

identifying a component loaded by the unclassified process;

determining whether software code from the unclassified process depends on the component loaded by the unclassified process in order to execute, wherein the determining comprises, at least in part, identifying a file system directory in which the unclassified process is located and a file system directory in which the loaded component is located; and

upon determining that the software code from the unclassified process depends on the loaded component in order to execute, classifying the unclassified process as a potentially trusted process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process is described. A component loaded by the unclassified process is identified. A determination is made as to whether a hard dependency exists between the unclassified process and the loaded component. A hard dependency exists if the unclassified process depends on the loaded component in order to execute. The unclassified process is classified as a potentially trusted process if a hard dependency exists between the unclassified process and the loaded component.

30 Citations

View as Search Results

18 Claims

1. A computer-implemented method for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process, comprising:
- identifying a component loaded by the unclassified process;
  
  determining whether software code from the unclassified process depends on the component loaded by the unclassified process in order to execute, wherein the determining comprises, at least in part, identifying a file system directory in which the unclassified process is located and a file system directory in which the loaded component is located; and
  
  upon determining that the software code from the unclassified process depends on the loaded component in order to execute, classifying the unclassified process as a potentially trusted process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising comparing one or more characteristics of the loaded component with one or more characteristics of the unclassified process.
  - 3. The method of claim 2, further comprising classifying the unclassified process as a potential malicious process upon a determination that the one or more characteristics of the loaded component are not similar to the one or more characteristics of the unclassified process.
  - 4. The method of claim 1, further comprising classifying the unclassified process as a potential trusted process if the loaded component is located in the same directory as the unclassified process.
  - 5. The method of claim 1, further comprising maintaining the process as an unclassified process if the loaded component is located in a common component directory.
  - 6. The method of claim 5, wherein the common component directory comprises operating system (OS) directories c:
    - \windows and c;
      
      \windows\system32.
  - 7. The method of claim 1, further comprising determining if the loaded component is loaded by one or more classified trusted processes.
  - 8. The method of claim 7, further comprising classifying the unclassified process as a potential trusted process upon a determination that the loaded component is also loaded by one or more classified trusted processes.

9. A computer system configured to classify an unclassified process as a potentially trusted process based on dependencies of the unclassified process, comprising:
- a processor;
  
  memory in electronic communication with the processor;
  
  instructions stored in the memory, the instructions being executable by the processor to;
  
  identify a component loaded by the unclassified process;
  
  determine whether software code from the unclassified process depends on the component loaded by the unclassified process in order to execute, wherein the instruction to determine comprises, at least in part, an instruction to identify a file system directory in which the unclassified process is located and a file system directory in which the loaded component is located; and
  
  upon determining that the software code from the unclassified process depends on the loaded component in order to execute, classify the unclassified process as a potentially trusted process.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer system of claim 9, wherein the instructions are executable by the processor to:
    - compare one or more characteristics of the loaded component with one or more characteristics of the unclassified process.
  - 11. The computer system of claim 10, wherein the instructions are executable by the processor to:
    - classify the unclassified process as a potential malicious process upon a determination that the one or more characteristics of the loaded component are not similar to the one or more characteristics of the unclassified process.
  - 12. The computer system of claim 9, wherein the instructions are executable by the processor to:
    - classify the unclassified process as a potential trusted process if the loaded component is located in the same directory as the unclassified process.
  - 13. The computer system of claim 9, wherein the instructions are executable by the processor to:
    - maintain the process as an unclassified process if the loaded component is located in a common component directory.
  - 14. The computer system of claim 13, wherein the common component directory comprises operating system (OS) directories c:
    - \windows and c;
      
      \windows\system32.
  - 15. The computer system of claim 9, wherein the instructions are executable by the processor to:
    - determine if the loaded component is loaded by one or more classified trusted processes.
  - 16. The computer system of claim 15, wherein the instructions are executable by the processor to:
    - classify the unclassified process as a potential trusted process upon a determination that the loaded component is also loaded by one or more classified trusted processes.

17. A computer-program product for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process, the computer-program product comprising a non-transitory computer-readable medium storing instructions thereon, the instructions being executable by the processor to:
- identify a component loaded by the unclassified process;
  
  determine whether software code from the unclassified process depends on the component loaded by the unclassified process in order to execute, wherein the instruction to determine comprises, at least in part, an instruction to identify a file system directory in which the unclassified process is located and a file system directory in which the loaded component is located; and
  
  upon determining that the software code from the unclassified process depends on the loaded component in order to execute, classify the unclassified process as a potentially trusted process.
- View Dependent Claims (18)
- - 18. The computer-program product of claim 17, wherein the instructions are executable by the processor to:
    - compare one or more characteristics of the loaded component with one or more characteristics of the unclassified process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Pereira, Shane, Glick, Adam
Primary Examiner(s)
NGUYEN, THU HA T

Application Number

US12/603,429
Time in Patent Office

1,882 Days
Field of Search

709/223, 709/224, 719/316, 719/320, 719/321, 719/328, 719/330, 380/30, 726/22, 726/23, 726/24
US Class Current

726/24
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/145   the attack involving the pr...

Systems and methods for classifying an unclassified process as a potential trusted process based on dependencies of the unclassified process

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for classifying an unclassified process as a potential trusted process based on dependencies of the unclassified process

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links