Detecting malicious use of computer resources by tasks running on a computer system
First Claim
1. A method for identifying malware, the method comprising the steps of:
- identifying, by one or more processors, processes in a running process list on a first computer system;
- identifying, by one or more processors, ports assigned to the processes in the running process list on the first computer system;
- identifying, by one or more processors, ports currently in use in the first computer system;
- determining, by one or more processors, a first use of a first port of the ports currently in use in the first computer system but not assigned to any of the processes in the running process list in the first computer system; and
- determining, by one or more processors, whether a second computer system is using a second port on the second computer system in a non-malicious manner, wherein the second port on the second computer system maps to the first port on the first computer system, and if determined that the second computer system is using the second port on the second computer system in the non-malicious manner, determining, by one or more processors, that the first port is not being used in an attack, and if determined that the second computer system is not using the second port on the second computer system in the non-malicious manner, determining, by one or more processors, that a hidden, running process is present as a characteristic of an attack.
2 Assignments
0 Petitions
Abstract
A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.
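The abstract and claim 1 describe a reconciliation of three lists: the visible process list, the sockets each visible process owns, and the sockets the kernel reports as in use. A socket in use with no visible owner is the indicator of a hidden process, and the second computer on the other end of that socket is then asked whether it is using its side of the connection legitimately. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes a Linux host (it parses the /proc/net/tcp socket-table format, where per-process ownership is normally recovered from the socket inodes listed under /proc/<pid>/fd) and uses constructed sample data for the socket table, the per-process inode sets, and the peer host's report about its own port; the names SAMPLE_PROC_NET_TCP, SAMPLE_PROCS, SAMPLE_PEER_VIEW, BENIGN_PEER_PROGRAMS and the function names are hypothetical.

```python
"""Port-to-process reconciliation in the style of the patented method.

Added example for this page, not the patent's own code. Assumes Linux
/proc/net/tcp formatting; all inputs below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of /proc/net/tcp. Addresses and ports are hex; the
# IPv4 address is a host-order 32-bit integer (little-endian on x86).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:B2A4 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:1F40 0700000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 30 10 -1
   3: 0500000A:2328 0900000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 45678 1 0000000000000000 20 4 30 10 -1
   4: 0500000A:A1B2 0700000A:0050 06 00000000:00000000 03:00000F7A 00000000     0        0 0 3 0000000000000000
"""

# Constructed "running process list" with the socket inodes each process
# owns, as would be read from the socket:[inode] links in /proc/<pid>/fd.
# Inodes 34567 and 45678 belong to no visible process.
SAMPLE_PROCS: dict[int, tuple[str, frozenset[int]]] = {
    742: ("sshd", frozenset({12345})),
    1303: ("python3", frozenset({23456})),
}

# Constructed report from the peer hosts ("second computer system") about
# which program owns their side of each connection.
SAMPLE_PEER_VIEW: dict[tuple[str, int], str] = {
    ("10.0.0.7", 50000): "backup-agent",
    ("10.0.0.9", 54321): "unknown",
}
BENIGN_PEER_PROGRAMS = {"backup-agent"}


@dataclass(frozen=True)
class Socket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str   # hex TCP state as printed by the kernel (01 ESTABLISHED, 0A LISTEN, 06 TIME_WAIT)
    inode: int   # 0 means no owning socket object, i.e. no process can own it


def _hex_addr(field: str) -> tuple[str, int]:
    """Decode an '<ip_hex>:<port_hex>' field; bytes are read back to front."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[Socket]:
    """Kernel view: every TCP socket currently in use (ports in use)."""
    sockets = []
    for line in text.splitlines()[1:]:   # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _hex_addr(f[1])
        rip, rport = _hex_addr(f[2])
        sockets.append(Socket(lip, lport, rip, rport, f[3], int(f[9])))
    return sockets


def find_orphan_sockets(sockets: list[Socket],
                        procs: dict[int, tuple[str, frozenset[int]]]) -> list[Socket]:
    """Ports in use that no process in the visible process list owns.

    Inode-0 sockets (TIME_WAIT and similar kernel-held states) have no
    owner by design and are skipped; flagging them would make every
    recently closed connection look like a hidden process."""
    owned: set[int] = set()
    for _name, inodes in procs.values():
        owned |= inodes
    return [s for s in sockets if s.inode != 0 and s.inode not in owned]


def classify_orphans(orphans: list[Socket],
                     peer_view: dict[tuple[str, int], str],
                     benign: set[str]) -> dict[int, str]:
    """Second step of the claim: consult the peer about its mapped port.

    If the peer reports a known-benign program on its side, the local port
    is judged not to be part of an attack; otherwise the unowned socket is
    recorded as evidence of a hidden, running process."""
    verdicts = {}
    for s in orphans:
        peer_program = peer_view.get((s.remote_ip, s.remote_port))
        verdicts[s.local_port] = ("not-an-attack" if peer_program in benign
                                  else "hidden-process")
    return verdicts


def run_sample() -> dict[int, str]:
    sockets = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    orphans = find_orphan_sockets(sockets, SAMPLE_PROCS)
    return classify_orphans(orphans, SAMPLE_PEER_VIEW, BENIGN_PEER_PROGRAMS)


if __name__ == "__main__":
    for port, verdict in sorted(run_sample().items()):
        print(f"local port {port}: {verdict}")
```

On the sample data the listener on 22 and the loopback connection on 8080 reconcile to visible processes, the TIME_WAIT entry is ignored, and ports 8000 and 9000 come out unowned; the peer report clears 8000 and leaves 9000 as the hidden-process finding. Two practical caveats: the process and socket lists must be collected from the kernel on the same host (a rootkit that filters /proc for ps will usually also filter it for this check, so an out-of-band collector or a memory image is stronger), and the peer's answer has to come from a collector you trust rather than from the suspect host, since an attacker controlling both ends can report a benign program name. IPv6 sockets live in /proc/net/tcp6 and are not parsed here.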
43 Citations
20 Claims
1. A method for identifying malware, the method comprising the steps of:
- identifying, by one or more processors, processes in a running process list on a first computer system;
- identifying, by one or more processors, ports assigned to the processes in the running process list on the first computer system;
- identifying, by one or more processors, ports currently in use in the first computer system;
- determining, by one or more processors, a first use of a first port of the ports currently in use in the first computer system but not assigned to any of the processes in the running process list in the first computer system; and
- determining, by one or more processors, whether a second computer system is using a second port on the second computer system in a non-malicious manner, wherein the second port on the second computer system maps to the first port on the first computer system, and if determined that the second computer system is using the second port on the second computer system in the non-malicious manner, determining, by one or more processors, that the first port is not being used in an attack, and if determined that the second computer system is not using the second port on the second computer system in the non-malicious manner, determining, by one or more processors, that a hidden, running process is present as a characteristic of an attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A computer system for identifying malware, the computer system comprising:
- one or more processors, one or more computer-readable tangible storage devices, one or more computer-readable memories, and program instructions stored on at least one the computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the computer-readable memories, the program instructions comprising;
- first program instructions to identify processes in a running process list on a first computer;
- second program instructions to identify ports assigned to the processes in the running process list on the first computer;
- third program instructions to identify ports currently in use in the first computer;
- fourth program instructions to determine a first use of a first port of the ports currently in use in the first computer but not assigned to any of the processes in the running process list in the first computer; and
- fifth program instructions to determine whether a second computer is using a second port on the second computer in a non-malicious manner, wherein the second port on the second computer maps to the first port on the first computer, and if determined that the second computer system is using the second port on the second computer system in the non-malicious manner, determine that the first port is not being used in an attack, and if determined that the second computer system is not using the second port on the second computer system in the non-malicious manner, determine that a hidden, running process is present as a characteristic of the attack.
Dependent claims: 10, 11, 12, 13, 14

15. A computer program product for identifying malware, the computer program product comprising:
- one or more computer-readable tangible storage devices, one or more processors, and program instructions stored on at least one of the computer-readable tangible storage devices for execution by at least one of the one or more processors, the program instructions comprising;
- program instructions to identify processes in a running process list on a first computer system;
- program instructions to identify ports assigned to the processes in the running process list on the first computer system;
- program instructions to identify ports currently in use in the first computer system;
- program instructions to determine a first use of a first port of the ports currently in use in the first computer system but not assigned to any of the processes in the running process list in the first computer system; and
- program instructions to determine whether a second computer system is using a second port on the second computer system in a non-malicious manner, wherein the second port on the second computer system maps to the first port on the first computer system, and if determined that the second computer system is using the second port on the second computer system in the non-malicious manner, determine that the first port is not being used in an attack, and if determined that the second computer system is not using the second port on the second computer system in the non-malicious manner, determine that a hidden, running process is present as a characteristic of the attack.
Dependent claims: 16, 17, 18, 19, 20
Specification