System and method of limiting the operation of trusted applications in presence of suspicious programs

US 9,183,383 B1
Filed: 02/17/2015
Issued: 11/10/2015
Est. Priority Date: 12/05/2014
Status: Active Grant

First Claim

Patent Images

1. A method for limiting the operation of trusted applications in presence of suspicious programs, the method comprising:

identifying, by a hardware processor, one or more trusted applications installed on a computer;

collecting, by the hardware processor, data relating to the identified one or more trusted applications and to programs installed on the computer;

detecting, based at least partially on the collected data, one or more suspicious programs using suspicious program detection rules indicating that the one or more suspicious programs can access protected information of a given trusted application of the identified one or more trusted applications without authorization;

upon detecting at least one suspicious program, temporarily limiting an operation of the given trusted application;

producing, based on both the data relating to the identified one or more trusted applications and data relating to the detected at least one suspicious program, a list of actions to remove or terminate the at least one suspicious program from the computer; and

removing limitation of the operation of the given trusted application after the list of actions are performed to remove or terminate the at least one suspicious program from the computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems and methods for limiting the operation of trusted applications in presence of suspicious programs. An example method includes: identifying one or more trusted applications installed on a computer; collecting data about applications and programs installed on the computer; checking for the presence of one or more suspicious programs using suspicious program detection rules, wherein a program is considered to be suspicious when it can access protected information of a trusted application without authorization; and when at least one suspicious program is found, limiting the operation of the trusted application until the suspicious program is terminated or removed from the computer.

67 Citations

View as Search Results

20 Claims

1. A method for limiting the operation of trusted applications in presence of suspicious programs, the method comprising:
- identifying, by a hardware processor, one or more trusted applications installed on a computer;
  
  collecting, by the hardware processor, data relating to the identified one or more trusted applications and to programs installed on the computer;
  
  detecting, based at least partially on the collected data, one or more suspicious programs using suspicious program detection rules indicating that the one or more suspicious programs can access protected information of a given trusted application of the identified one or more trusted applications without authorization;
  
  upon detecting at least one suspicious program, temporarily limiting an operation of the given trusted application;
  
  producing, based on both the data relating to the identified one or more trusted applications and data relating to the detected at least one suspicious program, a list of actions to remove or terminate the at least one suspicious program from the computer; and
  
  removing limitation of the operation of the given trusted application after the list of actions are performed to remove or terminate the at least one suspicious program from the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein identifying the one or more trusted applications includes checking a database of known trusted applications.
  - 3. The method of claim 1, wherein identifying the one or more trusted applications includes checking a user provided designation of an application.
  - 4. The method of claim 1, wherein identifying the one or more trusted applications includes applying trusted application analysis rules.
  - 5. The method of claim 4, wherein the trusted application analysis rules check a plurality of conditions including one or more of:
    - whether an application has two or more permissions for reading user data;
      
      whether an application has a good rating from users;
      
      whether an application has a large number of downloads from an app store;
      
      whether an application belongs to a category of trusted software; and
      
      whether an application'"'"'s signature contains a certificate of a known legitimate software producer.
  - 6. The method of claim 1, wherein identifying the one or more suspicious programs includes applying one or more suspicious program detection rules.
  - 7. The method of claim 6, wherein the one or more suspicious program detection rules check a plurality of conditions including one or more of:
    - whether a program contains identification data of a financial institution, but does not belong to a category of financial software;
      
      whether a program is able to make screenshots when a certain event occurs;
      
      whether a program is able to read, modify and send SMS messages; and
      
      whether a program is able to intercept Data SMS messages transmitted via one or more ports of trusted applications or an antivirus program.

8. A system for limiting the operation of trusted applications in presence of suspicious programs, the system comprising:
- a memory storing a plurality of software applications and program; and
  
  a hardware processor coupled to the memory and configured to;
  
  identify one or more trusted applications in the memory;
  
  collect data relating to the identified one or more trusted applications and to the programs;
  
  detect, based at least partially on the collected data, one or more suspicious programs using suspicious program detection rules indicating that the one or more suspicious programs can access protected information of a given trusted application of the identified one or more trusted applications without authorization;
  
  upon detecting at least one suspicious program, temporarily limit an operation of the given trusted application;
  
  produce, based on both the data relating to the identified one or more trusted applications and data relating to the detected at least one suspicious program, a list of actions to remove or terminate the at least one suspicious program from the computer; and
  
  remove limitation of the operation of the given trusted application after the list of actions are performed to remove or terminate the at least one suspicious program from the computer.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein identifying the one or more trusted applications includes checking a database of known trusted applications.
  - 10. The system of claim 8, wherein identifying the one or more trusted applications includes checking a user provided designation of an application.
  - 11. The system of claim 8, wherein identifying the one or more trusted applications includes applying trusted application analysis rules.
  - 12. The system of claim 11, wherein the trusted application analysis rules check a plurality of conditions including one or more of:
    - whether an application has two or more permissions for reading user data;
      
      whether an application has a good rating from users;
      
      whether an application has a large number of downloads from an app store;
      
      whether an application belongs to a category of trusted software; and
      
      whether an application'"'"'s signature contains a certificate of a known legitimate software producer.
  - 13. The system of claim 8, wherein identifying the one or more suspicious programs includes applying one or more suspicious program detection rules.
  - 14. The system of claim 13, wherein the one or more suspicious program detection rules check a plurality of conditions including one or more of:
    - whether a program contains identification data of a financial institution, but does not belong to a category of financial software;
      
      whether a program is able to make screenshots when a certain event occurs;
      
      whether a program is able to read, modify and send SMS messages; and
      
      whether a program is able to intercept Data SMS messages transmitted via one or more ports of trusted applications or an antivirus program.

15. A computer program product, stored on a non-transitory computer readable medium, wherein the computer program product includes computer executable instructions for limiting the operation of trusted applications in presence of suspicious programs, including instructions for:
- identifying one or more trusted applications installed on a computer;
  
  collecting, by the hardware processor, data relating to the identified one or more trusted applications and to programs installed on the computer;
  
  detecting, based at least partially on the collected data, one or more suspicious programs using suspicious program detection rules indicating that the one or more suspicious programs can access protected information of a given trusted application of the identified one or more trusted applications without authorization;
  
  upon detecting at least one suspicious program, temporarily limiting an operation of the given trusted application;
  
  producing, based on both the data relating to the identified one or more trusted applications and data relating to the detected at least one suspicious program, a list of actions to remove or terminate the at least one suspicious program from the computer; and
  
  removing limitation of the operation of the given trusted application after the list of actions are performed to remove or terminate the at least one suspicious program from the computer.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The product of claim 15, wherein the instructions for identifying the one or more trusted applications include instructions for checking a database of known trusted applications.
  - 17. The product of claim 15, wherein the instructions for identifying the one or more trusted applications include instructions for checking a user provided designation of an application.
  - 18. The product of claim 15, wherein the instructions for identifying the one or more trusted applications include instructions for applying trusted application analysis rules that check a plurality of conditions including one or more of:
    - whether an application has two or more permissions for reading user data;
      
      whether an application has a good rating from users;
      
      whether an application has a large number of downloads from an app store;
      
      whether an application belongs to a category of trusted software; and
      
      whether an application'"'"'s signature contains a certificate of a known legitimate software producer.
  - 19. The product of claim 15, wherein identifying the one or more suspicious programs includes applying one or more suspicious program detection rules.
  - 20. The product of claim 19, wherein the one or more suspicious program detection rules check a plurality of conditions including one or more of:
    - whether a program contains identification data of a financial institution, but does not belong to a category of financial software;
      
      whether a program is able to make screenshots when a certain event occurs;
      
      whether a program is able to read, modify and send SMS messages; and
      
      whether a program is able to intercept Data SMS messages transmitted via one or more ports of trusted applications or an antivirus program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Lab A.O. Kaspersky
Inventors
Yablokov, Victor V., Filatov, Konstantin M., Eliseev, Evgeny Y., Unuchek, Roman S.
Primary Examiner(s)
Simitoski, Michael

Application Number

US14/623,901
Time in Patent Office

266 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/14   Protection against unauthor...

G06F 12/16   Protection against loss of ...

G06F 21/12   Protecting executable software

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/62   Protecting access to data v...

G06F 21/6245   Protecting personal data, e...

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

G06F 21/74   operating in dual or compar...

G06F 21/88   Detecting or preventing the...

G06F 2201/86   Event-based monitoring

G06F 2221/031 : Protect user input by softw...

G06F 2221/033 : Test or assess software

G06F 2221/034 : Test or assess a computer o...

H04W 12/128 : Anti-malware arrangements, ...

H04W 12/37 : Managing security policies ...

H04W 12/66 : Trust-dependent, e.g. using...

View All

System and method of limiting the operation of trusted applications in presence of suspicious programs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of limiting the operation of trusted applications in presence of suspicious programs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links