Behavioral-based host intrusion prevention system
Abstract
In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed.
20 Claims
1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored for reference in a database and wherein the gene relates to at least one of API calls, registry access, process manipulation, and file system access;
performing the monitoring step a number of times to collect a plurality of malicious behavior indications;
comparing the plurality of malicious behavior indications to one or more phenotypes that rank combinations of behaviors according to increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;
triggering a content analysis of the process when the plurality of malicious behavior indications for the process corresponds to one of the number of phenotypes having a predetermined level of confidence that the process contains a known family of malware, wherein a type of the content analysis is based on the one of the number of phenotypes, thereby providing a prediction; and
causing an action based on the prediction.
Dependent claims 2 to 11 depend from claim 1.
12. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
progressively monitoring a process executing on a computer for an indication of malicious behavior, thereby providing a plurality of malicious behavior indications, wherein monitoring the process includes monitoring at least one of API calls, registry access, process manipulation, and file system access;
comparing the plurality of malicious behavior indications to one or more phenotypes that rank combinations of behaviors according to increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;
triggering a content analysis of the process when the plurality of malicious behavior indications for the process corresponds to one of the number of phenotypes having a predetermined level of confidence that the process contains a known family of malware, wherein a type of the content analysis is based on the one of the number of phenotypes, thereby providing a prediction; and
causing at least one action based upon the prediction.
Dependent claims 13 to 20 depend from claim 12.
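The gene/phenotype pipeline that the abstract and claims 1 and 12 describe, written out as an added example; this is not the patent's or the assignee's code. The gene predicates, the phenotype table and its confidence ranking, the family names (GenericDropper, InjectorX), the content signatures, the 0.5 threshold and the event log are all constructed for illustration. It also shows the progressive form of claim 12, where each observed operation can move the process up the phenotype ranking.

```python
"""Gene/phenotype behavioral matcher with phenotype-selected content analysis.

Added illustration of the mechanism in the claims; not the patent holder's
code. Genes, phenotypes, signatures, threshold and events are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# A monitored operation: (category, detail). Categories are the four the
# claims name: "api", "registry", "process", "file".
Event = Tuple[str, str]

# Gene database: one predetermined behavior per entry. Matching an
# operation against a gene yields one "malicious behavior indication".
# Constructed predicates; a real gene would also inspect call arguments.
GENE_DB: Dict[str, Callable[[Event], bool]] = {
    "drop_exe_temp": lambda e: e[0] == "file"
        and "\\temp\\" in e[1].lower() and e[1].lower().endswith(".exe"),
    "persist_run_key": lambda e: e[0] == "registry"
        and "\\currentversion\\run" in e[1].lower(),
    "open_foreign_process": lambda e: e[0] == "process"
        and e[1].startswith("OpenProcess:"),
    "write_foreign_memory": lambda e: e[0] == "api" and e[1] == "WriteProcessMemory",
    "remote_thread": lambda e: e[0] == "api" and e[1] == "CreateRemoteThread",
}

@dataclass(frozen=True)
class Phenotype:
    name: str
    family: str              # malware family the behavior pattern resembles
    genes: FrozenSet[str]    # combination of genes that must all have fired
    confidence: float        # rises with the specificity of the combination
    content_analysis: str    # which content check this phenotype selects

# Phenotypes for two hypothetical families, ranked by increasing confidence.
PHENOTYPES: List[Phenotype] = [
    Phenotype("dropper.weak", "GenericDropper", frozenset({"drop_exe_temp"}), 0.3, "strings"),
    Phenotype("dropper.persist", "GenericDropper",
              frozenset({"drop_exe_temp", "persist_run_key"}), 0.6, "strings"),
    Phenotype("injector.partial", "InjectorX",
              frozenset({"open_foreign_process", "write_foreign_memory"}), 0.5, "code_pattern"),
    Phenotype("injector.full", "InjectorX",
              frozenset({"open_foreign_process", "write_foreign_memory", "remote_thread"}),
              0.9, "code_pattern"),
]

# Content checks keyed by analysis type, then family. Constructed signatures;
# the hex bytes are a generic pushad/call/pop unpacking-stub pattern.
CONTENT_SIGNATURES: Dict[str, Dict[str, List[bytes]]] = {
    "strings": {"GenericDropper": [b"%TEMP%", b"cmd.exe /c del"]},
    "code_pattern": {"InjectorX": [bytes.fromhex("60e8000000005b81eb")]},
}

CONFIDENCE_THRESHOLD = 0.5   # predetermined level that triggers content analysis

@dataclass(frozen=True)
class Verdict:
    phenotype: str
    family: str
    behavioral_confidence: float
    content_confirmed: bool
    action: str

def collect_indications(events: List[Event]) -> FrozenSet[str]:
    """Compare every observed operation with every gene; return the genes that fired."""
    return frozenset(g for e in events for g, pred in GENE_DB.items() if pred(e))

def best_phenotype(hits: FrozenSet[str]) -> Optional[Phenotype]:
    """Highest-confidence phenotype whose whole gene combination is present."""
    matched = [p for p in PHENOTYPES if p.genes <= hits]
    return max(matched, key=lambda p: p.confidence, default=None)

def content_analysis(kind: str, family: str, image: bytes) -> bool:
    """Family-specific content check selected by the phenotype, run over the process image."""
    return any(sig in image for sig in CONTENT_SIGNATURES.get(kind, {}).get(family, []))

def assess(events: List[Event], image: bytes) -> Optional[Verdict]:
    """Behavioral match, then phenotype-chosen content analysis, then an action."""
    hits = collect_indications(events)
    ph = best_phenotype(hits)
    if ph is None:
        return None
    if ph.confidence < CONFIDENCE_THRESHOLD:
        return Verdict(ph.name, ph.family, ph.confidence, False, "monitor")
    confirmed = content_analysis(ph.content_analysis, ph.family, image)
    action = "terminate_and_quarantine" if confirmed else "suspend_and_alert"
    return Verdict(ph.name, ph.family, ph.confidence, confirmed, action)

class ProcessMonitor:
    """Progressive form (claim 12): feed operations one at a time; returns a Verdict only when it changes."""
    def __init__(self, image: bytes) -> None:
        self.image = image
        self.events: List[Event] = []
        self.last: Optional[Verdict] = None

    def observe(self, event: Event) -> Optional[Verdict]:
        self.events.append(event)
        verdict = assess(self.events, self.image)
        if verdict == self.last:
            return None
        self.last = verdict
        return verdict

# Constructed event log for an injection-style process and a constructed image.
SAMPLE_EVENTS: List[Event] = [
    ("file", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"),
    ("process", "OpenProcess:explorer.exe"),
    ("api", "WriteProcessMemory"),
    ("api", "CreateRemoteThread"),
    ("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
]
SAMPLE_IMAGE = b"MZ" + b"\x00" * 16 + bytes.fromhex("60e8000000005b81eb") + b"\x00" * 16

if __name__ == "__main__":
    mon = ProcessMonitor(SAMPLE_IMAGE)
    for ev in SAMPLE_EVENTS:
        v = mon.observe(ev)
        if v is not None:
            print(ev, "->", v)
```

Running the monitor over the constructed log, the first dropped executable only reaches "dropper.weak" (below the threshold, so no content analysis and the action is to keep monitoring); WriteProcessMemory lifts the process to "injector.partial" at the threshold, which selects the code-pattern analysis for InjectorX and confirms against the image; CreateRemoteThread then raises the match to "injector.full". The point a practitioner should take from this is that the behavioral stage decides which content analysis to pay for, so the scan is family-specific rather than a full signature sweep of every process. The caveat is that genes keyed only on API names, as these constructed ones are, fire on legitimate debuggers and installers too; in practice a gene should also check the target handle, the written region's protection and the parent-child relationship.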
Specification