Behavioral-based host intrusion prevention system

US 9,210,182 B2
Filed: 07/07/2014
Issued: 12/08/2015
Est. Priority Date: 07/21/2009
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:

monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored for reference in a database and wherein the gene relates to at least one of API calls, registry access, process manipulation, and file system access;

performing the monitoring step a number of times to collect a plurality of malicious behavior indications;

comparing the plurality of malicious behavior indications to one or more phenotypes that rank combinations of behaviors according to increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;

triggering a content analysis of the process when the plurality of malicious behavior indications for the process corresponds to one of the number of phenotypes having a predetermined level of confidence that the process contains a known family of malware, wherein a type of the content analysis is based on the one of the number of phenotypes, thereby providing a prediction; and

causing an action based on the prediction.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed.

Citations

20 Claims

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored for reference in a database and wherein the gene relates to at least one of API calls, registry access, process manipulation, and file system access;
  
  performing the monitoring step a number of times to collect a plurality of malicious behavior indications;
  
  comparing the plurality of malicious behavior indications to one or more phenotypes that rank combinations of behaviors according to increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;
  
  triggering a content analysis of the process when the plurality of malicious behavior indications for the process corresponds to one of the number of phenotypes having a predetermined level of confidence that the process contains a known family of malware, wherein a type of the content analysis is based on the one of the number of phenotypes, thereby providing a prediction; and
  
  causing an action based on the prediction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product of claim 1, wherein the action stops the executing computer process.
  - 3. The computer program product of claim 1, wherein the action causes the computer process to be paused while the content analysis is performed on the code that produced the executing computer process.
  - 4. The computer program product of claim 3, wherein the content analysis involves at least one of a genotype, a hashing, a partial matching, an emulation, and an interpretation and tokenization.
  - 5. The computer program product of claim 4, wherein the partial matching involves identifying specific attributes at known locations in the file or as offsets from identifiers.
  - 6. The computer program product of claim 4, wherein the interpretation and tokenization includes lossy refactoring.
  - 7. The computer program product of claim 1, wherein the action causes a content analysis to be performed on a file produced by the executing computer process, wherein the type of content analysis performed is based on the phenotype.
  - 8. The computer program product of claim 7, wherein the content analysis involves at least one of a genotype, a hashing, a partial matching, an emulation, and an interpretation and tokenization.
  - 9. The computer program product of claim 1, wherein the action includes a remedial action.
  - 10. The computer program product of claim 9, wherein the remedial action is at least one of pausing the executing process, halting the executing process, performing a content analysis, sending a warning to a user of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, recording an interaction for a subsequent evaluation, blocking all requests to a denied network location, performing a malicious code scan on the executing process, performing a malicious code scan on a client facility, quarantining the process, isolating the process, isolating a client facility to a location within the network that restricts network access, blocking a network access port from a client facility, and reporting the process to an administration facility.
  - 11. The computer program product of claim 1, wherein the gene is at least one of a system modification and a behavior of a process.

12. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- progressively monitoring a process executing on a computer for an indication of malicious behavior, thereby providing a plurality of malicious behavior indications, wherein monitoring the process includes monitoring at least one of API calls, registry access, process manipulation, and file system access;
  
  comparing the plurality of malicious behavior indications to one or more phenotypes that rank combinations of behaviors according to increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;
  
  triggering a content analysis of the process when the plurality of malicious behavior indications for the process corresponds to one of the number of phenotypes having a predetermined level of confidence that the process contains a known family of malware, wherein a type of the content analysis is based on the one of the number of phenotypes, thereby providing a prediction; and
  
  causing at least one action based upon the prediction.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computer program product of claim 12, wherein the action stops the executing computer process.
  - 14. The computer program product of claim 12, wherein the action causes the computer process to be paused while the content analysis is performed on the code that produced the executing computer process.
  - 15. The computer program product of claim 14, wherein the content analysis involves at least one of a genotype, a hashing, a partial matching, an emulation, and an interpretation and tokenization.
  - 16. The computer program product of claim 15, wherein the partial matching involves identifying specific attributes at known locations in the file or as offsets from identifiers.
  - 17. The computer program product of claim 15, wherein the interpretation and tokenization includes lossy refactoring.
  - 18. The computer program product of claim 12, wherein the action causes a content analysis to be performed on a file produced by the executing computer process, wherein the type of content analysis performed is based on the phenotype.
  - 19. The computer program product of claim 18, wherein the content analysis involves at least one of a genotype, a hashing, a partial matching, an emulation, and an interpretation and tokenization.
  - 20. The computer program product of claim 12, wherein the action includes a remedial action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Wright, Clifford C.
Primary Examiner(s)
Patel, Nirav B

Application Number

US14/324,508
Publication Number

US 20140366136A1
Time in Patent Office

519 Days
Field of Search

726 22- 25, 713/188
US Class Current

1/1
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Behavioral-based host intrusion prevention system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral-based host intrusion prevention system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links