Systems and methods for securing computing devices against imposter processes
First Claim
1. A computer-implemented method for securing computing devices against imposter processes, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying, by the computing device, a process executing on the computing device that is subject to a security assessment;
determining, by the computing device initiating a query, based on comparing an attribute of the process to an attribute of a legitimate process, that a similarity between the process and the legitimate process meets a predetermined match threshold based at least in part on a similarity of a name of the process with a name of the legitimate process;
identifying the legitimate process in response to determining that the similarity between the process and the legitimate process meets the predetermined match threshold;
determining, by the computing device, in response to identifying the legitimate process, that the process is not the legitimate process at least in part by determining that at least one of:
the process does not comprise a digital signature that matches a digital signature of the legitimate process; and
a hash of the process does not match a hash of the legitimate process;
determining, based at least in part on the similarity between the process and the legitimate process meeting the predetermined match threshold and at least in part on determining that the process is not the legitimate process, that the process comprises an imposter process of the legitimate process;
determining, by the computing device, that a file has been created on the computing device by the imposter process;
determining, by the computing device, a security action for the file on the computing device in response to determining that the file has been created by the imposter process;
performing, by the computing device, the security action on the computing device for the file in response to determining the security action and thereby improving security on the computing device.
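The procedure claimed above, worked through in Python as an added example (this is not code from the patent or its assignee). Everything concrete here is an assumption the claim leaves open: an in-memory allowlist stands in for the "query" to a source of legitimate-process attributes, difflib.SequenceMatcher is the name-similarity measure, 0.8 is the match threshold, SHA-256 is the process hash, and a string comparison of the signer's certificate subject stands in for real signature verification. The process table and file-creation events are constructed sample data.

```python
"""Added example of the claimed imposter-process check; all data constructed."""
from __future__ import annotations

import difflib
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    name: str
    image: bytes            # bytes of the executable image backing the process (constructed)
    signer: Optional[str]   # subject of the code-signing certificate, None if unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist standing in for the "query" in the claim:
# legitimate process name -> (expected signer, expected image hash).
LEGITIMATE = {
    "svchost.exe": ("Microsoft Windows", sha256_hex(b"constructed svchost image")),
    "explorer.exe": ("Microsoft Windows", sha256_hex(b"constructed explorer image")),
}

MATCH_THRESHOLD = 0.8  # the claim's "predetermined match threshold" (assumed value)


def name_similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1]; 1.0 is an exact name match.
    difflib is an assumed stand-in: the claim does not fix the measure."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def closest_legitimate(name: str) -> Optional[tuple[str, float]]:
    """The legitimate process this name most resembles, if any clears the threshold."""
    best = None
    for legit_name in LEGITIMATE:
        score = name_similarity(name, legit_name)
        if score >= MATCH_THRESHOLD and (best is None or score > best[1]):
            best = (legit_name, score)
    return best


def assess(proc: ProcessInfo) -> dict:
    """Verdict 'legitimate', 'imposter' or 'unknown' (no look-alike name on the allowlist).

    A name match alone never yields 'imposter': the process must also fail the
    signature check or the hash check, as the claim requires."""
    match = closest_legitimate(proc.name)
    if match is None:
        return {"pid": proc.pid, "verdict": "unknown", "reasons": []}
    legit_name, score = match
    expected_signer, expected_hash = LEGITIMATE[legit_name]
    reasons = []
    if proc.signer != expected_signer:
        reasons.append("signature mismatch")
    if sha256_hex(proc.image) != expected_hash:
        reasons.append("hash mismatch")
    return {
        "pid": proc.pid,
        "verdict": "imposter" if reasons else "legitimate",
        "impersonates": legit_name,
        "similarity": round(score, 3),
        "reasons": reasons,
    }


def security_actions(procs: list[ProcessInfo], file_events: list[tuple[int, str]]) -> dict[str, str]:
    """Map every file created by an imposter process to the action taken on it."""
    imposters = {r["pid"] for r in map(assess, procs) if r["verdict"] == "imposter"}
    return {path: "quarantine" for pid, path in file_events if pid in imposters}


# Constructed process table: one genuine svchost, a typo-squatted look-alike,
# a same-name binary with tampered contents, and an unrelated process.
PROCS = [
    ProcessInfo(100, "svchost.exe", b"constructed svchost image", "Microsoft Windows"),
    ProcessInfo(200, "svch0st.exe", b"constructed dropper", None),
    ProcessInfo(300, "svchost.exe", b"constructed trojanized svchost", "Microsoft Windows"),
    ProcessInfo(400, "notepad.exe", b"constructed notepad image", "Microsoft Windows"),
]

# Constructed file-creation events: (creating pid, path).
FILE_EVENTS = [
    (200, r"C:\Users\Public\dropper.dll"),
    (100, r"C:\Windows\Temp\service.log"),
    (300, r"C:\ProgramData\payload.bin"),
]

if __name__ == "__main__":
    for proc in PROCS:
        print(assess(proc))
    print(security_actions(PROCS, FILE_EVENTS))
```

Two points a practitioner should carry away from the worked run. First, the name check is only a gate: pid 300 carries the exact legitimate name and the expected signer string, and it is still flagged because its hash differs, which is the claim's "at least one of" condition doing the work. Second, the hash branch is brittle in practice: a genuinely updated binary also fails a stale hash allowlist, so in a real deployment the signer comparison should be a full signature-chain verification rather than a string compare, and the hash list must be refreshed with the software it describes.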
Abstract
A computer-implemented method for securing computing devices against imposter processes may include (1) identifying a process that is subject to a security assessment, (2) determining, based on comparing an attribute of the process to an attribute of a legitimate process, that the process comprises an imposter process of the legitimate process, (3) determining that a file may have been created by the imposter process, and (4) determining a security action for the file in response to determining that the file has been created by the imposter process. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for securing computing devices against imposter processes, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying, by the computing device, a process executing on the computing device that is subject to a security assessment;
determining, by the computing device initiating a query, based on comparing an attribute of the process to an attribute of a legitimate process, that a similarity between the process and the legitimate process meets a predetermined match threshold based at least in part on a similarity of a name of the process with a name of the legitimate process;
identifying the legitimate process in response to determining that the similarity between the process and the legitimate process meets the predetermined match threshold;
determining, by the computing device, in response to identifying the legitimate process, that the process is not the legitimate process at least in part by determining that at least one of:
the process does not comprise a digital signature that matches a digital signature of the legitimate process; and
a hash of the process does not match a hash of the legitimate process;
determining, based at least in part on the similarity between the process and the legitimate process meeting the predetermined match threshold and at least in part on determining that the process is not the legitimate process, that the process comprises an imposter process of the legitimate process;
determining, by the computing device, that a file has been created on the computing device by the imposter process;
determining, by the computing device, a security action for the file on the computing device in response to determining that the file has been created by the imposter process;
performing, by the computing device, the security action on the computing device for the file in response to determining the security action and thereby improving security on the computing device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system for securing computing devices against imposter processes, the system comprising:
a memory that stores executable modules;
a process identification module, stored in the memory on a computing device, that identifies a process executing on the computing device that is subject to a security assessment;
an imposter determination module, stored in the memory on the computing device, that:
initiates a query to determine, based on comparing an attribute of the process to an attribute of a legitimate process, that a similarity between the process and the legitimate process meets a predetermined match threshold based at least in part on a similarity of a name of the process with a name of the legitimate process;
identifies the legitimate process in response to determining that the similarity between the process and the legitimate process meets the predetermined match threshold;
determines, in response to identifying the legitimate process, that the process is not the legitimate process at least in part by determining that at least one of:
the process does not comprise a digital signature that matches a digital signature of the legitimate process; and
a hash of the process does not match a hash of the legitimate process;
determines, based at least in part on the similarity between the process and the legitimate process meeting the predetermined match threshold and at least in part on determining that the process is not the legitimate process, that the process comprises an imposter process of the legitimate process;
a file determination module, stored in the memory on the computing device, that determines that a file has been created on the computing device by the imposter process;
a security determination module, stored in the memory on the computing device, that:
determines a security action for the file on the computing device in response to determining that the file has been created by the imposter process;
performs the security action on the computing device for the file in response to determining the security action and thereby improving security on the computing device;
at least one hardware processor that executes the process identification module, the imposter determination module, the file determination module and the security determination module.
Dependent claims: 12, 13, 14, 15, 16, 17
18. A non-transitory computer-readable storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
identify, by the computing device, a process executing on the computing device that is subject to a security assessment;
determine, by the computing device initiating a query, based on comparing an attribute of the process to an attribute of a legitimate process, that a similarity between the process and the legitimate process meets a predetermined match threshold based at least in part on a similarity of a name of the process with a name of the legitimate process;
identify the legitimate process in response to determining that the similarity between the process and the legitimate process meets the predetermined match threshold;
determine, by the computing device, in response to identifying the legitimate process, that the process is not the legitimate process at least in part by determining that at least one of:
the process does not comprise a digital signature that matches a digital signature of the legitimate process; and
a hash of the process does not match a hash of the legitimate process;
determine, based at least in part on the similarity between the process and the legitimate process meeting the predetermined match threshold and at least in part on determining that the process is not the legitimate process, that the process comprises an imposter process of the legitimate process;
determine, by the computing device, that a file has been created on the computing device by the imposter process;
determine, by the computing device, a security action for the file on the computing device in response to determining that the file has been created by the imposter process;
perform, by the computing device, the security action on the computing device for the file in response to determining the security action and thereby improving security on the computing device.
Dependent claims: 19, 20
Specification