Preemptive event handling
Abstract
A computerized method of preemptive event handling. The method comprises monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device; detecting, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device; classifying, in run time, the first process as a malware in response to the detection of the first event; and preventing, in run time, the first process from running on the computing device before the first event is processed by the OS.
10 Claims (independent claims 1, 9 and 10 shown below; 19 citations)
1. A computerized method of preemptive event handling, comprising:
catching, in run time by a kernel driver at kernel level, a plurality of events of a plurality of processes before being dispatched for execution by an operating system (OS) running on a computing device;
channeling, by said kernel driver and before processing by said OS, said plurality of events for a pre-dispatching analysis;
continuously scoring each of said plurality of processes with a process score according to said plurality of events;
detecting, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device;
calculating an updated process score for respective said process score of said first process in response to an analysis of said first event;
classifying, based on said pre-dispatching analysis, in run time, said first process as a malware in response to said detection of said first event and in response to said updated process score;
preventing, in run time, said first process from running on said computing device before said first event is processed by said OS; and
preventing the execution of said first process on said computing device and deleting at least one additional event associated with said first process.
(Dependent claims 2, 3, 4, 5, 6, 7 and 8 are not reproduced here.)
9. A system of reverting system data effected by a malware, comprising:
an operating system (OS) based computing device having at least one processor;
a threat monitoring module which catches, in run time at kernel level, a plurality of events of a plurality of processes before being dispatched for execution by an operating system (OS) running on a computing device and detects, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device, said threat monitoring module channels before processing by said OS, said plurality of events for a pre-dispatching analysis, continuously scores each of said plurality of processes with a process score according to said plurality of events, calculates an updated process score for respective said process score of said first process in response to an analysis of said first event and uses said processor to classify based on said pre-dispatching analysis, in run time, said first process as a malware in response to said detection of said first event and in response to said updated process score; and
an event dispatcher module which prevents, in run time, said first process from running on said computing device before said first event is processed by said OS, and further prevents the execution of said first process on said computing device and deletes at least one additional event associated with said first process;
wherein said event dispatcher module and said threat monitoring module are components of a kernel driver which operates in said kernel level.
10. A computer program product for preemptive event handling, comprising:
a non-transitory computer readable storage medium;
first program instructions executable by a computerized system to cause said computerized system to catch by a kernel driver, in run time at kernel level, a plurality of events of a plurality of processes before being dispatched for execution by an operating system (OS) running on a computing device;
second program instructions executable by said computerized system to cause said computerized system to channel by said kernel driver and before processing by said OS, said plurality of events for a pre-dispatching analysis;
third program instructions executable by said computerized system to cause said computerized system to continuously score each of said plurality of processes with a process score according to said plurality of events;
fourth program instructions executable by said computerized system to cause said computerized system to detect, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device;
fifth program instructions executable by said computerized system to cause said computerized system to calculate an updated process score for respective said process score of said first process in response to an analysis of said first event;
sixth program instructions executable by said computerized system to cause said computerized system to classify, based on said pre-dispatching analysis, in run time, said first process as a malware in response to said detection of said first event and in response to said updated process score; and
seventh program instructions executable by said computerized system to cause said computerized system to prevent, in run time, said first process from running on said computing device before said first event is processed by said OS, and further prevent the execution of said first process on said computing device and delete at least one additional event associated with said first process;
wherein said first, second, third, fourth, fifth, sixth and seventh program instructions are stored on said non-transitory computer readable storage medium.
Specification