Methods, systems, and media for detecting covert malware
First Claim
1. A method for detecting covert malware in a computing environment, the method comprising:
receiving, using a hardware processor, a first set of user actions;
automatically generating, without receiving user input, using the hardware processor, a second set of user actions that is similar to the first set of user actions based on the first set of user actions and using a model of user activity, wherein the first set of user actions is modified using the model of user activity to generate the second set of user actions in the form of simulated user actions;
replaying, using the hardware processor, the second set of user actions to an application inside the computing environment;
determining, using the hardware processor, whether state information of the application matches an expected state in response to the second set of user actions is being replayed to the application inside the computing environment;
determining, using the hardware processor, whether covert malware is present in the computing environment based at least in part on the determination of whether the state information matches the expected state; and
transmitting, using the hardware processor, an alert to a computing device in response to determining that covert malware is present in the computing environment.
Abstract
Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination.
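The steps in the abstract, as an added sketch that is not code from the patent or its assignee: a recorded action set is varied by a model, replayed to an application, and the resulting state is compared with the expected state. The `Action` schema, `ActivityModel`, `FormApp`, the substitute values and the input-altering `hook` are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:                      # one user action (hypothetical schema)
    field: str                     # input field that receives the text
    text: str
    delay_ms: int                  # pause before the action

class ActivityModel:
    """Assumed toy model: synthetic field values plus timing jitter."""
    def __init__(self, substitutes, jitter=0.2, seed=7):
        self.substitutes, self.jitter = substitutes, jitter
        self.rng = random.Random(seed)
    def simulate(self, recorded):
        out = []
        for a in recorded:
            text = self.substitutes.get(a.field, a.text)
            scale = 1 + self.rng.uniform(-self.jitter, self.jitter)
            out.append(Action(a.field, text, max(1, round(a.delay_ms * scale))))
        return out

class FormApp:
    """Stand-in application; `hook` models software altering input in transit."""
    def __init__(self, hook=None):
        self.state, self.hook = {}, hook

    def deliver(self, action):
        self.state[action.field] = self.hook(action) if self.hook else action.text

def detect(recorded, model, app):
    """Replay simulated actions, then compare application state to the expected state."""
    simulated = model.simulate(recorded)
    for a in simulated:
        app.deliver(a)
    expected = {a.field: a.text for a in simulated}
    diff = {f: (want, app.state.get(f)) for f, want in expected.items()
            if app.state.get(f) != want}
    return {"alert": bool(diff), "mismatches": diff}

# Constructed sample data, not taken from the patent.
RECORDED = [Action("user", "alice", 180), Action("password", "s3cret", 240),
            Action("payee", "ACME Ltd", 400)]
SUBSTITUTES = {"user": "sim_user_01", "password": "sim-pass-01"}

if __name__ == "__main__":
    print(detect(RECORDED, ActivityModel(SUBSTITUTES), FormApp()))
    print(detect(RECORDED, ActivityModel(SUBSTITUTES),
                 FormApp(hook=lambda a: "X" if a.field == "payee" else a.text)))
```

A mismatch between the replayed input and the observed state is what raises the alert; an unmodified application produces an empty mismatch set.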
23 Claims
12. A system for detecting covert malware in a computing environment, the system comprising:
a hardware processor that is configured to:
receive a first set of user actions;
automatically generate, without receiving user input, a second set of user actions that is similar to the first set of user actions based on the first set of user actions and using a model of user activity, wherein the first set of user actions is modified using the model of user activity to generate the second set of user actions in the form of simulated user actions;
replay the second set of user actions to an application inside the computing environment;
determine whether state information of the application matches an expected state in response to the second set of user actions is being replayed to the application inside the computing environment;
determine whether covert malware is present in the computing environment based at least in part on the determination of whether the state information matches the expected state; and
transmit an alert to a computing device in response to determining that covert malware is present in the computing environment.
23. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting covert malware in a computing environment, the method comprising:
receiving a first set of user actions;
automatically generating, without receiving user input, a second set of user actions that is similar to the first set of user actions based on the first set of user actions and using a model of user activity, wherein the first set of user actions is modified using the model of user activity to generate the second set of user actions in the form of simulated user actions;
replaying the second set of user actions to an application inside the computing environment;
determining whether state information of the application matches an expected state in response to the second set of user actions is being replayed to the application inside the computing environment;
determining whether covert malware is present in the computing environment based at least in part on the determination of whether the state information matches the expected state; and
transmitting an alert to a computing device in response to determining that covert malware is present in the computing environment.
Specification