SYSTEM AND METHODS THEREOF FOR IDENTIFICATION OF SUSPICIOUS SYSTEM PROCESSES

US 20170286683A1
Filed: 04/03/2017
Published: 10/05/2017
Est. Priority Date: 04/03/2016
Status: Active Grant

First Claim

Patent Images

1. A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to network, the network communicatively connected to a server, the method comprising:

receiving, by the server, a record of at least one process, initiated by and executing on the end-point device;

identifying one or more parameters associated with the at least one process, wherein the one or more parameters indicate on at least whether the at least one process is a familiar or unfamiliar process;

identifying, corresponding to the identified one or more parameters, a first time pointer;

identifying a second time pointer at which a user associated with the end-point device initiated a user dependent process;

performing an action based on whether the second time pointer occurred before the first time pointer and whether the at least one process was initiated by the user in view of identification of user dependent processes and corresponding attribution.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process, initiated by and executing on by the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer is identified corresponding to the identified one or more parameters, a first time pointer. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified. It is determined whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution. An action is performed based on the above determination.

3 Citations

17 Claims

1. A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to network, the network communicatively connected to a server, the method comprising:
- receiving, by the server, a record of at least one process, initiated by and executing on the end-point device;
  
  identifying one or more parameters associated with the at least one process, wherein the one or more parameters indicate on at least whether the at least one process is a familiar or unfamiliar process;
  
  identifying, corresponding to the identified one or more parameters, a first time pointer;
  
  identifying a second time pointer at which a user associated with the end-point device initiated a user dependent process;
  
  performing an action based on whether the second time pointer occurred before the first time pointer and whether the at least one process was initiated by the user in view of identification of user dependent processes and corresponding attribution.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - identifying the at least one process as a suspicious process if the second time pointer occurred before the first time pointer and the at least one process was not initiated by the user; and
      
      ,generating an alert corresponding to the identification of the suspicious process.
  - 3. The method of claim 2, wherein the alert is displayed on a display unit of at least one of:
    - an end-point device, a computerized general control system, an enterprise control system.
  - 4. The method of claim 2, further comprising:
    - continuously monitoring the suspicious process
  - 5. The method of claim 1, further comprising:
    - continuously monitoring the at least one process.

6. An apparatus for identification of suspicious processes executing on an end-point device, comprising:
- an interface to an enterprises'"'"' system;
  
  a mining unit for identification of at least one process initiated in the enterprise'"'"'s system;
  
  a processing unit;
  
  a memory coupled to the processing unit, the memory contains therein instructions that when executed by the processing unit configure the apparatus to identify suspicious processes,wherein the processing unit receives a record of the at least one process, the process executing on the end-point device and initiated by the end-point device,wherein the processing unit identifies one or more parameters associated with the at least one process and identifies a first time pointer at which the at least one process was initiated based on the one or more parameters, wherein the one or more parameters indicate on at least whether the at least one process is a familiar or unfamiliar process,wherein the processing unit identifies a second time pointer at which a user associated with the end-point device initiated a user dependent process and further determines whether the second time pointer occurred before the first time pointer,wherein the processing unit determines whether the at least one process was initiated by the user and takes appropriate action.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The apparatus of claim 6, wherein a process that was initiated after the initiation of the user dependent process and was not initiated by the user is identified to be a suspicious process and an alert corresponding to the identification of the suspicious process is generated.
  - 8. The apparatus of claim 7, wherein the alert is displayed on a display unit of at least one of:
    - an end-point device, a computerized control system, an enterprise control system.
  - 9. The apparatus of claim 6, further comprises:
    - a data storage unit.
  - 10. The apparatus of claim 9, wherein the identified data associated with suspicious process is stored in the data storage unit.
  - 11. The apparatus of claim 6 wherein the at least one process is monitored continuously.
  - 12. The apparatus of claim 6, wherein the suspicious process is continuously monitored.

13. A computer program product including a computer readable medium comprising computer executable program recorded on a computer readable non-transitory storage medium, said computer executable program code when executed causing a computer to:
- a) receive, by a server, a record of at least one process, initiated by and executing on by the end-point device;
  
  b) identify one or more parameters associated with the at least one process;
  
  c) identify, corresponding to the identified one or more parameters, a first time pointer, wherein the one or more parameters indicate on at least whether the at least one process is a familiar or unfamiliar process;
  
  d) identify a second time pointer at which a user associated with the end-point device initiated a user dependent process;
  
  e) determine whether the second time pointer occurred before the first time pointer; and
  
  f) determine, whether the at least one process was initiated by the user, based on identification of user dependent processes and corresponding attribution; and
  
  g) perform an action based on the determining in step e and step f.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product of claim 13, where the program code further causes the computer to:
    - identify the at least one process as a suspicious process if in step e the second time pointer occurred before the first time pointer and in step f the at least one process was not initiated by the user; and
      
      ,generate an alert corresponding to the identification of the suspicious process.
  - 15. The computer program product of claim 14, wherein the alert is displayed on a display unit of at least one of:
    - an end-point device, a computerized general control system, an enterprise control system.
  - 16. The computer program product of claim 14, wherein the suspicious process is continuously monitored.
  - 17. The computer program product of claim 13, wherein the at least one process is continuously monitored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Cyber Secdo, Ltd.
Inventors
BARAK, Gil

Granted Patent

US 10,423,789 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3017   where the computing system ...

G06F 11/3072   where the reporting involve...

G06F 11/3089   Monitoring arrangements det...

G06F 11/3438   monitoring of user actions ...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/725   operating on a secure refer...

G06F 2201/835   Timestamp

H04L 63/1425   Traffic logging, e.g. anoma...

SYSTEM AND METHODS THEREOF FOR IDENTIFICATION OF SUSPICIOUS SYSTEM PROCESSES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHODS THEREOF FOR IDENTIFICATION OF SUSPICIOUS SYSTEM PROCESSES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links