Detecting malicious computer program activity using external program calls with dynamic rule sets
Abstract
A stream 14 of external computer program calls made from an application program 2 to an operating system 4 is logged by an anti-malware layer 8. This stream 14 is examined for a primary set XYZ of external program calls known to be associated with malicious computer program activity. When such a primary set XYZ of external computer program calls is identified, the malicious activity is blocked and the logged stream 14 is examined to determine one or more secondary sets of external program calls which are now added to the set of rules 10 against which the logged stream 14 of external program calls is tested. In this way the set of rules 10 is dynamically adapted so as to more rapidly and proactively identify malicious computer program activity.
47 Claims
1. A computer program product embodied on a non-transitory tangible computer readable medium and provided on a computer that includes a central processing unit (CPU) and an operating system, the computer program product comprising:
- logging code operable to log a stream of external program calls during an execution of a computer program;
- primary set identifying code operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
- secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls, wherein one of said at least one secondary set of one or more external program calls (1) precedes or succeeds said primary set of one or more external program calls within said stream of external program calls and (2) originates from the same computer program, memory region, or thread of the primary set of external program calls;
- modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls by increasing a score value associated with the secondary set of one or more external program calls for use in triggering an anti-malware response;
- wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 46, 47.

16. A method of detecting malicious computer program activity using a processor and a memory of a computer, comprising:
- logging a stream of external program calls during an execution of a computer program;
- identifying within said stream of external program calls a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
- identifying within said stream at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls, wherein one of said at least one secondary set of one or more external program calls (1) precedes or succeeds said primary set of one or more external program calls within said stream of external program calls and (2) originates from the same computer program, memory region, or thread of the primary set of external program calls;
- modifying said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls by increasing a score value associated with the secondary set of one or more external program calls for use in triggering an anti-malware response;
- wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.

Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30.

31. A data processing apparatus operable to detect malicious computer program activity, said apparatus comprising:
- a central processing unit (CPU);
- an operating system;
- logging code operable to log a stream of external program calls during an execution of a computer program;
- primary set identifying code operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
- secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls, wherein one of said at least one secondary set of one or more external program calls (1) precedes or succeeds said primary set of one or more external program calls within said stream of external program calls and (2) originates from the same computer program, memory region, or thread of the primary set of external program calls;
- modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls by increasing a score value associated with the secondary set of one or more external program calls for use in triggering an anti-malware response;
- wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.

Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45.
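The mechanism described in the abstract and independent claims, as an added illustration that is not the patent's own code: a logged call stream is scanned for the known primary set XYZ, the same-thread calls just before and after it become new, higher-scoring rules, and a later program issuing only the learned prefix is blocked before XYZ appears. The call names, thread identifiers, window size and score threshold are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:               # one logged external program call and its origin
    program: str
    thread: int
    name: str

@dataclass
class Rule:
    pattern: tuple        # contiguous call names issued by one program/thread
    score: int            # weight towards triggering an anti-malware response

THRESHOLD = 10            # constructed: score at which a matched rule blocks
WINDOW = 2                # constructed: same-origin calls taken before/after the primary set

def origin(c):
    return (c.program, c.thread)

def find_match(stream, rule):
    """Index where rule.pattern first occurs as a run of same-origin calls, else None."""
    n = len(rule.pattern)
    for i in range(len(stream) - n + 1):
        run = stream[i:i + n]
        if tuple(c.name for c in run) == rule.pattern and len({origin(c) for c in run}) == 1:
            return i
    return None

def scan(stream, rules):
    """Block on a primary match and learn secondary sets; returns (blocked index or None, rules)."""
    for rule in list(rules):
        i = find_match(stream, rule)
        if i is None or rule.score < THRESHOLD:
            continue
        n = len(rule.pattern)
        # Only calls from the same program and thread as the primary set qualify.
        own = [k for k, c in enumerate(stream) if origin(c) == origin(stream[i])]
        pos = own.index(i)
        before = tuple(stream[k].name for k in own[max(0, pos - WINDOW):pos])
        after = tuple(stream[k].name for k in own[pos + n:pos + n + WINDOW])
        for sec in (before, after):
            if sec and all(r.pattern != sec for r in rules):
                rules.append(Rule(sec, rule.score + 1))   # outranks the primary rule
        return i, rules
    return None, rules

def demo():
    rules = [Rule(("X", "Y", "Z"), THRESHOLD)]        # the known-bad primary set XYZ
    t1 = lambda name: Call("app2", 1, name)
    stream1 = [t1("U"), t1("V"), t1("W"), Call("app2", 2, "K"),   # K is from another thread
               t1("X"), t1("Y"), t1("Z"), t1("P"), t1("Q")]
    hit, rules = scan(stream1, rules)                  # XYZ found at index 4; learns (V,W) and (P,Q)
    early, _ = scan([Call("app3", 7, n) for n in ("V", "W")], rules)   # prefix alone now blocks
    return hit, early, [r.pattern for r in rules]
```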
Specification