Using call stack snapshots to detect anomalous computer behavior
US-2017124319-A1 · May 4, 2017 · US
US11216555B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11216555-B2 |
| Application number | US-201916701556-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 3, 2019 |
| Priority date | Jun 16, 2017 |
| Publication date | Jan 4, 2022 |
| Grant date | Jan 4, 2022 |
Abstract:
A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.
Claims (preview):
What is claimed:

1. A method for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device, the method comprising: launching an agent in an operating system of a client device; registering, by the agent, events occurring in the operating system of the client device; for each registered event occurring in the operating system of the client device, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event; selecting a set of features based on the call stack of the event, the set of features comprising one or more of: names of loaded modules of the computing device, sequences of loading the modules, names of procedures and functions being implemented at the moment of occurrence of the event, values of parameters being transferred to the modules prior to the call for procedures and functions being exported by said modules, a presence or absence of at least one indirect call, a position independent code, and information on jumps, the information being obtained from a self-modifying code, a last branch record (LBR), a branch trace store (BTS); generating a convolution based on the selected set of features of the event and the context of the event; and adding the generated convolution to a set of convolutions of events occurring on client devices; and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices, the set of convolutions being provided to the client device for detecting anomalous events.
2. The method of claim 1, wherein the events occurring in the operating system of the client device comprise at least one of: a launching of a process, a loading of a computer executable program code, a file operation, and a registry operation.
3. The method of claim 1, wherein the providing of the set of convolutions to the client device comprises loading the set of convolutions onto the client device.
4. The method of claim 1, wherein the providing of the set of convolutions to the client device comprises organizing a polling of a database without loading the set of convolutions into a local database of the client device.
5. The method of claim 1, further comprising: registering, by an agent of a client device, at least one unclassified event; and determining, by the agent of the client device, whether or not the at least one unclassified event is anomalous based on a comparison of a convolution generated based on selected features of the unclassified event with the set of convolutions of events occurring on client devices.
6. The method of claim 5, further comprising: deleting the software process associated with the unclassified event when the unclassified event is determined as being anomalous.
7. The method of claim 5, further comprising: alerting a user of the client device when the unclassified event is determined as being anomalous.
8. A system for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device, the system comprising: a computer processor configured to: launch an agent in an operating system of a client device; register, by the agent that is launched, events occurring in the operating system of the client device; for each registered event occurring in the operating system of the client device, determine a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event; select a set of features based on the call stack of the event, the set of features comprising one or more of: names of loaded modules of the computing device, sequences of loading the modules, names of procedures and functions being implemented at the moment of occurrence of the event, values of parameters being transferred to the modules prior to the call for procedures and functions being exported by said modules, a presence or absence of at least one indirect call, a position independent code, and information on jumps, the information being obtained from a self-modifying code, a last branch record (LBR), a branch trace store (BTS); generate a convolution based on the selected set of features of the event and the context of the event; and add the generated convolution to a set of convolutions of events occurring on client devices; and provide, to a client device from which a request is received, the set of convolutions of events occurring on client devices, the set of convolutions being provided to the client device for detecting anomalous events.
9. The system of claim 8, wherein the events occurring in the operating system of the client device comprise at least one of: a launching of a process, a loading of a computer executable program code, a file operation, and a registry operation.
10. The system of claim 8, wherein the providing of the set of convolutions to the client device comprises loading the set of convolutions onto the client device.
11. The system of claim 8, wherein the providing of the set of convolutions to the client device comprises organizing a polling of a database without loading the set of convolutions into a local database of the client device.
12. The system of claim 8, wherein the processor is further configured to: register, by an agent of a client device, at least one unclassified event; and determine, by the agent of the client device, whether or not the at least one unclassified event is anomalous based on a comparison of a convolution generated based on selected features of the unclassified event with the set of convolutions of events occurring on client devices.
13. The system of claim 12, wherein the processor is further configured to: delete the software process associated with the unclassified event when the unclassified event is determined as being anomalous.
14. The system of claim 12, wherein the processor is further configured to: alert a user of the client device when the unclassified event is determined as being anomalous.
15. A non-transitory computer readable medium storing thereon computer executable instructions for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device, including instructions for: launching an agent in an operating system of a client device; registering, by the agent, events occurring in the operating system of the client device; for each registered event occurring in the operating system of the client device, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event; selecting a set of features based on the call stack of the event, the set of features comprising one or more of: names of loaded modules of the computing device, sequences of loading the modules, names of procedures and functions being implemented at the moment of occurrence of the event, values of parameters being transferred to the modules prior to the call for procedures and functions being exported by said modules, a presence or absence of at least one indirect call, a position independent code, and information on jumps, the information being obtained from a self-modifying code, a last branch record (LBR), a branch trace store (BTS); generating a convolution based on the selected set of features of the event and the context of the event; and adding the generated convolution to a set of convolutions of events occurring on client devices; and providing, to a client device from which a
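The claims describe a pipeline without fixing its data structures: an agent records an event together with the call stack at that moment, selects features from the stack (module names, load order, function names, parameter values, indirect-call and position-independent-code flags), reduces them to a "convolution", pools convolutions from many clients, and lets a client decide whether an unclassified event is anomalous by comparing its convolution against the pool (claims 1, 5 and 12). The following is an added illustration of that flow, not code from the patent or its assignee. It assumes the "convolution" can be read as a stable digest (SHA-256 over a canonical JSON encoding of the selected features); the frame and event shapes, the module and function names, and the sample events are all constructed for the example. It goes one step beyond the claims by making parameter values an optional feature, which shows why an exact-match convolution over raw arguments is brittle.

```python
"""Added example (not from the patent): feature selection from a call-stack
snapshot, a digest-based "convolution", and comparison against a shared set.
Treating the convolution as SHA-256 over canonical JSON is an assumption."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One stack frame (simplified, constructed shape)."""
    module: str                         # image backing the return address
    function: str                       # exported procedure being executed
    args: tuple = ()                    # parameter values passed to it
    indirect_call: bool = False         # frame reached via an indirect call
    position_independent: bool = False  # frame lies in position-independent code


@dataclass
class Event:
    """A registered OS event plus its context: the call stack at that moment."""
    kind: str              # "process_launch", "code_load", "file_op", "registry_op"
    stack: list[Frame]     # innermost frame first
    load_order: list[str]  # sequence in which the modules were loaded


def select_features(event: Event, with_params: bool = True) -> dict:
    """Feature set enumerated in claim 1. Parameter values are optional because
    hashing raw arguments makes an exact-match convolution brittle."""
    features = {
        "kind": event.kind,
        "modules": sorted({f.module for f in event.stack}),
        "load_sequence": list(event.load_order),
        "functions": [f"{f.module}!{f.function}" for f in event.stack],
        "has_indirect_call": any(f.indirect_call for f in event.stack),
        "has_pic": any(f.position_independent for f in event.stack),
    }
    if with_params:
        features["params"] = [list(f.args) for f in event.stack]
    return features


def convolution(features: dict) -> str:
    """Convolution of a feature set: SHA-256 over a canonical JSON encoding.
    sort_keys and fixed separators make the digest independent of dict order."""
    canonical = json.dumps(features, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ConvolutionStore:
    """Server-side set of convolutions reported by agents on client devices."""

    def __init__(self) -> None:
        self._known: set[str] = set()

    def add_event(self, event: Event, with_params: bool = True) -> str:
        digest = convolution(select_features(event, with_params))
        self._known.add(digest)
        return digest

    def snapshot(self) -> frozenset[str]:
        """What a requesting client loads or polls (claims 3 and 4)."""
        return frozenset(self._known)


def classify(event: Event, known: frozenset[str], with_params: bool = True) -> str:
    """Claim 5: an unclassified event is anomalous if its convolution is absent."""
    digest = convolution(select_features(event, with_params))
    return "known" if digest in known else "anomalous"


def sample_events() -> dict[str, Event]:
    """Constructed sample events; module and function names are illustrative."""
    base = ["ntdll.dll", "kernel32.dll", "editor.exe"]
    editor_save = Event("file_op", [
        Frame("ntdll.dll", "NtWriteFile"),
        Frame("kernel32.dll", "WriteFile", ("notes.txt",)),
        Frame("editor.exe", "SaveDocument"),
    ], base)
    # Same code path, different file name: only the parameter values differ.
    editor_save_other = Event("file_op", [
        Frame("ntdll.dll", "NtWriteFile"),
        Frame("kernel32.dll", "WriteFile", ("report.txt",)),
        Frame("editor.exe", "SaveDocument"),
    ], base)
    # Write issued from a frame with no backing module, reached indirectly from
    # position-independent code: a stack shape no client has reported before.
    unbacked_write = Event("file_op", [
        Frame("ntdll.dll", "NtWriteFile"),
        Frame("kernel32.dll", "WriteFile", ("notes.txt",)),
        Frame("<unbacked>", "?", indirect_call=True, position_independent=True),
    ], base)
    return {"editor_save": editor_save, "editor_save_other": editor_save_other,
            "unbacked_write": unbacked_write}


def classify_samples(with_params: bool) -> dict[str, str]:
    """Populate the store from one benign event, then classify every sample."""
    store = ConvolutionStore()
    events = sample_events()
    store.add_event(events["editor_save"], with_params)
    known = store.snapshot()
    return {name: classify(ev, known, with_params) for name, ev in events.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"with_params={mode}:", classify_samples(mode))
```

With parameter values left out of the feature set, the second save from the same editor code path matches the pooled convolution and only the write from unbacked memory is flagged; with raw parameter values hashed in, the second benign save is flagged too. Which features go into the convolution is therefore the main lever between detection coverage and false positives, and the claim 1 list ("one or more of") leaves that choice to the implementer.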
CPC classifications:
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow}
- Assessing vulnerabilities and evaluating computer system security
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms