Ransomware detection via detecting system calls pattern in encryption phase

US12541595B2 · US · B2

Patent metadata
Publication number: US-12541595-B2
Application number: US-202318194725-A
Country: US
Kind code: B2
Filing date: Apr 3, 2023
Priority date: Apr 3, 2023
Publication date: Feb 3, 2026
Grant date: Feb 3, 2026

Abstract

Official abstract text for this publication.

System calls performed by processes in a computing system are monitored and scored. The score is maintained over a time window. When the score exceeds a threshold score for a process in the time window, the process is determined to be a malware process and a protective operation is performed.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: labeling files, by a computing system, that are believed to be valuable to a malware process with a valuable label; monitoring system call patterns to files performed by a process operating in the computing system, which includes detecting patterns by a model trained with system calls made by known malware, wherein the model is configured to account for pattern variations in the call patterns of processes; generating a score for the process based on system call patterns made by the process, wherein each score represents a likelihood of the process being a malware process; increasing the score of the process when a core pattern is detected for the process or when a system call pattern that includes the core pattern for the process is detected, wherein the core pattern includes a specified series of system calls; increasing the score of the process when a file targeted by the system calls made by the process has the valuable label, wherein the score for the file is different when the file is not labeled with the valuable label; determining that a process is the malware process when the score of the process exceeds a threshold score; and performing a protective operation in the computing system.

2. The method of claim 1, wherein the series of system calls of the core pattern include an open file call, a read file call, a write file call, and a close file call.

3. The method of claim 1, further comprising adjusting the score of the process for each system call performed by the process.

4. The method of claim 1, wherein the score of the process is based on the system call patterns performed within a time window.

5. The method of claim 1, further comprising tracking accesses by associating the accesses of the process while accounting for system calls that cause changes to the files that are not indicative of values of the files.

6. The method of claim 1, further comprising categorizing the files based on how the computing system presumes that the malware values the files, wherein a first category includes files labeled as valuable.

7. The method of claim 6, wherein categories include one or more of financial, valuable, personal, confidential, or medical.

8. The method of claim 6, wherein the process is associated with an overall score and a score for each of the categories.

9. The method of claim 8, wherein the score of the process is a combination of the overall score and the scores for the categories.

10. A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: labeling files, by a computing system, that are believed to be valuable to a malware process with a valuable label; monitoring system call patterns to files performed by a process operating in the computing system, which includes detecting patterns by a model trained with system calls made by known malware, wherein the model is configured to account for pattern variations in the call patterns of processes; generating a score for the process based on system call patterns made by the process, wherein each score represents a likelihood of the process being a malware process; increasing the score of the process when a core pattern is detected for the process or when a system call pattern that includes the core pattern for the process is detected, wherein the core pattern includes a specified series of system calls; increasing the score of the process when a file targeted by the system calls made by the process has the valuable label, wherein the score for the file is different when the file is not labeled with the valuable label; determining that a process is the malware process when the score of the process exceeds a threshold score; and performing a protective operation in the computing system.

11. The non-transitory storage medium of claim 10, wherein the series of system calls of the core pattern include an open file call, a read file call, a write file call, and a close file call.

12. The non-transitory storage medium of claim 10, further comprising adjusting the score of the process for each system call performed by the process.

13. The non-transitory storage medium of claim 10, wherein the score of the process is based on the system call patterns performed within a time window.

14. The non-transitory storage medium of claim 10, further comprising tracking accesses by associating the accesses of the process while accounting for system calls that cause changes to the files that are not indicative of values of the files.

15. The non-transitory storage medium of claim 10, further comprising categorizing the files based on how the computing system presumes that the malware values the files, wherein a first category includes files labeled as valuable.

16. The non-transitory storage medium of claim 15, wherein categories include one or more of financial, valuable, personal, confidential, or medical.

17. The non-transitory storage medium of claim 15, wherein each of the processes is associated with an overall score and a score for each of the categories.

18. The non-transitory storage medium of claim 17, wherein the score of the process is a combination of the overall score and the scores for the categories.
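The scoring procedure of claims 1 to 9, worked through as an added Python example. This is not code from the patent or from Dell: the window length, threshold, weights, file paths, category labels and the system call trace are all constructed assumptions. Treating repeated calls (read, read) as a tolerated variation and ignoring metadata-only calls is one concrete reading of "pattern variations" in claim 1 and of claim 5; the combined score is the overall score plus the per-category scores (claims 8 and 9).

```python
from collections import defaultdict, deque

# Defender-assigned file labels (claim 1 "valuable label"; claims 6-7 categories).
# Constructed sample data: these paths and labels are illustrative, not from the patent.
FILE_LABELS = {
    "/home/alice/docs/taxes_2023.xlsx": "financial",
    "/home/alice/docs/medical_report.pdf": "medical",
    "/home/alice/photos/family.jpg": "personal",
    "/var/log/syslog": None,   # not labeled valuable
    "/tmp/cache.bin": None,    # not labeled valuable
}

CORE_PATTERN = ("open", "read", "write", "close")  # claim 2
# Metadata-only calls that change a file but say nothing about its value (claim 5).
NON_INDICATIVE_CALLS = {"stat", "utime", "chmod", "fsync"}

# Assumed numbers; the patent states no concrete window, threshold or weights.
WINDOW_SECONDS = 10.0       # claim 4: score is maintained over a time window
THRESHOLD = 8.0             # claim 1: process is flagged when its score exceeds this
CORE_PATTERN_WEIGHT = 1.0   # overall score increase per completed core pattern
VALUABLE_WEIGHT = 2.0       # category score increase when the file carries a label


class SyscallScorer:
    """Scores processes by their file system call patterns (claims 1-9)."""

    def __init__(self, labels, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.labels = labels
        self.window = window
        self.threshold = threshold
        # pid -> {path: index of the next expected core-pattern call}
        self.progress = defaultdict(dict)
        # pid -> deque of (timestamp, category or None), one per completed core pattern
        self.hits = defaultdict(deque)

    def _expire(self, pid, now):
        # Drop completed patterns that fell out of the time window (claim 4).
        hits = self.hits[pid]
        while hits and hits[0][0] <= now - self.window:
            hits.popleft()

    def observe(self, ts, pid, call, path):
        """Feed one system call; return True if the process now exceeds the threshold."""
        if call in NON_INDICATIVE_CALLS:          # claim 5: not indicative of file value
            return self.is_malware(pid, ts)
        prog = self.progress[pid]
        idx = prog.get(path, 0)
        if call == CORE_PATTERN[0]:
            idx = 1                                # (re)start the pattern on open
        elif idx and call == CORE_PATTERN[idx]:
            idx += 1                               # next step of the core pattern
        elif idx and call == CORE_PATTERN[idx - 1]:
            pass                                   # repeated step (read, read): tolerated variation
        else:
            idx = 0                                # out-of-order call breaks the pattern
        if idx == len(CORE_PATTERN):               # open, read, write, close completed
            self.hits[pid].append((ts, self.labels.get(path)))
            idx = 0
        prog[path] = idx
        return self.is_malware(pid, ts)

    def scores(self, pid, now):
        """Return (overall, per-category, combined) scores inside the window (claims 8-9)."""
        self._expire(pid, now)
        overall = 0.0
        categories = defaultdict(float)
        for _, category in self.hits[pid]:
            overall += CORE_PATTERN_WEIGHT
            if category:                           # labeled file scores differently (claim 1)
                categories[category] += VALUABLE_WEIGHT
        combined = overall + sum(categories.values())
        return overall, dict(categories), combined

    def is_malware(self, pid, now):
        return self.scores(pid, now)[2] > self.threshold


def run_trace(events, labels=FILE_LABELS):
    """Replay (ts, pid, call, path) events; return the scorer and {pid: ts first flagged}."""
    scorer = SyscallScorer(labels)
    flagged = {}
    for ts, pid, call, path in events:
        if scorer.observe(ts, pid, call, path) and pid not in flagged:
            flagged[pid] = ts   # this is where the protective operation would run (claim 1)
    return scorer, flagged


# Constructed trace: pid 1001 only reads a log; pid 4242 rewrites four files in place.
TAX, MED, PIC, LOG, TMP = list(FILE_LABELS)
SAMPLE_TRACE = [
    (0.0, 1001, "open", LOG), (0.1, 1001, "read", LOG), (0.2, 1001, "close", LOG),
    (1.0, 4242, "open", TAX), (1.1, 4242, "read", TAX), (1.2, 4242, "read", TAX),
    (1.3, 4242, "stat", TAX), (1.4, 4242, "write", TAX), (1.5, 4242, "close", TAX),
    (2.0, 4242, "open", MED), (2.1, 4242, "read", MED), (2.2, 4242, "write", MED), (2.3, 4242, "close", MED),
    (3.0, 4242, "open", TMP), (3.1, 4242, "read", TMP), (3.2, 4242, "write", TMP), (3.3, 4242, "close", TMP),
    (4.0, 4242, "open", PIC), (4.1, 4242, "read", PIC), (4.2, 4242, "write", PIC), (4.3, 4242, "close", PIC),
    (5.0, 1001, "stat", LOG),
]

if __name__ == "__main__":
    scorer, flagged = run_trace(SAMPLE_TRACE)
    print("flagged:", flagged)                      # {4242: 4.3}
    print("pid 4242 at t=4.3:", scorer.scores(4242, 4.3))
```

On this trace the read-only log access never completes the core pattern, so pid 1001 stays at zero. Pid 4242 reaches a combined score of 7 after three rewrites (two labeled files plus one unlabeled), which does not exceed the assumed threshold of 8; the fourth rewrite, of a labeled file, lifts it to 10 and the process is flagged at t=4.3. Asking for the same process's score at t=20 returns zero, because every completed pattern has aged out of the ten-second window.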

Assignees

Inventors

Classifications

  • Test or assess a computer or a system · CPC title

  • by checking file integrity · CPC title

  • G06F21/566 · Primary

    Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12541595B2 cover?
System calls performed by processes in a computing system are monitored and scored. The score is maintained over a time window. When the score exceeds a threshold score for a process in the time window, the process is determined to be a malware process and a protective operation is performed.
Who is the assignee on this patent?
Dell Products LP
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 3, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).