Endpoint malware detection using an event graph
US-2017300690-A1 · Oct 19, 2017 · US
US2022019660A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2022019660-A1 |
| Application number | US-201817294167-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 16, 2018 |
| Priority date | Nov 16, 2018 |
| Publication date | Jan 20, 2022 |
| Grant date | — |
Official abstract text for this publication.
An information processing apparatus (2000) acquires an event graph (10) to be output and determines a subgraph satisfying a predetermined reference from the acquired event graph (10) to be output. In the event graph (10), an activity content in an event related to an activity of a program is represented as an edge (14), and each of a subject and an object of the event is represented as a node (12). The information processing apparatus (2000) outputs the event graph (10) with an output mode of the determined subgraph as a first mode and with an output mode of another portion as a mode other than the first mode. The first mode is a mode in which at least one of the number of nodes (12) and the number of edges (14) is smaller than the number included in the determined subgraph.
Opening claim text (preview).
What is claimed is:

1. An information processing apparatus comprising: a determination unit that acquires an event graph to be output and determines a subgraph satisfying a predetermined reference from the acquired event graph to be output; and an output unit that outputs the event graph, with an output mode of the determined subgraph as a first mode and an output mode of another portion as a mode other than the first mode, wherein the event graph represents an activity content in an event related to an activity of a program as an edge and represents each of a subject and an object of the event as a node, and the first mode is a mode in which at least one of the number of nodes and the number of edges is reduced than the number of nodes and the number of edges included in the determined subgraph.

2. The information processing apparatus according to claim 1, wherein the predetermined reference is a reference satisfied by a subgraph representing an event sequence that occurs in a normal state.

3. The information processing apparatus according to claim 2, wherein the predetermined reference is a reference indicating that one process accesses a plurality of files having the same extension.

4. The information processing apparatus according to claim 2, wherein the predetermined reference is a reference indicating communication with one process performed by a plurality of apparatuses belonging to the same subnet.

5. The information processing apparatus according to claim 2, wherein the predetermined reference is a reference indicating that one process accesses a plurality of files or directories satisfying a second predetermined reference.

6. The information processing apparatus according to claim 5, wherein the second predetermined reference is a reference indicating existing under a predetermined directory, or a reference indicating being shown in a predetermined list.

7. The information processing apparatus according to claim 1, wherein the determination unit acquires an event graph representing an event sequence that includes the node representing the subject or the object of the event that is specified by an input operation.

8. A control method executed by a computer, the method comprising: acquiring an event graph to be output and determining a subgraph satisfying a predetermined reference from the acquired event graph to be output; and outputting the event graph, with an output mode of the determined subgraph as a first mode and an output mode of another portion as a mode other than the first mode, wherein the event graph represents an activity content in an event related to an activity of a program as an edge and represents each of a subject and an object of the event as a node, and the first mode is a mode in which at least one of the number of nodes and the number of edges is reduced than the number of nodes and the number of edges included in the determined subgraph.

9. The control method according to claim 8, wherein the predetermined reference is a reference satisfied by a subgraph representing an event sequence that occurs in a normal state.

10. The control method according to claim 9, wherein the predetermined reference is a reference indicating that one process accesses a plurality of files having the same extension.

11. The control method according to claim 9, wherein the predetermined reference is a reference indicating communication with one process performed by a plurality of apparatuses belonging to the same subnet.

12. The control method according to claim 9, wherein the predetermined reference is a reference indicating that one process accesses a plurality of files or directories satisfying a second predetermined reference.

13. The control method according to claim 12, wherein the second predetermined reference is a reference indicating existing under a predetermined directory, or a reference indicating being shown in a predetermined list.

14. The control method according to claim 8, wherein in the determining, an event graph representing an event sequence that includes the node representing the subject or the object of the event that is specified by an input operation, is acquired.

15. A non-transitory computer-readable storage medium storing a program that causes a computer to execute the control method according to claim 8.
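The claims describe the mechanism only in words: build a graph whose edges are activities and whose nodes are the subject and object of each event, find the subgraphs that match a reference for "normal" activity (claims 3 to 6: one process touching many files with the same extension, many hosts in one subnet talking to one process, files under a predetermined directory or on a predetermined list), and emit those subgraphs in a reduced form while leaving the rest of the graph untouched. The following Python is an added illustration written for this page, not code from the patent or its applicant. The telemetry is constructed, and the threshold for a "plurality" (2), the /24 subnet size, the predetermined directory (`/usr/lib`) and the empty predetermined list are all assumed parameters; the patent fixes none of them.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from pathlib import PurePosixPath

# Constructed sample endpoint telemetry (not from the patent), one event per
# (subject, activity, object). Subjects are processes; objects are file paths
# or peer IP addresses. Inbound connections are recorded as an "accept" edge
# from the listening process to the remote host (a modelling choice).
EVENTS = [
    ("word.exe", "read", "/home/alice/docs/q1.docx"),
    ("word.exe", "read", "/home/alice/docs/q2.docx"),
    ("word.exe", "read", "/home/alice/docs/q3.docx"),
    ("word.exe", "write", "/home/alice/docs/q3.docx"),
    ("httpd", "accept", "10.0.1.11"),
    ("httpd", "accept", "10.0.1.12"),
    ("httpd", "accept", "10.0.1.13"),
    ("httpd", "accept", "203.0.113.7"),
    ("updater", "read", "/usr/lib/libssl.so"),
    ("updater", "read", "/usr/lib/libcrypto.so"),
    ("updater", "write", "/tmp/.x"),
    ("updater", "connect", "198.51.100.9"),
]

# Parameters of the "predetermined references" (assumed values, not from the patent).
MIN_GROUP = 2                      # how many objects make a "plurality"
PREDETERMINED_DIRS = ["/usr/lib"]  # claim 6: files under a predetermined directory
PREDETERMINED_LIST = set()         # claim 6: files shown in a predetermined list
SUBNET_PREFIX = 24                 # claim 4: hosts in the same /24 count as one subnet


def build_graph(events):
    """Event graph: each event is an edge (subject, activity, object); nodes
    are the subjects and objects that appear on any edge."""
    edges = set(events)
    nodes = {s for s, _, _ in edges} | {o for _, _, o in edges}
    return nodes, edges


def _is_ip(obj):
    try:
        ip_address(obj)
        return True
    except ValueError:
        return False


def reference_key(obj):
    """Return (kind, label) naming the 'normal' group an object can belong to,
    or None if no reference applies. Order: predetermined list / directory
    (claims 5-6), same subnet (claim 4), same extension (claim 3)."""
    if _is_ip(obj):
        net = ip_network(f"{obj}/{SUBNET_PREFIX}", strict=False)
        return ("subnet", str(net))
    if obj in PREDETERMINED_LIST:
        return ("list", "listed-file")
    for d in PREDETERMINED_DIRS:
        if obj.startswith(d.rstrip("/") + "/"):
            return ("dir", d.rstrip("/") + "/*")
    suffix = PurePosixPath(obj).suffix   # "" for dotfiles such as /tmp/.x
    if suffix:
        return ("ext", "*" + suffix)
    return None


def reduce_graph(edges, min_group=MIN_GROUP):
    """Collapse, per subject, every group of >= min_group objects that share a
    reference key into one summary node (the 'first mode'); everything else
    is emitted unchanged (the 'mode other than the first mode')."""
    groups = defaultdict(set)                      # (subject, key) -> objects
    for s, _, o in edges:
        key = reference_key(o)
        if key is not None:
            groups[(s, key)].add(o)
    summary = {}                                   # (subject, object) -> summary node
    for (s, key), objs in groups.items():
        if len(objs) >= min_group:
            node = f"{key[1]} (x{len(objs)}, {s})"  # named per subject so two
            for o in objs:                          # processes never share a node
                summary[(s, o)] = node
    reduced = {(s, a, summary.get((s, o), o)) for s, a, o in edges}
    nodes = {s for s, _, _ in reduced} | {o for _, _, o in reduced}
    return nodes, reduced


def reduction_stats(events=EVENTS):
    """(nodes_before, edges_before, nodes_after, edges_after)."""
    n0, e0 = build_graph(events)
    n1, e1 = reduce_graph(e0)
    return len(n0), len(e0), len(n1), len(e1)


if __name__ == "__main__":
    _, edges = build_graph(EVENTS)
    _, reduced = reduce_graph(edges)
    for s, a, o in sorted(reduced):
        print(f"{s:10} --{a}--> {o}")
    print("nodes/edges before -> after:", reduction_stats())
```

On the constructed input the graph shrinks from 14 nodes and 12 edges to 9 nodes and 7 edges, and the three things an analyst would actually want to look at survive untouched: `httpd` accepting a connection from a host outside the local /24, `updater` writing the dotfile `/tmp/.x` (no extension, so no reference matches it), and `updater` connecting out to a lone external address. Note the two caveats the claims leave open: grouping is done per subject, because a summary node shared by two processes would hide which one did the work, and the reference order matters (a file under a predetermined directory is grouped by directory before its extension is ever looked at).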
involving event detection and direct action · CPC title
during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title
Graphs; Linked lists (G06F16/9027 takes precedence) · CPC title
Test or assess software · CPC title
with visual {or acoustical} indication of the functioning of the machine · CPC title