System and method for non-signature based detection of malicious processes

US9323928B2 · US · B2

Patent metadata
Publication number: US-9323928-B2
Application number: US-201113151173-A
Country: US
Kind code: B2
Filing date: Jun 1, 2011
Priority date: Jun 1, 2011
Publication date: Apr 26, 2016
Grant date: Apr 26, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.

First claim

Opening claim text (preview).

What is claimed is:

1. At least one non-transitory machine readable storage medium, having instructions stored thereon, the instructions when executed on a machine, cause the machine to: collect a plurality of features of each of a plurality of processes; apply a plurality of classification rules to the plurality of features, wherein each of the plurality of classification rules corresponds to one or more of a plurality of process categories, and each of the plurality of classification rules comprises a logical combination of a set of the plurality of features; apply a plurality of weights to the plurality of classification rules to produce a plurality of weighted threat scores, wherein: each weighted threat score corresponds to one or more of the plurality of process categories; and at least one of the plurality of weights includes a combination weight applied to a determination of a logical combination of two or more specified features for a particular kind of threat, wherein the combination weight as applied to the logical combination of the two or more specified features is different than a sum of individual weights of the two or more specified features; compare the plurality of weighted threat scores to a plurality of threshold values, wherein each of the plurality of threshold values corresponds to one of the plurality of process categories; and classify the process in the one or more process categories based at least on the comparison of the plurality of weighted threat scores to the plurality of predetermined thresholds.

2. The medium of claim 1, wherein comparing the plurality of weighted threat scores to a plurality of threshold values comprises assigning a confidence level to each of the plurality of weighted threat scores based at least on the difference between the weighted threat scores and the threshold values.

3. The medium of claim 1, wherein the plurality of process categories comprise a plurality of malicious process categories.

4. The medium of claim 3, wherein the plurality of malicious process categories comprise backdoor malware.

5. The medium of claim 3, wherein the plurality of malicious process categories comprise fake alert malware.

6. The medium of claim 3, wherein the plurality of malicious process categories comprise downloader malware.

7. The medium of claim 1, wherein the plurality of features comprise identifying whether the process is invisible.

8. The medium of claim 1, wherein the plurality of features comprise features indicating a network usage behavior associated with the process.

9. The medium of claim 1, wherein the plurality of features comprise features indicating a system tray behavior associated with the process.

10. The medium of claim 1, wherein the plurality of features comprise features indicating a signed certificate behavior associated with the process.

11. A computerized method for classifying a plurality of processes into a plurality of process categories, the method comprising, for each process of the plurality of processes: collecting a plurality of features of each of the plurality of processes with a machine including a processor; applying a plurality of classification rules to the plurality of features, wherein each of the plurality of classification rules corresponds to one or more of a plurality of process categories, and each of the plurality of classification rules comprises a logical combination of a set of the plurality of features with the machine; applying a plurality of weights to the plurality of classification rules to produce a plurality of weighted threat scores with the machine, wherein: each weighted threat score corresponds to one or more of the plurality of process categories; and at least one of the plurality of weights includes a combination weight applied to a determination of a logical combination of two or more specified features for a particular kind of threat, wherein the combination weight as applied to the logical combination of the two or more specified features is different than a sum of individual weights of the two or more specified features; comparing the plurality of weighted threat scores to a plurality of threshold values, wherein each of the plurality of threshold values corresponds to one of the plurality of process categories with the machine; and classifying the process in the one or more process categories based at least on the comparison of the plurality of weighted threat scores to the plurality of predetermined thresholds with the machine.

12. The method of claim 11, wherein comparing the plurality of weighted threat scores to a plurality of threshold values comprises assigning a confidence level to each of the plurality of weighted threat scores based at least on the difference between the weighted threat scores and the threshold values.

13. The method of claim 11, wherein the plurality of process categories comprise a plurality of malicious process categories.

14. The method of claim 13, wherein the plurality of malicious process categories comprise backdoor malware.

15. The method of claim 13, wherein the plurality of malicious process categories comprise fake alert malware.

16. The method of claim 13, wherein the plurality of malicious process categories comprise downloader malware.

17. The method of claim 11, wherein the plurality of features comprise features identifying whether the process is invisible.

18. The method of claim 11, wherein the plurality of features comprise features indicating a network usage behavior associated with the process.

19. The method of claim 11, wherein the plurality of features comprise features indicating a system tray behavior associated with the process.

20. The method of claim 11, wherein the plurality of features comprise features indicating a signed certificate behavior associated with the process.

21. The medium of claim 1, further having instructions to cause the machine to uniquely classify the process into one of a plurality of malicious process categories, wherein: the malicious process categories each identify a different kind of malicious process; and the malicious process categories are included in the one or more process categories.

22. The medium of claim 21, further having instructions to cause the machine to apply a different set of weights according to the classification rules for each malicious process category.

23. At least one non-transitory machine readable storage medium, having instructions stored thereon, the instructions when executed on a machine, cause the machine to: collect a plurality of features of each of a plurality of processes; apply a plurality of classification rules to the plurality of features, wherein each of the plurality of classification rules corresponds to one or more of a plurality of process categories, and each of the plurality of classification rules comprises a logical combination of a set of the plurality of features; apply a plurality of weights to the plurality of classification rules to produce a plurality of weighted threat scores, wherein: each weighted threat score corresponds to one or more of the plurality of process categories, the plurality of process categories including a plurality of malicious process categories including backdoor malware; and at least one of the plurality of weights includes a combination weight applied to a determination of a logical combination of two or more specified features for a particular kind of
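The abstract and claims 1, 2 and 4 to 10 above describe a pipeline: gather per-process features, evaluate classification rules that are logical combinations of those features, sum rule weights into one threat score per category (with at least one combination weight that is deliberately not the sum of the individual feature weights), compare each score against that category's threshold, and derive a confidence from the distance to the threshold. The following is an added worked example of that pipeline written for this page; it is not code from the patent or its assignee. The feature names, rule set, weights, thresholds, the confidence scale and the sample processes are all assumptions chosen to illustrate the mechanism, and the sample processes are constructed, not real telemetry.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessFeatures:
    """Features a collector would gather for one running process.

    Field names are assumptions for this example; the claims only name the
    kinds of feature (invisibility, network usage, system tray behaviour,
    signed-certificate behaviour).
    """
    name: str
    invisible: bool              # no visible window, hidden from the user
    listens_on_port: bool        # accepts inbound network connections
    downloads_executables: bool  # fetches and writes new executables
    tray_icon: bool              # registers a system-tray icon
    signed: bool                 # carries a valid code-signing certificate
    spawns_alert_windows: bool   # raises "your PC is infected" style dialogs


@dataclass(frozen=True)
class Rule:
    category: str
    predicate: Callable[[ProcessFeatures], bool]  # logical combination of features
    weight: float
    combination: bool = False  # True: weight covers a conjunction, not one feature


# Assumed rule set. Combination rules carry a weight chosen independently of
# the single-feature weights (claim 1: "different than a sum of individual
# weights"), so a conjunction can push a process over a threshold that the
# same features would not reach when scored one at a time.
RULES: List[Rule] = [
    Rule("backdoor", lambda f: f.invisible, 2.0),
    Rule("backdoor", lambda f: f.listens_on_port, 2.0),
    Rule("backdoor", lambda f: not f.signed, 1.0),
    Rule("backdoor", lambda f: f.invisible and f.listens_on_port, 4.0, combination=True),
    Rule("downloader", lambda f: f.downloads_executables, 3.0),
    Rule("downloader", lambda f: f.invisible and f.downloads_executables and not f.signed,
         3.0, combination=True),
    Rule("fake_alert", lambda f: f.spawns_alert_windows, 2.0),
    Rule("fake_alert", lambda f: f.tray_icon and f.spawns_alert_windows, 3.0, combination=True),
]

# Assumed per-category thresholds (claim 1: one threshold value per category).
THRESHOLDS: Dict[str, float] = {"backdoor": 6.0, "downloader": 4.0, "fake_alert": 4.0}


def weighted_scores(f: ProcessFeatures, use_combination: bool = True) -> Dict[str, float]:
    """Sum the weights of every rule that fires, per category.

    use_combination=False drops the combination rules so the effect of the
    non-additive combination weight can be seen side by side.
    """
    scores = {cat: 0.0 for cat in THRESHOLDS}
    for rule in RULES:
        if rule.combination and not use_combination:
            continue
        if rule.predicate(f):
            scores[rule.category] += rule.weight
    return scores


def classify(f: ProcessFeatures) -> List[Tuple[str, float]]:
    """Return (category, confidence) for every category whose threshold is met.

    Confidence follows claim 2: it grows with the distance above the
    threshold. Scaling by the threshold and clamping to [0, 1] is an
    assumption; the claim does not fix the scale. A process can land in
    more than one category; an empty list means no threshold was met.
    """
    scores = weighted_scores(f)
    hits = []
    for cat, thr in THRESHOLDS.items():
        margin = scores[cat] - thr
        if margin >= 0:
            hits.append((cat, min(1.0, margin / thr)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample processes (not real telemetry).
SAMPLES = [
    ProcessFeatures("hidden_listener", invisible=True, listens_on_port=True,
                    downloads_executables=False, tray_icon=False, signed=False,
                    spawns_alert_windows=False),
    ProcessFeatures("silent_dropper", invisible=True, listens_on_port=False,
                    downloads_executables=True, tray_icon=False, signed=False,
                    spawns_alert_windows=False),
    ProcessFeatures("scareware", invisible=False, listens_on_port=False,
                    downloads_executables=False, tray_icon=True, signed=False,
                    spawns_alert_windows=True),
    ProcessFeatures("signed_updater", invisible=True, listens_on_port=False,
                    downloads_executables=True, tray_icon=False, signed=True,
                    spawns_alert_windows=False),
    ProcessFeatures("chat_client", invisible=False, listens_on_port=True,
                    downloads_executables=False, tray_icon=True, signed=True,
                    spawns_alert_windows=False),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.name, weighted_scores(p), classify(p) or "below every threshold")
```

The hidden listener is the case the combination weight exists for: its three single-feature rules total 5, below the backdoor threshold of 6, while the hidden-and-listening conjunction adds 4 on its own and lifts the score to 9. The signed updater shows the other direction: it downloads executables and runs invisibly, but the signed certificate keeps the downloader conjunction from firing, so it stays below threshold. In a real deployment the weights and thresholds would be fitted to labelled samples rather than hand-picked as they are here, and the rule set would be one input to a broader verdict, since a single evasion (a stolen signing certificate, for instance) flips a feature the scheme leans on.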

Assignees

Inventors

Classifications

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • ICT specially adapted for biostatistics; ICT specially adapted for bioinformatics-related machine learning or data mining, e.g. knowledge discovery or pattern finding · CPC title

  • Clustering or classification · CPC title

  • using ranking · CPC title

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9323928B2 cover?
Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plural…
Who is the assignee on this patent?
Agarwal Romanch, Singh Prabhat Kumar, Jyoti Nitin, and 3 more
What technology area does this patent fall under?
Primary CPC classification G06F21/56. Mapped technology areas include Physics.
When was this patent published?
Publication date Apr 26, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).