Detection and prevention for malicious threats
Abstract
A method of identifying one or more malicious threats in a computing device. The device comprises monitoring a plurality of events occurring on a computing device in run time, a plurality of processes executed on the computing device in run time, and a plurality of host activities of the computing device in run time, identifying a compliance of at least some of the plurality of events, the plurality of processes, and the plurality of host activities with a plurality of rules, generating a rule compliance status dataset generated according to the compliance, identifying a match between the rule compliance status dataset and at least one of a plurality of reference profiles each indicative of a computing device operation under a malicious threat activity, and detecting a malicious threat according to the match.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computer-implemented method for protecting a computer device from one or more malicious threats, comprising:
using one or more hardware processors for executing: instructions for monitoring at least one of a plurality of events and a plurality of processes executed on said computing device in run time, and a plurality of host activities of said computing device in run time, wherein said plurality of host activities are identified by correlating among at least one of said plurality of events and said plurality of processes; instructions for identifying a compliance of at least some of said plurality of host activities with a plurality of rules; instructions for generating a status dataset generated according to said compliance, wherein said status dataset comprises compliance indications of said compliance; instructions for identifying a match between said compliance indications of said status dataset and at least one of a plurality of reference profiles each indicative of a computing device operation under a malicious threat activity; and instructions for detecting a malicious threat related to at least one malicious code executed on said computing device according to said match.
2 . The method of claim 1 , further comprising scoring at least some of said plurality of events and detecting said malicious threat according to a combination of an outcome of said scoring and said match.
3 . The method of claim 2 , further comprising at least some of said plurality of host activities and detecting said malicious threat according to a combination of an outcome of said scoring and said match.
4 . The method of claim 1 , further comprising scoring a at least some of said plurality of processes and detecting said malicious threat according to a combination of an outcome of said scoring and said match.
5 . The method of claim 1 , wherein said monitoring comprises normalizing said plurality of events.
6 . The method of claim 1 , wherein said monitoring comprises filtering a group of unmalicious events from said plurality of events according to unmalicious event dataset comprising a plurality of event profiles generated according to a statistical analysis of a plurality of event logs recorded in a plurality of computing devices.
7 . The method of claim 1 , wherein said identifying a compliance comprises identifying at least one of:
an event compliance of said plurality of events with a plurality of event level rules, a process compliance of said plurality of processes with a plurality of process level rules, and a host activity compliance of said plurality of host activities with a plurality of host activity level rules.
8 . The method of claim 7 , wherein said generating comprises combining between data indicative of said event compliance, data indicative of said process compliance and data indicative of said host activity compliance.
9 . The method of claim 7 , wherein said event compliance is performed by analyzing a compliance of a sequence from said plurality of events according to at least one of said plurality of event level rules.
10 . The method of claim 1 , wherein said monitoring comprises classifying said plurality of events and counting said plurality of events in light of said classification, said compliance is checked according to said counting.
11 . The method of claim 1 , wherein said generating comprises calculating a similarity score of said match, said detecting is performed according to said similarity score.
12 . The method of claim 11 , further comprising scoring a threat level of at least some of said plurality of host activities; said detecting is performed according to a combination of said scoring and said similarity score.
13 . The method of claim 1 , wherein said status dataset is a binary dataset wherein each field is indicative of compliance or noncompliance with another of said plurality of rules.
14 . The method of claim 1 , wherein said plurality of events comprises a plurality of kernel level events.
15 . The method of claim 1 , wherein monitoring comprises documenting said plurality of events in an event log, said plurality of host activities is generated from an analysis of said event log.
16 . The method of claim 1 , further comprising classifying at least one member of a group consisting of: said plurality of events, said plurality of processes, and said plurality of host activities, sending data pertaining to said at least one member to inspection by a central unit.
17 . A computer-implemented method for protecting a computer device from one or more malicious threats, comprising:
using one or more hardware processors for executing code instructions for:
monitoring a plurality of events occurring on said computing device in run time;
identifying a plurality of processes executed on said computing device;
calculating a process score to each said process;
identifying a plurality of host activities of said computing device each related to a group of processes from said plurality of processes;
scoring each said host activity by aggregating respective process scores of a respective said group of processes; and
detecting a malware related to at least one malicious code executed on said computing device when at least one of said process scores and said data activity scores exceeds a respective score threshold.
18 . The method of claim 17 , further comprising identifying a plurality of environment activities of a computing device environment comprising said computing device, each said environment activity being related to a group of host activities from a plurality of computing devices in said computing device environment and scoring each said environment activity by aggregating respective host activity scores of a respective said group of host activities.
19 . The method of claim 17 , wherein said one or more hardware processors are adapted for executing code instructions for updating said malware profile with unrecorded behavior in at least one of event level, process level, host activity level and environment activity level.
20 . A system for identifying one or more malicious threats, comprising:
a plurality of monitoring modules installed in a plurality of computing devices, each said monitoring module comprising executable code executed by each of said computing devices for monitoring at least one of a plurality of events, a plurality of processes and a plurality of host activities of a respective hosting said computing device in run time, for checking compliance of at least one of said plurality of events, said plurality of processes and said plurality of host activities with a plurality of rules, for generating a status dataset comprising compliance indications of said compliance, and for detecting a malicious threat activity according to a match between said compliance indications of said status dataset and at least one of a plurality of reference profiles in a profile repository, wherein said plurality of processes are identified by correlating among at least one of said plurality of events, said plurality of processes and said plurality of host activities; and at least one server adapted to receive, via network, a plurality of status datasets comprising compliance indications of compliance with said plurality of rules including said status dataset from said plurality of monitoring modules and updates said profiles accordingly.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.