US2018227316A1PendingUtilityA1

Preemptive event handling

48
Assignee: SHINE SECURITY LTDPriority: Sep 2, 2013Filed: Apr 3, 2018Published: Aug 9, 2018
Est. expirySep 2, 2033(~7.1 yrs left)· nominal 20-yr term from priority
H04L 63/1408
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A computerized method of preemptive event handling, The method comprises monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, detecting, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device, classifying, in run time, the first process as a malware in response to the detection of the first event, and preventing, in run time, the first process from running on the computing device before the first event is processed by the OS.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computerized method of preemptive event handling, comprising:
 monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;   detecting, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device;   classifying, in run time, said first process as a malware in response to said detection of said first event; and   preventing, in run time, said first process from running on said computing device before said first event is processed by said OS.   
     
     
         2 . The method of  claim 1 , further comprising continuously scoring each of said plurality of processes with a process score according to said plurality of events; wherein said detecting comprises calculating an updated process score for respective said process score of said first process in response to an analysis of said first event and wherein said classifying is performed, in run time, in response to said updated process score. 
     
     
         3 . The method of  claim 2 , wherein said classifying is performed when said updated process score exceeds a malware classification threshold. 
     
     
         4 . The method of  claim 1 , wherein said preventing is performed in response to said classifying. 
     
     
         5 . The method of  claim 1 , wherein said monitoring is performed by a kernel driver that channels said plurality of events for an analysis before the processing thereof. 
     
     
         6 . The method of  claim 5 , wherein said classifying is performed by said kernel driver based on said analysis. 
     
     
         7 . The method of  claim 1 , wherein said preventing is performed by a kernel driver that filters said first event. 
     
     
         8 . The method of  claim 1 , further comprising filtering safe events from said plurality of events. 
     
     
         9 . The method of  claim 1 , further comprising preventing the execution of said first process on said computing device and deleting at least one additional event associated with said first process. 
     
     
         10 . The method of  claim 1 , further comprising initiating a kernel driver before said OS is loaded; wherein said monitoring is performed by collecting said plurality of events in the kernel level in real time. 
     
     
         11 . A system of reverting system data effected by a malware, comprising:
 a processor;   a threat monitoring module which monitors, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device and detects, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device, said threat monitoring module uses said processor to classify, in run time, said first process as a malware in response to said detection of said first event; and   an event dispatcher module which prevents, in run time, said first process from running on said computing device before said first event is processed by said OS.   
     
     
         12 . The system of  claim 11 , wherein said event dispatcher module and said threat monitoring module are components of a kernel driver which operates in a kernel level. 
     
     
         13 . A computerized method of preemptive event handling, comprising:
 a computer readable storage medium;   first program instructions to monitor, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;   second program instructions to detect, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device;   third program instructions to classify, in run time, said first process as a malware in response to said detection of said first event; and   fourth program instructions to prevent, in run time, said first process from running on said computing device before said first event is processed by said OS;   wherein said first, second, third, and fourth program instructions are stored on said computer readable storage medium.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.