Title: Complex scoring for malware detection
Abstract: Described systems and methods allow protecting a computer system from malware such as viruses, Trojans, and spyware. For each of a plurality of executable entities (such as processes and threads executing on the computer system), a scoring engine records a plurality of evaluation scores, each score determined according to a distinct evaluation criterion. Every time an entity satisfies an evaluation criterion (e.g., performs an action), the respective score of the entity is updated. Updating a score of an entity may trigger score updates of entities related to the respective entity, even when the related entities are terminated, i.e., no longer active. Related entities include, among others, a parent of the respective entity, and/or an entity injecting code into the respective entity. The scoring engine determines whether an entity is malicious according to the plurality of evaluation scores of the respective entity.
Publication number: US9323931(B2) Publication date: 2016.04.26
Application number: US201314046728 Filing date: 2013.10.04
Applicant: Bitdefender IPR Management Ltd. Inventors: Lukacs Sandor; Tosa Raul V.; Boca Paul; Hajmasan Gheorghe; Lutas Andrei V.
Classification: H04L29/06; G06F21/56 Main classification: H04L29/06
Agency: Law Office of Andrei D Popovici, PC Agent: Law Office of Andrei D Popovici, PC
Main claim: 1. A host system comprising a memory unit storing instructions which, when executed by at least one hardware processor of the host system, cause the host system to form an entity management module, an entity evaluator, and a scoring engine, wherein:
the entity management module is configured to manage a collection of evaluated software entities, wherein managing the collection comprises: identifying a set of descendant entities of a first entity of the collection; determining whether the first entity is terminated; in response, when the first entity is terminated, determining whether all members of the set of descendant entities are terminated; and in response, when all members of the set of descendant entities are terminated, removing the first entity from the collection;
the entity evaluator is configured to: evaluate the first entity according to an evaluation criterion; and in response, when the first entity satisfies the evaluation criterion, transmit an evaluation indicator to the scoring engine; and
the scoring engine is configured to: record a first score determined for the first entity and a second score determined for a second entity of the collection, the first and second scores determined according to the evaluation criterion; in response to recording the first and second scores, and in response to receiving the evaluation indicator, update the second score according to the evaluation indicator; in response, determine whether the second entity is malicious according to the updated second score; in response to receiving the evaluation indicator, update the first score according to the evaluation indicator; and in response, determine whether the first entity is malicious according to the updated first score.
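The following is an added toy model of the scheme the abstract and claim 1 describe; it is not Bitdefender's implementation and is not code from the patent. It shows the two behaviours that distinguish this design from a flat per-process score: an evaluation indicator for one entity also raises the scores of its related entities (parent and code injectors), including a parent that has already terminated, and the entity collection only removes a terminated entity once every descendant has terminated too, so a dead dropper can still be convicted by what its children do. The criterion names, their weights, the rule that related entities receive the same increment, and the "sum of scores reaches a threshold" verdict are all assumptions chosen for illustration; the patent leaves these open.

```python
"""Toy model of per-entity, per-criterion scoring with propagation to related
entities. Everything below (criteria, weights, threshold, aggregation rule) is a
constructed assumption, not taken from the patent text."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed evaluation criteria and their score increments (assumption).
CRITERIA: Dict[str, int] = {
    "injects_code": 30,
    "writes_to_startup_key": 40,
    "opens_network_socket": 10,
}
MALICIOUS_THRESHOLD = 60  # assumption: verdict on the sum of all criterion scores


@dataclass
class Entity:
    eid: int
    parent: Optional[int] = None
    injectors: Set[int] = field(default_factory=set)  # entities that injected code into this one
    terminated: bool = False
    # One score per evaluation criterion, as in the abstract.
    scores: Dict[str, int] = field(default_factory=lambda: {c: 0 for c in CRITERIA})


class EntityCollection:
    """The entity management module of claim 1."""

    def __init__(self) -> None:
        self.entities: Dict[int, Entity] = {}

    def add(self, eid: int, parent: Optional[int] = None) -> None:
        self.entities[eid] = Entity(eid, parent)

    def descendants(self, eid: int) -> List[int]:
        out: List[int] = []
        for e in self.entities.values():
            if e.parent == eid:
                out.append(e.eid)
                out.extend(self.descendants(e.eid))
        return out

    def terminate(self, eid: int) -> None:
        self.entities[eid].terminated = True
        self.prune()

    def prune(self) -> None:
        """Remove an entity only when it AND all of its descendants are terminated."""
        removable = [
            e.eid for e in self.entities.values()
            if e.terminated and all(self.entities[d].terminated for d in self.descendants(e.eid))
        ]
        for eid in removable:
            del self.entities[eid]


class ScoringEngine:
    def __init__(self, collection: EntityCollection) -> None:
        self.col = collection

    def related(self, entity: Entity) -> List[Entity]:
        """Parent and injectors, looked up even if they have terminated."""
        ids = set(entity.injectors)
        if entity.parent is not None:
            ids.add(entity.parent)
        return [self.col.entities[i] for i in sorted(ids) if i in self.col.entities]

    def is_malicious(self, entity: Entity) -> bool:
        return sum(entity.scores.values()) >= MALICIOUS_THRESHOLD

    def on_evaluation(self, eid: int, criterion: str) -> Dict[int, bool]:
        """Handle an evaluation indicator: entity `eid` satisfied `criterion`.
        Updates the entity's own score and, with the same increment (assumption),
        the scores of its related entities, then re-evaluates each verdict."""
        entity = self.col.entities[eid]
        targets = [entity] + self.related(entity)
        for t in targets:
            t.scores[criterion] += CRITERIA[criterion]
        return {t.eid: self.is_malicious(t) for t in targets}


def run_scenario() -> dict:
    """Constructed scenario: process 1 spawns 2 and 3, then exits; 2 injects into 3."""
    col = EntityCollection()
    engine = ScoringEngine(col)
    col.add(1)
    col.add(2, parent=1)
    col.add(3, parent=1)
    col.terminate(1)                 # parent exits but stays: its children are alive
    col.entities[3].injectors.add(2)
    engine.on_evaluation(2, "injects_code")           # 2 -> 30, parent 1 -> 30
    engine.on_evaluation(3, "writes_to_startup_key")  # 3 -> 40, injector 2 -> 70, parent 1 -> 70
    verdicts = {eid: engine.is_malicious(e) for eid, e in col.entities.items()}
    after_parent_exit = sorted(col.entities)
    col.terminate(2)
    after_child2_exit = sorted(col.entities)
    col.terminate(3)                 # last descendant gone: 1 is finally removed as well
    return {"verdicts": verdicts, "after_parent_exit": after_parent_exit,
            "after_child2_exit": after_child2_exit, "after_all_exit": sorted(col.entities)}
```

Running `run_scenario()` flags entities 1 and 2 as malicious while 3 stays below the threshold: the terminated parent is convicted purely through propagated scores, which a scheme that discards process state at exit could not do. The collection keeps entity 1 until both children have terminated, then drops all three in one pass.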
Address: Nicosia CY