Patent · US Active

Endpoint inter-process activity extraction and pattern matching

US11184374B2 · kind B2 · utility

Cited by: 5
References: 5
Claims: 25
Family size: 0

Assignee

Inventors

Key dates

Filing date: Oct 12, 2018
Grant date: Nov 23, 2021
Priority date
Expiry date: Jun 2, 2039

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/20
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

An automated method for cyberattack detection and prevention in an endpoint. The technique monitors and protects the endpoint by recording inter-process events, creating an inter-process activity graph based on the recorded inter-process events, matching the inter-process activity (as represented in the activity graph) against known malicious or suspicious behavior (as embodied in a set of one or more pattern graphs), and performing a post-detection operation in response to a match between an inter-process activity and a known malicious or suspicious behavior pattern. Preferably, matching involves matching a subgraph in the activity graph with a known malicious or suspicious behavior pattern as represented in the pattern graph. During this processing, preferably both direct and indirect inter-process activities at the endpoint (or across a set of endpoints) are compared to the known behavior patterns. The approach herein provides for systematic modeling of inter-process behaviors for characterizing malicious or suspicious patterns among processes.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.