Patent · US Active

Systems and methods for detecting a suspicious process in an operating system environment using a file honeypots

US11611586B2 · kind B2 · utility

Cited by: 5
References: 3
Claims: 19
Family size: 0

Assignee

Inventors

Key dates

Filing date: Feb 2, 2021
Grant date: Mar 21, 2023
Priority date
Expiry date: Aug 8, 2041

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L67/1097
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
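The decision flow in the abstract, modeled in user space as an added example (not code from the patent or its assignee). The class, method names, process names and paths are hypothetical, and a real implementation would sit in a file system filter driver rather than in Python.

```python
from dataclasses import dataclass, field

@dataclass
class HoneypotFilter:
    """In-memory stand-in for the file system plus filter driver (assumed model)."""
    trusted: set                                    # list of trusted processes
    files: dict = field(default_factory=dict)       # directory -> real file names
    honeypots: dict = field(default_factory=dict)   # directory -> decoy file names
    suspicious: set = field(default_factory=set)    # processes identified as suspicious

    def add_honeypot(self, directory, name):
        # "generating a file honeypot in a directory"
        self.honeypots.setdefault(directory, set()).add(name)

    def enumerate_dir(self, process, directory):
        # Trusted processes get the real listing; any other process gets a
        # listing that also includes the honeypot.
        listing = set(self.files.get(directory, ()))
        if process not in self.trusted:
            listing |= self.honeypots.get(directory, set())
        return sorted(listing)

    def modify(self, process, directory, name):
        # Intercepted modification request. Returns True when the process is
        # flagged. Assumption: trusted processes are never flagged, since the
        # abstract only covers requests from the untrusted process.
        is_decoy = name in self.honeypots.get(directory, ())
        if is_decoy and process not in self.trusted:
            self.suspicious.add(process)
            return True
        return False

def demo():
    # Constructed sample data: two real files, one decoy, one trusted process.
    fs = HoneypotFilter(trusted={"backup.exe"},
                        files={"C:/docs": {"report.docx", "notes.txt"}})
    fs.add_honeypot("C:/docs", "!aaa_budget.xlsx")
    trusted_view = fs.enumerate_dir("backup.exe", "C:/docs")
    untrusted_view = fs.enumerate_dir("unknown.exe", "C:/docs")
    # A process that walks the listing and rewrites every entry trips the decoy;
    # one that edits only a real file does not.
    flags = [fs.modify("unknown.exe", "C:/docs", n) for n in untrusted_view]
    quiet = fs.modify("editor.exe", "C:/docs", "notes.txt")
    return trusted_view, untrusted_view, flags, quiet, fs.suspicious

if __name__ == "__main__":
    print(demo())
```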

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.