Patent · US Active

System and method for threat detection based on stack trace and user-mode sensors

US12287866B2 · kind B2 · utility

Cited by: 0
References: 2
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Mar 30, 2023
Grant date: Apr 29, 2025
Priority date:
Expiry date: Aug 9, 2043

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2221/033
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

Systems and methods for threat detection and analysis. A method includes monitoring at least one thread associated with at least one user process on a computing device and detecting, at user level, specific system calls associated with that process. The specific system calls are analyzed by applying a filter to the system call sequence feature sets associated with them in order to detect one or more events of interest. If the system call sequence feature set matches the filter and at least one event of interest is detected, a capture of a full stack trace of the user process is requested. A first level of monitoring is then provided to the computing device: the captured full stack trace is processed and analyzed by a machine learning (ML) stack trace analyzer to generate a first verdict for threat detection and analysis.
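The abstract describes a two-stage pipeline: a cheap user-mode filter over system call sequences gates an expensive stack trace capture, and the trace is then scored to produce a first-level verdict. The Python below is an added illustration of that pipeline shape; it is not the patent's code and does not reproduce its claims. The syscall trace, the n-gram patterns treated as events of interest, the stack traces the sensor "returns", and the analyzer weights are all constructed for the demo, and the linear scorer is a stand-in for the ML stack trace analyzer the abstract mentions. The point it shows beyond the text is why the second stage matters: two threads trip the same syscall filter, but only the one whose calling frames sit in memory not backed by any mapped file is flagged.

```python
"""Toy model of a filter -> stack capture -> verdict pipeline.

Added example, not the patent's code. Every syscall name, pattern,
stack frame and weight below is an assumption made for the demo.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Frame = Tuple[Optional[str], str]  # (backing module or None if unbacked, symbol/address)

# Constructed user-mode sensor output: (thread id, syscall name), in arrival order.
SYSCALL_TRACE: List[Tuple[int, str]] = [
    (101, "openat"), (101, "read"), (101, "write"), (101, "close"),
    (202, "mmap"), (202, "mprotect"), (202, "clone"), (202, "futex"),
    (101, "openat"), (101, "read"),
    (303, "mmap"), (303, "mprotect"), (303, "clone"),
]

# Assumed filter: ordered syscall n-grams that count as "events of interest".
EVENTS_OF_INTEREST: Dict[str, Tuple[str, ...]] = {
    "exec-region-then-thread": ("mmap", "mprotect", "clone"),
    "inject-into-peer": ("ptrace", "mmap", "mprotect"),
}

# Constructed stack traces the sensor would hand back on request, innermost frame first.
STACK_TRACES: Dict[int, List[Frame]] = {
    202: [("libc.so.6", "clone"), (None, "0x7f3a1000"), (None, "0x7f3a10c4"),
          ("libc.so.6", "__libc_start_main")],
    303: [("libc.so.6", "clone"), ("libpthread.so.0", "pthread_create"),
          ("app", "worker_pool_spawn"), ("app", "main"), ("libc.so.6", "__libc_start_main")],
}

# Assumed weights for the stand-in scorer that plays the role of the ML analyzer.
ANALYZER_WEIGHTS = {"unbacked_frame": 0.4, "unbacked_caller_of_top": 0.3, "short_stack": 0.1}


def extract_feature_sets(trace: List[Tuple[int, str]], sizes=None) -> Dict[int, Set[Tuple[str, ...]]]:
    """Per-thread sliding-window n-grams of syscall names: the 'sequence feature set'."""
    if sizes is None:
        sizes = {len(p) for p in EVENTS_OF_INTEREST.values()}
    per_thread: Dict[int, List[str]] = defaultdict(list)
    for tid, name in trace:
        per_thread[tid].append(name)
    feature_sets: Dict[int, Set[Tuple[str, ...]]] = {}
    for tid, names in per_thread.items():
        grams: Set[Tuple[str, ...]] = set()
        for n in sizes:
            grams.update(tuple(names[i:i + n]) for i in range(len(names) - n + 1))
        feature_sets[tid] = grams
    return feature_sets


def filter_feature_sets(feature_sets, patterns=EVENTS_OF_INTEREST) -> List[Tuple[int, str]]:
    """Return (tid, event label) for each thread whose feature set contains a pattern."""
    hits = []
    for tid, grams in feature_sets.items():
        for label, pattern in patterns.items():
            if pattern in grams:
                hits.append((tid, label))
    return hits


def request_stack_trace(tid: int, captured=STACK_TRACES) -> List[Frame]:
    """Stand-in for asking the user-mode sensor to capture the thread's full stack."""
    return captured.get(tid, [])


def analyze_stack_trace(frames: List[Frame], threshold: float = 0.5) -> Tuple[float, str]:
    """Stand-in for the ML analyzer: a linear score over a few frame-level features."""
    if not frames:
        return 0.0, "inconclusive"
    unbacked = sum(1 for module, _ in frames if module is None)
    score = ANALYZER_WEIGHTS["unbacked_frame"] * unbacked
    # The frame that called the syscall wrapper lives in unbacked memory: injected-code shape.
    if len(frames) > 1 and frames[1][0] is None:
        score += ANALYZER_WEIGHTS["unbacked_caller_of_top"]
    if len(frames) < 3:
        score += ANALYZER_WEIGHTS["short_stack"]
    score = min(1.0, round(score, 2))
    return score, ("malicious" if score >= threshold else "benign")


def run_pipeline(trace=SYSCALL_TRACE) -> Dict[int, dict]:
    """Filter, then capture and score only the threads that raised an event of interest."""
    verdicts: Dict[int, dict] = {}
    for tid, label in filter_feature_sets(extract_feature_sets(trace)):
        score, verdict = analyze_stack_trace(request_stack_trace(tid))
        verdicts[tid] = {"event": label, "score": score, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for tid, result in sorted(run_pipeline().items()):
        print(tid, result)
```

Thread 101 never reaches the analyzer, because its feature set contains no pattern; threads 202 and 303 both match the same n-gram, but only 202's trace, whose calling frames are unbacked, scores as malicious. A real deployment would replace the fixed weights with the trained model and the dictionary lookups with the sensor's capture API.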

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.