Detecting auto-start malware by checking its aggressive load point behaviors
US9330260B1 · kind B1 · utility
Inventor
Key dates
| Filing date | Jul 25, 2013 |
| Grant date | May 3, 2016 |
| Priority date | — |
| Expiry date | Jan 13, 2034 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/566
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Program behaviors concerning load points are monitored, and a specific program attempting to actively maintain a previously set value of a specific load point is detected. In response, the specific program is adjudicated to be malware, and one or more actions are performed to protect the computer. The monitored behavior can be write operations targeting load points. In this scenario, the behavior indicating that a program is malware can comprise performing a requisite number of write operations to a load point within a requisite time period. The monitored behavior can also be altering load point values, and monitoring the results. The altering of load points can comprise removing values specifying programs to run, and/or changing names of programs. Detecting that a specific altered load point value has been automatically reset within a requisite time period to run the specific program upon start-up indicates that the program is malware.
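The two checks the abstract describes (repeated writes to a load point within a time period, and an altered load point being reset within a time period), sketched as an added example that is not part of the patent record. The event tuple layout, the thresholds of 3 writes and 10 seconds, and all program and load point names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds: the abstract says only "requisite number" and "requisite time period".
MIN_WRITES = 3
WINDOW_SECONDS = 10.0

def aggressive_writers(writes, min_writes=MIN_WRITES, window=WINDOW_SECONDS):
    """Programs that write the same value to one load point min_writes times within window.

    writes: chronological (timestamp, program, load_point, value) tuples.
    """
    recent = defaultdict(deque)  # (program, load_point, value) -> recent write times
    flagged = set()
    for ts, program, load_point, value in writes:
        times = recent[(program, load_point, value)]
        times.append(ts)
        while ts - times[0] > window:  # slide the window forward
            times.popleft()
        if len(times) >= min_writes:
            flagged.add((program, load_point))
    return flagged

def resetters(writes, probes, window=WINDOW_SECONDS):
    """Programs that restore a value the monitor deliberately removed or changed.

    probes: (timestamp, load_point, original_value) for each alteration the monitor made.
    """
    flagged = set()
    for probe_ts, load_point, original in probes:
        for ts, program, lp, value in writes:
            if lp == load_point and value == original and 0 <= ts - probe_ts <= window:
                flagged.add((program, load_point))
    return flagged

# Constructed sample data (not from the patent): hypothetical load point and program names.
SAMPLE_WRITES = [
    (0.0, "updater.exe", "startup/run/Updater", "updater.exe"),    # one-time install write
    (1.0, "persist.exe", "startup/run/Helper", "persist.exe"),
    (4.0, "persist.exe", "startup/run/Helper", "persist.exe"),
    (7.0, "persist.exe", "startup/run/Helper", "persist.exe"),     # third write in 6 s
    (60.0, "updater.exe", "startup/run/Updater", "updater.exe"),   # far outside the window
    (102.5, "persist.exe", "startup/run/Helper", "persist.exe"),   # restored after probe
]
SAMPLE_PROBES = [(100.0, "startup/run/Helper", "persist.exe"),
                 (100.0, "startup/run/Updater", "updater.exe")]

if __name__ == "__main__":
    print(aggressive_writers(SAMPLE_WRITES))
    print(resetters(SAMPLE_WRITES, SAMPLE_PROBES))
```

A legitimate installer that writes its start-up entry once, or rewrites it long after the first write, stays below both thresholds in this sample.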
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.