CPC H04L 63/1416 (2013.01) [G06F 21/554 (2013.01); G06F 21/577 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01)] | 20 Claims
1. A system, comprising:
a memory storing instructions; and
a processor coupled to the memory and configured by the instructions to:
receive information associated with a process event including a transition;
use at least a portion of the received information to modify a Process Tree by propagating tag information according to tag propagation logic, wherein modifying the Process Tree includes at least one of:
(1) adding a Tag to the Process Tree for a process created by the process event, and
(2) modifying an original authorized shell Tag in the Process Tree for an existing process exited by the process event;
determine that at least a portion of the Process Tree matches a malware pattern; and
generate an Alert, based at least in part in response to determining that the malware pattern has been matched.
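One way to realize the claimed system in code, as an added example that is not the patent's own implementation: the Process Tree is updated from constructed create/exit events, Tags are propagated by an assumed rule (a child of an authorized shell receives a descendant Tag), the shell's original Tag is rewritten when it exits, and a constructed pattern (a process still running after the authorized shell that launched it has exited) raises an Alert. The tag names, the propagation rule and the pattern are assumptions, not taken from the claims.

```python
AUTH_SHELL = "authorized_shell"                # Tag on an interactive, authorized shell
AUTH_SHELL_EXITED = "authorized_shell_exited"  # what that Tag becomes when the shell exits
UNDER_AUTH_SHELL = "under_authorized_shell"    # Tag a descendant receives by propagation
PROPAGATE = {AUTH_SHELL: UNDER_AUTH_SHELL}     # assumed propagation logic; other Tags copy as-is

class ProcessTree:
    def __init__(self) -> None:
        self.nodes: dict[int, dict] = {}   # pid -> {"name", "ppid", "tags", "alive"}
        self.alerts: list[str] = []

    def handle_event(self, ev: dict) -> None:
        """Apply one process event (create or exit) to the tree, then check the pattern."""
        if ev["type"] == "create":
            tags = set(ev.get("tags", ()))
            parent = self.nodes.get(ev["ppid"])
            if parent is not None:  # propagate the parent's Tags to the new child
                tags |= {PROPAGATE.get(t, t) for t in parent["tags"]}
            self.nodes[ev["pid"]] = {"name": ev["name"], "ppid": ev["ppid"], "tags": tags, "alive": True}
        else:  # exit
            node = self.nodes[ev["pid"]]
            node["alive"] = False
            if AUTH_SHELL in node["tags"]:  # modify the original authorized shell Tag
                node["tags"].discard(AUTH_SHELL)
                node["tags"].add(AUTH_SHELL_EXITED)
        for pid in self.matches_pattern():
            msg = f"pid {pid} ({self.nodes[pid]['name']}) outlived its authorized shell"
            if msg not in self.alerts:  # one Alert per matching process
                self.alerts.append(msg)

    def matches_pattern(self) -> list[int]:
        """Constructed pattern: a live descendant whose parent shell has already exited."""
        # UNDER_AUTH_SHELL only arrives by propagation from a parent in the tree, so the lookup is safe.
        return [pid for pid, n in self.nodes.items() if n["alive"] and UNDER_AUTH_SHELL in n["tags"]
                and AUTH_SHELL_EXITED in self.nodes[n["ppid"]]["tags"]]

def run_sample() -> list[str]:
    """Constructed event stream: shell 100 runs 101 (which exits) and 102, then the shell exits."""
    events = [
        {"type": "create", "pid": 100, "ppid": 1, "name": "bash", "tags": [AUTH_SHELL]},
        {"type": "create", "pid": 101, "ppid": 100, "name": "ls"},
        {"type": "exit", "pid": 101},
        {"type": "create", "pid": 102, "ppid": 100, "name": "python3"},
        {"type": "exit", "pid": 100},
    ]
    tree = ProcessTree()
    for ev in events:
        tree.handle_event(ev)
    return tree.alerts
```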