CPC G06F 21/564 (2013.01) [G06F 21/577 (2013.01); G06F 2221/033 (2013.01)]; 20 Claims

1. A security system to perform real-time forensic analysis on a running computing system to detect a thread infected with rootkit code comprising:
    a processor operably coupled to a memory and a storage medium;
    a system event monitor, under control of the processor, for intercepting and collecting application data in real time in the running computing system, including an application network connection log, an application event activity log and an application file operation log;
    a kernel-mode system memory dump capture driver, under control of the processor, configured to capture a system memory dump;
    a consistent database, in the storage medium, to receive the application data in real time from the system event monitor for storage;
    a threat detection unit, under control of the processor, having a machine learning model, for analyzing system dumps, the machine learning model having been trained on clean memory dumps and memory dumps infected with a plurality of rootkit codes, and the threat detection unit being configured to:
        receive the system memory dump from the system dump capture driver;
        analyze, using the machine learning model, the system memory dump to determine a suspicious memory block;
        compare the suspicious memory block with real-time application data in the consistent database, using a similarity scanner to determine a suspicious thread in the application data that is similar to a thread in the suspicious memory block;
        analyze, using a forensic analyzer, the application log data in the consistent database and the suspicious thread to detect activity of an application related to the suspicious thread; and
        send an alert to the running computer system and classify the running system state as infected by a rootkit upon detection of the activity of the application related to the suspicious thread.
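The following is an added example, not code from the patent or its assignee, that walks the data flow of claim 1 end to end: memory dump in, suspicious block out of a detector, similarity scan against real-time thread records, forensic correlation with the network, event and file logs, and a final infected/clean classification. Everything in it is constructed: the memory dump, the thread records, the three logs, the similarity weights and the 0.7 threshold. The claim's trained machine learning model is stood in for by a simple rule (an executable region with no backing module), which is a common memory-forensics indicator but not the patented model.

```python
"""Constructed walk-through of the claimed pipeline (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MemoryBlock:
    """One region from the constructed system memory dump."""
    addr: int
    size: int
    executable: bool
    pid: int
    backing_image: Optional[str]   # None = not backed by any loaded module


@dataclass
class ThreadRecord:
    """Real-time thread data as the system event monitor would store it."""
    pid: int
    tid: int
    image: str
    start_addr: int


# --- constructed "consistent database" of real-time application data ---
THREADS = [
    ThreadRecord(pid=4120, tid=4124, image="svchost.exe", start_addr=0x7FF6A0001000),
    ThreadRecord(pid=4120, tid=4188, image="svchost.exe", start_addr=0x1D2F0001100),
    ThreadRecord(pid=1332, tid=1340, image="explorer.exe", start_addr=0x7FF7B0002000),
]
NETWORK_LOG = [(4120, 4188, "203.0.113.7", 443)]                  # (pid, tid, remote, port)
EVENT_LOG = [(4120, 4188, "CreateRemoteThread"), (1332, 1340, "CreateFileW")]
FILE_LOG = [(4120, 4188, "write", r"C:\Windows\Temp\drv.sys")]     # (pid, tid, op, path)

# --- constructed memory dump: three executable regions, one without a backing module ---
DUMP = [
    MemoryBlock(0x7FF6A0000000, 0x20000, True, 4120, "svchost.exe"),
    MemoryBlock(0x1D2F0000000, 0x3000, True, 4120, None),
    MemoryBlock(0x7FF7B0000000, 0x40000, True, 1332, "explorer.exe"),
]


def find_suspicious_blocks(dump):
    """Stand-in for the claim's trained model: flag executable regions that no
    loaded module backs. The real system would score blocks with the model."""
    return [b for b in dump if b.executable and b.backing_image is None]


def thread_similarity(thread, block):
    """Constructed similarity score between a monitored thread and a dump block."""
    score = 0.0
    if block.addr <= thread.start_addr < block.addr + block.size:
        score += 0.5                      # the thread starts inside the block
    if thread.pid == block.pid:
        score += 0.3                      # same owning process
    if thread.image == block.backing_image:
        score += 0.2                      # same backing image (None never matches)
    return score


def similarity_scan(block, threads, threshold=0.7):
    """Return the monitored thread most similar to the block, or None below threshold."""
    best = max(threads, key=lambda t: thread_similarity(t, block))
    return best if thread_similarity(best, block) >= threshold else None


def forensic_analyze(thread, network_log, event_log, file_log):
    """Collect every logged network, event and file action attributed to the thread."""
    activity = [("network", r) for r in network_log if r[1] == thread.tid]
    activity += [("event", r) for r in event_log if r[1] == thread.tid]
    activity += [("file", r) for r in file_log if r[1] == thread.tid]
    return activity


def analyze_system(dump, threads, network_log, event_log, file_log):
    """Run the pipeline; classify as infected only when a suspicious block maps to a
    monitored thread that also has logged application activity."""
    for block in find_suspicious_blocks(dump):
        thread = similarity_scan(block, threads)
        if thread is None:
            continue
        activity = forensic_analyze(thread, network_log, event_log, file_log)
        if activity:
            return {"state": "infected", "block": hex(block.addr),
                    "pid": thread.pid, "tid": thread.tid, "activity": activity}
    return {"state": "clean", "activity": []}


if __name__ == "__main__":
    print(analyze_system(DUMP, THREADS, NETWORK_LOG, EVENT_LOG, FILE_LOG))
```

With the constructed data, the unbacked block at 0x1d2f0000000 contains the start address of thread 4188 in process 4120, which also has a logged outbound connection, a CreateRemoteThread event and a driver file write, so the system state is classified as infected; dropping that block from the dump yields a clean verdict. The point of the two-stage check is that a suspicious memory region alone does not raise the alert; it must be tied to a monitored thread with corroborating activity in the consistent database.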