CPC G06F 21/56 (2013.01) [G06F 21/577 (2013.01)]
14 Claims

1. A method for monitoring execution of a process for unsafe behavior, comprising:
upon execution of a process, at a monitor agent, searching a database for information relating to the process, wherein the database is a community database stored on a central server and accessed by a plurality of monitor agents executing on client machines;
when information relating to the process is found in the database,
allowing the process to execute and monitoring the execution of the process to determine whether the process is executing within an expected behavior of a pre-authorized mask for the process;
if the process is determined not to be executing with the expected behavior of the pre-authorized mask for the process, issuing an alert; and
if the process is determined to be executing within the expected behavior of the pre-authorized mask for the process, continuing allowing the process to execute and continuing to monitor the process for the expected behavior of the pre-authorized mask for the process; and
when information relating to the process is not found in the database,
allowing the process to execute and monitoring the execution of the process; and
based on said monitoring of the execution of the process, generating a new mask for the process, wherein generating the new mask for the process comprises:
comparing the behavior of the execution of the process to known behaviors,
modifying the new mask based on new behaviors, and
storing the modified new mask in the community database, thereby enabling monitor agents to access the modified new mask when executing the process.
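The control flow of claim 1, as an added sketch that is not code from the patent or its assignee. It assumes a mask is a set of behaviour labels, a process is keyed by a placeholder identifier, and the "known behaviors" are a fixed catalogue; the class names, labels and sample events are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Mask:
    # Assumption: a mask is the set of behaviour labels expected of a process.
    allowed: set = field(default_factory=set)
    novel: set = field(default_factory=set)  # behaviours absent from the known catalogue

class CommunityDB:
    """Stand-in for the central server shared by every monitor agent."""
    def __init__(self):
        self._masks = {}
    def lookup(self, process_id):
        return self._masks.get(process_id)
    def store(self, process_id, mask):
        self._masks[process_id] = mask

class MonitorAgent:
    def __init__(self, db, known_behaviors):
        self.db = db
        self.known = set(known_behaviors)
        self.alerts = []

    def run(self, process_id, events):
        """The process is allowed to execute in both branches; events are what it did."""
        mask = self.db.lookup(process_id)
        if mask is not None:
            # Found: monitor against the mask, alert on each deviation, keep monitoring.
            for ev in events:
                if ev not in mask.allowed:
                    self.alerts.append((process_id, ev))
            return "monitored"
        # Not found: build a new mask from the observed behaviour.
        new_mask = Mask()
        for ev in events:
            new_mask.allowed.add(ev)
            if ev not in self.known:       # compare with known behaviours
                new_mask.novel.add(ev)     # mask modified by a new behaviour
        self.db.store(process_id, new_mask)  # now visible to every other agent
        return "learned"

# Constructed sample data: two agents on different clients share one database.
db = CommunityDB()
known = {"file:read", "net:connect:443"}
agent_a, agent_b = MonitorAgent(db, known), MonitorAgent(db, known)
pid = "sha256:placeholder-updater"
first = agent_a.run(pid, ["file:read", "net:connect:443", "registry:write"])
second = agent_b.run(pid, ["file:read", "process:inject"])
```

The `novel` set holds the behaviours a reviewer would check first, since a mask learned from a first run is only as trustworthy as that run.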