US 12,287,866 B2
System and method for threat detection based on stack trace and user-mode sensors
Vladimir Strogov, Singapore (SG); Sergey Ulasen, Singapore (SG); Aliaksei Dodz, Singapore (SG); Serg Bell, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on Mar. 30, 2023, as Appl. No. 18/192,870.
Prior Publication US 2024/0330434 A1, Oct. 3, 2024
Int. Cl. G06F 21/52 (2013.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/52 (2013.01) [G06F 21/566 (2013.01); G06F 2221/033 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for threat detection, the method comprising:
training a machine learning (ML) stack trace analyzer based on a plurality of full stack trace data, the training including weighting one or more events associated with the full stack trace data;
monitoring at least one thread of a first user process on a computing system, including detecting a start of the first user process and injecting, into a process memory of the first user process, a secure code to hook specific system calls at the user level;
detecting specific system calls corresponding to the first user process at user level;
analyzing the specific system calls by applying a filter to a system calls sequence feature set associated with the specific system calls for detecting one or more events of interest;
capturing a full stack trace of the first user process if the system calls sequence feature set is filtered and at least one event of interest is detected;
providing a first level monitoring to the computing system, wherein the first level monitoring includes processing and analyzing the captured full stack trace by the machine learning (ML) stack trace analyzer to generate a first verdict;
capturing a call stack at user level, wherein the call stack is associated with the first user process;
providing a second level monitoring to the computing system, wherein the second level monitoring includes providing the first verdict and the captured call stack to an aggregated ML analyzer to generate a second verdict;
monitoring at least one thread of a second process on the computing system, wherein the first user process is a target process and the second process is a source process;
detecting specific system calls corresponding to the second process at user level;
associating the detected system calls with the first user process and the second process;
determining the source process based on associated system calls in response to the first verdict;
when the first verdict or the second verdict is classified as malicious, analyzing the source process with static and dynamic analyzers for threat detection; and
responding to the threat detection with a response action on the computing system.
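Claim 1 chains a syscall-sequence filter, a first-level stack trace verdict, a second-level aggregated verdict and a source/target process association. The simulation below is an added example, not code from the patent or from Acronis; the syscall trigram, per-frame weights, thresholds and sample trace are constructed stand-ins for the trained ML analyzers and the hooked events the claim describes.

```python
from collections import namedtuple

# Constructed event of interest: a syscall trigram the sequence filter looks for.
EVENTS_OF_INTEREST = {("NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx"): "remote_thread"}
# Constructed per-frame weights standing in for the trained ML stack trace analyzer.
FRAME_WEIGHTS = {"ntdll.dll": 0.0, "kernel32.dll": 0.0, "app.exe": 0.1, "<unbacked>": 0.9}
Syscall = namedtuple("Syscall", "source_pid target_pid name stack")  # stack: one module name per frame

def filter_sequence(calls):
    """Slide each event-of-interest pattern over the syscall name sequence of one process."""
    names, hits = [c.name for c in calls], []
    for pattern, label in EVENTS_OF_INTEREST.items():
        n = len(pattern)
        hits += [(i + n - 1, label) for i in range(len(names) - n + 1)
                 if tuple(names[i:i + n]) == pattern]
    return hits  # (index of the call that completed the pattern, event label)

def first_level_verdict(stack):
    """Stack trace analyzer stand-in: weighted mean over frames, unknown modules weigh 0.2."""
    score = sum(FRAME_WEIGHTS.get(m, 0.2) for m in stack) / max(len(stack), 1)
    return ("malicious" if score >= 0.5 else "benign"), round(score, 3)

def second_level_verdict(first_verdict, stack):
    """Aggregated analyzer: first verdict plus a call-stack feature (count of unbacked frames)."""
    return "malicious" if first_verdict == "malicious" or stack.count("<unbacked>") >= 2 else "benign"

def analyze(calls, monitored_pid):
    """Run the filter and both verdict levels per source process; report events aimed at monitored_pid."""
    by_source, detections = {}, []
    for c in calls:
        by_source.setdefault(c.source_pid, []).append(c)
    for source_pid, seq in by_source.items():
        for idx, label in filter_sequence(seq):
            call = seq[idx]
            if call.target_pid != monitored_pid:   # local activity: no source/target association
                continue
            first, score = first_level_verdict(call.stack)
            second = second_level_verdict(first, call.stack)
            if "malicious" in (first, second):
                detections.append({"event": label, "first": first, "second": second, "score": score,
                                   "source_pid": source_pid, "action": "analyze_source"})
    return detections

def sample_calls():
    bad = ("<unbacked>", "<unbacked>", "ntdll.dll")          # constructed: calls from unbacked memory
    ok = ("app.exe", "kernel32.dll", "ntdll.dll")            # constructed: ordinary module-backed stack
    names = ("NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx")
    return ([Syscall(7, 4, n, bad) for n in names]           # source pid 7 acting on monitored pid 4
            + [Syscall(9, 9, n, ok) for n in names])         # same sequence issued locally by pid 9
```

Only the cross-process sequence aimed at pid 4 produces a detection; the identical sequence run locally by pid 9 passes the filter but yields benign verdicts and no source/target association.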