US 12,013,942 B2
Rootkit detection based on system dump sequence analysis
Vladimir Strogov, Singapore (SG); Sergey Ulasen, Singapore (SG); Serguei Beloussov, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on Mar. 29, 2022, as Appl. No. 17/656,971.
Prior Publication US 2023/0315850 A1, Oct. 5, 2023
Int. Cl. G06F 21/56 (2013.01); G06F 21/00 (2013.01)
CPC G06F 21/566 (2013.01) [G06F 21/561 (2013.01); G06F 2221/033 (2013.01)] 19 Claims
 
1. A security system for identifying a threat during the execution of a malicious function based on system dump sequence analysis comprising:
a system event monitor for intercepting and collecting one or more application activity events corresponding to a computing system in accordance with a predefined security policy instilled within the security system;
a system dump capture driver configured to:
capture a first memory dump and a second memory dump in response to the one or more application activity events in accordance with the predefined security policy, wherein the first memory dump corresponds to memory before application activity corresponding to intercepted application activity events, and the second memory dump corresponds to memory after application activity corresponding to intercepted application activity events, and
generate a differential memory dump, wherein the differential memory dump is indicative of the difference between the first memory dump and the second memory dump;
a rootkit detection engine configured to:
receive the system dump sequence as a first data input, and a system event sequence from the system event monitor as a second data input, wherein the system dump sequence consists of at least two differential memory dumps generated by the system dump capture driver and the system event sequence consists of intercepted application activity events corresponding to differential memory dumps in the system dump sequence,
classify a system state into at least three classes by executing a machine learning model on the first data input and the second data input, wherein the three classes are an infected system state, a suspicious system state and a clean system state.
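The data flow claimed above, as an added illustration that is not the patent's or Acronis's code: two snapshots of a monitored region are diffed into a differential dump, a sequence of at least two such dumps is paired with the events that triggered them, and a rule-based stand-in classifier (an assumption; the claim specifies a machine learning model) labels the state clean, suspicious or infected. The 16-byte page granularity, the PASSIVE_EVENTS set, the protected range and the sample snapshots are all constructed for the example.

```python
PAGE = 16  # assumed granularity at which differences are recorded (bytes)
CLEAN, SUSPICIOUS, INFECTED = "clean", "suspicious", "infected"
# Assumed: event types that should never alter the monitored memory region.
PASSIVE_EVENTS = {"file_read", "registry_query"}

def differential_dump(before: bytes, after: bytes) -> list:
    """Differential memory dump: changed pages as (offset, old_bytes, new_bytes)."""
    assert len(before) == len(after), "snapshots must cover the same region"
    return [(off, before[off:off + PAGE], after[off:off + PAGE])
            for off in range(0, len(before), PAGE)
            if before[off:off + PAGE] != after[off:off + PAGE]]

def capture_sequence(snapshots: list, events: list) -> list:
    """Stand-in for the dump capture driver: one differential dump per event,
    built from the snapshot taken before the event and the one taken after it."""
    assert len(snapshots) == len(events) + 1
    return [differential_dump(snapshots[i], snapshots[i + 1])
            for i in range(len(events))]

def classify(dump_sequence: list, event_sequence: list, protected_ranges: list) -> str:
    """Stand-in classifier (constructed rules, not the patent's ML model):
    any change inside a protected range (e.g. kernel code) -> INFECTED;
    a non-empty diff triggered by a passive event -> SUSPICIOUS; else CLEAN."""
    assert len(dump_sequence) >= 2 and len(dump_sequence) == len(event_sequence)
    verdict = CLEAN
    for diff, event in zip(dump_sequence, event_sequence):
        for off, _old, _new in diff:
            if any(lo <= off < hi for lo, hi in protected_ranges):
                return INFECTED
        if diff and event["type"] in PASSIVE_EVENTS:
            verdict = SUSPICIOUS
    return verdict

def demo() -> tuple:
    region = bytearray(128)          # constructed 128-byte monitored region
    protected = [(96, 128)]          # constructed: last two pages are "kernel code"
    events = [{"type": "driver_load", "pid": 41},
              {"type": "file_read", "pid": 41},
              {"type": "file_read", "pid": 41}]
    snaps = [bytes(region)]
    region[0:4] = b"\x01\x02\x03\x04"; snaps.append(bytes(region))  # expected write
    region[40] = 0xFF;                snaps.append(bytes(region))  # write during passive event
    region[100] = 0x90;               snaps.append(bytes(region))  # write into protected page
    dumps = capture_sequence(snaps, events)
    # First two dumps only -> suspicious; full sequence -> infected.
    return classify(dumps[:2], events[:2], protected), classify(dumps, events, protected)
```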