| CPC G06F 21/554 (2013.01) [G06F 11/1469 (2013.01); G06F 21/552 (2013.01); G06F 21/565 (2013.01); G06F 21/566 (2013.01)] | 17 Claims |

1. A method for detecting malicious activity in a computing system comprising a user space and a kernel space, the method comprising:
generating, by a behavioral monitor executing in the user space, a plurality of filters in the kernel space, the plurality of filters corresponding to a plurality of processes executing in the user space, the plurality of filters generated by injecting code into the plurality of processes executing in the user space, the code creating signal handlers for each process;
transmitting, by a first process of the plurality of processes, a system call to the kernel space;
intercepting, by a first filter of the plurality of filters, the system call, wherein the first filter in the kernel space was created in association with the first process;
analyzing, by the first filter, the system call to determine how to process the system call based on one or more predefined rules stored at the first filter;
based on the analyzing, sending, by the first filter, a signal to a first signal handler associated with the first process, the signal prompting the first process to analyze arguments submitted in the system call;
responsive to receiving the signal from the first filter, analyzing, by the first process, the arguments submitted in the system call, wherein analyzing the arguments comprises:
determining that the first process or a process related to the first process has modified at least one file and/or data;
determining, by the first process, that the arguments may be associated with malicious activity;
responsive to the determining, generating, by the first process, an event and transmitting the event to the behavioral monitor, the event indicating that the first process has modified at least one file and/or data;
analyzing, by the behavioral monitor, the event to determine whether the event is associated with malicious activity, wherein analyzing the event comprises:
generating a copy of the at least one file and/or data prior to being modified by the first process, and
saving the copy and/or data of the at least one file to a backup folder or a system;
responsive to determining that the event is associated with malicious activity,
causing, by the behavioral monitor, a process group associated with the first process to cease executing, and
restoring, by the behavioral monitor, a previous version of the at least one file from the backup folder or the system.
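The monitor-side half of the claimed flow (copy the file before it is modified, analyze the event, stop the process group, restore from the backup) as an added Python example; this is illustrative code, not the patent's implementation. The high-entropy-rewrite rule, the process-group id 4242, the sample file contents and the injected kill_pgid callback are all constructed assumptions.

```python
import math, os, shutil, tempfile
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits near 4-5, encrypted output near 8."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())
class BehavioralMonitor:
    """Monitor side: snapshot before the write, score the process group after it, kill and roll back."""
    def __init__(self, backup_dir, kill_pgid, min_files=3, entropy_jump=2.0):
        self.backup_dir, self.kill_pgid = backup_dir, kill_pgid  # kill_pgid is injected; real code: os.killpg
        self.min_files, self.entropy_jump = min_files, entropy_jump
        self.snapshots, self.before = {}, {}   # path -> backup copy / entropy of the unmodified content
        self.suspicious = defaultdict(set)     # pgid -> files it rewrote with high-entropy data
    def pre_modify(self, pgid, path):
        """Event raised before the write proceeds: keep the unmodified copy."""
        if path in self.snapshots or not os.path.isfile(path):
            return
        dst = os.path.join(self.backup_dir, f"{len(self.snapshots)}.bak")
        shutil.copy2(path, dst)
        self.snapshots[path] = dst
        with open(path, "rb") as f:
            self.before[path] = shannon_entropy(f.read())
    def post_modify(self, pgid, path):
        """Event after the write: verdict for the process group, restoring on a hit."""
        with open(path, "rb") as f:
            after = shannon_entropy(f.read())
        if after - self.before.get(path, after) >= self.entropy_jump:
            self.suspicious[pgid].add(path)
        if len(self.suspicious[pgid]) < self.min_files:
            return {"malicious": False, "restored": 0}
        self.kill_pgid(pgid)
        for p in self.suspicious[pgid]:
            shutil.copy2(self.snapshots[p], p)  # roll back to the saved version
        return {"malicious": True, "restored": len(self.suspicious[pgid])}
def demo(n_files=4):
    """Constructed scenario: process group 4242 overwrites text files with random bytes."""
    root = tempfile.mkdtemp(); os.mkdir(os.path.join(root, "backup"))
    killed, original = [], b"quarterly report: revenue up, costs flat, see appendix\n" * 20
    mon = BehavioralMonitor(os.path.join(root, "backup"), kill_pgid=killed.append)
    paths = [os.path.join(root, f"doc{i}.txt") for i in range(n_files)]
    for p in paths:
        open(p, "wb").write(original)                    # victim file exists before the rewrite
        mon.pre_modify(4242, p)
        open(p, "wb").write(os.urandom(len(original)))   # simulated in-place encryption
        verdict = mon.post_modify(4242, p)
    intact = all(open(p, "rb").read() == original for p in paths)
    shutil.rmtree(root)
    return {"killed": killed, "final": verdict, "intact": intact}
```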