Identifying malicious applications by statistical analysis of currently running programs and network connections

摘要

A security application running on a computer system generates an application list indicating applications that are currently running. The system identifies network addresses meeting established criteria, such as entries in an IP whitelist or a database of malicious servers. The system then determines whether connections to those addresses have been made within a certain timeframe, and provides the application list LAPP and identified addresses LDOMHITS to another application 712, which may be on an external server 710 receiving information from multiple clients 100, 720, 722, 724. A statistical analysis is then performed to determine which of the applications in the list provided the connection to the suspect address. The analysing application may provide instruction to the system to kill the identified malware. If the operating platform restricts access to these details, the application list can be inferred from installed applications, and the network connections from DNS cache or routing table queries. This allows the detection and elimination of hazardous programs even in systems with restrictive security models.