US 9,811,661 B1
System and method for protecting computers from unauthorized remote administration
Maxim Y. Golovkin, Moscow (RU); Alexey M. Romanenko, Moscow (RU); and Alexey V. Monastyrsky, Moscow (RU)
Assigned to AO Kaspersky Lab, Moscow (RU)
Filed by AO Kaspersky Lab, Moscow (RU)
Filed on Dec. 21, 2016, as Appl. No. 15/386,423.
Claims priority of application No. 2016125280 (RU), filed on Jun. 24, 2016.
Int. Cl. G06F 21/55 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 21/562 (2013.01); G06F 21/568 (2013.01); G06F 2221/034 (2013.01)] 20 Claims
OG exemplary drawing
1. A computer-implemented method of detecting a remote administration of a computer system, the method comprising:
intercepting, via a processor of the computer system, a plurality of events occurring in the computer system;
determining respective parameters of each of the plurality of intercepted events;
identifying, based at least on the determined parameters, each intercepted event as relating to either a first data transfer by an application over a computer network or a second data transfer to the application from a peripheral data input device of the computer system;
determining, based on the determined parameters, a first of the identified intercepted events as being dependent on a second of the identified intercepted events;
generating a rule defining a dependency of the identified and determined parameters of the respective intercepted events, the rule identifying the dependency of the identified parameter of the first identified intercepted event on the identified parameter of the second identified intercepted event;
comparing the generated rule to a previously created rule that defines one or more dependencies of parameters of events occurring in the computer system during the remote administration;
determining a degree of similarity of the generated rule and the previously created rule;
when the degree of similarity exceeds a threshold value, identifying at least one application that created the first and second identified intercepted events as a remote administration application; and
blocking the identified remote administration application from exchanging data with the computer system.
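The claim describes a detection pipeline: intercept events, classify each as a network transfer by an application or as input arriving from a peripheral device, derive a dependency between the two event classes, express that dependency as a rule, score it against a rule learned from known remote administration sessions, and block the application when the score clears a threshold. The following is an added worked example written for this page, not code from the patent or from Kaspersky. It assumes a simplified event record (timestamp, pid, image name, event kind), a constructed event log, a two-feature dependency rule (how often input follows a network receive, and how often a network send follows input, within a fixed window), a reference rule with assumed values, and a similarity function defined as one minus the mean absolute difference between rule values. All of those are illustrative assumptions; the patent does not specify its event parameters, rule encoding, similarity measure, or threshold.

```python
"""Event-dependency detection of remote administration, sketched from the claim.

Constructed example for illustration; not the patent's or Kaspersky's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts_ms: int      # time the event was intercepted, milliseconds
    pid: int        # process that produced the event
    process: str    # image name, used only for the block decision
    kind: str       # "net_recv", "net_send", "input_key", "input_mouse"


INPUT_KINDS: Set[str] = {"input_key", "input_mouse"}

# Assumed reference rule: in a remote administration session, nearly every
# injected input follows a network receive (the operator's command) and nearly
# every network send (screen update) follows input.
REFERENCE_RULE: Dict[str, float] = {"input_after_recv": 1.0, "send_after_input": 0.9}


def _preceded_within(events: List[Event], target: Event, causes: Set[str], window_ms: int) -> bool:
    """True if an event of a kind in `causes`, from the same pid, occurred in
    [target.ts_ms - window_ms, target.ts_ms]."""
    return any(
        e.pid == target.pid and e.kind in causes and 0 <= target.ts_ms - e.ts_ms <= window_ms
        for e in events
    )


def generate_rule(events: List[Event], pid: int, window_ms: int = 50) -> Dict[str, float]:
    """Dependency rule for one process: fraction of its input events that follow a
    network receive, and fraction of its network sends that follow input.
    A process with no events of a class gets 0.0 for that feature (no dependency)."""
    own = [e for e in events if e.pid == pid]
    inputs = [e for e in own if e.kind in INPUT_KINDS]
    sends = [e for e in own if e.kind == "net_send"]

    def ratio(targets: List[Event], causes: Set[str]) -> float:
        if not targets:
            return 0.0
        hits = sum(_preceded_within(own, t, causes, window_ms) for t in targets)
        return hits / len(targets)

    return {
        "input_after_recv": ratio(inputs, {"net_recv"}),
        "send_after_input": ratio(sends, INPUT_KINDS),
    }


def similarity(rule: Dict[str, float], reference: Dict[str, float]) -> float:
    """1.0 when every dependency strength matches the reference, 0.0 when all are opposite.
    Features missing from `rule` count as 0.0 (dependency absent)."""
    diffs = [abs(rule.get(k, 0.0) - v) for k, v in reference.items()]
    return 1.0 - sum(diffs) / len(diffs)


def detect_remote_admin(events: List[Event], reference: Dict[str, float] = REFERENCE_RULE,
                        threshold: float = 0.8, window_ms: int = 50) -> Dict[str, float]:
    """Return {image name: score} for every process whose generated rule exceeds the
    threshold. The caller enforces the block (firewall rule, socket teardown, or kill)."""
    blocked: Dict[str, float] = {}
    for pid in sorted({e.pid for e in events}):
        score = similarity(generate_rule(events, pid, window_ms), reference)
        if score > threshold:
            name = next(e.process for e in events if e.pid == pid)
            blocked[name] = round(score, 2)
    return blocked


# Constructed event log. pid 100 behaves like a remote administration tool:
# receive command, inject input, send screen update. pid 200 is a local editor:
# keyboard input with no network trigger, one unrelated network send.
SAMPLE_EVENTS: List[Event] = [
    Event(0, 100, "rat.exe", "net_recv"), Event(20, 100, "rat.exe", "input_key"),
    Event(30, 100, "rat.exe", "net_send"),
    Event(100, 100, "rat.exe", "net_recv"), Event(120, 100, "rat.exe", "input_mouse"),
    Event(135, 100, "rat.exe", "net_send"),
    Event(200, 100, "rat.exe", "net_recv"), Event(215, 100, "rat.exe", "input_key"),
    Event(230, 100, "rat.exe", "net_send"),
    Event(10, 200, "editor.exe", "input_key"), Event(40, 200, "editor.exe", "input_key"),
    Event(70, 200, "editor.exe", "input_key"), Event(500, 200, "editor.exe", "net_send"),
    Event(600, 200, "editor.exe", "net_recv"), Event(900, 200, "editor.exe", "input_key"),
]

if __name__ == "__main__":
    for pid in (100, 200):
        print(pid, generate_rule(SAMPLE_EVENTS, pid))
    print("block:", detect_remote_admin(SAMPLE_EVENTS))
```

The window and threshold are the two knobs a practitioner would tune: a window that is too wide makes ordinary clients (a chat app that plays a sound on receipt, then the user types) look dependent, and a threshold that is too low flags screen-sharing or accessibility tools the user chose to run. The detector also only sees per-process correlation; a remote administration tool that injects input through a separate helper process would need the pid matching in `_preceded_within` relaxed to a process tree.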