Patents by Inventor Mikhail A. Pavlyushchik
Mikhail A. Pavlyushchik has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11449615
  Abstract: Disclosed herein are systems and methods for forming a log during an execution of a file with vulnerabilities. In one aspect, an exemplary method comprises, discovering an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file, analyzing a stack of the process created upon opening the file, and discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses, analyzing the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability, and when the conditions of the trigger are fulfilled, saving information about the chain of function calls in a log.
  Type: Grant
  Filed: May 15, 2019
  Date of Patent: September 20, 2022
  Assignee: AO Kaspersky Lab
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
- Patent number: 11366896
  Abstract: A system and method is provided for detecting anomalous events based on a dump of an address space of a software process in a memory of a computing device. An exemplary method includes detecting at least one event occurring in an operating system of the computing device during an execution of the software process, determining a context of the detected event, wherein the context comprises a dump of an address space of the software process containing code that was being executed at the moment of occurrence of the detected event, selecting a set of features of the dump for use in determining whether or not the event is anomalous, transforming the selected set of features of the dump into a convolution, determining a popularity of the convolution by polling a database, and determining that the detected event is an anomalous event if the determined popularity is below a threshold value.
  Type: Grant
  Filed: December 17, 2019
  Date of Patent: June 21, 2022
  Assignee: AO Kaspersky Lab
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Patent number: 11216555
  Abstract: A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.
  Type: Grant
  Filed: December 3, 2019
  Date of Patent: January 4, 2022
  Assignee: AO Kaspersky Lab
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Patent number: 11003772
  Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.
  Type: Grant
  Filed: June 18, 2018
  Date of Patent: May 11, 2021
  Assignee: AO Kaspersky Lab
  Inventors: Mikhail A. Pavlyushchik, Yuri G. Slobodyanuk, Alexey V. Monastyrsky, Vladislav V. Martynenko
- Patent number: 10839074
  Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.
  Type: Grant
  Filed: June 18, 2018
  Date of Patent: November 17, 2020
  Assignee: AO Kaspersky Lab
  Inventors: Mikhail A. Pavlyushchik, Yuri G. Slobodyanuk, Alexey V. Monastyrsky, Vladislav V. Martynenko
- Publication number: 20200210591
  Abstract: Disclosed herein are systems and methods for forming a log during an execution of a file with vulnerabilities. In one aspect, an exemplary method comprises, discovering an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file, analyzing a stack of the process created upon opening the file, and discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses, analyzing the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability, and when the conditions of the trigger are fulfilled, saving information about the chain of function calls in a log.
  Type: Application
  Filed: May 15, 2019
  Publication date: July 2, 2020
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
- Patent number: 10691800
  Abstract: Disclosed are methods and systems for detecting malicious code in the address space of processes. The described method detects a launching of a process from an executable file executing on a computer, detects access to an address within a memory area in an address space of the trusted process, wherein the memory area is a memory area that lies outside the boundaries of the trusted executable image representing the executable file and is an executable memory area, analyzes memory areas within a vicinity of the address space to determine whether another executable image is located in the memory areas, analyzes the other executable image to determine whether the other executable image contains malicious code, concludes that malicious code is contained in the address space of the trusted process when the other executable image contains malicious code, and performs one of removing, halting or quarantining the malicious code from the address space.
  Type: Grant
  Filed: March 20, 2018
  Date of Patent: June 23, 2020
  Assignee: AO Kaspersky Lab
  Inventor: Mikhail A. Pavlyushchik
- Publication number: 20200125726
  Abstract: A system and method is provided for detecting anomalous events based on a dump of an address space of a software process in a memory of a computing device. An exemplary method includes detecting at least one event occurring in an operating system of the computing device during an execution of the software process, determining a context of the detected event, wherein the context comprises a dump of an address space of the software process containing code that was being executed at the moment of occurrence of the detected event, selecting a set of features of the dump for use in determining whether or not the event is anomalous, transforming the selected set of features of the dump into a convolution, determining a popularity of the convolution by polling a database, and determining that the detected event is an anomalous event if the determined popularity is below a threshold value.
  Type: Application
  Filed: December 17, 2019
  Publication date: April 23, 2020
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Publication number: 20200104487
  Abstract: A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.
  Type: Application
  Filed: December 3, 2019
  Publication date: April 2, 2020
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Patent number: 10558801
  Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.
  Type: Grant
  Filed: June 22, 2018
  Date of Patent: February 11, 2020
  Assignee: AO Kaspersky Lab
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Patent number: 10528727
  Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.
  Type: Grant
  Filed: October 5, 2017
  Date of Patent: January 7, 2020
  Assignee: AO Kaspersky Lab
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Patent number: 10489586
  Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.
  Type: Grant
  Filed: September 29, 2017
  Date of Patent: November 26, 2019
  Assignee: AO Kaspersky Lab
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Patent number: 10460099
  Abstract: Disclosed are a system and method for detecting malicious code in files. One exemplary method comprises: intercepting, by a processor, one or more application program interface (API) calls during an execution of a process launched from a file of a computing device; determining and detecting, by the processor, a presence of an exit condition of the process; in response to detecting the exit condition, identifying one or more signatures of a first type and transferring one or more saved memory dumps of the computing device to an emulator for execution; and determining and identifying a malicious code in the file in response to detecting one or more signatures of a second type based at least upon execution results of the transferred memory dumps of the computing device.
  Type: Grant
  Filed: February 13, 2017
  Date of Patent: October 29, 2019
  Assignee: AO Kaspersky Lab
  Inventors: Maxim Y. Golovkin, Alexey V. Monastyrsky, Vladislav V. Pintiysky, Mikhail A. Pavlyushchik, Vitaly V. Butuzov, Dmitry V. Karasovsky
- Publication number: 20190121975
  Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.
  Type: Application
  Filed: June 18, 2018
  Publication date: April 25, 2019
  Inventors: Mikhail A. Pavlyushchik, Yuri G. Slobodyanuk, Alexey V. Monastyrsky, Vladislav V. Martynenko
- Publication number: 20190121976
  Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.
  Type: Application
  Filed: June 18, 2018
  Publication date: April 25, 2019
  Inventors: Mikhail A. Pavlyushchik, Yuri G. Slobodyanuk, Alexey V. Monastyrsky, Vladislav V. Martynenko
- Publication number: 20190102552
  Abstract: Disclosed are methods and systems for detecting malicious code in the address space of processes. The described method detects a launching of a process from an executable file executing on a computer, detects access to an address within a memory area in an address space of the trusted process, wherein the memory area is a memory area that lies outside the boundaries of the trusted executable image representing the executable file and is an executable memory area, analyzes memory areas within a vicinity of the address space to determine whether another executable image is located in the memory areas, analyzes the other executable image to determine whether the other executable image contains malicious code, concludes that malicious code is contained in the address space of the trusted process when the other executable image contains malicious code, and performs one of removing, halting or quarantining the malicious code from the address space.
  Type: Application
  Filed: March 20, 2018
  Publication date: April 4, 2019
  Inventor: Mikhail A. Pavlyushchik
- Patent number: 10242186
  Abstract: Disclosed are a system and method for detecting malicious code in the address space of a process. An exemplary method comprises: detecting a first process executed on the computer in association with an application; intercepting at least one function call made by the first process to a second process; determining one or more attributes associated with the at least one function call; determining whether to perform malware analysis of code associated with the at least one function call in an address space associated with the second process based on application of one or more rules to the one or more attributes; and upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious.
  Type: Grant
  Filed: June 15, 2016
  Date of Patent: March 26, 2019
  Assignee: AO Kaspersky Lab
  Inventors: Mikhail A. Pavlyushchik, Alexey V. Monastyrsky, Denis A. Nazarov
- Publication number: 20180365415
  Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.
  Type: Application
  Filed: September 29, 2017
  Publication date: December 20, 2018
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Publication number: 20180365416
  Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.
  Type: Application
  Filed: June 22, 2018
  Publication date: December 20, 2018
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
- Publication number: 20180365419
  Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.
  Type: Application
  Filed: October 5, 2017
  Publication date: December 20, 2018
  Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin