Patents by Inventor Or Chechik

Or Chechik has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12625961
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computer by first deploying in a memory of the computer a hooked version of a syscall used by an operating system kernel of the computer A notification of a call to the hooked version of the syscall from a user mode of the computer is received from the hooked version of the syscall, the notification including a return address in the memory and a set of features extracted from the call. The return address and the received features are analyzed so as to classify the call as benign or malicious, and an alert is generated for the computer upon classifying the new call as malicious.
    Type: Grant
    Filed: July 31, 2024
    Date of Patent: May 12, 2026
    Assignee: Palo Alto Networks, Inc.
    Inventors: Or Chechik, Ofir Ozer, Ori Damari, Yuval Zan
  • Publication number: 20260037628
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computer by first deploying in a memory of the computer a hooked version of a syscall used by an operating system kernel of the computer A notification of a call to the hooked version of the syscall from a user mode of the computer is received from the hooked version of the syscall, the notification including a return address in the memory and a set of features extracted from the call. The return address and the received features are analyzed so as to classify the call as benign or malicious, and an alert is generated for the computer upon classifying the new call as malicious.
    Type: Application
    Filed: July 31, 2024
    Publication date: February 5, 2026
    Inventors: Or Chechik, Ofir Ozer, Ori Damari, Yuval Zan
  • Publication number: 20260023861
    Abstract: A method for detecting malicious code, including, in a computer, intercepting a call to an operating-system (OS) function, the call requesting an execution privilege for a memory region. In response to intercepting the call, the execution privilege requested by the call is removed. Upon detecting an exception that occurs due to an executable code in the memory region starting to run without the execution privilege, a check is made for determining whether the executable code in the memory region is malicious or benign.
    Type: Application
    Filed: July 22, 2024
    Publication date: January 22, 2026
    Inventors: Eldar Aharoni, Eli Birkan, Or Chechik, Jon Doron, Bar Lahav
  • Publication number: 20250371130
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include deploying, in a memory used by an operating system kernel of a computer, a hooked version of a syscall that is configured to modify an execution status of processes executing on the computer. Subsequent to one or more protected processes being specified, a notification of a call to the syscall from the hooked version of the syscall is received, the call requesting to change the execution status of a given process executing on the computer. Finally, upon ascertaining that the given process is one of the protected processes, execution of the syscall is inhibited.
    Type: Application
    Filed: May 29, 2024
    Publication date: December 4, 2025
    Inventors: Or Chechik, Ori Damari, Yaron Samuel
  • Patent number: 12361130
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files. In embodiments of the present invention, a call to a specified function for execution by the processor is detected, and a stack trace for the call to the specified function is generated in the memory. Upon detecting, in the stack trace, a stack frame including a return address referencing a shellcode region in the memory, wherein the shellcode region includes executable code that was not loaded from any given file on the storage device, then the referenced executable code is compared to a list of malicious shellcode. Finally, a preventive action is initiated upon detecting a match between the referenced executable code and one of malicious shellcodes in the list.
    Type: Grant
    Filed: April 17, 2023
    Date of Patent: July 15, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Or Chechik, Liav Zigelbaum, Eldar Aharoni, Bar Lahav
  • Publication number: 20240346145
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files. In embodiments of the present invention, a call to a specified function for execution by the processor is detected, and a stack trace for the call to the specified function is generated in the memory. Upon detecting, in the stack trace, a stack frame including a return address referencing a shellcode region in the memory, wherein the shellcode region includes executable code that was not loaded from any given file on the storage device, then the referenced executable code is compared to a list of malicious shellcode. Finally, a preventive action is initiated upon detecting a match between the referenced executable code and one of malicious shellcodes in the list.
    Type: Application
    Filed: April 17, 2023
    Publication date: October 17, 2024
    Inventors: Or Chechik, Liav Zigelbaum, Eldar Aharoni, Bar Lahav
  • Publication number: 20230084691
    Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by detecting an executing process that performed a specific type of modification to a number of files stored on the storage device. A processor compares the detected number to a specified threshold and initiates, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold.
    Type: Application
    Filed: November 2, 2022
    Publication date: March 16, 2023
    Inventors: Erez Levy, Or Chechik, Liav Zigelbaum, Eldar Aharoni
  • Patent number: 11520886
    Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by storing, to the storage device, a set of protected files and one or more decoy files, wherein any modification to the decoy file indicates a cyber-attack on the computer system. Upon receiving a request from a process executing on the computing device to enumerate files stored on the storage device, the process is analyzed so as to classify the process as benign or suspicious. The protected files are enumerated to the process whether the process was classified as benign or suspicious. However, the one or more decoy files are enumerated to the process only upon process being classified as suspicious.
    Type: Grant
    Filed: July 26, 2020
    Date of Patent: December 6, 2022
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Erez Levy, Or Chechik, Liav Zigelbaum, Eldar Aharoni
  • Publication number: 20220027471
    Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by storing, to the storage device, a set of protected files and one or more decoy files, wherein any modification to the decoy file indicates a cyber-attack on the computer system. Upon receiving a request from a process executing on the computing device to enumerate files stored on the storage device, the process is analyzed so as to classify the process as benign or suspicious. The protected files are enumerated to the process whether the process was classified as benign or suspicious. However, the one or more decoy files are enumerated to the process only upon process being classified as suspicious.
    Type: Application
    Filed: July 26, 2020
    Publication date: January 27, 2022
    Inventors: Erez Levy, Or Chechik, Liav Zigelbaum, Eldar Aharoni