RU2790329C1 - Method for detecting an anomaly in the behavior of a trusted process and a system for its implementation - Google Patents

Abstract

FIELD: malicious behavior cases detection.

SUBSTANCE: invention relates to solutions for detecting cases of malicious behavior based on the exploitation of vulnerabilities in trusted processes. The specified effect is achieved by joint application of a module that includes a machine learning algorithm and a stochastic modeling tool, namely the Markov chain. On the basis of Markov chains, basic models of the behavior of each trusted process are formed, while each event that occurs is determined by a weighting factor. The event weight indicates the probability that the event will occur during the execution of the trusted process.

EFFECT: improving the efficiency of detecting anomalies in the behavior of trusted processes.

10 cl, 5 dwg

Description

Technical field

The present invention relates to solutions for detecting cases of malicious behavior based on the exploitation of vulnerabilities in trusted processes, and in particular to methods and systems for detecting anomalies in the behavior of trusted processes.

State of the art

The fight against malware is one of the most important tasks of modern computer security. In the field of technical means of counteracting malicious programs, a crisis has begun to be observed over the past ten years. The rivalry between attackers who use malware and software vulnerabilities and antivirus software developers has led to the latter playing the role of "catch-up". Attackers are getting smarter every time they create malware or exploit vulnerabilities in trusted programs to their advantage.

Currently, attackers have begun to effectively hide their activities. Masking techniques have rendered traditional signature and threshold-based detective measures almost useless, where detective measures are measures that help detect incident-related activity. At the same time, the information security industry began to develop the use of behavioral analysis, which is associated with the search for activity patterns and mathematically significant deviations in user behavior (use of suspicious applications, file search operations) or program (processor) behavior, based on historical initial data.

One of the promising areas is technical solutions aimed at detecting malicious programs or deviations in the behavior of trusted programs based on the search for anomalies, since:

• allow building individual protection of the user's device;

• do not require frequent database updates;

• Capable of detecting both known and previously unknown threats.

As a result of exploiting vulnerabilities in the application, attackers may be able to perform malicious actions on behalf of a trusted process. Existing methods for detecting exploitation of vulnerabilities and subsequent destructive actions are based on classical methods, such as signature and heuristic analysis, and are not always able to detect the exploitation of a previously unknown vulnerability.

To eliminate the limitations of existing solutions for finding anomalies in the behavior of trusted processes, new solutions are required to solve the problem of finding anomalies and vulnerabilities in programs. Thus, solutions are proposed based on the use of machine learning algorithms in conjunction with Markov chains to detect the exploitation of vulnerabilities in trusted applications, namely, the detection of anomalies in the behavior of trusted processes.

Disclosure of invention

The present invention relates to solutions for detecting cases of malicious behavior based on the exploitation of vulnerabilities in trusted processes, and in particular to methods and systems for detecting anomalies in the behavior of trusted processes. The present invention consists in the joint application of a module implemented on the basis of at least one machine learning method and a module used by a stochastic modeling tool, namely a Markov chain.

The technical result of the present invention is to increase the efficiency of anomaly detection in the behavior of trusted processes by applying basic behavior models based on the Markov chain principle, together with a machine learning module based on at least one machine learning principle.

As one embodiment of the present invention, a method for detecting an anomaly in the behavior of a trusted process is provided, according to which the launch of a trusted process in a computer system is detected, a basic behavior model expressed in the form of a Markov chain is requested from the data warehouse, and a machine learning model (ML Model) for the file from which the trusted process is launched, data is collected about the trusted process using the base behavior model, during which events are tracked according to the Markov chain from the base behavior model, the probability of occurrence of each event in the trusted process is determined using the Markov chain, and calculate the overall probability of occurrence of the events that have occurred; comparing the total probability of occurring events with a predetermined threshold, when the predetermined threshold is exceeded, highlighting events that occurred while following the Markov chain, and transmitting event data to the input of the ML Model, while the data includes a chain of events that occurred; analyze the event data using the ML Model, as a result of the analysis, make a decision about anomalous behavior.

In another embodiment of the method, the basic behavior model, expressed as a Markov chain, contains chains of events that occur during the execution of a trusted process, with each event having its own probability of occurrence

In yet another embodiment of the method, events are trusted, wherein trusted events have a high probability of occurring in a chain, where the probability is calculated as the ratio of the number of occurrences of a particular event for the current process to the total number of occurrences of similar events for the current process.

In another embodiment of the method, the ML Model is pre-trained on the occurrence of text words that occurred in the attributes of events in the chain.

In another embodiment of the method, the specified ML model was trained in advance both on logs without anomalies and with them, where, as a result of training, anomalous events are determined by low coefficients.

In another embodiment of the method, when anomalous behavior is detected, the trusted process is blocked and the user is notified.

In another embodiment of the method, when making a decision about anomalous behavior, a false positive is checked by transmitting data to the component responsible for the specified check about the decision made and receiving a response with the results of the check.

In another version of the method, the result of checking a false positive is obtained, and if an error is found in the decision about the detected anomaly, then the ML Model is retrained by retraining together with the data, during the analysis of which the error occurred.

In yet another embodiment of the method, the chain of events that have occurred includes events from an initial event to an event after which a predetermined threshold was reached.

As another embodiment of the present invention, a system is proposed that contains at least one computer, including interacting tools: a learning module, a monitoring tool, an analysis tool, a data store containing statistical data on the operation of processes, basic behavior models and ML models, and stored machine-readable instructions, upon execution of which the system performs detection of an anomaly in the behavior of the trusted process according to any of the above embodiments of the method.

Brief description of the drawings

Additional objects, features and advantages of the present invention will become apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

On FIG. 1 shows a schematic example of a system implementation for implementing a method for detecting anomalies in the behavior of trusted processes based on Markov chains and a machine learning algorithm.

On FIG. Figure 2 shows an example of a basic model of trusted process behavior in the form of a directed graph.

OnFig. 3presented a flowchart illustrating a method for detecting anomalies in the behavior of trusted processes based on Markov chains and a machine learning algorithm.

OnFig. 4 presented a flowchart illustrating an example of generating a basic behavior model and a machine learning model (ML Model) for a trusted process.

Fig. 5 illustrates an example of a general purpose computer system with which the claimed invention may be implemented.

Although the invention may have various modifications and alternative forms, the characteristic features shown by way of example in the drawings will be described in detail. It should be understood that the purpose of the description is not to limit the invention to a particular embodiment. On the contrary, the purpose of the description is to cover all changes, modifications, included in the scope of this invention, as defined by the attached claims.

Description of embodiments of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The foregoing description is intended to assist a person skilled in the art in a thorough understanding of the invention, which is defined only within the scope of the appended claims.

The present invention consists in the joint application of a module including a mechanism based on at least one machine learning method and a stochastic modeling tool, namely, a Markov chain. The purpose of the present invention is to detect anomalies in the behavior of trusted processes. Based on the principle of the Markov chain, basic models of the behavior of each trusted process are formed, while each event that occurs is determined by a weighting factor. The event weight indicates the probability that the event will occur during the execution of the trusted process. During the execution of a trusted process, the operating system (OS) observes the occurrence of events, which are then compared with events from the created base behavior model, and a weight coefficient is determined for each event. At the same time, the overall probability of the occurrence of the entire chain of occurred events is calculated based on weight coefficients and a behavioral log is formed from the events that have occurred. When the overall probability reaches a given threshold, the generated behavioral log is sent to the input of a module designed to perform analysis using a machine learning algorithm. Based on the analysis of the generated behavioral log by the specified module, an assessment is made of the presence of an anomaly in the behavior of the trusted process. Thus, at the output of the specified module, a decision is made about the anomalous behavior of the trusted process based on a series of events that have occurred and/or the absence of any events in the specified series. In addition, based on the detected anomaly, a vulnerability in the software through which the corresponding trusted process is exploited can be further identified.

A behavioral log is an ordered set of records of events that have occurred as a result of the operation of a certain trusted process. The use of a Markov chain in the formation of a basic behavioral log (basic behavior model) is carried out as a tree representation of events occurring during execution in a trusted process, with the probability of its occurrence (weight coefficient) being determined for each event.

A trusted process is a process launched from trusted software (an executable file), and the executable file must be signed as a safe file.

The following are some embodiments of the claimed invention.

On FIG. 1 is a schematic example of an implementation of a system 100 for implementing a method for detecting anomalies in the behavior of trusted processes based on Markov chains and a machine learning algorithm.

The system 100 includes tools such as a learning module 110 , a data store 120 , a control tool 130 , and an analysis tool 140 . In turn, the data warehouse 120 contains statistical data on the operation of processes 150 , basic behavior models 160 and ML models (eng. Machine Learning - machine learning) 170 .

To implement the claimed invention, it is required to collect information about the operation of software (SW) on a computer system, and if the claimed invention is used on several computer systems connected in a network, for example, in a corporate network, such collection can be made on all computer systems ( CS) networks. Based on information about the software used, a list of processes is determined, the execution (work) of which at the CS will be considered trusted. Next, using the learning module 110, a basic behavior model 160 and an ML model 170 are formed for each software and its trusted process. Each base behavior model 160 is based on the principle of a Markov chain and additionally contains a weighting factor for each event in the chain. The base behavior model 160 is generated based on the collected information about the operation of the software, which is presented in the form of a behavioral log. Model ML 170 is a machine learning model.

It should be noted that the collection of information in the form of a behavioral log and the subsequent formation of basic behavioral models 160 can be implemented in advance and then applied to each CS when implementing the claimed invention. In this case, the basic behaviors 160 will be provided along with the solution or transmitted via the Internet 190 , and also be able to be updated via the Internet 190 . This option is particularly preferred for standard software. Early generation of baseline behaviors 160 may be implemented on a remote server (not shown in FIG. 1 ).

In another embodiment, the basic behaviors 160 are formed directly at the beginning of work, in the preparation mode for work. In this mode, information is collected in real time about the operation of at least one software during its execution, the formation of basic behavior models 160 for these processes and the formation of an ML model 170 for each software. This approach is preferable for non-distributed software or when used in a closed corporate network.

Depending on the implementation option, the formation of the basic behavior model 160 is performed both on behavioral logs containing only trusted events, and on behavioral logs containing additional anomalous events. As a result of the formation of the basic behavior model 160, low weighting factors are set for anomalous events. Thus, the base behavior model 160 contains all theoretically possible events that can occur in a trusted process, with different weighting factors for a particular software.

After generating a behavioral log for a trusted process, a weight coefficient is determined for each event from the specified log. The weight coefficient for each event is determined by collecting additional similar information about the events of similar software on other CSs. Thus, the collection is carried out either from the CS within one corporate network, or from all CSs via the Internet 190 , or from a cloud server that has information with the necessary statistics on the operation of trusted processes, also via the Internet 190 .

In one implementation, a weighting factor for an event is generated based on the probability of occurrence of the event in all behavioral logs from the collected statistics. In other words, each event in the chain contains the probability of its occurrence, and its calculation is carried out as the ratio of the number of occurrences of a particular event for the current process to the total number of occurrences of similar events for a similar current process.

Typically, trusted processes contain trusted events. A trusted event is generally an event that is not part of a malicious activity (targeted attack) and is characteristic of the behavior of the software in question. Trusted events have a high probability of occurring during the execution of a trusted process and will carry a high weight. If, for some reason, trusted events are rare, then they will not have a high weight coefficient, but this parameter, namely rarity, will be taken into account when analyzing the behavioral log using the ML 170 model before making a final decision.

An example of a basic behavior model of a trusted process in the form of a bipartite directed graph (digraph) is shown in Fig. 2 , where the vertices are processes (shaded red circle) and events (solid green circle), arcs are transitions between processes and events, and the thickness of the arcs indicates the probability of such a transition, i.e. on the probability of occurrence of the process and event.

An example of the approach of forming a behavioral log (gathering information) is based on the following principle.

A Windows operating system (OS) process consists of a set of threads, with each process consisting of at least one thread. The software starts from the entry point and runs until it ends, while the duration of the work may not be limited. While running, a thread interacts only with its RAM. To change the state of the OS (for example, when reading or writing to a file, working with a network or other processes), a thread calls the OS kernel service using one of the commands: syscall, sysenter or int XXh, i.e. a system call occurs. All kernel services are numbered, the addresses of their handler functions are contained in the SSDT system table. As a rule, functions from the OS system libraries are used, which are wrappers for these calls (ntdll.dll, kernel32.dll, and others).

In one implementation, the process information is collected using the driver 180 , which allows you to record system call numbers for each thread and thus generate a behavioral log for the process of the corresponding software. In this case, the behavioral log contains the names of the called functions associated with the numbers of system calls, and the parameters of the called functions.

In yet another embodiment, the behavioral log for a particular software and its process can be taken from pre-collected statistical data about the operation of the processes 150 and stored in the data store 120 . Process statistics 150 include at least system call numbers, function names, and function parameters that were collected while monitoring the execution of trusted CS processes or received from other CSs located on the corporate network or connected via the Internet 190 , or remote server interacting via the Internet 190 .

In yet another implementation, the data store 120 may be located on a remote CS, which is interacted with via a network, in particular, via the Internet 190 .

The learning module 110 is also designed to generate a machine learning model (ML model) 170 . The ML model for each software and its trusted process is formed on the basic principles of forming machine learning models for such tasks, namely, to assess the probability of an anomaly. Examples of ML models are models created on one or a combination of the following principles: naive Bayes classifier (eng. naive Bayes classifiers), neural networks (eng. artificial neural networks), decision tree (eng. decision tree), support vector machine ( English SVM, support vector machine).

The input parameters for training and further operation of each ML 170 model are the parameters of events that occur during the operation of the trusted process. In one implementation, textual data (eg, words) from function names that have been encountered in events occurring in the trusted process are used as parameters. Example text words that correspond to events are: CreateProcess, CreateFile, and RegSetValue. In another implementation, function parameters are additionally used as parameters. In yet another implementation, learning module 110 requests ML models 170 for required software and associated trusted processes from a remote server, which contains pre-generated ML models 170 for various software and associated trusted processes, over the Internet 190 .

It should be noted that, depending on the implementation of the invention, the learning module 110 can be implemented on another CS. In this case, communication with it will be carried out through a network, for example, the Internet 190 .

After preparing all the necessary basic behavior models 160 and training the ML 170 models to detect anomalies in the behavior of trusted processes on the CS and add them to the data store 120, the claimed invention switches from the preparation mode to the main operation mode.

In main mode, when a new trusted process, such as process 105, is started, it is detected by monitoring tool 130 . The control 130 then, by querying the data store 120, selects a base behavior 160 that corresponds to the detected trusted process 105 . The control 130 then controls the trusted process 105 . During the monitoring, the monitoring tool 130 compares the events that occur with the events from the base behavior 160 , based on which, in real time, calculates the overall probability of occurrence of the events. The calculation is carried out on the basis of determining the probability of occurrence (weight coefficient) of each event in the chain of events from the basic behavior model 160 and their further multiplication with each other. When a predetermined threshold is reached, data is extracted from the passed part of the chain of the basic behavior model 160 and sent to the analysis tool 140 . The retrieved data is a behavioral log that contains only events that have occurred, the total probability of occurrence of which has overcome a given threshold, and the parameters of the specified events. For example, text words that were found in the attributes of occurred events will be used as parameters.

The parser 140 accesses (queries) the data store 120 to obtain an ML 170 model that corresponds to the analyzed software. Next, the analysis tool 140 transmits the received parameters from the control tool 130 to the input of the model ML 170 . The analysis tool 140 uses the ML model 170 to analyze the parameters. In one of the implementation options, the ML model will break the text data into words, according to which it will perform the analysis. Based on the results of the analysis, a decision is made about the presence of anomalous behavior in the trusted process. So, for example, the decision will indicate the presence of anomalous behavior of a trusted process, if in the resulting chain of transitions between processes and events of the form: winword -> CreateProcess -> wmic -> CreateProcess, there will be lines: powershell and encodedcommand. An example, when the decision will talk about the absence of anomalous behavior, will be the formed chain of the form: excel -> CreateProcess with the line calc.exe.

It should be noted that, depending on the implementation of the claimed invention, the decision on the presence of anomalous behavior made by the analysis tool 140 can be either final or intermediate. In the case where the decision is an intermediate decision, the final decision will be the decision combining the decision from the analyzer 140 and the results received from the monitor 130 , including information about the threshold exceeded and the behavioral log. In one implementation, the final solution is the average of the chain probability and the ML model solution.

An example of detecting anomalies in the behavior of a trusted process on the example of the executable file "winword.exe" of Microsoft Word software.

Suppose that for the executable file "winword.exe" a basic behavior model has been created, expressed as a Markov chain, and an ML model has been trained for it.

Also assume that the base behavior for the trusted process of the executable "winword.exe" includes the following events:

winword.exe run:

Launching the application (Probability of occurrence or weighting factor: 0.9);

As events occur in the trusted process, the system 100 compares them with the events in the above base behavior chain, using the control 130 , moves along it and calculates the overall probability of occurrence of the events that occurred. When a predetermined threshold is reached from the passed part of the chain, the control tool 130 extracts data that it sends to the analysis tool 140 , namely, to the input of the ML model for further analysis. Based on the results of this analysis, the analysis engine 140 makes a decision about the presence of anomalous behavior in the trusted process.

In one of the options for the operation of a trusted process, the traversed part of the chain may contain the following events:

1. winword.exe (Probability: 1.0 as it is the root process).

2. Application launch (Probability: 0.9).

3. cmd.exe (Probability: 0.8).

4. Application launch (Probability: 0.8).

5. svchost.exe (Probability: 0.2).

Therefore, the output of the chain (the total probability of occurrence of events that have occurred) will correspond to: 1.0 x 0.9 x 0.8 x 0.8 x 0.2 = 0.11520000000000002.

If the given threshold was equal to 0.2, then the total probability passed it. Accordingly, the control means 130 will make a preliminary decision about the presence of an anomaly. Next, the data is extracted and passed to the analyzer 140 as input to the ML model. Let's say the data is words from the attributes of system calls (for example, names of functions and events) from the chain. The analyzer 140 uses the ML model to analyze the received data by words, on the basis of which it makes a final decision about anomalous behavior.

In a particular implementation case, system 100 , when making a decision about the presence of an anomaly in the behavior of a trusted process, additionally transmits information, including the decision made and information about the software and its trusted process, to at least one external CS security component (not shown in Fig. 1 ). External protection components can be CS components or protection components (for example, antivirus) that have the following mechanisms: preventing infection, sending notifications to the user or corporate network management tool, blocking the process, checking the mentioned solution for false positives.

In another particular case of implementation, the system 100 , in the case of transmitting information to the CS component responsible for checking false positives, waits for a response and does not transmit information to other components of the CS. The response contains either information about the absence of a false positive, or about its presence, together with information about the error that led to the erroneous decision. In the case where the false positive is not confirmed, the decision remains in effect and the system 100 passes the information to other components of the CS to ensure data and OS protection. Otherwise, when the false positive is confirmed, the system 100 cancels the decision about the identified anomaly in the behavior of the trusted process and, using the learning module 110, retrains the corresponding ML model and/or performs a change in the basic behavior model based on the information received from the specified CS component. The CS component responsible for checking false positives, when implemented, can be both a technical solution that allows you to independently conduct a check, and a technical solution that interacts with the user (administrator) through the output and input elements. The technical solution that conducts an independent check of false positives is based on the collection of data on the verified decision made from other similar solutions and uses different verification rules in the analysis.

OnFig. 3presented a flowchart illustrating a method for detecting anomalies in the behavior of trusted processes based on Markov chains and a machine learning algorithm. The presented method is implemented using the system tools presented in the descriptionFig. 1.

At step 310 (preliminary), training module 110 performs preparatory work, including the creation of a basic behavior model and an ML model for at least one trusted process. Said preparatory work is shown in the description of FIG. 1 .

At block 320 , the monitor 130 detects that a trusted process is running.

At step 330 , the base behavior model for the detected trusted process is selected using the control 130 , where the specified model is expressed as a Markov chain.

At step 340 , the monitoring tool 130 monitors the operation of the detected trusted process, during which the total probability of occurrence of events occurring in the trusted process is calculated based on the basic behavior model.

At step 350 , it is determined by means of the control 130 whether the overall probability exceeds a predetermined threshold.

At step 360 , with the help of the control tool 130 , in the event that the overall probability has reached or exceeded a predetermined threshold, data is extracted from the resulting chain of events that have occurred and transferred to the analysis tool 140 , namely, to the input of a machine learning model (ML model).

It is worth noting that, depending on the implementation, the parser 140 may include the required ML model. In the event that the parser 140 does not include the required ML model, the parser 140 first queries the data store 120 for the ML model corresponding to said trusted process and then passes the data to it as input.

At step 370 , the analyzer 140 makes a decision about the presence of anomalous behavior in the trusted process based on data analysis using the ML model.

OnFig. 4 presented a flowchart illustrating an example of generating a basic behavior model and a machine learning model (ML Model) for a trusted process. The presented example is implemented using the system tools presented in the descriptionFig. 1.

At block 410 , the driver 180 collects information about events occurring in the trusted process during the execution of the software. The collected information is a behavioral log that is passed to the learning module 110 .

At step 420 , the behavioral log is analyzed using the learning module 110 to recognize the events that have occurred and to identify the parameters of the events that have occurred during the operation of the trusted process. In one embodiment, the text words that are in the event attributes are defined as parameters.

At block 430 , learning module 110 additionally requests statistical data about the operation of such a trusted process. The request is sent to the data store and/or to a remote server.

At step 440 , the training module 110 determines a weight for each event from the received behavioral log. In one implementation, a weighting factor for an event is generated based on the probability of occurrence of the event in all behavioral logs from the collected statistics. Each event in the chain is a probability, it is calculated as the ratio of the number of occurrences of a particular event for the current process to the total number of occurrences of similar events for the current process.

At step 450 , using the learning module 110 , a basic behavior model is formed according to the Markov chain principle, which is a tree-like sequence of events occurring during the execution of software in a trusted process, with each event indicating the probability of its occurrence (weight coefficient).

At 460 , the training module 110 trains the ML model based on the detected event parameters.

At step 470 , the base behavior model and the ML model are added to the data store 120 using the learning module 110 .

Fig. 5 represents an example of a general purpose computer system 20 that can be used as a client computer (eg, a personal computer) or a server shown in FIG. 1 . Computer system 20 includes a central processing unit 21 , system memory 22 , and a system bus 23 , which contains various system components, including memory associated with the central processing unit 21 . The system bus 23 is implemented as any bus structure known in the art, in turn comprising a bus memory or bus memory controller, a peripheral bus, and a local bus capable of interfacing with any other bus architecture. The system memory contains read-only memory (ROM) 24 , random access memory (RAM) 25 . The main input/output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the computer system 20 , for example, at the time of booting the operating system using ROM 24 .

The computer system 20 in turn comprises a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31 such as CD-ROM, DVD -ROM and other optical storage media. The hard disk 27 , the magnetic disk drive 28 , the optical drive 30 are connected to the system bus 23 via the hard disk interface 32 , the magnetic disk interface 33 , and the optical drive interface 34 , respectively. Drives and related computer storage media are non-volatile means of storing computer instructions, data structures, program modules, and other computer system data 20 .

The present description discloses an implementation of a system that uses a hard disk 27' , a removable magnetic disk 29' , and a removable optical disk 31' , but it should be understood that other types of computer storage media 56 that are capable of storing data in a computer-readable form (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55.

The computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38 and program data 39 . The user has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40 , mouse 42 ). Other input devices (not shown) may be used: microphone, joystick, game console, scanner, etc. Such input devices are typically connected to the computer system 20 through a serial port 46 , which in turn is connected to the system bus, but may be connected in other ways, such as through a parallel port, game port, or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48' . In addition to the monitor 47 , the personal computer may be equipped with other peripheral output devices (not shown), such as speakers, a printer, and the like.

The computer system 20 is capable of operating in a networked environment using a network connection to another or more remote computers 49 . The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the nature of the computer system 20 shown in FIG. 5 . Other devices may also be present in the computer network, such as routers, network stations, peer-to-peer devices, or other network nodes.

The network connections may form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the computer system (personal computer) 20 is connected to the local network 50 via a network adapter or network interface 51 . When using networks, personal computer 20 may use a modem 54 or other means to communicate with a wide area network, such as the Internet. The modem 54 , which is an internal or external device, is connected to the system bus 23 via the serial port 46 . It should be clarified that network connections are only indicative and are not required to represent the exact network configuration, i.e. in fact, there are other ways to establish a connection by technical means of communication from one computer to another.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention defined by the formula. A person skilled in the art will appreciate that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (19)

1. A method for detecting an anomaly in the behavior of a trusted process, according to which: A. detecting a trusted process running on the computer system; b. querying the data store for a basic behavior model expressed as a Markov chain and a machine learning model (ML Model) for the file from which the trusted process is launched; V. collect data about the trusted process using the basic behavior model, during which: i. track ongoing events according to the Markov chain from the basic behavior model, ii. determine the probability of occurrence of each event in the trusted process by applying the Markov chain and iii. calculate the overall probability of occurrence of the events that have occurred; d. comparing the overall probability of occurrence of occurred events with a given threshold; e. when a predetermined threshold is exceeded, the events that occurred while following the Markov chain are selected and the data about the events are transmitted to the input of the ML Model, while the data includes the chain of events that have occurred; e. analyze the event data using the ML Model, as a result of the analysis, make a decision about anomalous behavior. 2. The method according to claim 1, in which the basic behavior model, expressed in the form of a Markov chain, contains chains of events that occur during the execution of a trusted process, with each event having its own probability of occurrence. 3. The method according to claim 2, in which the events are trusted, while trusted events have a high probability of occurrence in the chain, where the probability is calculated as the ratio of the number of occurrences of a particular event for the current process to the total number of occurrences of similar events for the current process. 4. The method according to claim 1, wherein the ML Model is pre-trained on the occurrence of text words that occurred in event attributes in the chain. 5. The method according to claim 1, in which the specified ML model was trained in advance both on logs without anomalies and with them, where as a result of training, anomalous events are determined by low coefficients. 6. The method according to claim 1, in which, when anomalous behavior is detected, the trusted process is blocked and the user is notified. 7. The method according to claim. 1, in which when making a decision on anomalous behavior, a check for false positives is carried out by transmitting data to the component responsible for the specified check about the decision made and receiving a response with the results of the check. 8. The method according to claim 7, in which the result of checking a false positive is obtained, while if an error is detected in the decision about the detected anomaly, then the ML Model is retrained by retraining together with the data in the analysis of which the error occurred. 9. The method of claim. 1, in which the chain of occurred events includes events from the initial event to the event after which the specified threshold was reached. 10. A system containing at least one computer, including means interacting with each other: a learning module, a control tool, an analysis tool, a data store containing statistical data on the operation of processes, basic behavior models and ML models, and stored machine-readable instructions, when executed which the system performs anomaly detection in the behavior of the trusted process according to the method according to any one of paragraphs. 1–9.

Images