SYSTEM AND METHOD OF DETECTING DIRECTED ATTACK ON CORPORATE INFRASTRUCTURE Russian patent published in 2016 - IPC G06F21/00 

FIELD: information technology.

SUBSTANCE: invention relates to protection against computer threats. Method of detecting harmful objects on a computing device comprises the following steps: a) obtaining of information on at least one object on the computing device containing, among them, a checksum of the object by means of a device for detection of suspicious objects; b) analysis of the said information on the object by means of a device for detection of suspicious objects, at that, based on a set of heuristic rules used by the device for detection of suspicious objects, one determines if the analysed object is suspicious or not; c) collection, by means of device for detection of suspicious objects, of information on the object, if it was classified as suspicious at the earlier stage, while the said information includes at least an API-function call history log, time of appearance of the object on the computing device, and transmission of the collected information on the suspicious object to a device for objects analysis; d) performance of analysis of the received from the device for detection of suspicious objects information on the object by the device for objects analysis; at that, based on a set of heuristic rules used by the device for objects analysis, done determines whether the suspicious object is potentially harmful or not, and sends a request for transmission of the potentially harmful object; at that, recognition of the suspicious object as potentially harmful in accordance with heuristic rules is carried out by comparing information on the analysed object and information on objects stored in a database of harmful objects and a database of safe objects; at that, the set of heuristic rules used for the said analysis differs from the set of heuristic rules used by the device for detection of suspicious objects; e) reception of a request from the device for objects analysis for transmission of a potentially harmful object by means of the device for detection of suspicious objects; f) determination, with the help of the device for complying with safety policy, of a possibility for transmission of the potentially harmful object to the device for objects analysis; at that, if transmission the potentially harmful object is prohibited in accordance with the security policy used by the device for complying with security policy, the latter inhibits transmission of the potentially harmful object to the device for objects analysis, otherwise the transmission is allowed; g) transmission, with the help of the device for detection of suspicious objects of the potentially harmful object for analysis to the device of objects analysis, if transmission was permitted by the device for complying with security policies at the earlier stage; h) analysis of received potentially harmful object by means of the device for objects analysis, at that, one clarifies, whether the degree of similarity of the potentially harmful object with any object from a database of harmful objects exceeds the preset threshold, and if the degree of similarity of the potentially harmful object with any object from a database of harmful objects exceeds the preset threshold, the said object is recognised as harmful.

EFFECT: higher safety of a computing device.

2 cl, 3 dwg