In most client security applications that are installed on an end user's computer (for example, personal firewalls and antivirus software), the user and/or manufacturer of the security application defines exclusions to the blocking policies of the security products. For example, the user might define an exclusion allowing a trusted personal accounting program to transmit financial data to the Internet, or the manufacturer of antivirus software may define an exclusion allowing its own update management program to overwrite antivirus signatures stored on the user's hard disk. In other words, certain trusted processes are allowed to perform activities which the security software, by default, blocks processes from performing. These exclusions to blocking policies are for well-known, trusted applications. A resulting problem is that these exclusions often persist wrongly across upgrades and plug-in changes and, worst of all, survive the unauthorized attachment of malicious code, such as a computer virus or worm, to the trusted process.
The majority of processes running on an end user computer have a standard pattern of system resource utilization and user interaction. For example, a process that has never used the network is unlikely to start using the network. Likewise, an application that uses the network heavily, but has never enumerated every file on the hard drive, is unlikely to start enumerating the hard drive.
What is needed are methods, computer-readable media and computer systems for detecting anomalous behavior by previously trusted processes, so that appropriate corrective action can be taken, such as revoking the blocking exclusions.
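As an added illustration, not part of this document, the following Python sketch applies the idea above: learn each trusted process's resource-category profile from a baseline period, flag a process the first time it uses a category absent from its profile, and revoke its exclusions. The event log, process names, resource categories and exclusion table are all constructed for the example.

```python
from collections import defaultdict

# Constructed baseline log (hypothetical monitor): (process, resource_category).
BASELINE_EVENTS = [
    ("accounting.exe", "network"), ("accounting.exe", "file_read"),
    ("accounting.exe", "network"),
    ("av_updater.exe", "network"), ("av_updater.exe", "file_write"),
]

# Constructed live log: two trusted processes do something never seen before.
LIVE_EVENTS = [
    ("accounting.exe", "network"),
    ("accounting.exe", "file_enumerate"),  # new for accounting.exe
    ("av_updater.exe", "file_write"),
    ("av_updater.exe", "registry_write"),  # new for av_updater.exe
    ("browser.exe", "file_enumerate"),     # no exclusions, so not in scope
]

# Hypothetical policy table: exclusions granted to trusted processes.
EXCLUSIONS = {
    "accounting.exe": {"allow_outbound_network"},
    "av_updater.exe": {"allow_signature_overwrite"},
}

def build_profiles(events):
    """Learn, per process, the set of resource categories it has used."""
    profiles = defaultdict(set)
    for proc, category in events:
        profiles[proc].add(category)
    return profiles

def detect_anomalies(profiles, events, exclusions=EXCLUSIONS):
    """Return {process: sorted new categories} for processes that hold an
    exclusion and use a category missing from their learned profile."""
    anomalies = defaultdict(set)
    for proc, category in events:
        if proc in exclusions and category not in profiles.get(proc, set()):
            anomalies[proc].add(category)
    return {p: sorted(c) for p, c in anomalies.items()}

def revoke_exclusions(exclusions, anomalies):
    """Corrective action: drop every exclusion held by an anomalous process.
    Returns a new policy table and leaves the input unchanged."""
    return {p: (set() if p in anomalies else set(ex)) for p, ex in exclusions.items()}

def run():
    profiles = build_profiles(BASELINE_EVENTS)
    anomalies = detect_anomalies(profiles, LIVE_EVENTS)
    return anomalies, revoke_exclusions(EXCLUSIONS, anomalies)
```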