Virus intrusion route identification device, virus intrusion route identification method, and program
Abstract
The invention aims to backtrack a virus infection route with more detail than in the conventional case. CPUs of client devices respectively monitor operations, and cause storage devices to store operation histories. The CPU determines, upon detecting a virus, the time and date at which the virus was first saved in the client device based on the operation history stored in the storage device, and determines a virus intrusion route based on the operation content that was executed at the determined time and date.
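As an added illustration (not code from the patent or its applicant), the Python sketch below follows the procedure in the abstract: find the record in which the infected file was first saved, then use that record's operation content and process ID to step back one hop at a time. The record layout, operation names, sample history, and the "latest read by the same PID" heuristic are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Op:
    ts: int                     # event time (constructed; epoch seconds in a real log)
    pid: int                    # process that performed the operation
    op: str                     # assumed vocabulary: download | read | save | copy
    path: str                   # file the operation touched or created
    src: Optional[str] = None   # URL for a download, source path for a copy

URL = "http://files.example.test/invoice.zip"
ZIP = r"C:\Users\a\Downloads\invoice.zip"
EXE = r"C:\Users\a\Desktop\invoice.exe"
SHARE = r"D:\share\invoice.exe"

# Constructed sample operation history for one terminal device.
HISTORY = [
    Op(100, 410, "download", ZIP, URL),
    Op(150, 410, "read", r"C:\Users\a\Documents\notes.txt"),
    Op(200, 522, "read", ZIP),
    Op(201, 522, "save", EXE),
    Op(300, 600, "copy", SHARE, EXE),
    Op(400, 600, "save", SHARE),   # later overwrite; the first save is what matters
]

CREATES = {"download", "save", "copy"}

def first_saved(history, path):
    """Earliest record in which `path` was written to the device, or None."""
    hits = [r for r in history if r.path == path and r.op in CREATES]
    return min(hits, key=lambda r: r.ts) if hits else None

def backtrack(history, infected_path):
    """Return (route, complete). The route is listed origin first; complete is
    False when the local history runs out before an external origin is found."""
    route, seen, target = [infected_path], {infected_path}, infected_path
    while True:
        rec = first_saved(history, target)
        if rec is None:
            return route[::-1], False          # history does not reach back far enough
        if rec.op == "download":
            route.append(rec.src)              # external origin reached
            return route[::-1], True
        if rec.op == "copy":
            nxt = rec.src                      # operation content names the source
        else:
            # Plain save: use the PID as the search key and take the latest file
            # that process read before saving (assumed heuristic). PIDs are
            # reused, so a real log should also key on process start time.
            reads = [r for r in history
                     if r.pid == rec.pid and r.op == "read" and r.ts <= rec.ts]
            nxt = max(reads, key=lambda r: r.ts).path if reads else None
        if nxt is None or nxt in seen:         # dead end or loop in the records
            return route[::-1], False
        seen.add(nxt)
        route.append(nxt)
        target = nxt

if __name__ == "__main__":
    print(backtrack(HISTORY, SHARE))
```

An incomplete result (`complete` is False) corresponds to the case in claims 19, 22 and 23 where the terminal cannot determine the route from its own history and asks a server device to search its history.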
27 Claims
1. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content; and
- a processor configured to:
  (a) determine, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory; and
  (b) output information indicating the intrusion route determined by the processor, the output information including information indicating a route in which the virus moved,
- wherein the processor is configured to determine the intrusion route by searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 18
16. A method for backtracking a virus intrusion route of a virus to a terminal device, the method comprising:
- an operation history storing process of storing an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content, into an operation history memory;
- a determining process of determining, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history storage unit; and
- an outputting process of outputting information indicating the intrusion route determined in the determining process, the output information including information indicating a route in which the virus moved,
- wherein the determining process includes (1) searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) determining the intrusion route based on the searching.
17. A program stored in a non-transitory computer-readable recording medium that causes a computer to execute virus intrusion route determining processing for backtracking an intrusion route of a virus to a terminal device, wherein the computer has an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content, and wherein the program causes the computer to function as:
- (a) a determining unit configured to determine, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory; and
- (b) an output unit configured to output information indicating the intrusion route determined by the determining unit, the output information including information indicating a route in which the virus moved, and
- wherein the determination by the determining unit comprises (1) searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) determining the intrusion route based on the search.
19. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content; and
- a processor configured to:
  (a) attempt to determine, upon detecting a virus, an intrusion route of the virus by backtracking the intrusion route based on the operation history stored in the operation history memory; and
  (b) transmit, to a server device connected to the terminal device, a request for determining an intrusion route based on the operation history stored in the server device, when the processor cannot determine the intrusion route based on the operation history stored in the operation history memory,
- wherein the terminal device is provided with the virus intrusion route determining device and the server device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the intrusion route to the terminal device, and
- wherein the determination of the intrusion route to the terminal device comprises (1) searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) determining the intrusion route based on the search.
20. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device; and
- a processor configured to attempt to determine, upon detecting a virus, an intrusion route of the virus, the attempted determination comprising conducting an examination of the operation history stored in the operation history storage unit that is a history of operations executed in the terminal device,
- wherein the terminal device is provided with the virus intrusion route determining device that stores, in the terminal device, a first operation history, and a server device connected to the terminal device is also provided with the virus intrusion route determining device that stores, in the server device, a second operation history,
- wherein before the processor provided in the terminal device determines the intrusion route, the processor provided in the terminal device transmits, to a server device, a request for determining the intrusion route,
- wherein the processor provided in the server device determines the intrusion route with respect to the second operation history,
- wherein the processor provided in the terminal device conducted an examination of the first operation history during a first time period,
- wherein the second operation history was acquired during a second time period, and
- wherein the second time period is later in time than the first time period.
21. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including at least one process ID (identification), which is information identifying a software process; and
- a processor configured to, upon detecting a virus, determine an intrusion route of the virus by backtracking the intrusion route based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device,
- wherein the processor is further configured to determine, based on a process ID of a process in which the virus was detected, one or more files operated between activation of the process and detection of the virus,
- wherein when a plurality of files are determined, the processor performs narrowing-down of the plurality of files to one file that is related to the intrusion route after executing weighting with respect to the plurality of files.
22. A method for backtracking an intrusion route of a virus to a terminal device, the method comprising:
- storing, by the terminal device, an operation history, which is a history of operations executed in the terminal device, into an operation history memory, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content;
- attempting to determine, by the terminal device, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device; and
- transmitting, to a server device connected to the terminal device, a request for determining an intrusion route based on an operation history stored in the server device, when the intrusion route cannot be determined based on the operation history stored in the operation history memory,
- wherein the terminal device is provided with the virus intrusion route determining device and the server device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the intrusion route,
- wherein the request for determining a virus intrusion route includes a request (1) to search the operation history stored in the server device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) to determine the intrusion route based on the search.
23. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device that backtracks an intrusion route of a virus to a terminal device, wherein the computer includes an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content, the program causing the computer to function as:
- a determining unit configured to attempt to determine, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device; and
- a request transmitting unit configured to transmit, to a server device connected to the terminal device, a request for determining an intrusion route based on an operation history stored in the server device, when the determining unit cannot determine the intrusion route based on the operation history stored in the operation history memory,
- wherein the terminal device is provided with the virus intrusion route determining device and the server device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the intrusion route,
- wherein the request for determining a virus intrusion route includes a request (1) to search the operation history stored in the server device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) to determine the intrusion route based on the search.
24. A method that is executed in a virus intrusion route determining device that backtracks an intrusion route of a virus to a terminal device, wherein the terminal device has a virus intrusion route determining device that stores, in the terminal device, a first operation history, and a server device connected to the terminal device also has a virus intrusion route determining device that stores, in the server device, a second operation history, the method comprising:
- storing an operation history, which is a history of operations executed in the terminal device, into an operation history memory; and
- determining, upon detecting a virus, an intrusion route of the detected virus, based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device,
- wherein the terminal device transmits, to the server device, before determining the intrusion route, a request for determining the intrusion route,
- wherein the virus intrusion route determining device provided in the server device determines the intrusion route with respect to the second operation history,
- wherein the virus intrusion route determining device provided in the terminal device conducted an examination of the first operation history during a first time period,
- wherein the second operation history was acquired during a second time period, and
- wherein the second time period is later in time than the first time period.
25. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device that backtracks an intrusion route of a virus to a terminal device, the computer having an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, the program causing the computer to function as:
- a determining unit configured to attempt to determine, upon detecting a virus, an intrusion route of the detected virus, the attempted determination comprising conducting an examination of the operation history stored in the operation history memory that is a history of operations executed in the terminal device,
- wherein the terminal device is provided with the virus intrusion route determining device that stores, in the terminal device, a first operation history, and a server device connected to the terminal device is also provided with the virus intrusion route determining device that stores, in the server device, a second operation history,
- wherein before the determining unit provided in the terminal device determines the intrusion route, the determining unit provided in the terminal device transmits, to the server device, a request for determining the intrusion route,
- wherein the determining unit provided in the server device determines the intrusion route based on the second operation history,
- wherein the determining unit provided in the terminal device conducted an examination of the first operation history during a first time period,
- wherein the second operation history was acquired during a second time period, and
- wherein the second time period is later in time than the first time period.
26. A method in a virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the method comprising:
- a storing process of storing an operation history, which is a history of operations executed in the terminal device, into an operation history storage unit; and
- a determining process of, upon detecting a virus, determining an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history storage unit that is a history of operations executed in the terminal device,
- wherein the determining process includes the processes of:
  (a) determining, based on process identification information of a process in which the virus was detected, one or more files operated between activation of the process and detection of the virus; and
  (b) performing, when a plurality of files are determined, narrowing-down of the plurality of files to one file that is related to the intrusion route after executing weighting with respect to the plurality of files.
27. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, wherein the program causes the computer to function as:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device; and
- a determining unit for, upon detecting a virus, determining an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history storage unit that is a history of operations executed in the terminal device,
- wherein the determining unit is further configured to determine, based on process identification information of a process in which the virus was detected, one or more files operated between activation of the process and detection of the virus, and
- wherein, when a plurality of files are determined, the determining unit performs narrowing-down of the plurality of files to one file that is related to the virus intrusion route after executing weighting with respect to the plurality of files.