Virus intrusion route identification device, virus intrusion route identification method, and program

US 10,326,792 B2
Filed: 05/28/2015
Issued: 06/18/2019
Est. Priority Date: 12/07/2012
Status: Active Grant

First Claim

Patent Images

1. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:

an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content; and

a processor configured to;

(a) determine, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory; and

(b) output information indicating the intrusion route determined by the processor, the output information including information indicating a route in which the virus moved,wherein the processor is configured to determine the intrusion route by searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention aims to backtrack a virus infection route with more detail than in the conventional case. CPUs of client devices respectively monitor operations, and cause storage devices to store operation histories. The CPU determines, upon detecting a virus, the time and date at which the virus was first saved in the client device based on the operation history stored in the storage device, and determines a virus intrusion route based on the operation content that was executed at the determined time and date.

Citations

27 Claims

1. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content; and
  
  a processor configured to;
  
  (a) determine, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory; and
  
  (b) output information indicating the intrusion route determined by the processor, the output information including information indicating a route in which the virus moved,wherein the processor is configured to determine the intrusion route by searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 18)
- - 2. The virus intrusion route determining device according to claim 1, wherein the virus intrusion route determining device is provided in the terminal device.
  - 3. The virus intrusion route determining device according to claim 1, wherein the virus intrusion route determining device is provided in a server device that is connected to the terminal device.
  - 4. The virus intrusion route determining device according to claim 3, wherein the processor is further configured to:
    - (a) detect a virus; and
      
      (b) transmit, to the server device, a request for determining an intrusion route of the detected virus.
  - 5. The virus intrusion route determining device according to claim 3, wherein the terminal device includes:
    - a processor configured to transfer an operation history stored in the operation history memory of the terminal device so that the operation history is stored in the server device, and deleting all or part of the transferred operation history.
  - 6. The virus intrusion route determining device according to claim 1, wherein the processor is further configured to determine an intrusion entry via which a virus is intruded into the terminal device by determining, for each of records constituting the operation history, whether or not an operation content included therein is a specific operation content that is executed at the time of virus intrusion.
  - 7. The virus intrusion route determining device according to claim 1, wherein the processor is further configured to determine the intrusion route by additionally searching the operation history for a parent process that called a child process involved in saving of the virus.
  - 8. The virus intrusion route determining device according to claim 3, wherein the operation history stored in the operation history memory of the virus intrusion route determining device provided in the server device covers a longer period of time than an operation history stored in an operation history memory of a virus intrusion route determining device provided in the terminal device.
  - 9. The virus intrusion route determining device according to claim 3, wherein operation histories acquired by a plurality of terminal devices are stored in the operation history memory provided in the server device, andwherein the processor is further configured to search, when a virus has been found in one of the plurality of terminal devices, the operation histories of the plurality of terminal devices based on a path name or process identification information that is related to the virus, and to determine the intrusion route.
  - 10. The virus intrusion route determining device according to claim 1, wherein the processor is further configured to search in the operation history memory, based on process identification information of a process in which the virus was detected, for a path name of a file operated between activation of the process and detection of the virus, and to determine a terminal device that provided the file, based on the path name found by the search.
  - 11. The virus intrusion route determining device according to claim 1, wherein the processor is further configured to search the operation history memory, based on process identification information of a process in which the virus was detected, for a path name of a file operated between activation of the process and detection of the virus, and to recognize the process itself as a virus when a file operated between activation of the process and detection of the virus is not found.
  - 12. The virus intrusion route determining device according to claim 3, wherein the processor is further configured to:
    - (a) determine, based on process identification information of a process in which a virus was detected, another process in which an executable file of that process, in which the virus was detected, was created;
      
      (b) determine whether or not the other process is an e-mail mail user agent (MUA); and
      
      (c) determine, if the other process is an e-mail MUA,(1) an operation history indicating that the e-mail MUA received an e-mail to which the executable file of the process is attached,(2) a sender of the e-mail based on the operation history,(3) an operation history indicating that the sender transferred the e-mail,(4) an operation history indicating that the e-mail transferred by the sender was received by yet another sender, and(5) the intrusion route based on the operation histories.
  - 13. The virus intrusion route determining device according to claim 3, wherein the processor is further configured to:
    - determine, based on process identification information of a process in which a virus was detected, a path name of a file operated by the process;
      
      determine, based on the path name of the file, an operation history indicating that the file was stored in a removable device;
      
      determine identification information of the removable device based on the operation history;
      
      determine another terminal device that has ever connected to the removable device, based on the identification information of the removable device, anddetermine the intrusion route based on the operation history of the other terminal device.
  - 14. The virus intrusion route determining device according to claim 1, wherein the processor is further configured to determine, based on process identification information of a process in which a virus was detected, a file operated between activation of the process and detection of the virus operation,wherein, when a plurality of files are determined, the processor performs narrowing-down of the plurality of files to one file that is related to the intrusion route by executing weighting with respect to the plurality of files, andwherein the weighting is executed according to at least one of (1) the time and date at which the one file, of the plurality of files, was operated, (2) the execution result of the one file, (3) the result obtained by executing virus detection on the one file, and (4) information input by a user.
  - 15. The virus intrusion route determining device according to claim 1, wherein the processor is further configured to determine a route in which the virus was distributed based on the operation history stored in the operation history memory.
  - 18. The virus intrusion route determining device according to claim 1, wherein the processor is further configured to, when a virus has been found in the terminal device, search the operation history stored in the operation history memory, based on a time and date related to the virus, for a file name, a path name, or process identification information that is related to the virus, and to determine the virus intrusion route.

16. A method for backtracking a virus intrusion route of a virus to a terminal device, the method comprising:
- an operation history storing process of storing an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content, into an operation history memory;
  
  a determining process of determining, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history storage unit; and
  
  an outputting process of outputting information indicating the intrusion route determined in the determining process, the output information including information indicating a route in which the virus moved,wherein the determining process includes (1) searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) determining the intrusion route based on the searching.

17. A program stored in a non-transitory computer-readable recording medium that causes a computer to execute virus intrusion route determining processing for backtracking an intrusion route of a virus to a terminal device, wherein the computer has an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content, and wherein the program causes the computer to function as:
- (a) a determining unit configured to determine, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory; and
  
  (b) an output unit configured to output information indicating the intrusion route determined by the determining unit, the output information including information indicating a route in which the virus moved, andwherein the determination by the determining unit comprises (1) searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) determining the intrusion route based on the search.

19. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content; and
  
  a processor configured to;
  
  (a) attempt to determine, upon detecting a virus, an intrusion route of the virus by backtracking the intrusion route based on the operation history stored in the operation history memory; and
  
  (b) transmit, to a server device connected to the terminal device, a request for determining an intrusion route based on the operation history stored in the server device, when the processor cannot determine the intrusion route based on the operation history stored in the operation history memory,wherein the terminal device is provided with the virus intrusion route determining device and the server device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the intrusion route to the terminal device, andwherein the determination of the intrusion route to the terminal device comprises (1) searching the operation history that is a history of operations executed in the terminal device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) determining the intrusion route based on the search.

20. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device; and
  
  a processor configured to attempt to determine, upon detecting a virus, an intrusion route of the virus, the attempted determination comprising conducting an examination of the operation history stored in the operation history storage unit that is a history of operations executed in the terminal device,wherein the terminal device is provided with the virus intrusion route determining device that stores, in the terminal device, a first operation history, and a server device connected to the terminal device is also provided with the virus intrusion route determining device that stores, in the server device, a second operation history,wherein before the processor provided in the terminal device determines the intrusion route, the processor provided in the terminal device transmits, to a server device, a request for determining the intrusion route,wherein the processor provided in the server device determines the intrusion route with respect to the second operation history,wherein the processor provided in the terminal device conducted an examination of the first operation history during a first time period,wherein the second operation history was acquired during a second time period, andwherein the second time period is later in time than the first time period.

21. A virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the virus intrusion route determining device comprising:
- an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including at least one process ID (identification), which is information identifying a software process; and
  
  a processor configured to, upon detecting a virus, determine an intrusion route of the virus by backtracking the intrusion route based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device,wherein the processor is further configured to determine, based on a process ID of a process in which the virus was detected, one or more files operated between activation of the process and detection of the virus, wherein when a plurality of files are determined, the processor performs narrowing-down of the plurality of files to one file that is related to the intrusion route after executing weighting with respect to the plurality of files.

22. A method for backtracking an intrusion route of a virus to a terminal device, the method comprising:
- storing, by the terminal device, an operation history, which is a history of operations executed in the terminal device, into an operation history memory, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content;
  
  attempting to determine, by the terminal device, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device; and
  
  transmitting, to a server device connected to the terminal device, a request for determining an intrusion route based on an operation history stored in the server device, when the intrusion route cannot be determined based on the operation history stored in the operation history memory,wherein the terminal device is provided with the virus intrusion route determining device and the server device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the intrusion route,wherein the request for determining a virus intrusion route includes a request (1) to search the operation history stored in the server device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) to determine the intrusion route based the search.

23. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device that backtracks an intrusion route of a virus to a terminal device, wherein the computer includes an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, including (a) at least one process ID (identification), which is information identifying a software process, and (b) operation content, the program causing the computer to function as:
- a determining unit configured to attempt to determine, upon detecting a virus, an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device; and
  
  a request transmitting unit configured to transmit, to a server device connected to the terminal device, a request for determining an intrusion route based on an operation history stored in the server device, when the determining unit cannot determine the intrusion route based on the operation history stored in the operation history memory,wherein the terminal device is provided with the virus intrusion route determining device and the server device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the intrusion route,wherein the request for determining a virus intrusion route includes a request (1) to search the operation history stored in the server device based on the operation content that is related to the virus and by using a process ID that is related to the virus as a search key, and (2) to determine the intrusion route based on the search.

24. A method that is executed in a virus intrusion route determining device that backtracks an intrusion route of a virus to a terminal device, wherein the terminal device has a virus intrusion route determining device that stores, in the terminal device, a first operation history, and a server device connected to the terminal device also has a virus intrusion route determining device that stores, in the server device, a second operation history, the method comprising:
- storing an operation history, which is a history of operations executed in the terminal device, into an operation history memory; and
  
  determining, upon detecting a virus, an intrusion route of the detected virus, based on the operation history stored in the operation history memory that is a history of operations executed in the terminal device,wherein the terminal device transmits, to the server device, before determining the intrusion route, a request for determining the intrusion route,wherein the virus intrusion route determining device provided in the server device determines the intrusion route with respect to the second operation history,wherein the virus intrusion route determining device provided in the terminal device conducted an examination of the first operation history during a first time period,wherein the second operation history was acquired during a second time period, andwherein the second time period is later in time than the first time period.

25. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device that backtracks an intrusion route of a virus to a terminal device, the computer having an operation history memory configured to store an operation history, which is a history of operations executed in the terminal device, the program causing the computer to function as:
- a determining unit configured to attempt to determine, upon detecting a virus, an intrusion route of the detected virus, the attempted determination comprising conducting an examination of the operation history stored in the operation history memory that is a history of operations executed in the terminal device,wherein the terminal device is provided with the virus intrusion route determining device that stores, in the terminal device, a first operation history, and a server device connected to the terminal device is also provided with the virus intrusion route determining device that stores, in the server device, a second operation history,wherein before the determining unit provided in the terminal device determines the intrusion route, the determining unit provided in the terminal device transmits, to the server device, a request for determining the intrusion route,wherein the determining unit provided in the server device determines the intrusion route based on the second operation history,wherein the determining unit provided in the terminal device conducted an examination of the first operation history during a first time period,wherein the second operation history was acquired during a second time period, andwherein the second time period is later in time than the first time period.

26. A method in a virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, the method comprising:
- a storing process of storing an operation history, which is a history of operations executed in the terminal device, into an operation history storage unit; and
  
  a determining process of, upon detecting a virus, determining an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history storage unit that is a history of operations executed in the terminal device,wherein the determining process includes the processes of;
  
  (a) determining, based on process identification information of a process in which the virus was detected, one or more files operated between activation of the process and detection of the virus; and
  
  (b) performing, when a plurality of files are determined, narrowing-down of the plurality of files to one file that is related to the intrusion route after executing weighting with respect to the plurality of files.

27. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device for backtracking an intrusion route of a virus to a terminal device, wherein the program causes the computer to function as:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device; and
  
  a determining unit for, upon detecting a virus, determining an intrusion route of the detected virus by backtracking the intrusion route based on the operation history stored in the operation history storage unit that is a history of operations executed in the terminal device,wherein the determining unit is further configured to determine, based on process identification information of a process in which the virus was detected, one or more files operated between activation of the process and detection of the virus, andwherein, when a plurality of files are determined, the determining unit performs narrowing-down of the plurality of files to one file that is related to the virus intrusion route after executing weighting with respect to the plurality of files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Canon Hi-Tech Limited (Canon Inc.)
Original Assignee
Canon Hi-Tech Limited (Canon Inc.)
Inventors
Hagiwara, Hiroshi, Yotsuyanagi, Takashi
Primary Examiner(s)
Sholeman, Abu S

Application Number

US14/723,898
Publication Number

US 20150264062A1
Time in Patent Office

1,482 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

H04L 2463/146   Tracing the source of attacks

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Virus intrusion route identification device, virus intrusion route identification method, and program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Virus intrusion route identification device, virus intrusion route identification method, and program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links