Identification apparatus, control method therefor, and storage medium

US 10,382,477 B2
Filed: 09/30/2016
Issued: 08/13/2019
Est. Priority Date: 11/05/2014
Status: Active Grant

First Claim

Patent Images

1. An identification apparatus for identifying a spread range of malware, the spread range being a set of media to which the malware has been spread, comprising:

at least one memory that stores instructions and stores an operation history as a history of an operation executed in at least one information processing apparatus; and

at least one processor that, upon executing the instructions, functions asan acquisition unit configured to acquire malware spread information including information indicating malware; and

an identification unit configured toidentify, based on the operation history, an intrusion route of the malware indicated by the malware spread information acquired by the acquisition unit,generate at least one piece of malware spread information corresponding to at least one operation included in the intrusion route in the operation history, andidentify the spread range of the malware by, for each of the at least one piece of malware spread information, identifying at least one operation of spreading the malware in the operation history by setting, as a direct or indirect start point, the malware indicated by the malware spread information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided an identification apparatus. A storage unit stores an operation history as a history of an operation executed in at least one information processing apparatus. An acquisition unit acquires malware spread information including information indicating malware. An identification unit identifies, based on the operation history, an intrusion route of the malware indicated by the malware spread information acquired by the acquisition unit, generates at least one piece of malware spread information corresponding to at least one operation included in the intrusion route in the operation history, and identifies, in the operation history, for each of the at least one piece of malware spread information, at least one operation of spreading the malware by setting, as a direct or indirect start point, the malware indicated by the malware spread information.

38 Citations

15 Claims

1. An identification apparatus for identifying a spread range of malware, the spread range being a set of media to which the malware has been spread, comprising:
- at least one memory that stores instructions and stores an operation history as a history of an operation executed in at least one information processing apparatus; and
  
  at least one processor that, upon executing the instructions, functions asan acquisition unit configured to acquire malware spread information including information indicating malware; and
  
  an identification unit configured toidentify, based on the operation history, an intrusion route of the malware indicated by the malware spread information acquired by the acquisition unit,generate at least one piece of malware spread information corresponding to at least one operation included in the intrusion route in the operation history, andidentify the spread range of the malware by, for each of the at least one piece of malware spread information, identifying at least one operation of spreading the malware in the operation history by setting, as a direct or indirect start point, the malware indicated by the malware spread information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 15)
- - 2. The identification apparatus according to claim 1, whereinthe malware spread information further includes cause information indicating a cause of one of spread and intrusion of the malware, andthe identification unit identifies the at least one operation by processing based on the cause information.
  - 3. The identification apparatus according to claim 2, whereinif the cause information indicates that the malware has been spread due to a file, the identification unit identifies, in the operation history, an operation for at least one of file creation, file change, registry creation, registry change, and access to a shared memory by a process generated by executing the malware indicated by the malware spread information.
  - 4. The identification apparatus according to claim 2, whereinif the cause information indicates that the malware has been spread due to the file, the identification unit identifies, in the operation history, an operation for at least one of file creation, file change, registry creation, registry change, and access to a shared memory by one of a process activated by the process generated by executing the malware indicated by the malware spread information and a process which has loaded the malware indicated by the malware spread information.
  - 5. The identification apparatus according to claim 2, whereinif the cause information indicates that the malware has been spread due to the file, the identification unit identifies, in the operation history, an operation for at least one of a copy, movement, and rename of the malware indicated by the malware spread information.
  - 6. The identification apparatus according to claim 2, whereinif the cause information indicates that the malware has entered due to Web access, the identification unit identifies, in the operation history, an operation for at least one of file creation and file overwrite, which has been performed by a process that has accessed a URL of an intrusion source indicated by the malware spread information between access to the URL of the intrusion source and access to another URL.
  - 7. The identification apparatus according to claim 2, whereinif the cause information indicates that the malware has entered due to mail reception, the identification unit identifies, in the operation history, an operation for at least one of file creation and file overwrite by a process which has received mail from a mail address of an intrusion source indicated by the malware spread information.
  - 8. The identification apparatus according to claim 2, whereinif the cause information indicates that the malware has been spread due to a removable device, the identification unit identifies, in the operation history, an operation for at least one of a copy, movement, and rename of a file from the removable device of an intrusion source indicated by the malware spread information.
  - 9. The identification apparatus according to claim 2, whereinif the cause information indicates that the malware has been spread due to a shared folder, the identification unit identifies, in the operation history, an operation for at least one of a copy, movement, and rename of a file from the shared folder of an intrusion source indicated by the malware spread information.
  - 10. The identification apparatus according to claim 1, whereinthe identification unit generates at least one piece of malware spread information corresponding to at least one operation identified based on the malware spread information acquired by the acquisition unit.
  - 11. The identification apparatus according to claim 1, wherein, upon executing the instructions, the at least one processor further functions as:
    - a detection unit configured to detect malware,wherein the acquisition unit acquires malware spread information corresponding to the malware detected by the detection unit.
  - 12. The identification apparatus according to claim 1, whereinthe acquisition unit acquires malware spread information input by a user.
  - 15. The identification apparatus according to claim 1, wherein the set of media includes information about one or more types of media including computers, files, registries, shared memories, and removable storage devices.

13. A control method for an identification apparatus for identifying a spread range of malware, the spread range being a set of media to which the malware has been spread, comprising:
- storing an operation history as a history of an operation executed in at least one information processing apparatus;
  
  acquiring malware spread information including information indicating malware; and
  
  identifying, based on the operation history, an intrusion route of the malware indicated by the malware spread information acquired in the acquiring,generating at least one piece of malware spread information corresponding to at least one operation included in the intrusion route in the operation history, andidentifying the spread range of the malware by, for each of the at least one piece of malware spread information, identifying at least one operation of spreading the malware in the operation history by setting, as a direct or indirect start point, the malware indicated by the malware spread information.

14. A non-transitory computer-readable storage medium which stores a program for causing a computer to execute a control method for identifying a spread range of malware, the spread range being a set of media to which the malware has been spread, the method comprising:
- storing an operation history as a history of an operation executed in at least one information processing apparatus;
  
  acquiring malware spread information including information indicating malware; and
  
  identifying, based on the operation history, an intrusion route of the malware indicated by the malware spread information acquired in the acquiring,generating at least one piece of malware spread information corresponding to at least one operation included in the intrusion route in the operation history, andidentifying the spread range of the malware by, for each of the at least one piece of malware spread information, identifying at least one operation of spreading the malware in the operation history by setting, as a direct or indirect start point, the malware indicated by the malware spread information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Canon Hi-Tech Limited (Canon Inc.)
Original Assignee
Canon Hi-Tech Limited (Canon Inc.)
Inventors
Takano, Kazuki
Primary Examiner(s)
Sholeman, Abu S

Application Number

US15/281,798
Publication Number

US 20170019415A1
Time in Patent Office

1,047 Days
Field of Search

72 23, 726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 2463/146   Tracing the source of attacks

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Identification apparatus, control method therefor, and storage medium

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Identification apparatus, control method therefor, and storage medium

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links