Systems and methods for detecting system attacks
Abstract
The disclosed computer-implemented method for detecting system attacks may include (1) receiving, from a detecting system capable of detecting attacks, information that identifies an attack that originated from a compromised client system that is remote from the detecting system, (2) determining that the attack originated from the compromised client system, (3) determining that the compromised client system includes an anti-malware agent, and (4) notifying the anti-malware agent on the compromised client system that the compromised client system performed the attack. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for cooperatively detecting infections on remote computing systems running cooperative anti-malware agents, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- determining, via a first instance of an anti-malware agent installed on a client system, that the client system is under attack;
- identifying, via the first instance of the anti-malware agent, a compromised client system from which the attack originated;
- in response to identifying the compromised client system from which the attack originated, determining, via the first instance of the anti-malware agent and without the use of a backend server, that the compromised client system includes a second instance of the anti-malware agent by:
  - querying the compromised client system directly to determine whether the compromised client system includes the second instance of the anti-malware agent;
  - receiving, from the compromised client system, an indication that the compromised client system includes the second instance of the anti-malware agent;
- in response to determining that the compromised client system includes the second instance of the anti-malware agent, notifying, from the first instance of the anti-malware agent, the second instance of the anti-malware agent that the compromised client system performed the attack.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for cooperatively detecting infections on computing systems running cooperative anti-malware agents, the system comprising:
- an identification module stored in memory of a client system, that:
  - determines, via a first instance of an anti-malware agent installed on the client system, that the client system is under attack; and
  - identifies, via the first instance of the anti-malware agent, a compromised client system from which the attack originated;
- a determination module stored in the memory of the client system under attack, that, in response to the identification module identifying the compromised client system from which the attack originated, determines, via the first instance of the anti-malware agent and without the use of a backend server, that the compromised client system includes a second instance of the anti-malware agent by:
  - querying the compromised client system directly to determine whether the compromised client system includes the second instance of the anti-malware agent;
  - receiving, from the compromised client system, an indication that the compromised client system includes the second instance of the anti-malware agent;
- a notification module stored in the memory of the client system under attack, that, in response to the determination module determining that the compromised client system includes the second instance of the anti-malware agent, notifies, via the first instance of the anti-malware agent, the second instance of the anti-malware agent that the compromised client system performed the attack;
- at least one physical processor configured to execute at least the identification module, the determination module, and the notification module.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- determine, via a first instance of an anti-malware agent installed on a client system, that the client system is under attack;
- identify, via the first instance of the anti-malware agent, a compromised client system from which the attack originated;
- in response to identifying the compromised client system from which the attack originated, determine, via the first instance of the anti-malware agent and without the use of a backend server, that the compromised client system includes a second instance of the anti-malware agent by:
  - querying the compromised client system directly to determine whether the compromised client system includes the second instance of the anti-malware agent;
  - receiving, from the compromised client system, an indication that the compromised client system includes the second instance of the anti-malware agent;
- in response to determining that the compromised client system includes the second instance of the anti-malware agent, notify, from the first instance of the anti-malware agent, the second instance of the anti-malware agent that the compromised client system performed the attack.

Dependent claims: 18, 19, 20.
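The agent-to-agent exchange the independent claims describe (detect the attack, identify its source, query the source host directly for a second agent instance, receive its indication, then notify it), as an added simulation that is not the patent's own code. The hosts, the failed-login event format, the threshold, and the in-memory `peers` map standing in for direct host-to-host messaging are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
FAIL_THRESHOLD = 5  # constructed: failed logins from one source before it counts as an attack
@dataclass
class Agent:
    # `peers` stands in for direct host-to-host messaging; no backend server (constructed)
    host: str
    peers: dict
    notices: list = field(default_factory=list)  # notices received as a suspected source
    remediated: bool = False
    def __post_init__(self):
        self.peers[self.host] = self  # make this instance reachable by host name

    def detect_attack(self, events):
        # Steps 1-2: decide this host is under attack and identify the source host
        fails = Counter(e["src"] for e in events
                        if e["dst"] == self.host and e["event"] == "auth_fail")
        src, count = fails.most_common(1)[0] if fails else (None, 0)
        return src if count >= FAIL_THRESHOLD else None

    def query_peer(self, host):
        # Step 3: ask the suspected host directly whether it runs an agent instance
        peer = self.peers.get(host)
        return peer is not None and peer.answer_query()

    def answer_query(self):
        return True  # the indication that a second agent instance is installed here

    def receive_notice(self, reporter, evidence):
        # Step 4 (receiving side): the reporting agent says this host performed the attack
        self.notices.append((reporter, evidence))
        self.remediated = True  # stand-in for this agent's own scan and cleanup

def handle(agent, events):
    # Run the four claimed steps for one agent; returns a status string
    src = agent.detect_attack(events)
    if src is None:
        return "no_attack"
    if not agent.query_peer(src):
        return f"no_agent:{src}"  # source runs no agent; only local defences apply
    agent.peers[src].receive_notice(agent.host, {"event": "auth_fail", "target": agent.host})
    return f"notified:{src}"

def demo():
    # Constructed scenario: 10.0.0.7 (runs an agent) brute-forces 10.0.0.5
    peers = {}
    victim, attacker = Agent("10.0.0.5", peers), Agent("10.0.0.7", peers)
    events = [{"src": "10.0.0.7", "dst": "10.0.0.5", "event": "auth_fail"}] * 6
    return handle(victim, events), attacker
```

In a real deployment the query and notification exchange between agent instances would need mutual authentication, which the claims do not specify; a notice accepted from an unverified reporter would let any host trigger remediation on another.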
Specification