Systems and methods for detecting system attacks

US 10,721,267 B1
Filed: 07/18/2014
Issued: 07/21/2020
Est. Priority Date: 07/18/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for cooperatively detecting infections on remote computing systems running cooperative anti-malware agents, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

determining, via a first instance of an anti-malware agent installed on a client system, that the client system is under attack;

identifying, via the first instance of the anti-malware agent, a compromised client system from which the attack originated;

in response to identifying the compromised client system from which the attack originated, determining, via the first instance of the anti-malware agent and without the use of a backend server, that the compromised client system includes a second instance of the anti-malware agent by;

querying the compromised client system directly to determine whether the compromised client system includes the second instance of the anti-malware agent;

receiving, from the compromised client system, an indication that the compromised client system includes the second instance of the anti-malware agent;

in response to determining that the compromised client system includes the second instance of the anti-malware agent, notifying, from the first instance of the anti-malware agent, the second instance of the anti-malware agent that the compromised client system performed the attack.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting system attacks may include (1) receiving, from a detecting system capable of detecting attacks, information that identifies an attack that originated from a compromised client system that is remote from the detecting system, (2) determining that the attack originated from the compromised client system, (3) determining that the compromised client system includes an anti-malware agent, and (4) notifying the anti-malware agent on the compromised client system that the compromised client system performed the attack. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for cooperatively detecting infections on remote computing systems running cooperative anti-malware agents, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- determining, via a first instance of an anti-malware agent installed on a client system, that the client system is under attack;
  
  identifying, via the first instance of the anti-malware agent, a compromised client system from which the attack originated;
  
  in response to identifying the compromised client system from which the attack originated, determining, via the first instance of the anti-malware agent and without the use of a backend server, that the compromised client system includes a second instance of the anti-malware agent by;
  
  querying the compromised client system directly to determine whether the compromised client system includes the second instance of the anti-malware agent;
  
  receiving, from the compromised client system, an indication that the compromised client system includes the second instance of the anti-malware agent;
  
  in response to determining that the compromised client system includes the second instance of the anti-malware agent, notifying, from the first instance of the anti-malware agent, the second instance of the anti-malware agent that the compromised client system performed the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein determining that the client system is under attack comprises at least one of:
    - identifying a file suspected of including malware;
      
      identifying a behavior suspected to be malicious.
  - 3. The computer-implemented method of claim 2, wherein notifying the second instance of the anti-malware agent that the compromised client system performed the attack comprises transmitting, to the second instance of the anti-malware agent, a targeted notification that indicates that an attack originated from the compromised client system.
  - 4. The computer-implemented method of claim 1, wherein determining that the client system is under attack comprises at least one of:
    - detecting malicious or unwanted network traffic from the compromised client system;
      
      detecting an attempt to exploit a known vulnerability of the client system under attack;
      
      detecting an unauthorized attempt to create a file on the client system under attack;
      
      detecting an unauthorized attempt to modify an existing file on the client system under attack;
      
      detecting an attempt to modify an executing process of the client system under attack;
      
      detecting an unauthorized attempt to modify a system configuration database on the client system under attack;
      
      detecting an unexpected attempt to execute a software program on the client system under attack;
      
      detecting an unauthorized attempt to access sensitive data on the client system under attack;
      
      detecting an attempt to bypass a security system of the client system under attack;
      
      detecting an attempt to disable a security system of the client system under attack.
  - 5. The computer-implemented method of claim 1, wherein the first instance of the anti-malware agent and the second instance of the anti-malware agent comprise cooperative anti-malware agents from a same software vendor.
  - 6. The computer-implemented method of claim 1, wherein determining that the compromised client system includes a second instance of the anti-malware agent further comprises determining that:
    - the compromised client system was successfully attacked by malware that instigated the attack on the client system under attack;
      
      the malware avoided detection by the second instance of the anti-malware agent.
  - 7. The computer-implemented method of claim 1, wherein notifying the second instance of the anti-malware agent comprises transmitting, to the second instance of the anti-malware agent, at least one of:
    - a category of attack that originated from the compromised client system;
      
      information identifying malware that infected the compromised client system;
      
      instructions for halting the attack originating from the compromised client system;
      
      instructions for removing malware that infected the compromised client system;
      
      instructions to perform an anti-malware scan on the compromised client system;
      
      instructions for submitting a suspected malware file to an anti-malware service.
  - 8. The computer-implemented method of claim 1, further comprising performing a security action comprising at least one of:
    - notifying an administrator that an attack originated from the compromised client system;
      
      performing a malware scan on the client system under attack;
      
      instructing an additional computing system in communication with the compromised client system to perform a malware scan of the additional computing system.

9. A system for cooperatively detecting infections on computing systems running cooperative anti-malware agents, the system comprising:
- an identification module stored in memory of a client system, that;
  
  determines, via a first instance of an anti-malware agent installed on the client system, that the client system is under attack; and
  
  identifies, via the first instance of the anti-malware agent, a compromised client system from which the attack originated;
  
  a determination module stored in the memory of the client system under attack, that, in response to the identification module identifying the compromised client system from which the attack originated, determines, via the first instance of the anti-malware agent and without the use of a backend server, that the compromised client system includes a second instance of the anti-malware agent by;
  
  querying the compromised client system directly to determine whether the compromised client system includes the second instance of the anti-malware agent;
  
  receiving, from the compromised client system, an indication that the compromised client system includes the second instance of the anti-malware agent;
  
  a notification module stored in the memory of the client system under attack, that, in response to the determination module determining that the compromised client system includes the second instance of the anti-malware agent, notifies, via the first instance of the anti-malware agent, the second instance of the anti-malware agent that the compromised client system performed the attack;
  
  at least one physical processor configured to execute at least the identification module, the determination module and the notification module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the notification module notifies the second instance of the anti-malware agent that the compromised client system performed the attack by transmitting, to the second instance of the anti-malware agent, a targeted notification that indicates that an attack originated from the compromised client system.
  - 11. The system of claim 10, wherein the first instance of the anti-malware agent and the second instance of the anti-malware agent comprise cooperative anti-malware agents from a same software vendor.
  - 12. The system of claim 9, wherein the identification module identifies the attack by at least one of:
    - detecting malicious or unwanted network traffic from the compromised client system;
      
      detecting an attempt to exploit a known vulnerability of the client system under attack;
      
      detecting an unauthorized attempt to create a file on the client system under attack;
      
      detecting an unauthorized attempt to modify an existing file on the client system under attack;
      
      detecting an attempt to modify an executing process of the client system under attack;
      
      detecting an unauthorized attempt to modify a system configuration database on the client system under attack.
  - 13. The system of claim 9, wherein the identification module identifies the attack by at least one of:
    - detecting an unexpected attempt to execute a software program on the client system under attack;
      
      detecting an unauthorized attempt to access sensitive data on the client system under attack;
      
      detecting an attempt to bypass a security system of the client system under attack;
      
      detecting an attempt to disable a security system of the client system under attack.
  - 14. The system of claim 9, wherein the first instance of the anti-malware agent identifies the attack based on information obtained from a network gateway.
  - 15. The system of claim 9, wherein the notification module notifies the second instance of the anti-malware agent by transmitting to the second instance of the anti-malware agent at least one of:
    - a category of attack that originated from the compromised client system;
      
      information identifying malware that infected the compromised client system;
      
      instructions for halting the attack originating from the compromised client system;
      
      instructions for removing malware that infected the compromised client system;
      
      instructions to perform an anti-malware scan on the compromised client system;
      
      instructions for submitting a suspected malware file to an anti-malware service.
  - 16. The system of claim 9, further comprising a security module stored in memory of the client system, that performs a security action comprising at least one of:
    - performing a malware scan on the client system under attack;
      
      instructing an additional computing system in communication with the compromised client system to perform a malware scan of the additional computing system.

17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- determine, via a first instance of an anti-malware agent installed on a client system, that the client system is under attack;
  
  identify, via the first instance of the anti-malware agent, a compromised client system from which the attack originated;
  
  in response to identifying the compromised client system from which the attack originated, determine, via the first instance of the anti-malware agent and without the use of a backend server, that the compromised client system includes a second instance of the anti-malware agent by;
  
  querying the compromised client system directly to determine whether the compromised client system includes the second instance of the anti-malware agent;
  
  receiving, from the compromised client system, an indication that the compromised client system includes the second instance of the anti-malware agent;
  
  in response to determining that the compromised client system includes the second instance of the anti-malware agent, notify, from the first instance of the anti-malware agent, the second instance of the anti-malware agent that the compromised client system performed the attack.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the first instance of the anti-malware agent and the second instance of the anti-malware agent comprise cooperative anti-malware agents from a same software vendor.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the first instance of the anti-malware agent notifies the second instance of the anti-malware agent that the compromised client system performed the attack by transmitting, to the second instance of the anti-malware agent, a targeted notification that indicates that an attack originated from the compromised client system.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the first instance of the anti-malware agent determines that the client system is under attack by at least one of:
    - detecting malicious or unexpected network traffic from the compromised client system;
      
      detecting an attempt to exploit a known vulnerability of the client system under attack;
      
      detecting an unauthorized attempt to create a file on the client system under attack;
      
      detecting an unauthorized attempt to modify an existing file on the client system under attack;
      
      detecting an attempt to modify an executing process of the client system under attack;
      
      detecting an unauthorized attempt to modify a system configuration database on the client system under attack;
      
      detecting an unexpected attempt to execute a software program on the client system under attack;
      
      detecting an unauthorized attempt to access sensitive data on the client system under attack;
      
      detecting an attempt to bypass a security system of the client system under attack;
      
      detecting an attempt to disable a security system of the client system under attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
NortonLifeLock Inc.
Inventors
Alexander, Christopher
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
Cruz-Franqui, Richard W

Application Number

US14/335,232
Time in Patent Office

2,195 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/245   Query processing

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Systems and methods for detecting system attacks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting system attacks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links