Andromeda strain hacker analysis system and method
Abstract
A system and method for determining a point of immunity of a computing system to a computer virus are provided. Call traces of a process that processes a data packet suspected of carrying a computer virus are obtained in both an infected computing system and an immune computing system. Differences between the call traces are used to pinpoint the point in the series of calls at which the processing by the two processes diverges. The process corresponding to this point of divergence is then identified, and the version information of that process on the infected computing system and on the immune computing system is determined. Differences in the version information are identified, and immunization recommendations are made based on those differences.
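The comparison the abstract describes reduces to a differential trace analysis: align the two call traces, find the first index where they differ, map that call back to the component that made it, and diff that component's version between the two systems. The following Python is an added illustration of that procedure and is not code from the patent or its assignee; the module names, call sequences and version strings are constructed sample data, and the "module!function" trace line format is an assumption chosen for the example.

```python
"""Differential call-trace comparison to locate a 'point of immunity'.

Added example: aligns the call trace of an infectable system against that of an
immune system, finds where they diverge, and reports the version difference of
the component responsible. All trace data and version numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Call:
    module: str    # component (library, driver, service) that executed the call
    function: str  # function name within that component


def parse_trace(text: str) -> List[Call]:
    """Parse trace lines of the assumed form 'module!function', one per line.

    Blank lines and lines starting with '#' are ignored so that captured
    traces can carry comments.
    """
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        module, _, function = line.partition("!")
        if not function:
            raise ValueError(f"malformed trace line: {line!r}")
        calls.append(Call(module, function))
    return calls


# Constructed sample traces: the immune system's handler validates the packet
# length and rejects it; the infectable build skips validation and copies.
INFECTABLE_TRACE = parse_trace("""
netstack!recv_packet
parser!parse_header
parser!parse_body
handler!dispatch
handler!write_buffer
libc!memcpy
""")

IMMUNE_TRACE = parse_trace("""
netstack!recv_packet
parser!parse_header
parser!parse_body
handler!dispatch
handler!validate_length
handler!reject_packet
""")

# Constructed component version inventories for the two systems.
INFECTABLE_VERSIONS = {"netstack": "1.0", "parser": "2.3", "handler": "4.1", "libc": "2.31"}
IMMUNE_VERSIONS = {"netstack": "1.0", "parser": "2.3", "handler": "4.2", "libc": "2.31"}


def find_divergence(a: List[Call], b: List[Call]) -> Optional[int]:
    """Return the index of the first differing call, or None if traces match.

    If one trace is a strict prefix of the other, the divergence is at the
    length of the shorter trace (the first call the shorter one never made).
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    if len(a) != len(b):
        return min(len(a), len(b))
    return None


def locate_point_of_immunity(
    infectable: List[Call],
    immune: List[Call],
    infectable_versions: Dict[str, str],
    immune_versions: Dict[str, str],
) -> Optional[Dict[str, object]]:
    """Identify the diverging component and the version difference behind it."""
    idx = find_divergence(infectable, immune)
    if idx is None:
        return None  # identical processing: no point of immunity to report
    # The component whose behaviour differs is the one that made the first
    # differing call; prefer the immune side, since that is where the
    # protective behaviour appears, and fall back if the immune trace ended.
    call = immune[idx] if idx < len(immune) else infectable[idx]
    module = call.module
    inf_ver = infectable_versions.get(module)
    imm_ver = immune_versions.get(module)
    if inf_ver != imm_ver:
        recommendation = f"upgrade {module} from {inf_ver} to {imm_ver}"
    else:
        recommendation = f"no version difference for {module}; inspect its configuration"
    return {
        "index": idx,
        "module": module,
        "function": call.function,
        "infectable_version": inf_ver,
        "immune_version": imm_ver,
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    print(locate_point_of_immunity(INFECTABLE_TRACE, IMMUNE_TRACE,
                                   INFECTABLE_VERSIONS, IMMUNE_VERSIONS))
```

On the constructed data the traces agree through `handler!dispatch` and diverge at index 4, where the immune system calls `handler!validate_length`; the handler component is at version 4.2 on the immune system and 4.1 on the infectable one, so the recommendation names that upgrade. Real traces need the same alignment care the patent implies: the two processes must be "comparable" (same build of everything except the suspected component, fed the same packet), otherwise the first divergence reflects unrelated noise such as address-space layout or scheduling rather than the protective check.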
20 Claims
1. A method, in a data processing system, for identifying a point of immunity to a computer based attack, comprising:
generating a first call trace of a first process, in an infectable computer system, that processes a data packet suspected of being associated with a computer based attack;
generating a second call trace of a second process, comparable to the first process, in an immune computer system, that processes the data packet suspected of being associated with a computer based attack;
comparing the first call trace to the second call trace; and
determining a point of immunity based on results of the comparison of the first call trace to the second call trace.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer program product in a computer readable medium for identifying a point of immunity to a computer based attack, comprising:
first instructions for generating a first call trace of a first process, in an infectable computer system, that processes a data packet suspected of being associated with a computer based attack;
second instructions for generating a second call trace of a second process, comparable to the first process, in an immune computer system, that processes the data packet suspected of being associated with a computer based attack;
third instructions for comparing the first call trace to the second call trace; and
fourth instructions for determining a point of immunity based on results of the comparison of the first call trace to the second call trace.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A system for identifying a point of immunity to a computer based attack, comprising:
means for generating a first call trace of a first process, in an infectable computer system, that processes a data packet suspected of being associated with a computer based attack;
means for generating a second call trace of a second process, comparable to the first process, in an immune computer system, that processes the data packet suspected of being associated with a computer based attack;
means for comparing the first call trace to the second call trace; and
means for determining a point of immunity based on results of the comparison of the first call trace to the second call trace.
Specification