System and method of identifying the source of an attack on a computer network

US 20060070130A1
Filed: 09/27/2004
Published: 03/30/2006
Est. Priority Date: 09/27/2004
Status: Active Grant

First Claim

Patent Images

1. A method of identifying the source of a malware that was released onto a communication network, the method comprising:

(a) obtaining the memory state of a plurality of computing devices connected to the communication network;

(b) determining that the malware was released onto the communication network;

(c) identifying computing devices in the communication network that are infected with the malware; and

(d) tracing the spread of the malware between computing devices infected with the malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system and method of tracing the spread of computer malware in a communication network. One aspect of the present invention is a method that traces the spread of computer malware in a communication network. When suspicious data characteristic of malware is identified in a computing device connected to the communication network, the method causes data that describes the state of the computing device to be stored in a database. After a specific attack against the communication network is confirmed, computing devices that are infected with the malware are identified. Then, the spread of the malware between computing devices in the communication network is traced back to a source.

Citations

26 Claims

1. A method of identifying the source of a malware that was released onto a communication network, the method comprising:
- (a) obtaining the memory state of a plurality of computing devices connected to the communication network;
  
  (b) determining that the malware was released onto the communication network;
  
  (c) identifying computing devices in the communication network that are infected with the malware; and
  
  (d) tracing the spread of the malware between computing devices infected with the malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein obtaining the memory state of a plurality of computing devices connected to the communication network includes:
    - (a) receiving notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network; and
      
      (b) transmitting data representative of the memory state of the client computing device to a server computing device.
  - 3. The method of claim 2, wherein the notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network is obtained from an anti-virus software application that makes an application programming interface call when the suspicious data is detected.
  - 4. The method of claim 2, wherein the notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network includes categorical information about the suspicious data.
  - 5. The method of claim 2, wherein the notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network includes the suspicious data.
  - 6. The method of claim 2, wherein the memory state of the client computing device transmitted to the server computing device is contained in minidump file.
  - 7. The method of claim 1, wherein determining that the malware was released onto the communication network includes analyzing categorical data obtained from an anti-virus software application and wherein the categorical data describes characteristics of the malware.
  - 8. The method claim 1, wherein identifying computing devices in the communication network that are infected with the malware includes:
    - (a) obtaining program code that implements the malware; and
      
      (b) generating a data set that describes characteristics of the malware from sample computing devices; and
      
      (c) comparing the data set that describes characteristics of the malware obtained from the sample computing devices with characteristics of the malware as observed in computing devices connected to the communication network.
  - 9. The method of claim 8, wherein generating a data set that describes characteristics of the malware includes installing the program code that implements the malware on the sample computing devices.
  - 10. The method of claim 8, wherein comparing the data set that describes characteristics of the malware obtained from the sample set of computing devices with characteristics of the malware as observed in computing devices connected to the communication network includes comparing data contained in minidump files.
  - 11. The method of claim 1, wherein tracing the spread of the malware between computing devices infected with the malware includes:
    - (a) recording when each client computing device reported suspicious data characteristic of the malware; and
      
      (b) sorting the client computing devices infected with the malware based on when the suspicious data was reported.

12. A computer-readable medium bearing computer-executable instructions that, when executed, carries out a method of identifying the source of a malware that was released onto a communication network, the method comprising:
- (a) obtaining the memory state of a plurality of computing devices connected to the communication network;
  
  (b) determining that the malware was released onto the communication network;
  
  (c) identifying computing devices in the communication network that are infected with the malware; and
  
  (d) tracing the spread of the malware between computing devices infected with the malware.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer-readable medium of claim 12, wherein obtaining the memory state of a plurality of computing devices connected to the communication network includes:
    - (a) receiving notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network; and
      
      (b) transmitting data representative of the memory state of the client computing device to a server computing device.
  - 14. The computer-readable medium of claim 13, wherein the notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network is obtained from an anti-virus software application that makes an application programming interface call when the suspicious data is detected.
  - 15. The computer-readable medium of claim 13, wherein the notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network includes categorical information about the suspicious data.
  - 16. The computer-readable medium of claim 13, wherein the notice that suspicious data characteristic of malware is detected in a client computing device connected to the communication network includes the suspicious data.
  - 17. The computer-readable medium of claim 13, wherein the memory state of the client computing device transmitted to the server computing device is contained in minidump file.
  - 18. The computer-readable medium of claim 12, wherein determining that the malware was released onto the communication network includes analyzing categorical data obtained from an anti-virus software application and wherein the categorical data describes characteristics of the malware.
  - 19. The computer-readable medium of claim 12, wherein identifying computing devices in the communication network that are infected with the malware includes:
    - (a) obtaining program code that implements the malware; and
      
      (b) generating a data set that describes characteristics of the malware from sample computing devices; and
      
      (c) comparing the data set that describes characteristics of the malware obtained from the sample computing devices with characteristics of the malware as observed in computing devices connected to the communication network.
  - 20. The computer-readable medium of claim 19, wherein generating a data set that describes characteristics of the malware includes installing the program code that implements the malware on the sample computing devices.
  - 21. The computer-readable medium of claim 19, wherein comparing the data set that describes characteristics of the malware obtained from the sample set of computing devices with characteristics of the malware as observed in computing devices connected to the communication network includes comparing data contained in minidump files.
  - 22. The computer-readable medium of claim 12, wherein tracing the spread of the malware between computing devices infected with the malware includes:
    - (a) recording when each client computing device reported suspicious data characteristic of the malware; and
      
      (b) sorting the client computing devices infected with the malware based on when the suspicious data was reported.

23. A software system for identifying the source of a malware that was released onto a communication network, the software system comprising:
- (a) anti-virus software for detecting the presence of suspicious data on a client computing device;
  
  (b) an application program interface to present functions to software applications for reporting suspicious data;
  
  (c) an operating system for capturing the memory state of the computing device when suspicious data is reported; and
  
  (d) a memory collection database operative to store data that captures the memory state of the computing device received from the operating system.
- View Dependent Claims (24, 25, 26)
- - 24. The software system of claim 23, further comprising a memory collection server operative to manage the collection of data in the memory collection database.
  - 25. The software system of claim 23, wherein the anti-virus software is configured to generate function calls to the application program interface when suspicious data is identified.
  - 26. The software system of claim 23, wherein the operating system is configured to capture the memory state of the computing device in a minidump file and wherein the memory collection database stores minidump files generated by the operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Costea, Mihai, Aucsmith, David W.

Granted Patent

US 7,434,261 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 2463/146   Tracing the source of attacks

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

System and method of identifying the source of an attack on a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of identifying the source of an attack on a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links