Method and system for a self-healing device

US 20060137010A1
Filed: 12/21/2004
Published: 06/22/2006
Est. Priority Date: 12/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for a self-healing device, the method comprising:

uncovering evidence indicating a presence of an infection in a device at a first point in time;

restoring a state of the device to an earlier point in time to remove the infection, wherein the state at the earlier point in time is sufficiently trustworthy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A self-healing device is provided in which changes made between the time that an infection resulting from an attack on the device was detected and an earlier point in time to which the device is capable of being restored may be recovered based, at least in part, on what kinds of changes were made, whether the changes were bona fide or malware induced, whether the changes were made after the time that the infection likely occurred, and whether new software was installed.

107 Citations

View as Search Results

20 Claims

1. A method for a self-healing device, the method comprising:
- uncovering evidence indicating a presence of an infection in a device at a first point in time;
  
  restoring a state of the device to an earlier point in time to remove the infection, wherein the state at the earlier point in time is sufficiently trustworthy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein uncovering evidence indicating the presence of the infection includes uncovering evidence indicating a time that the infection may have occurred.
  - 3. The method of claim 1, further comprising:
    - detecting changes in the state of the device proximate to the first point in time, wherein uncovering evidence indicating the presence of the infection is based on the changes that were detected.
  - 4. The method of claim 3, wherein detecting changes in the state of the device proximate to the first point in time includes parsing information from a change journal maintained for a file system used by the device.
  - 5. The method of claim 4, wherein the change journal is a Windows NT File System change journal.
  - 6. The method of claim 3, wherein detecting changes in the state of the device proximate to the first point in time includes determining differences between archived and live data on the device.
  - 7. The method of claim 3, wherein detecting changes in the state of the device proximate to the first point in time includes examining a disk state saved on the device.
  - 8. The method of claim 7, further comprising:
    - determining that the state of the device at the earlier point in time is sufficiently trustworthy when the disk state saved on the device at the earlier point in time is not infected.
  - 9. The method of claim 8, wherein determining that the state of the device at the earlier point in time is sufficiently trustworthy includes grading the disk state saved on the device at the earlier point in time based on a level of trustworthiness, the grade level of trustworthiness being greater when the saved disk state is not infected and lesser when the saved disk state is infected.
  - 10. The method of claim 9, wherein the disk state is a volume shadow copy generated by Windows Volume Snapshot Services.

11. A method of recovering from a malware attack, the method comprising:
- obtaining information from at least one of a change journal and a saved disk state;
  
  analyzing the information to uncover evidence indicating that an infection has occurred; and
  
  localizing the infection in time based on the information.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising:
    - identifying changes occurring since the time of the infection; and
      
      rolling back the changes to before the time of the infection.
  - 13. The method of claim 12, further comprising:
    - presenting the identified changes to a user; and
      
      receiving authorization from the user before rolling back the changes.
  - 14. The method of claim 11, wherein the information is parsed from the at least one of the change journal and the saved disk state.
  - 15. The method of claim 11, wherein the information is a state change associated with the device.
  - 16. The method of claim 11, wherein the change journal is a Windows NT File System change journal.
  - 17. The method of claim 11, wherein the saved disk state is a volume shadow copy generated by Windows Volume Snapshot Services.

18. A system for a self-healing device, the system comprising:
- a repository of malware information;
  
  a repository of system audit information;
  
  a processor to uncover evidence of infection from a malware attack, to identify changes occurring since the evidence of infection, and to recover from the malware attack by removing the changes based on at least one of the malware information and the system audit information.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, further comprising:
    - a user input authorizing recovery from the malware attack by removing the changes, wherein the processor displays the identified changes occurring since the evidence of infection, and recovers from the malware attack after receiving the user input authorizing removing the changes.
  - 20. The system of claim 18, wherein the repository of system audit information includes at least one of a change journal and a saved disk state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Marinescu, Adrian M., Kramer, Michael, Field, Scott A., Carter-Schwendler, Carl, Seinfeld, Marc E., Luber, Paul

Granted Patent

US 7,624,443 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/568   eliminating virus, restorin...

Y10S 707/99953   Recoverability

Method and system for a self-healing device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for a self-healing device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links