IDENTIFYING EXPLOITATION OF VULNERABILITIES USING ERROR REPORT
First Claim
1. A method of computer forensics to determine whether an error report contains evidence of an exploit, the method comprising:
scanning the error report for a memory pattern indicative of an attempt to subvert a security mechanism;
scanning the error report for exception information indicative of a point of attack; and
recording forensic data associated with a result of any of the scanning steps onto a computer-readable storage medium.
Abstract
A tool and method examine error report information from a computer to determine not only whether a virus or other malware may be present on the computer but also what vulnerability a particular exploit was attempting to use to subvert a security mechanism in order to install the virus. A system monitor may collect both error reports and information about the error report, such as geographic location, hardware configuration, and software/operating system version information, to build a profile of the spread of an attack and to be able to issue notifications calling for increased data collection for errors, including crashes related to services suspected of being under attack.
20 Claims
1. A method of computer forensics to determine whether an error report contains evidence of an exploit, the method comprising:
scanning the error report for a memory pattern indicative of an attempt to subvert a security mechanism; scanning the error report for exception information indicative of a point of attack; and recording forensic data associated with a result of any of the scanning steps onto a computer-readable storage medium. (Dependent claims: 2 to 12)

13. A system for collecting and managing error report data that determines when an exploit has taken place on one or more networked computers comprising:
a network connection for receiving error report data from a plurality of networked computers; a data store for collecting the error report data from the plurality of networked computers; a notification module responsive to an identification of an exploit in a service of one of the plurality of computers that sends a notice to each of the plurality of computers to collect and forward maximal error data associated with the service; a data collection module that obtains state data regarding the one of the plurality of computers; and an analysis module that analyzes data in the data store and state data to produce the identification of the exploit in the service. (Dependent claims: 14 to 18)

19. A method of performing computer forensics to determine whether an error report contains evidence of an exploit, the method comprising:
receiving an error report file; scanning the error report for a known exploit at an executable memory location; scanning for NOP sleds; scanning for a decoder loop; scanning for each of a malicious text, a malicious string, and a malicious binary sequence; scanning for evidence of a disabled defense program; scanning for a hijacked control structure; examining exception information for a location of a vulnerability that indicates a point of attack; and reporting one of the error report file and the result of the exploit analysis to a system monitor via a network connection. (Dependent claim: 20)
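As an added illustration (not code from the patent or its assignee), the following Python scanner applies several of the checks enumerated in claim 19 to a constructed crash-report record: a NOP-sled run, a suspect string, an exception raised while executing from a non-executable region, and a saved return address pointing outside executable code. The region layout, the sled threshold and the string list are assumptions made for the example.

```python
import re

NOP_SLED_MIN = 32  # assumption: a run of at least this many 0x90 bytes counts as a NOP sled
SUSPECT_STRINGS = (b"cmd.exe", b"/bin/sh")  # assumption: tiny stand-in for a malicious-string list


def region_of(regions, addr):
    """Return (name, executable) for the region containing addr, or (None, None)."""
    for name, base, executable, data in regions:
        if base <= addr < base + len(data):
            return name, executable
    return None, None


def scan_error_report(regions, exception_address, return_address):
    """Apply claim-19 style checks to captured memory regions plus exception information.
    regions: list of (name, base, executable, bytes). Returns a list of (kind, detail) findings."""
    findings = []
    for name, base, executable, data in regions:
        # NOP-sled check: a long run of 0x90 anywhere in a captured region
        for m in re.finditer(rb"\x90{%d,}" % NOP_SLED_MIN, data):
            findings.append(("nop_sled", f"{name}+0x{m.start():x} len={len(m.group())}"))
        # malicious-string check against the stand-in list
        for s in SUSPECT_STRINGS:
            if s in data:
                findings.append(("malicious_string", f"{s.decode()} in {name}"))
    # exception information: a fault while executing from a non-executable region
    name, executable = region_of(regions, exception_address)
    if executable is False:
        findings.append(("point_of_attack", f"fault at 0x{exception_address:x} in {name}"))
    # hijacked control structure: saved return address does not point into executable code
    name, executable = region_of(regions, return_address)
    if executable is False:
        findings.append(("hijacked_control", f"return address 0x{return_address:x} in {name}"))
    return findings


def constructed_report():
    """Constructed sample (not a real crash dump): a non-executable stack region holding a
    64-byte sled and a shell string, plus an executable text region with ordinary prologues."""
    stack = b"\x41" * 16 + b"\x90" * 64 + b"/bin/sh\x00" + b"\x00" * 8
    text = b"\x55\x48\x89\xe5" * 16
    regions = [("text", 0x400000, True, text), ("stack", 0x7FFC0000, False, stack)]
    # fault address and saved return address both land inside the stack region
    return regions, 0x7FFC0010, 0x7FFC0010


if __name__ == "__main__":
    for kind, detail in scan_error_report(*constructed_report()):
        print(f"{kind}: {detail}")
```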