Automated Malware Detection and Remediation
First Claim
1. A method of analyzing a selected computer, wherein the selected computer is part of a computer network, the method comprising:
inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer;
in response to a detected change in state, scanning the selected computer to create a snapshot of the state of the selected computer;
transmitting the snapshot from the selected computer to an analytic system;
in the analytic system, comparing the snapshot with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network, and identifying, in comparison to the aggregated collection of snapshots previously respectively received from the plurality of other computers in the computer network, an anomalous state of the selected computer;
initiating, from the analytic system, a probe of the selected computer to gather additional information related to the anomalous state of the selected computer; and
receiving the additional information and, based thereon, generating a remediation action for the anomalous state of the selected computer.
6 Assignments
0 Petitions
Abstract
Systems and methods for detecting malware in a selected computer that is part of a network of computers. The approach includes inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer. In response to a detected change in state, the selected computer is scanned to create a snapshot of the overall state of the selected computer. The snapshot is transmitted to an analytic system wherein it is compared with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network. Based on the comparison, an anomalous state of the selected computer can be identified. In turn, a probe of the selected computer is launched to gather additional information related to the anomalous state of the selected computer so that a remediation action for the anomalous state of the selected computer can be generated.
19 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2-13.
14. A malware detection system, comprising:
an agent component installed on a computer in a computer network; and
a state change inspection module associated with the agent component, the state change inspection module configured to inspect a predetermined set of attributes of the computer and initiate a request for an on-demand scan of a state of the computer when a change to one of the attributes is detected;
the agent configured to perform the on-demand scan resulting in a snapshot of the state of the computer, receive instructions to perform a probe of an identified anomaly determined from an analysis of the snapshot, and perform a remedial action with respect to the anomaly upon receipt of instructions to do so.
Dependent claims: 15-19.
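As an added illustration of the flow described in the abstract and in claim 14 (inspect a watched attribute set, take an on-demand snapshot when it changes, compare the snapshot against the aggregated snapshots of the other computers, probe the anomaly, generate a remediation), here is a minimal end-to-end simulation in Python. This is example code written for this page, not the patent's or any vendor's implementation; the watched attribute names, the prevalence threshold, the fleet snapshots and the probe details are all constructed assumptions.

```python
# Added example for this page: a minimal simulation of the inspect -> snapshot ->
# compare -> probe -> remediate flow from the abstract and claim 14. Not the
# patent's or any vendor's code; attribute names, threshold and data are assumed.
from collections import Counter

# Assumed "predetermined set of operational attributes" the agent watches.
WATCHED = ("services", "autoruns", "listening_ports")

# Constructed prior snapshots from the other computers in the network, as the
# analytic system would hold them: host -> {attribute: set of observed values}.
FLEET = {
    "ws-01": {"services": {"WinDefend", "Spooler"}, "autoruns": {"OneDrive"}, "listening_ports": {135, 445}},
    "ws-02": {"services": {"WinDefend", "Spooler"}, "autoruns": {"OneDrive"}, "listening_ports": {135, 445}},
    "ws-03": {"services": {"WinDefend"}, "autoruns": {"OneDrive", "Teams"}, "listening_ports": {135, 445}},
    "ws-04": {"services": {"WinDefend", "Spooler"}, "autoruns": {"Teams"}, "listening_ports": {135, 445, 3389}},
}

# Constructed detail the probe can fetch from the selected host, keyed by value.
PROBE_DATA = {
    "updsvc": {"image": r"C:\Users\Public\updsvc.exe", "signed": False, "parent": "winword.exe"},
    4444: {"process": "updsvc.exe", "remote": None},
}

# Constructed last-known and current state of the selected computer "ws-05".
SELECTED_PREVIOUS = {"services": {"WinDefend", "Spooler"}, "autoruns": {"OneDrive"}, "listening_ports": {135, 445}}
SELECTED_CURRENT = {"services": {"WinDefend", "Spooler", "updsvc"}, "autoruns": {"OneDrive", "updsvc"},
                    "listening_ports": {135, 445, 4444}}


def changed_attributes(previous, current, watched=WATCHED):
    """State-change inspection: which watched attributes differ from the last known state."""
    return [a for a in watched if previous.get(a, set()) != current.get(a, set())]


def take_snapshot(state, watched=WATCHED):
    """On-demand scan: capture the watched attributes as an immutable snapshot."""
    return {a: frozenset(state.get(a, set())) for a in watched}


def aggregate(fleet, watched=WATCHED):
    """Analytic side: for each attribute, how many hosts report each value."""
    agg = {a: Counter() for a in watched}
    for snap in fleet.values():
        for a in watched:
            agg[a].update(snap.get(a, set()))
    return agg


def find_anomalies(host, snapshot, fleet, max_prevalence=0.25):
    """Flag snapshot values that fewer than max_prevalence of the *other* hosts report."""
    others = {h: s for h, s in fleet.items() if h != host}  # never compare a host to itself
    if not others:
        return []  # no peer population, so nothing can be called anomalous
    agg = aggregate(others)
    anomalies = []
    for attr, values in snapshot.items():
        for value in sorted(values, key=str):
            prevalence = agg[attr][value] / len(others)
            if prevalence < max_prevalence:
                anomalies.append((attr, value, prevalence))
    return anomalies


def probe(anomaly, probe_data=PROBE_DATA):
    """Follow-up requested by the analytic system: gather extra detail about one anomalous value."""
    attr, value, _ = anomaly
    return {"attribute": attr, "value": value, "detail": probe_data.get(value, {})}


def remediation_for(probe_result):
    """Turn probe detail into a concrete action; items the probe cannot characterise are only reported."""
    attr, value, detail = probe_result["attribute"], probe_result["value"], probe_result["detail"]
    if attr in ("services", "autoruns") and detail and not detail.get("signed", True):
        return {"action": "quarantine_and_disable", "target": detail["image"],
                "reason": f"unsigned {attr[:-1]} {value!r} spawned by {detail.get('parent')}"}
    if attr == "listening_ports" and detail.get("process"):
        return {"action": "block_port_and_kill", "target": value, "process": detail["process"]}
    return {"action": "report_only", "target": value}


def run_pipeline(host, previous_state, current_state, fleet):
    """Claim-1 flow end to end: inspect -> snapshot -> compare -> probe -> remediate."""
    if not changed_attributes(previous_state, current_state):
        return []  # no state change, so no scan is triggered
    snapshot = take_snapshot(current_state)
    return [remediation_for(probe(a)) for a in find_anomalies(host, snapshot, fleet)]


if __name__ == "__main__":
    for action in run_pipeline("ws-05", SELECTED_PREVIOUS, SELECTED_CURRENT, FLEET):
        print(action)
```

Two points a practitioner should take from the simulation. First, a prevalence baseline flags anything rare across the fleet, including legitimate one-off configuration (the RDP port that only ws-04 listens on is flagged just as the dropped service is), so the probe step is what separates a remediation from a mere report; the example only acts when the probe returns something actionable such as an unsigned image or the process behind the port. Second, the comparison must exclude the selected computer's own earlier snapshots (the claim compares against the "plurality of other computers"); otherwise a host that has been compromised for a while seeds its own baseline and its malware stops looking anomalous.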