Automated Malware Detection and Remediation

US 20110247071A1
Filed: 04/06/2010
Published: 10/06/2011
Est. Priority Date: 04/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing a selected computer, wherein the selected computer is part of a computer network, the method comprising:

inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer;

in response to a detected change in state, scanning the selected computer to create a snapshot of the state of the selected computer;

transmitting the snapshot from the selected computer to an analytic system;

in the analytic system, comparing the snapshot with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network, and identifying, in comparison to the aggregated collection of snapshots previously respectively received from the plurality of other computers in the computer network, an anomalous state of the selected computer;

initiating, from the analytic system, a probe of the selected computer to gather additional information related to the anomalous state of the selected computer; and

receiving the additional information and, based thereon, generating a remediation action for the anomalous state of the selected computer.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting malware in a selected computer that is part of a network of computers. The approach includes inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer. In response to a detected change in state, the selected computer is scanned to create a snapshot of the overall state of the selected computer. The snapshot is transmitted to an analytic system wherein it is compared with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network. Based on the comparison, anomalous state of the selected computer can be identified. In turn, a probe of the selected computer is launched to gather additional information related to the anomalous state of the selected computer so that a remediation action for the anomalous state of the selected computer can be generated.

Citations

19 Claims

1. A method of analyzing a selected computer, wherein the selected computer is part of a computer network, the method comprising:
- inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer;
  
  in response to a detected change in state, scanning the selected computer to create a snapshot of the state of the selected computer;
  
  transmitting the snapshot from the selected computer to an analytic system;
  
  in the analytic system, comparing the snapshot with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network, and identifying, in comparison to the aggregated collection of snapshots previously respectively received from the plurality of other computers in the computer network, an anomalous state of the selected computer;
  
  initiating, from the analytic system, a probe of the selected computer to gather additional information related to the anomalous state of the selected computer; and
  
  receiving the additional information and, based thereon, generating a remediation action for the anomalous state of the selected computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein inspecting occurs at least every 1 minute.
  - 3. The method of claim 1, wherein inspecting comprises inspecting registry keys, running processes, open ports, performance counters, security settings, files or memory objects.
  - 4. The method of claim 1, wherein inspecting comprises inspecting for an auto-start mechanism.
  - 5. The method of claim 1, further comprising processing the snapshot for comparison with the aggregated collection of snapshots ahead of another snapshot that was not a result of a detected change in state.
  - 6. The method of claim 1, further comprising determining that the anomalous state of the selected computer is a result of malware.
  - 7. The method of claim 1, wherein the anomalous state of the selected computer is determined to be caused by an anomalous application, the method further comprising displaying, via a user interface, details associated with the anomalous application.
  - 8. The method of claim 7, further comprising displaying at least one high frequency string associated with the anomalous application.
  - 9. The method of claim 8, further comprising displaying the at least one high frequency string as a selectable link.
  - 10. The method of claim 9, further comprising initiating a search of the World Wide Web for the at least one high frequency string when the link is selected.
  - 11. The method of claim 1, further comprising transmitting the remediation action to an agent installed on the selected computer.
  - 12. The method of claim 1, further comprising monitoring for browser application extensions, toolbars, or modifications to Layered Service Providers (LSPs).
  - 13. The method of claim 1, further comprising identifying statistically significant patterns among the respective snapshots in the aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network.

14. A malware detection system, comprising:
- an agent component installed on a computer in a computer network; and
  
  a state change inspection module associated with the agent component, the state change inspection module configured to inspect a predetermined set of attributes of the computer and initiate a request for an on-demand scan of a state of the computer when a change to one of the attributes is detected;
  
  the agent configured to perform the on-demand scan resulting in a snapshot of the sate of the computer, receive instructions to perform a probe of an identified anomaly determined from an analysis of the snapshot, and perform a remedial action with respect to the anomaly upon receipt of instructions to do so.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, further comprising a support facility, separate from the computer, from which the instructions to perform the probe are received.
  - 16. The system of claim 14, further comprising a user interface configured to display information regarding the anomaly.
  - 17. The system of claim 16, wherein when the anomaly is determined to be an anomalous application, the user interface is configured to display probe results including at least one high frequency string associated with the anomalous application, a risk assessment of the anomalous application, or a list of correlated anomalies.
  - 18. The system of claim 17, wherein the user interface is configured to display the high frequency string as a selectable link.
  - 19. The system of claim 17, wherein the remedial action is based on the correlated anomalies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Triumfant Incorporated
Inventors
Hooks, David E., Quinn, Mitchell N.

Granted Patent

US 8,707,427 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/567 using dedicated hardware

G06F 2221/2115 Third party

Automated Malware Detection and Remediation

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automated Malware Detection and Remediation

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links