SYSTEM AND METHOD FOR MALWARE ALERTING BASED ON ANALYSIS OF HISTORICAL NETWORK AND PROCESS ACTIVITY

US 20120102568A1
Filed: 10/26/2010
Published: 04/26/2012
Est. Priority Date: 10/26/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method for malware protection, comprising:

receiving detection information for detecting malware on an electronic device;

accessing historical information of an electronic device;

comparing the detection information to the historical information; and

based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information;

wherein comparing detection information to the historical information comprises;

determining that information from a first category of historical information is associated with a source of malware;

cross-referencing information from a second category of historical information to the information from the first category; and

associating the information from the second category with the malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for malware protection includes receiving detection information for detecting malware on an electronic device, accessing historical information of an electronic device, comparing the detection information to the historical information, and based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information. Comparing detection information to historical information includes determining that information from a first category of historical information is associated with a source of malware, cross-referencing information from a second category of historical information to the information from the first category, and associating the information from the second category with the malware.

285 Citations

30 Claims

1. A method for malware protection, comprising:
- receiving detection information for detecting malware on an electronic device;
  
  accessing historical information of an electronic device;
  
  comparing the detection information to the historical information; and
  
  based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information;
  
  wherein comparing detection information to the historical information comprises;
  
  determining that information from a first category of historical information is associated with a source of malware;
  
  cross-referencing information from a second category of historical information to the information from the first category; and
  
  associating the information from the second category with the malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - scanning the electronic device for malware; and
      
      determining that the electronic device may have been infected with malware;
      
      wherein the detection information is associated with the malware which may have infected the electronic device.
  - 3. The method of claim 1, further comprising:
    - determining that the electronic device may have been infected with malware, wherein such determination is based upon the comparison of the detection information with the historical information.
  - 4. The method of claim 1, further comprising:
    - including the information from the second category with the alerts sent to the user.
  - 5. The method of claim 1, wherein one of the categories of historical information comprises network activity.
  - 6. The method of claim 1, wherein the second category of historical information comprises data sent to or from a network destination.
  - 7. The method of claim 1, wherein one of the categories of historical information comprises changes to an operating system.
  - 8. The method of claim 1, wherein the second category of historical information comprises a vulnerability status of an application possibly exposed to malware.
  - 9. The method of claim 1, wherein one of the categories of historical information comprises an execution history of an application associated with malware.
  - 10. The method of claim 1, wherein comparing detection information to historical information comprises determining a possible date of malware exposure.
  - 11. The method of claim 1, wherein the first and second categories of historical information comprise network activity.
  - 12. The method of claim 1, wherein:
    - the first category of historical information comprises network activity; and
      
      the second category of historical information comprises an execution history of an application associated with malware.
  - 13. The method of claim 1, wherein:
    - the first category of historical information comprises network activity; and
      
      the second category of historical information comprises a vulnerability status of an application possibly exposed to malware.
  - 14. The method of claim 1, wherein:
    - the first category of historical information comprises network activity; and
      
      the second category of historical information comprises data sent to or from a network destination.
  - 15. The method of claim 1, wherein:
    - the first category of historical information comprises results of behavioral analysis; and
      
      the second category of historical information comprises network activity.

16. An article of manufacture, comprising:
- a computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  receive detection information for detecting malware on an electronic device;
  
  access historical information of an electronic device;
  
  compare detection information to the historical information; and
  
  based on the comparison of the detection information with the historical information, alert a user of the electronic device of risks of malware, the risks evidenced by the historical information.wherein causing the processor to compare detection information to the historical information comprises causing the processor to;
  
  determine that information from a first category of historical information is associated with a source of malware;
  
  cross-reference information from a second category of historical information to the information from the first category; and
  
  associate the information from the second category with the malware.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The article of claim 16, wherein the processor is further configured to:
    - scan the electronic device for malware; and
      
      determine that the electronic device may have been infected with malware;
      
      wherein the detection information is associated with the malware which may have infected the electronic device.
  - 18. The article of claim 16, wherein the processor is further configured to:
    - determine that the electronic device may have been infected with malware, wherein such determination is based upon the comparison of the detection information with the historical information.
  - 19. The article of claim 16, wherein configuring the processor to compare detection information to historical information comprises further configuring the processor to include the information from the second category with the alerts sent to the user.
  - 20. The article of claim 16, wherein one of the categories of historical information comprises network activity.
  - 21. The article of claim 16, wherein the second category of historical information comprises data sent to or from a network destination.
  - 22. The article of claim 16, wherein one of the categories of historical information comprises changes to an operating system.
  - 23. The article of claim 16, wherein the second category of historical information comprises a vulnerability status of an application exposed to malware.
  - 24. The article of claim 16, wherein the second category of historical information comprises an execution history of an application associated with malware.
  - 25. The article of claim 16, wherein configuring the processor to compare detection information to historical information comprises configuring the processor to determine a possible date of malware exposure.
  - 26. The article of claim 16, wherein the first and second categories of historical information comprise network activity.
  - 27. The article of claim 16, wherein:
    - the first category of historical information comprises network activity; and
      
      the second category of historical information comprises an execution history of an application associated with malware.
  - 28. The article of claim 16, wherein:
    - the first category of historical information comprises network activity; and
      
      the second category of historical information comprises a vulnerability status of an application possibly exposed to malware.
  - 29. The article of claim 16, wherein:
    - the first category of historical information comprises network activity; and
      
      the second category of historical information comprises data sent to or from a network destination.
  - 30. The article of claim 16, wherein:
    - the first category of historical information comprises results of behavioral analysis; and
      
      the second category of historical information comprises network activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Hinchliffe, Alex J., Tarbotton, Lee Codel Lawson, Ackroyd, Robert J.

Application Number

US12/911,927
Publication Number

US 20120102568A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

SYSTEM AND METHOD FOR MALWARE ALERTING BASED ON ANALYSIS OF HISTORICAL NETWORK AND PROCESS ACTIVITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

285 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR MALWARE ALERTING BASED ON ANALYSIS OF HISTORICAL NETWORK AND PROCESS ACTIVITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links