VIRUS INTRUSION ROUTE IDENTIFICATION DEVICE, VIRUS INTRUSION ROUTE IDENTIFICATION METHOD, AND PROGRAM

US 20150264062A1
Filed: 05/28/2015
Published: 09/17/2015
Est. Priority Date: 12/07/2012
Status: Active Grant

First Claim

Patent Images

1. A virus intrusion route determining device for backtracking a virus intrusion route to a terminal device, comprising:

an operation history storage unit configured to store an operation history which is a history of operations executed in the terminal device;

a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and

an output unit configured to output information indicating the virus intrusion route determined by the determining unit,wherein the information indicating the virus intrusion route includes information indicating a route in which the virus moved.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention aims to backtrack a virus infection route with more detail than in the conventional case. CPUs of client devices respectively monitor operations, and cause storage devices to store operation histories. The CPU determines, upon detecting a virus, the time and date at which the virus was first saved in the client device based on the operation history stored in the storage device, and determines a virus intrusion route based on the operation content that was executed at the determined time and date.

67 Citations

View as Search Results

27 Claims

1. A virus intrusion route determining device for backtracking a virus intrusion route to a terminal device, comprising:
- an operation history storage unit configured to store an operation history which is a history of operations executed in the terminal device;
  
  a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and
  
  an output unit configured to output information indicating the virus intrusion route determined by the determining unit,wherein the information indicating the virus intrusion route includes information indicating a route in which the virus moved.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 18)
- - 2. The virus intrusion route determining device according to claim 1,wherein the virus intrusion route determining device is provided in the terminal device.
  - 3. The virus intrusion route determining device according to claim 1,wherein the virus intrusion route determining device is provided in a server device that is connected to the terminal device.
  - 4. The virus intrusion route determining device according to claim 3,wherein the terminal device includes:
    - a virus detection unit configured to detect a virus; and
      
      a request transmitting unit configured to transmit, to the server device, a request for determining a virus intrusion route of the virus detected by the virus detection unit.
  - 5. The virus intrusion route determining device according to claim 3,wherein the terminal device further includesan operation history management unit configured to transfer the operation history stored in the operation history storage unit of the terminal device so that the operation history is stored in the server device, and deleting all or part of the transferred operation history.
  - 6. The virus intrusion route determining device according to claim 1,wherein the determining unit further configured to determine an intrusion entry via which a virus intruded into the terminal device by determining, for each of records constituting the operation history, whether or not an operation content included therein is a specific operation content that is executed at the time of virus intrusion.
  - 7. The virus intrusion route determining device according to claim 1,wherein the determining unit determines the virus intrusion route by additionally searching the operation history for a parent process that called a child process involved in saving of the virus.
  - 8. The virus intrusion route determining device according to claim 3,wherein in the operation history storage unit provided in the server device, the operation history that covers a longer period than the operation history stored in the operation history storage unit provided in the terminal device is stored.
  - 9. The virus intrusion route determining device according to claim 3,wherein in the operation history storage unit provided in the server device, operation histories acquired by a plurality of terminal devices are stored, andthe determining unit provided in the server device searches, when a virus has been found in one of the plurality of terminal devices, the operation histories of the plurality of terminal devices based on a path name or process identification information that are related to the virus, and determines the virus intrusion route.
  - 10. The virus intrusion route determining device according to claim 1,wherein the determining unit is further configured to search, based on the process identification information of a process in which the virus was detected, in the operation history storage unit for a path name of a file operated between activation of the process and detection of the virus, and determine a terminal device that provided the file, based on the path name found by the search.
  - 11. The virus intrusion route determining device according to claim 1,wherein the determining unit is further configured to search, based on the process identification information of a process in which the virus was detected, the operation history storage unit for a path name of a file operated between activation of the process and detection of the virus, and recognize the process itself as a virus when a file operated between activation of the process and detection of the virus is not found.
  - 12. The virus intrusion route determining device according to claim 3,wherein the determining unit is further configured to:
    - determine, based on the process identification information of a process in which a virus was detected, another process in which an executable file of that process was created;
      
      determine whether or not the other process is an e-mail MUA;
      
      determine an operation history indicating that the e-mail MUA received an e-mail to which the executable file of the process is attached;
      
      determine a sender of the e-mail based on the operation history;
      
      determine an operation history indicating that the sender transferred the e-mail;
      
      determine an operation history indicating that the e-mail transferred by the sender was received by yet another sender, anddetermine the virus intrusion route based on the operation history.
  - 13. The virus intrusion route determining device according to claim 3,wherein the determining unit is further configured to:
    - determine, based on the process identification information of a process in which a virus was detected, a path name of a file operated by the process;
      
      determine an operation history indicating that the file was stored in the removable device based on the path name of the file;
      
      determine identification information of the removable device based on the operation history;
      
      determine another terminal device that has ever connected to the removable device, based on the identification information of the removable device, anddetermine the virus intrusion route based on the operation history of the other terminal device.
  - 14. The virus intrusion route determining device according to claim 1,wherein the determining unit is further configured to determine, based on the process identification information of a process in which a virus was detected, a file operated between activation of the process and detection of the virus operation, and when a plurality of files are determined, the determining unit performs narrowing-down to one file that is related to the virus intrusion route by executing weighting with respect to the plurality of files, andthe weighting is executed according to at least one of the time and date at which the file was operated, the execution result of the file, the result obtained by executing virus detection on the file, and information input by a user.
  - 15. The virus intrusion route determining device according to claim 1,wherein the determining unit is further configured to determine a route in which the virus was distributed based on the operation history stored in the operation history storage unit.
  - 18. The virus intrusion route determining device according to claim 1,wherein the determining unit is further configured to search, when a virus has been found in the terminal device, the operation history stored in the operation history storage unit based on the virus-related time and date, a file name or a path name, or process identification information that are related to the virus, and determines the virus intrusion route.

16. A virus intrusion route determining method of backtracking a virus intrusion route to a terminal device, comprising:
- an operation history storing process of storing an operation history, which is a history of operations executed in the terminal device, into an operation history storage unit;
  
  a determining process of determining, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and
  
  an outputting process of outputting information indicating the virus intrusion route determined in the determining process,wherein the information indicating the virus intrusion route includes information indicating a route in which the virus moved.

17. A program stored in a non-transitory computer-readable recording medium that causes a computer to execute virus intrusion route determining processing for backtracing a virus intrusion route to a terminal device, wherein the program causes the computer to function as:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device;
  
  a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and
  
  an output unit configured to output information indicating the virus intrusion route determined by the determining unit,wherein the information indicating the virus intrusion route includes information indicating a route in which the virus moved.

19. A virus intrusion route determining device for backtracking a virus intrusion route to a terminal device, comprising:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device;
  
  a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and
  
  a request transmitting unit configured to transmit, to a server device, a request for determining a virus intrusion route based on the operation history stored in the server device, when the determining unit cannot determine the virus intrusion route based on the operation history stored in the operation history storage unit,wherein the terminal device is provided with the virus intrusion route determining device and the server device connected to the terminal device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the virus intrusion route to the terminal device.

20. A virus intrusion route determining device for backtracking a virus intrusion route to a terminal device, comprising:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device; and
  
  a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit,wherein the terminal device is provided with the virus intrusion route determining device and a server device connected to the terminal device is also provided with the virus intrusion route determining device, and the determining unit provided in the server device determines the virus intrusion route with respect to an operation history acquired during a time period that is further past than a time period in which the determining unit provided in the terminal device conducted an examination.

21. A virus intrusion route determining device for backtracking a virus intrusion route to a terminal device, comprising:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device; and
  
  a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit,wherein the determining unit is configured to determine, based on the process identification information of a process in which a virus was detected, a file operated between activation of the process and detection of the virus, and when a plurality of files are determined, the determining unit performs narrowing-down to one file that is related to the virus intrusion route by executing weighting with respect to the plurality of files.

22. A method that is executed in a virus intrusion route determining device of backtracking a virus intrusion route to a terminal device, the method comprising the process of:
- storing an operation history, which is a history of operations executed in the terminal device, into operation history storage unit;
  
  determining, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and
  
  transmitting, to a server device, a request for determining a virus intrusion route based on the operation history stored in the server device, when the virus intrusion route cannot be determined based on the operation history stored in the operation history storage unit,wherein the terminal device is provided with the virus intrusion route determining device and the server device connected to the terminal device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the virus intrusion route to the terminal device.

23. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device that backtracks a virus intrusion route to a terminal device, the program causing the computer to function as:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device;
  
  a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and
  
  a request transmitting unit configured to transmit, to a server device, a request for determining a virus intrusion route based on the operation history stored in the server device, when the determining unit cannot determine the virus intrusion route based on the operation history stored in the operation history storage unit,wherein the terminal device is provided with the virus intrusion route determining device and the server device connected to the terminal device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the terminal device and the virus intrusion route determining device provided in the server device cooperate with each other to determine the virus intrusion route to the terminal device.

24. A method that is executed in a virus intrusion route determining device that backtracks a virus intrusion route to a terminal device, the method comprising the process of:
- storing an operation history, which is a history of operations executed in the terminal device, into operation history storage unit; and
  
  determining, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit; and
  
  wherein the terminal device is provided with the virus intrusion route determining device and the server device connected to the terminal device is also provided with the virus intrusion route determining device, and the virus intrusion route determining device provided in the server device determines the virus intrusion route with respect to an operation history acquired during a time period that is further past than a time period in which the virus intrusion route determining device provided in the terminal device conducted an examination.

25. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device that backtracks a virus intrusion route to a terminal device, the program causing the computer to function as:
- a operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device; and
  
  a determining unit configured to determine, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit,wherein the terminal device is provided with the virus intrusion route determining device and the server device connected to the terminal device is also provided with the virus intrusion route determining device, and the determining unit provided in the server device determines the virus intrusion route with respect to an operation history acquired during a time period that is further past than a time period in which the determining unit provided in the terminal device conducted an examination.

26. A method in a virus intrusion route determining device for backtracking a virus intrusion route to a terminal device, the method comprising:
- a storing process of storing an operation history, which is a history of operations executed in the terminal device, into operation history storage unit; and
  
  a determining process of determining, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit,wherein the determining process includes the process of;
  
  determining, based on process identification information of a process in which a virus was detected, a file operated between activation of the process and detection of the virus; and
  
  performing, when a plurality of files are determined, narrowing-down to one file that is related to the virus intrusion route by executing weighting with respect to the plurality of files.

27. A program stored in a non-transitory computer-readable recording medium that causes a computer to function as a virus intrusion route determining device for backtracking a virus intrusion route to a terminal device, wherein the program causes the computer to function as:
- an operation history storage unit configured to store an operation history, which is a history of operations executed in the terminal device; and
  
  a determining unit for determining, upon detecting a virus, a virus intrusion route of the virus based on the operation history stored in the operation history storage unit,wherein the determining unit is configured to determine, based on process identification information of a process in which a virus was detected, a file operated between activation of the process and detection of the virus, and when a plurality of files are determined, the determining unit performs narrowing-down to one file that is related to the virus intrusion route by executing weighting with respect to the plurality of files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Canon Hi-Tech Limited (Canon Inc.)
Original Assignee
Canon Hi-Tech Limited (Canon Inc.)
Inventors
Hagiwara, Hiroshi, Yotsuyanagi, Takashi

Granted Patent

US 10,326,792 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

H04L 2463/146   Tracing the source of attacks

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

VIRUS INTRUSION ROUTE IDENTIFICATION DEVICE, VIRUS INTRUSION ROUTE IDENTIFICATION METHOD, AND PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

67 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

VIRUS INTRUSION ROUTE IDENTIFICATION DEVICE, VIRUS INTRUSION ROUTE IDENTIFICATION METHOD, AND PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links