Method and system for a self-heating device

US 7,624,443 B2
Filed: 12/21/2004
Issued: 11/24/2009
Est. Priority Date: 12/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for restoring a self-healing device, the method comprising:

archiving data associated with the self-healing device into at least one recovery volume, wherein each of the at least one recovery volume contains the data associated with the self-healing device at a particular point in time;

uncovering evidence indicating a presence of an infection in the self-healing device;

determining a time the infection occurred;

determining which one of the at least one recovery volume was created prior and closest in time to the time the infection occurred;

determining a graded level of trustworthiness for the volume determined to be created prior to and closest in time to the time the infection occurred, wherein the determined graded level of trustworthiness is associated with one of a plurality of colors, wherein each color corresponds to a predetermined level of trustworthiness which indicates a degree of confidence that the restoration data is not infected;

receiving an indication from a user indicating that, using the assigned color as guide, the user has decided to proceed with restoring at least a portion of data associated with the self-healing device; and

based on the received indication, restoring the data portion associated with the self-healing device that has changed with respect to data associated with the one of the at least one recovery volume.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A self-healing device is provided in which changes made between the time that an infection resulting from an attack on the device was detected and an earlier point in time to which the device is capable of being restored may be recovered based, at least in part, on what kinds of changes were made, whether the changes were bona fide or malware induced, whether the changes were made after the time that the infection likely occurred, and whether new software was installed.

86 Citations

View as Search Results

16 Claims

1. A method for restoring a self-healing device, the method comprising:
- archiving data associated with the self-healing device into at least one recovery volume, wherein each of the at least one recovery volume contains the data associated with the self-healing device at a particular point in time;
  
  uncovering evidence indicating a presence of an infection in the self-healing device;
  
  determining a time the infection occurred;
  
  determining which one of the at least one recovery volume was created prior and closest in time to the time the infection occurred;
  
  determining a graded level of trustworthiness for the volume determined to be created prior to and closest in time to the time the infection occurred, wherein the determined graded level of trustworthiness is associated with one of a plurality of colors, wherein each color corresponds to a predetermined level of trustworthiness which indicates a degree of confidence that the restoration data is not infected;
  
  receiving an indication from a user indicating that, using the assigned color as guide, the user has decided to proceed with restoring at least a portion of data associated with the self-healing device; and
  
  based on the received indication, restoring the data portion associated with the self-healing device that has changed with respect to data associated with the one of the at least one recovery volume.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein uncovering evidence indicating the presence of the infection includes uncovering evidence indicating the presence of a known virus or the occurrence of unusual disk or network activity.
  - 3. The method of claim 1, further comprising:
    - detecting changes in the state of the self-healing device proximate to a first point in time, wherein uncovering evidence indicating the presence of the infection is based in part on the changes that were detected.
  - 4. The method of claim 3, wherein detecting changes in the state of the self-healing device proximate to the first point in time includes parsing information from a change journal maintained for a file system used by the self-healing device.
  - 5. The method of claim 4, wherein the change journal is a Windows NT File System change journal.
  - 6. The method of claim 3, wherein detecting changes in the state of the self-healing device proximate to the first point in time includes determining differences between remotely located data within one of the at least one recovery volume and live data on the self-healing device.
  - 7. The method of claim 3, wherein detecting changes in the state of the self-healing device proximate to the first point in time includes examining the at least one recovery volume saved locally on the self-healing device.
  - 8. The method of claim 1, wherein the at least one recovery volume is a volume shadow copy generated by Windows Volume Snapshot Services.

9. A method of recovering from a malware attack, the method comprising:
- creating a plurality of saved disk states(s) of a self-healing device at fixed points in time;
  
  obtaining information from at least one of a change journal and from one of the saved disk state(s);
  
  analyzing the information to uncover evidence indicating that an infection has occurred;
  
  localizing the infection to one of the fixed points in time based on the information;
  
  identifying changes occurring since the time of the infection and rolling back the changes to reflect the same data contained the one of the saved disk state(s);
  
  determining a graded level of trustworthiness for the saved disk state(s) determined to be created prior to and closest in time to the time the infection occurred, wherein the determined graded level of trustworthiness is associated with one of a plurality of colors, wherein each color corresponds to a predetermined level of trustworthiness which indicates a degree of confidence that the restoration data is not infected;
  
  presenting the identified changes to a user and receiving authorization from the user before rolling back the identified changes; and
  
  receiving an indication from the user indicating that, using the assigned color as guide, the user has decided to proceed with restoring at least a portion of data associated with the self-healing device.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the information is parsed from the at least one of the change journal and the one of the saved disk state(s).
  - 11. The method of claim 9, wherein the information is a state change associated with the self-healing device.
  - 12. The method of claim 9, wherein the change journal is a Windows NT File System change journal.
  - 13. The method of claim 9, wherein the one of the saved disk state(s) is a volume shadow copy generated by Windows Volume Snapshot Services.

14. A system for a self-healing device, the system comprising:
- a storage device that stores a plurality of recovery volumes at a plurality of fixed points in time of the data associated with the self-healing device;
  
  a repository of malware information;
  
  a repository of system audit information;
  
  a repository of listed activities that constitute unusual or suspicious disk or network activity;
  
  a processor to;
  
  uncover evidence of infection from a mal ware attack or the presence of unusual or suspicious disk or network activity, or a combination thereof,determine a time in which the infection from a mal ware attack or the presence of unusual or suspicious disk or network activity occurred,determine which one of the a plurality of recovery volumes was created closest and prior to the time in which the infection from a mal ware attack or the presence of unusual or suspicious disk or network activity occurred;
  
  determine a graded level of trustworthiness for the recovery volume determined to be created prior to and closest in time to the time the infection occurred, wherein the determined graded level of trustworthiness is associated with one of a plurality of colors, wherein each color corresponds to a predetermined level of trustworthiness which indicates a degree of confidence that the restoration data is not infected;
  
  receive an indication from a user indicating that, using the assigned color as guide, the user has decided to proceed with restoring at least a portion of data associated with the self-healing device;
  
  restore all changed data between current data associated with the self-healing device and the one of the plurality of recovery volumes; and
  
  analyze a user input authorizing recovery from the mal ware attack or the presence of unusual or suspicious disk or network activity, wherein the processor displays the changed data and recovers the changed data after receiving the user input authorizing recovery.
- View Dependent Claims (15)
- - 15. The system of claim 14, wherein the repository of system audits information includes at least one of a change journal.

16. A method for restoring a self-healing device, the method comprising:
- archiving data associated with the self-healing device into at least one recovery volume, wherein each of the at least one recovery volume contains the data associated with the self-healing device at a particular point in time;
  
  uncovering evidence indicating a presence of an infection in the self-healing device;
  
  determining a time the infection occurred;
  
  determining which one of the at least one recovery volume was created prior and closest in time to the time the infection occurred;
  
  determining a graded level of trustworthiness for the volume determined to be created prior to and closest in time to the time the infection occurred, wherein the determined graded level of trustworthiness is associated with one of a plurality of colors, wherein each color corresponds to a predetermined level of trustworthiness which indicates a degree of confidence that the restoration data is not infected, and wherein the determined graded level of trustworthiness is based on the data'"'"'s intended use;
  
  determining that the graded level of trustworthiness is sufficiently high for the data'"'"'s intended use;
  
  receiving an indication from a user indicating that, using the assigned color as guide, and further based on the determination that the level of trustworthiness is sufficiently high for the data'"'"'s intended use, the user has decided to proceed with restoring at least a portion of data associated with the self-healing device;
  
  based on the received indication, restoring the data portion associated with the self-healing device that has changed with respect to data associated with the one of the at least one recovery volume; and
  
  presenting the identified changes to a user and receiving authorization from the user before rolling back the identified changes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Carter-Schwendler, Carl, Luber, Paul, Marinescu, Adrian M., Kramer, Michael, Field, Scott A., Seinfeld, Marc E.
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US11/018,412
Publication Number

US 20060137010A1
Time in Patent Office

1,799 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/568   eliminating virus, restorin...

Y10S 707/99953   Recoverability

Method and system for a self-heating device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for a self-heating device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links