Malicious code infection cause-and-effect analysis

US 8,117,659 B2
Filed: 12/28/2005
Issued: 02/14/2012
Est. Priority Date: 12/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method in a computer system for performing cause and effect analysis of a malware infection, the method comprising:

monitoring a plurality of activities on a first computer system;

recording the monitored activities;

upon receiving a notification of a suspected malware infection, creating a first pre-infection snapshot by storing an indication of recorded monitored activities as the first pre-infection snapshot, the first pre-infection snapshot indicating the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection;

receiving second pre-infection snapshots from second computer systems, the second pre-infection snapshot for a second computer system being created by storing an indication of recorded monitored activities of the second computer system that were conducted within a time frame prior to that second computer system receiving a notification of the suspected malware infection;

analyzing the first pre-infection snapshot by comparing the monitored activities of the first pre-infection snapshot to the monitored activities of second pre-infection snapshots of second computer systems to identify common activities represented by the first pre-infection snapshot and the second pre-infection snapshots that are similar across the first pre-infection snapshot and the second pre-infection snapshots; and

generating a recommendation for processing the suspected malware infection based on the identified common activities,wherein the first computer system and the second computer systems are on different machines.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.

25 Citations

View as Search Results

20 Claims

1. A method in a computer system for performing cause and effect analysis of a malware infection, the method comprising:
- monitoring a plurality of activities on a first computer system;
  
  recording the monitored activities;
  
  upon receiving a notification of a suspected malware infection, creating a first pre-infection snapshot by storing an indication of recorded monitored activities as the first pre-infection snapshot, the first pre-infection snapshot indicating the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection;
  
  receiving second pre-infection snapshots from second computer systems, the second pre-infection snapshot for a second computer system being created by storing an indication of recorded monitored activities of the second computer system that were conducted within a time frame prior to that second computer system receiving a notification of the suspected malware infection;
  
  analyzing the first pre-infection snapshot by comparing the monitored activities of the first pre-infection snapshot to the monitored activities of second pre-infection snapshots of second computer systems to identify common activities represented by the first pre-infection snapshot and the second pre-infection snapshots that are similar across the first pre-infection snapshot and the second pre-infection snapshots; and
  
  generating a recommendation for processing the suspected malware infection based on the identified common activities,wherein the first computer system and the second computer systems are on different machines.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
- - 2. The method of claim 1 further comprising:
    - upon receiving the notification of the suspected malware infection, creating a post-infection snapshot, the post-infection snapshot containing the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection; and
      
      providing the post-infection snapshot for analysis.
  - 3. The method of claim 2, wherein the post-infection snapshot contains at least one monitored activity that is not contained in the pre-infection snapshot.
  - 4. The method of claim 1, wherein the activities include at least one local computer system activity.
  - 5. The method of claim 1, wherein the activities include at least one network activity.
  - 6. The method of claim 1 further comprising normalizing the activities contained in the pre-infection snapshot into corresponding normalized actions.
  - 7. The method of claim 6 further comprising mapping each normalized activity to a corresponding malware state.
  - 20. The method of claim 1 wherein the analyzing includes detecting that the snapshots indicate that the first computer system and the second computer system visited the same web site and wherein the generated of the recommendation indicates to block that web site.

8. A method in a computer system for performing cause and effect analysis of a malware infection, the method comprising:
- providing a malware state model indicating how malware behaves on an infected computer system, the malware state model having malware states and indications of activities for transitioning from one malware state to another malware state;
  
  providing a mapping of normalized activities to malware states;
  
  receiving a pre-infection snapshot from a plurality of machines, each of the pre-infection snapshots identifying monitored activities that were conducted within a time frame prior to a suspected malware infection on each machine of the plurality of machines;
  
  for each received pre-infection snapshot, normalizing the activities of the pre-infection snapshot by assigning a predetermined category to each monitored activity of the pre-infection snapshot; and
  
  comparing the normalized activities of the pre-infection snapshots to the normalized activities of other pre-infection snapshots to identify normalized activities that are similar, normalized activities being similar when their assigned categories are the same;
  
  when the comparison indicates the normalized activities are similar, tagging similar normalized activities as being suspicious; and
  
  assigning a malware state to the tagged normalized activities based on the provided malware state model and the providing mapping of normalized activities to malware states;
  
  when the comparison indicates that normalized activities are not similar, not tagging the normalized activities as being suspicious; and
  
  generating a recommendation for processing the infection based on the normalized activities that have been tagged as suspicious and the assigned malware states of the normalized activities that have been tagged as suspicious.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising assigning a malware state to each activity tagged as being suspicious.
  - 10. The method of claim 8 further comprising:
    - receiving a post-infection snapshot from the plurality of machines, each of the post-infection snapshots containing monitored activities that are conducted within a time frame subsequent to the suspected malware infection on each machine of the plurality of machines; and
      
      comparing the monitored activities to each other and tagging similar activities as being suspicious.
  - 11. The method of claim 10 further comprising assigning a malware state to each activity tagged as being suspicious.
  - 12. The method of claim 10 further comprising comparing the monitored activities in the post-infection snapshots to each other and tagging unlike activities as being potentially normal.
  - 13. The method of claim 8 further comprising providing the activities tagged as being suspicious for analysis.
  - 14. The method of claim 10, wherein the recommendation for responding to the at least one activity tagged as being suspicious is generated using an expert system.

15. A computer system for performing analysis of a malware infection to determine a root cause of the malware infection, comprising:
- a memory storing computer-executable instructions ofa component that receives pre-infection snapshots from a plurality of machines suspected ofbeing infected with malware, each of the pre-infection snapshots identifying monitored activities that were conducted at each machine suspected of the plurality of machines suspected of being infectedwith malware within a time frame prior to the machine being suspected of being infected with malware;
  
  a component that compares the monitored activities of the pre-infection snapshot to identify monitored activities that are common across multiple pre-infection snapshots;
  
  a component that tags as being suspicious the monitored activities that are common across multiple pre-infection snapshots; and
  
  a component that provides an indication of the root cause of the malware infection for an infected machine based on the monitored activities that are tagged as being suspicious; and
  
  a processor that executes the computer-executable instructions stored in the memory.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer system of claim 15 wherein the component that compares normalizes the monitored activities before identifying monitored activities that are common.
  - 17. The computer system of claim 16 wherein the component that tags assigns a malware state to each activity tagged as being suspicious.
  - 18. The computer system of claim 15 wherein the component that tags assigns a malware state to each activity tagged as being suspicious.
  - 19. The computer system of claim 15 including:
    - a component that receives post-infection snapshots from the plurality of machines suspected of being infected with malware, each of the post-infection snapshots containing monitored activities that were conducted within a time frame after the suspected infection on the infected machine; and
      
      a component that compares and tags as being suspicious the monitored activities of the post-infection snapshots.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hartrell, Gregory D., Steeves, David J., Hudis, Efim
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Jeudy, Josnel

Application Number

US11/321,754
Publication Number

US 20070150957A1
Time in Patent Office

2,239 Days
Field of Search

726 22- 30, 713/193, 713/194, 713/200, 713187-188, 709227-229, 709217-222, 715734-736, 380/2
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/565   by checking file integrity

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Malicious code infection cause-and-effect analysis

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious code infection cause-and-effect analysis

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links