Malicious code infection cause-and-effect analysis
First Claim
1. A method in a computer system for performing cause and effect analysis of a malware infection, the method comprising:
monitoring a plurality of activities on a first computer system;
recording the monitored activities;
upon receiving a notification of a suspected malware infection, creating a first pre-infection snapshot by storing an indication of recorded monitored activities as the first pre-infection snapshot, the first pre-infection snapshot indicating the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection;
receiving second pre-infection snapshots from second computer systems, the second pre-infection snapshot for a second computer system being created by storing an indication of recorded monitored activities of the second computer system that were conducted within a time frame prior to that second computer system receiving a notification of the suspected malware infection;
analyzing the first pre-infection snapshot by comparing the monitored activities of the first pre-infection snapshot to the monitored activities of second pre-infection snapshots of second computer systems to identify common activities represented by the first pre-infection snapshot and the second pre-infection snapshots that are similar across the first pre-infection snapshot and the second pre-infection snapshots; and
generating a recommendation for processing the suspected malware infection based on the identified common activities, wherein the first computer system and the second computer systems are on different machines.
Abstract
A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
20 Claims

1. (Set out in full under "First Claim" above.) Dependent claims: 2, 3, 4, 5, 6, 7, 20.
8. A method in a computer system for performing cause and effect analysis of a malware infection, the method comprising:
providing a malware state model indicating how malware behaves on an infected computer system, the malware state model having malware states and indications of activities for transitioning from one malware state to another malware state;
providing a mapping of normalized activities to malware states;
receiving a pre-infection snapshot from a plurality of machines, each of the pre-infection snapshots identifying monitored activities that were conducted within a time frame prior to a suspected malware infection on each machine of the plurality of machines;
for each received pre-infection snapshot, normalizing the activities of the pre-infection snapshot by assigning a predetermined category to each monitored activity of the pre-infection snapshot; and comparing the normalized activities of the pre-infection snapshots to the normalized activities of other pre-infection snapshots to identify normalized activities that are similar, normalized activities being similar when their assigned categories are the same;
when the comparison indicates the normalized activities are similar, tagging similar normalized activities as being suspicious; and assigning a malware state to the tagged normalized activities based on the provided malware state model and the providing mapping of normalized activities to malware states;
when the comparison indicates that normalized activities are not similar, not tagging the normalized activities as being suspicious; and
generating a recommendation for processing the infection based on the normalized activities that have been tagged as suspicious and the assigned malware states of the normalized activities that have been tagged as suspicious.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer system for performing analysis of a malware infection to determine a root cause of the malware infection, comprising:
a memory storing computer-executable instructions of
a component that receives pre-infection snapshots from a plurality of machines suspected of being infected with malware, each of the pre-infection snapshots identifying monitored activities that were conducted at each machine suspected of the plurality of machines suspected of being infected with malware within a time frame prior to the machine being suspected of being infected with malware;
a component that compares the monitored activities of the pre-infection snapshot to identify monitored activities that are common across multiple pre-infection snapshots;
a component that tags as being suspicious the monitored activities that are common across multiple pre-infection snapshots; and
a component that provides an indication of the root cause of the malware infection for an infected machine based on the monitored activities that are tagged as being suspicious; and
a processor that executes the computer-executable instructions stored in the memory.
Dependent claims: 16, 17, 18, 19.
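An added illustration, not code from the patent or its assignee, of the pipeline the three independent claims describe: a time-bounded pre-infection snapshot per host (claim 1), normalization of raw activities into predetermined categories with a category-to-malware-state mapping (claim 8), and tagging of activities common across machines as suspicious to indicate a likely root cause (claim 15). The hosts, telemetry, category table, state model and 60-minute window are constructed assumptions.

```python
from collections import Counter

# Constructed telemetry for three hosts (times in minutes since midnight); each record is
# (time, raw activity type, detail). Hostnames, URL and paths are made up.
NOTIFIED_AT = {"host-a": 630, "host-b": 665, "host-c": 760}   # suspected-infection notifications
RECORDED = {
    "host-a": [(620, "download", "http://cdn.example/update.exe"),
               (621, "exec", "C:\\Users\\a\\Downloads\\update.exe"),
               (622, "registry_write", "HKCU\\...\\Run\\upd")],       # Run key, abbreviated
    "host-b": [(420, "usb_insert", "E:"),                             # outside the window
               (655, "download", "http://cdn.example/update.exe"),
               (656, "exec", "C:\\Users\\b\\Downloads\\update.exe"),
               (657, "registry_write", "HKCU\\...\\Run\\upd")],
    "host-c": [(750, "attachment_open", "invoice.pdf"),               # only on one host
               (752, "download", "http://cdn.example/update.exe"),
               (753, "exec", "C:\\Users\\c\\Downloads\\update.exe")],
}
# Assumed normalization table (claim 8's "predetermined category") and assumed mapping of
# categories to the states of a three-state malware model (delivery -> installation -> persistence).
CATEGORY = {"download": "NETWORK_DOWNLOAD", "exec": "PROCESS_EXEC", "registry_write": "PERSISTENCE",
            "usb_insert": "REMOVABLE_MEDIA", "attachment_open": "EMAIL_ATTACHMENT"}
STATE_OF = {"NETWORK_DOWNLOAD": "delivery", "EMAIL_ATTACHMENT": "delivery", "REMOVABLE_MEDIA": "delivery",
            "PROCESS_EXEC": "installation", "PERSISTENCE": "persistence"}
STATE_ORDER = {"delivery": 0, "installation": 1, "persistence": 2, "unknown": 3}

def pre_infection_snapshot(records, notified_at, window):
    """Claim 1: keep only activities recorded within `window` minutes before the notification."""
    return [r for r in records if notified_at - window <= r[0] <= notified_at]

def normalize(snapshot):
    """Claim 8: replace each raw activity with its predetermined category (unknown -> OTHER)."""
    return {CATEGORY.get(kind, "OTHER") for _, kind, _ in snapshot}

def analyze(recorded, notified_at, window=60, min_hosts=2):
    """Compare normalized snapshots across hosts. A category present on at least `min_hosts`
    hosts is tagged suspicious and assigned a malware state; returns {category: (hosts, state)}."""
    snapshots = {h: normalize(pre_infection_snapshot(recorded[h], notified_at[h], window))
                 for h in recorded}
    counts = Counter(c for cats in snapshots.values() for c in cats)
    return {c: (n, STATE_OF.get(c, "unknown")) for c, n in counts.items() if n >= min_hosts}

def recommendation(tagged):
    """Order tagged activities by malware state so the earliest state (likely root cause) comes first."""
    ranked = sorted(tagged.items(), key=lambda kv: STATE_ORDER[kv[1][1]])
    return [f"{state}: {cat} seen on {n} hosts" for cat, (n, state) in ranked]

if __name__ == "__main__":
    print("\n".join(recommendation(analyze(RECORDED, NOTIFIED_AT))))
```

Activities seen on a single host or outside the window (the USB insertion, the attachment open) are not tagged, which is the claim's "not similar" branch; the shared download followed by execution and a Run-key write is what gets surfaced.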
Specification