Aggregating the knowledge base of computer systems to proactively protect a computer from malware
First Claim
1. A computer-implemented method comprising:
    operating at least one processor on the computer to perform a method comprising:
    implementing an event detection system on a computer by at least:
        identifying at least one computer characteristic selected from the group consisting of computer entry points, data streams, computer events, and computer activity occurring on the computer; and
        generating metrics based on the identified at least one computer characteristic;
    implementing anti-malware services on the computer by at least:
        observing an event occurring on the computer;
        determining whether the observed event is a positive indicator of a malware infection; and
        responsive to a determination that the observed event is not a positive indicator of a malware infection:
            determining whether the observed event is potentially indicative of malware; and
            responsive to a determination that the observed event is potentially indicative of malware, reporting the observed event to an aggregation routine; and
    implementing the aggregation routine on the computer by at least:
        analyzing the metrics generated by the event detection system to identify a first suspicious event;
        receiving a report of a second suspicious event from at least one anti-malware service of the anti-malware services;
        identifying a combination of suspicious events, the combination of suspicious events comprising the first suspicious event and the second suspicious event;
        determining whether the combination of suspicious events is indicative of malware; and
        responsive to a determination that the combination of suspicious events is indicative of malware, marking an entity associated with the suspicious events in the combination of suspicious events as a malware entity, and applying a restrictive security policy that alters operation of the computer.
Abstract
In accordance with the present invention, a system, method, and computer-readable medium for aggregating the knowledge base of a plurality of security services or other event collection systems to protect a computer from malware is provided. One aspect of the present invention is a method that proactively protects a computer from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware; determining if the suspicious events satisfy a predetermined threshold; and if the suspicious events satisfy the predetermined threshold, implementing a restrictive security policy designed to prevent the spread of malware.
Claims (20 in total; the three independent claims are set out here)
1. Independent claim 1 is reproduced in full under First Claim above. Dependent claims: 2-12.
13. A computer readable storage memory medium storing computer-executable instructions that, when executed by a computer, cause the computer to implement:
    an aggregation routine for determining whether an entity associated with the computer is malware, the aggregation routine including:
        a data collector component operative to collect data from a plurality of anti-malware services, the plurality of anti-malware services configured to execute on the computer to detect malware on the computer, each anti-malware service of the plurality of anti-malware services being configured to:
            observe events occurring on the computer;
            determine whether an observed event is a positive indication of malware or whether the observed event is a suspicious event that potentially indicates malware;
            take an action against malware when the observed event is determined to comprise a positive indication of malware; and
            provide an indication that the observed event is the suspicious event when the observed event is determined to potentially indicate malware and not comprise a positive indication of malware, the data collected identifying the observed event indicated to be potentially indicative of malware;
        a data analyzer module configured to analyze the data collected by the data collector component to determine whether a threshold was satisfied by a combination of suspicious events indicated by the collected data, the combination of suspicious events comprising at least one first suspicious event indicated in data collected from at least one first anti-malware service and at least one second suspicious event indicated in data collected from at least one second anti-malware service, the at least one first anti-malware service and the at least one second anti-malware service comprising disparate types of anti-malware services, the data analyzer module further configured to mark an entity associated with one or more suspicious events in the combination of suspicious events as a malware entity; and
        a policy implementer operative to implement a restrictive security policy responsive to a determination by the data analyzer module that the threshold was satisfied.
Dependent claims: 14-18.
19. A computer readable storage memory storing computer-executable instructions that, when executed on a computer, cause the computer to:
    analyze metrics generated by an event detection system executing on the computer to identify suspicious events that are potentially indicative of malware on the computer, the event detection system generating metrics based on performance characteristics of the computer;
    receive from an anti-malware service executing on the computer a notification of suspicious events that are potentially indicative of malware on the computer identified by the anti-malware service and data that describes the suspicious events identified by the anti-malware service;
    determine whether a combination of suspicious events are indicative of malware, the combination of suspicious events including at least one first suspicious event identified by the anti-malware service and at least one second suspicious event identified based on the metrics generated by the event detection system; and
    responsive to the combination of suspicious events including an indication of a malware, implement a restrictive security policy configured to restrict an entity associated with the combination of suspicious events from performing actions on the computer.
Dependent claims: 20.
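The aggregation architecture that the abstract and independent claims 1, 13 and 19 describe, as an added illustrative Python sketch that is not part of the patent and not code from the patent holder: an event detection system turns per-entity metrics into suspicious events; anti-malware services act on positive indicators themselves and report only suspicious (non-positive) events to the aggregation routine; the aggregation routine's data collector records those reports, its data analyzer marks an entity as malware once suspicious events from at least a threshold number of disparate sources combine for that entity, and its policy implementer applies a restrictive policy to that entity. The metric limits, service names and heuristics, entity names and policy contents are constructed assumptions, as is the two-source threshold.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    SUSPICIOUS = "suspicious"  # potentially indicative of malware: reported to the aggregator
    POSITIVE = "positive"      # positive indicator of infection: the service acts on its own


@dataclass(frozen=True)
class SuspiciousEvent:
    entity: str  # process or file the event is associated with
    source: str  # detector or service that produced the event
    detail: str


# Constructed limits for the event detection system's metrics (assumption, not from the patent).
METRIC_LIMITS = {"outbound_connections_per_min": 50, "files_modified_per_min": 200}

# Constructed restrictive security policy applied to an entity marked as malware (assumption).
RESTRICTIVE_POLICY = {"network": "deny", "entry_points": "deny", "file_write": "deny"}


def analyze_metrics(metrics: dict[str, dict[str, int]]) -> list[SuspiciousEvent]:
    """Event detection system: compare per-entity metrics against limits, emit suspicious events."""
    found = []
    for entity, values in metrics.items():
        for name, value in values.items():
            limit = METRIC_LIMITS.get(name)
            if limit is not None and value > limit:
                found.append(SuspiciousEvent(entity, "event_detection", f"{name}={value} > {limit}"))
    return found


# Two constructed anti-malware services of disparate types (hypothetical heuristics).
def signature_scanner(observation: dict) -> Verdict:
    if observation.get("known_signature"):
        return Verdict.POSITIVE
    return Verdict.SUSPICIOUS if observation.get("packed") else Verdict.CLEAN


def behaviour_monitor(observation: dict) -> Verdict:
    # one behavioural flag is merely suspicious; both together count as a positive indication
    flags = sum(bool(observation.get(k)) for k in ("writes_autorun", "injects_code"))
    return (Verdict.CLEAN, Verdict.SUSPICIOUS, Verdict.POSITIVE)[flags]


SERVICES = {"signature_scanner": signature_scanner, "behaviour_monitor": behaviour_monitor}


class Aggregator:
    """Aggregation routine: data collector + data analyzer + policy implementer."""

    def __init__(self, threshold: int = 2):
        self.threshold = threshold  # distinct sources whose suspicious events must combine
        self.events: dict[str, list[SuspiciousEvent]] = {}
        self.malware_entities: set[str] = set()
        self.policies: dict[str, dict[str, str]] = {}
        self.handled_by_service: list[tuple[str, str]] = []  # positive hits, no aggregation needed

    def report(self, event: SuspiciousEvent) -> None:
        """Data collector: record a suspicious event against its entity."""
        self.events.setdefault(event.entity, []).append(event)

    def run_service(self, service: str, entity: str, observation: dict) -> Verdict:
        """Let one anti-malware service observe an event; only suspicious verdicts reach the collector."""
        verdict = SERVICES[service](observation)
        if verdict is Verdict.POSITIVE:
            self.handled_by_service.append((service, entity))
        elif verdict is Verdict.SUSPICIOUS:
            self.report(SuspiciousEvent(entity, service, "flagged by service"))
        return verdict

    def evaluate(self, entity: str) -> bool:
        """Data analyzer + policy implementer: threshold met when enough disparate sources agree."""
        sources = {e.source for e in self.events.get(entity, [])}
        if len(sources) < self.threshold:
            return False
        self.malware_entities.add(entity)
        self.policies[entity] = dict(RESTRICTIVE_POLICY)
        return True

    def evaluate_all(self) -> dict[str, bool]:
        return {entity: self.evaluate(entity) for entity in list(self.events)}


def demo() -> Aggregator:
    """Constructed scenario: one entity is flagged by two sources, another by a single source."""
    agg = Aggregator(threshold=2)
    metrics = {  # constructed sample metrics from the event detection system
        "proc:updater.exe": {"outbound_connections_per_min": 120},
        "proc:backup.exe": {"files_modified_per_min": 450},
    }
    for ev in analyze_metrics(metrics):
        agg.report(ev)
    agg.run_service("signature_scanner", "proc:updater.exe", {"packed": True})
    agg.run_service("behaviour_monitor", "proc:backup.exe", {})
    agg.run_service("signature_scanner", "proc:dropper.exe", {"known_signature": True})
    agg.evaluate_all()
    return agg


if __name__ == "__main__":
    result = demo()
    print("malware entities:", sorted(result.malware_entities))
    print("policies:", result.policies)
```

In the constructed scenario, `proc:updater.exe` is flagged both by the metric analysis and by the signature scanner, so the two-source threshold is met and the restrictive policy is applied; `proc:backup.exe` is flagged only by the metrics and stays unmarked, which is the point of requiring a combination of events from disparate sources before acting; `proc:dropper.exe` produces a positive indication and is handled by the service itself without ever reaching the aggregator.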
Specification