Aggregating the knowledge base of computer systems to proactively protect a computer from malware

US 8,516,583 B2
Filed: 03/31/2005
Issued: 08/20/2013
Est. Priority Date: 03/31/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

operating at least one processor on the computer to perform a method comprising;

implementing an event detection system on a computer by at least;

identifying at least one computer characteristic selected from the group consisting of computer entry points, data streams, computer events, and computer activity occurring on the computer; and

generating metrics based on the identified at least one computer characteristic;

implementing anti-malware services on the computer by at least;

observing an event occurring on the computer;

determining whether the observed event is a positive indicator of a malware infection; and

responsive to a determination that the observed event is not a positive indicator of a malware infection;

determining whether the observed event is potentially indicative of malware; and

responsive to a determination that the observed event is potentially indicative of malware, reporting the observed event to an aggregation routine; and

implementing the aggregation routine on the computer by at least;

analyzing the metrics generated by the event detection system to identify a first suspicious event;

receiving a report of a second suspicious event from at least one anti-malware service of the anti-malware services;

identifying a combination of suspicious events, the combination of suspicious events comprising the first suspicious event and the second suspicious event;

determining whether the combination of suspicious events is indicative of malware; and

responsive to a determination that the combination of suspicious events is indicative of malware, marking an entity associated with the suspicious events in the combination of suspicious events as a malware entity, and applying a restrictive security policy that alters operation of the computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with the present invention, a system, method, and computer-readable medium for aggregating the knowledge base of a plurality of security services or other event collection systems to protect a computer from malware is provided. One aspect of the present invention is a method that proactively protects a computer from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware; determining if the suspicious events satisfy a predetermined threshold; and if the suspicious events satisfy the predetermined threshold, implementing a restrictive security policy designed to prevent the spread of malware.

53 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- operating at least one processor on the computer to perform a method comprising;
  
  implementing an event detection system on a computer by at least;
  
  identifying at least one computer characteristic selected from the group consisting of computer entry points, data streams, computer events, and computer activity occurring on the computer; and
  
  generating metrics based on the identified at least one computer characteristic;
  
  implementing anti-malware services on the computer by at least;
  
  observing an event occurring on the computer;
  
  determining whether the observed event is a positive indicator of a malware infection; and
  
  responsive to a determination that the observed event is not a positive indicator of a malware infection;
  
  determining whether the observed event is potentially indicative of malware; and
  
  responsive to a determination that the observed event is potentially indicative of malware, reporting the observed event to an aggregation routine; and
  
  implementing the aggregation routine on the computer by at least;
  
  analyzing the metrics generated by the event detection system to identify a first suspicious event;
  
  receiving a report of a second suspicious event from at least one anti-malware service of the anti-malware services;
  
  identifying a combination of suspicious events, the combination of suspicious events comprising the first suspicious event and the second suspicious event;
  
  determining whether the combination of suspicious events is indicative of malware; and
  
  responsive to a determination that the combination of suspicious events is indicative of malware, marking an entity associated with the suspicious events in the combination of suspicious events as a malware entity, and applying a restrictive security policy that alters operation of the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as recited in claim 1, wherein receiving a report of a second suspicious event from at least one anti-malware service includes receiving metadata that describes the second suspicious event.
  - 3. The method as recited in claim 2, wherein the metadata that describes the second suspicious event is accessible to the at least one anti-malware service for characterizing an entity associated with the suspicious event.
  - 4. The method as recited in claim 2, wherein the metadata that is received that describes the second suspicious event includes:
    - a weighted value generated by the at least one anti-malware service that quantifies a probability that the second suspicious event is indicative of malware; and
      
      a reason the second suspicious event was identified as being potentially indicative of malware.
  - 5. The method as recited in claim 1, wherein determining whether the combination of suspicious events is indicative of malware comprises determining if a number of events in the combination of suspicious events occurring in a given time frame is higher than a given value.
  - 6. The method as recited in claim 1, wherein determining if the combination of suspicious events is indicative of malware, includes:
    - generating a weighted value for each suspicious event in the combination of suspicious events that quantifies a probability that a respective suspicious event is indicative of malware; and
      
      determining whether a summation of weighted values for the suspicious events in the combination of suspicious events is higher than a given value.
  - 7. The method as recited in claim 1, wherein the restrictive security policy prevents the entity associated with the suspicious events in the combination of suspicious events from performing actions and accessing resources on the computer in a way that is contrary to the restrictive security policy.
  - 8. The method as recited in claim 1, wherein applying a restrictive security policy to the computer, includes:
    - determining whether the entity associated with the suspicious events in the combination of suspicious events is capable of being removed from the computer;
      
      responsive to the entity being capable of removal from the computer, causing an anti-malware service to remove the entity from the computer; and
      
      responsive to the entity not being capable of removal, applying a general restrictive security policy designed to prevent a spread of malware.
  - 9. The method as recited in claim 8, wherein causing the anti-malware service to remove the entity from the computer includes applying a restrictive security policy designed to prevent the malware from subsequently infecting the computer.
  - 10. The method as recited in claim 8, wherein causing the anti-malware service to remove the entity includes allowing the anti-malware services to register and identify types of malware that the anti-malware service is configured to remove from the computer.
  - 11. The method as recited in claim 8, wherein implementing the restrictive security policy includes restricting an ability of the computer to access data on a network.
  - 12. The method as recited in claim 11, wherein restricting the ability of the computer to access data on the network, includes:
    - blocking network traffic on specific communication ports;
      
      blocking communications from certain network-base applications;
      
      blocking access to hardware and software components on the computer; and
      
      blocking network traffic on specific communication ports and addresses.

13. A computer readable storage memory medium storing computer-executable instructions that, when executed by a computer, cause the computer to implement:
- an aggregation routine for determining whether an entity associated with the computer is malware, the aggregation routine including;
  
  a data collector component operative to collect data from a plurality of anti-malware services, the plurality of anti-malware services configured to execute on the computer to detect malware on the computer, each anti-malware service of the plurality of anti-malware services being configured to;
  
  observe events occurring on the computer;
  
  determine whether an observed event is a positive indication of malware or whether the observed event is a suspicious event that potentially indicates malware;
  
  take an action against malware when the observed event is determined to comprise a positive indication of malware; and
  
  provide an indication that the observed event is the suspicious event when the observed event is determined to potentially indicate malware and not comprise a positive indication of malware, the data collected identifying the observed event indicated to be potentially indicative of malware;
  
  a data analyzer module configured to analyze the data collected by the data collector component to determine whether a threshold was satisfied by a combination of suspicious events indicated by the collected data, the combination of suspicious events comprising at least one first suspicious event indicated in data collected from at least one first anti-malware service and at least one second suspicious event indicated in data collected from at least one second anti-malware service, the at least one first anti-malware service and the at least one second anti-malware service comprising disparate types of anti-malware services, the data analyzer module further configured to mark an entity associated with one or more suspicious events in the combination of suspicious events as a malware entity; and
  
  a policy implementer operative to implement a restrictive security policy responsive to a determination by the data analyzer module that the threshold was satisfied.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer readable storage memory as recited in claim 13, wherein each anti-malware service in the plurality of anti-malware services is configured to identify and report suspicious events to the data collector component that are potentially indicative of malware.
  - 15. The computer readable storage memory as recited in claim 14, wherein each anti-malware service is further configured to identify the entity that is associated with the suspicious events.
  - 16. The computer readable storage memory as recited in claim 13, further comprising an event collection system for identifying events that occur on the computer and recording the events in a data store that is accessible to the aggregation routine.
  - 17. The computer readable storage memory as recited in claim 13, wherein the aggregation routine, for each anti-malware service in the plurality of anti-malware services, is further configured to:
    - allow at least one anti-malware service to register registration data to identify malware that the at least one anti-malware service is capable of removing from the computer; and
      
      determine from the registration data whether the at least one anti-malware service is capable of removing the malware from the computer in response to a determination by the data analyzer module that the threshold has been satisfied.
  - 18. The computer readable storage memory as recited in claim 13, wherein:
    - for each anti-malware service in the plurality of anti-malware services, the data collector component is configured to receive and store metadata that includes, for observed events indicated as being suspicious events by an anti-malware service;
      
      a weighted value that quantifies a probability that the suspicious event is characteristic of malware; and
      
      a reason that the observed event was indicated as being suspicious by the anti-malware service; and
      
      the data collected by the data collector component is analyzed by determining that a summation of weighted values for the at least one first suspicious event and for the at least one second suspicious event is higher than the threshold.

19. A computer readable storage memory storing computer-executable instructions that, when executed on a computer, causes the computer to:
- analyze metrics generated by an event detection system executing on the computer to identify suspicious events that are potentially indicative of malware on the computer, the event detection system generating metrics based on performance characteristics of the computer;
  
  receive from an anti-malware service executing on the computer a notification of suspicious events that are potentially indicative of malware on the computer identified by the anti-malware service and data that describes the suspicious events identified by the anti-malware service;
  
  determine whether a combination of suspicious events are indicative of malware, the combination of suspicious events including at least one first suspicious event identified by the anti-malware service and at least one second suspicious event identified based on the metrics generated by the event detection system; and
  
  responsive to the combination of suspicious events including an indication of a malware, implement a restrictive security policy configured to restrict an entity associated with the combination of suspicious events from performing actions on the computer.
- View Dependent Claims (20)
- - 20. The computer readable storage memory as recited in claim 19, wherein the restrictive security policy comprises a policy to prevent the computer from transmitting data to one or more additional computers communicatively connected to the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Thomas, Anil Francis, Kramer, Michael, Costea, Mihai, Hudis, Efim, Bahl, Pradeep, Edery, Yigal, Dadhia, Rajesh K
Primary Examiner(s)
McNally, Michael S

Application Number

US11/096,490
Publication Number

US 20060236392A1
Time in Patent Office

3,064 Days
Field of Search

713/150, 726/23
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/577   Assessing vulnerabilities a...

Aggregating the knowledge base of computer systems to proactively protect a computer from malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Aggregating the knowledge base of computer systems to proactively protect a computer from malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links