Malicious code infection cause-and-effect analysis

US 8,955,134 B2
Filed: 02/08/2012
Issued: 02/10/2015
Est. Priority Date: 11/30/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:

receiving pre-infection snapshots from a plurality of machines suspected of being infected with malware, the pre-infection snapshot for a machine identifying monitored activities that were conducted at that machine prior to the machine being suspected of being infected with malware, each pre-infection snapshot for a machine being created by a program that monitors and records the activity of that machine;

comparing the monitored activities of the pre-infection snapshots of multiple machines to identify monitored activities that are common across multiple pre-infection snapshots of different machines, wherein the monitored activities of a machine relate to accessing of an operating system resource of an operating system executing on the machine; and

tagging as being suspicious at least some monitored activities that are common across multiple pre-infection snapshots.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.

17 Citations

View as Search Results

19 Claims

1. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
- receiving pre-infection snapshots from a plurality of machines suspected of being infected with malware, the pre-infection snapshot for a machine identifying monitored activities that were conducted at that machine prior to the machine being suspected of being infected with malware, each pre-infection snapshot for a machine being created by a program that monitors and records the activity of that machine;
  
  comparing the monitored activities of the pre-infection snapshots of multiple machines to identify monitored activities that are common across multiple pre-infection snapshots of different machines, wherein the monitored activities of a machine relate to accessing of an operating system resource of an operating system executing on the machine; and
  
  tagging as being suspicious at least some monitored activities that are common across multiple pre-infection snapshots.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable storage device of claim 1 including prior to comparing the monitored activities, normalizing the monitored activities.
  - 3. The computer-readable storage device of claim 2 wherein the normalizing includes associating categories with the monitored activities.
  - 4. The computer-readable storage device of claim 3 wherein a first monitored activity of a first machine and a second monitored activity of a second machine are common when associated with the same category.
  - 5. The computer-readable storage device of claim 2 including mapping the normalized activities to a malware state of a malware state model.
  - 6. The computer-readable storage device of claim 1 including:
    - receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, each of the post-infection snapshots identifying monitored activities that were conducted at each machine suspected of being infected with malware subsequent to the machine being suspected of being infected with malware; and
      
      comparing the monitored activities of the post-infection snapshot to identify monitored activities that are common across multiple post-infection snapshots.
  - 7. The computer-readable storage device of claim 6 including tagging as possibly being caused by the infection the monitored activities that are common across multiple post-infection snapshots.

8. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
- receiving snapshots of machines suspected of being infected with malware, the snapshots of a machine identifying monitored activities of that machine during a time frame associated with that machine being suspected of being infected with malware, wherein the snapshots are pre-infection snapshots and/or post-infection snapshots and the monitored activities of that machine relate to accessing of an operating system resource of an operating system executing on that machine; and
  
  comparing the monitored activities of the snapshot of a first machine to the monitored activities of snapshots of multiple other machines to identify monitored activities that are common between the snapshot of the first machine and the snapshot of at least one other machine that may be related to a cause of the malware infection.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-readable storage device of claim 8 wherein the snapshots are pre-infection snapshots.
  - 10. The computer-readable storage device of claim 8 including prior to comparing the monitored activities, normalizing the monitored activities.
  - 11. The computer-readable storage device of claim 10 wherein the normalizing includes associating categories with the monitored activities.
  - 12. The computer-readable storage device of claim 8 including automatically re-configuring security policies to prevent future malware infections.
  - 13. The computer-readable storage device of claim 8 including after identifying monitored activities that may be related to a cause of the malware infection, providing a recommendation for responding to the malware infection.

14. A computing device for analyzing a malware infection comprising:
- a data store storing pre-infection snapshots of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were performed at machines suspected of being infected with malware prior to the machines being suspected of being infected with malware, wherein the monitored activities of the machines relate to accessing of an operating system resource of an operating system executing on the machines;
  
  a memory storing computer-executable instructions of;
  
  a component that compares the monitored activities of the pre-infection snapshots of different machines to identify monitored activities that are common across multiple pre-infection snapshots of different machines; and
  
  a component that indicates the monitored activities that are common across multiple pre-infection snapshots may be related to the cause of the infection; and
  
  a processor that executes the computer-executable instructions stored in the memory.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computing device of claim 14 including a component that, prior to comparing the monitored activities, normalizes the monitored activities.
  - 16. The computing device of claim 15 wherein the component that normalizes associates categories with the monitored activities.
  - 17. The computing device of claim 16 wherein a first normalized activity of a first machine and a second normalized activity of a second machine are common when associated with the same category.
  - 18. The computing device of claim 15 wherein the computer-executable instructions include an expert system that, after monitored activities are identified, provides a recommendation for responding to the malware infection based on the identified monitored activities.
  - 19. The computing device of claim 14 wherein the data store stores post-infection snapshots of a plurality of machines suspected of being infected with malware, each of the post-infection snapshots identifying monitored activities that were performed at each machine suspected of being infected with malware within a time frame subsequent to the machine being suspected of being infected with malware and wherein the computer-executable instructions stored in the memory include:
    - a component that identifies monitored activities that are common across multiple post-infection snapshots; and
      
      a component that indicates monitored activities that are common across multiple post-infection snapshots may be caused by the malware infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hartrell, Gregory D., Steeves, David J., Hudis, Efim
Primary Examiner(s)
Jeudy, Josnel

Application Number

US13/369,225
Publication Number

US 20120144490A1
Time in Patent Office

1,098 Days
Field of Search

713187-188, 713193-194, 726 22- 25, 709227-229
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/565   by checking file integrity

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Malicious code infection cause-and-effect analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious code infection cause-and-effect analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links