Malicious code infection cause-and-effect analysis
Assignments: 2. Petitions: 0.
Abstract
A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
Citations: 17.

Claims (19 in total; the independent claims 1, 8 and 14 are reproduced below)
1. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
receiving pre-infection snapshots from a plurality of machines suspected of being infected with malware, the pre-infection snapshot for a machine identifying monitored activities that were conducted at that machine prior to the machine being suspected of being infected with malware, each pre-infection snapshot for a machine being created by a program that monitors and records the activity of that machine;
comparing the monitored activities of the pre-infection snapshots of multiple machines to identify monitored activities that are common across multiple pre-infection snapshots of different machines, wherein the monitored activities of a machine relate to accessing of an operating system resource of an operating system executing on the machine; and
tagging as being suspicious at least some monitored activities that are common across multiple pre-infection snapshots.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
receiving snapshots of machines suspected of being infected with malware, the snapshots of a machine identifying monitored activities of that machine during a time frame associated with that machine being suspected of being infected with malware, wherein the snapshots are pre-infection snapshots and/or post-infection snapshots and the monitored activities of that machine relate to accessing of an operating system resource of an operating system executing on that machine; and
comparing the monitored activities of the snapshot of a first machine to the monitored activities of snapshots of multiple other machines to identify monitored activities that are common between the snapshot of the first machine and the snapshot of at least one other machine that may be related to a cause of the malware infection.
Dependent claims: 9, 10, 11, 12, 13.

14. A computing device for analyzing a malware infection comprising:
a data store storing pre-infection snapshots of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were performed at machines suspected of being infected with malware prior to the machines being suspected of being infected with malware, wherein the monitored activities of the machines relate to accessing of an operating system resource of an operating system executing on the machines;
a memory storing computer-executable instructions of:
a component that compares the monitored activities of the pre-infection snapshots of different machines to identify monitored activities that are common across multiple pre-infection snapshots of different machines; and
a component that indicates the monitored activities that are common across multiple pre-infection snapshots may be related to the cause of the infection; and
a processor that executes the computer-executable instructions stored in the memory.
Dependent claims: 15, 16, 17, 18, 19.
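The method the abstract and independent claims 1, 8 and 14 describe, worked through as an added Python example (this is not code from the patent and not the assignee's implementation). Three constructed per-machine activity logs stand in for the records of the monitoring program; a 30-minute pre-infection window is cut at the moment each machine was reported suspect; the windows are compared across machines; and the operating-system resource accesses common to several machines are tagged, most widespread first. A post-infection snapshot is cut the same way with the window placed after the report. The log line format, host names, timestamps, paths, the collapsing of per-user directory names and the subtraction of a clean-host baseline are assumptions of this example, not features the page describes.

```python
"""Cross-machine cause-and-effect analysis of pre-infection snapshots.

Added example; not code from the patent, its assignee or any product. The log
format, machine names, timestamps, paths, the user-directory normalization and
the baseline subtraction are constructed assumptions of this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Per-user paths differ between machines; collapse the user name so the same
# activity recorded on different machines compares equal (assumption).
USER_DIR = re.compile(r"^(?P<root>C:\\Users\\)[^\\]+", re.IGNORECASE)


def parse_log(lines):
    """Constructed monitor format '<ISO timestamp> <kind> <resource>' ->
    list of (timestamp, kind, resource); kind is file/registry/process/network."""
    acts = []
    for line in lines:
        ts, kind, resource = line.split(" ", 2)
        acts.append((datetime.fromisoformat(ts), kind, USER_DIR.sub(r"\g<root><user>", resource)))
    return acts


def snapshot(activities, suspected_at, window, post=False):
    """Time-bounded snapshot: set of (kind, resource) accesses within `window`
    before the machine was reported suspect (after it when post=True)."""
    lo, hi = (suspected_at, suspected_at + window) if post else (suspected_at - window, suspected_at)
    return {(kind, res) for ts, kind, res in activities if lo <= ts <= hi}


def common_activities(snapshots, min_machines=2):
    """Activities present in the snapshots of at least `min_machines` different
    machines, mapped to the number of machines that showed them."""
    counts = Counter()
    for snap in snapshots.values():
        counts.update(snap)  # snapshots are sets: one vote per machine
    return {act: n for act, n in counts.items() if n >= min_machines}


def tag_suspicious(common, baseline=frozenset()):
    """Tag common activities as suspicious, most widespread first. Dropping those
    also seen on known-clean machines (baseline) is this example's false-positive
    control; the claims only require tagging 'at least some' common activities."""
    return sorted(((act, n) for act, n in common.items() if act not in baseline),
                  key=lambda item: (-item[1], item[0]))


def analyze(machine_logs, suspected_at, window, baseline=frozenset(), min_machines=2):
    snaps = {m: snapshot(parse_log(lines), suspected_at[m], window) for m, lines in machine_logs.items()}
    return tag_suspicious(common_activities(snaps, min_machines), baseline)


# Constructed activity logs of three machines later reported as suspect.
MACHINE_LOGS = {
    "ws-01": [
        r"2024-03-04T08:55:00 file C:\Windows\System32\ntdll.dll",
        r"2024-03-04T09:02:10 network smb://fileshare/tools",
        r"2024-03-04T09:02:30 process \\fileshare\tools\update_helper.exe",
        r"2024-03-04T09:02:45 file C:\Users\alice\AppData\Local\Temp\svc.dll",
        r"2024-03-04T09:03:00 registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
        r"2024-03-04T09:04:00 file C:\Users\alice\Documents\budget.xlsx",
        r"2024-03-04T09:12:00 network tcp://203.0.113.7:443",  # after the report
    ],
    "ws-02": [
        r"2024-03-04T07:00:00 process C:\Program Files\Google\Chrome\chrome.exe",  # outside window
        r"2024-03-04T10:40:00 file C:\Windows\System32\ntdll.dll",
        r"2024-03-04T10:41:00 network smb://fileshare/tools",
        r"2024-03-04T10:41:30 process \\fileshare\tools\update_helper.exe",
        r"2024-03-04T10:42:00 file C:\Users\bob\AppData\Local\Temp\svc.dll",
        r"2024-03-04T10:43:00 registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
    ],
    "ws-03": [
        r"2024-03-04T12:30:00 registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",  # outside window
        r"2024-03-04T13:05:00 file C:\Windows\System32\ntdll.dll",
        r"2024-03-04T13:06:00 network smb://fileshare/tools",
        r"2024-03-04T13:06:20 process \\fileshare\tools\update_helper.exe",
        r"2024-03-04T13:07:00 file C:\Users\carol\AppData\Local\Temp\svc.dll",
        r"2024-03-04T13:10:00 file C:\Users\carol\Downloads\invoice.pdf",
    ],
}
SUSPECTED_AT = {"ws-01": datetime(2024, 3, 4, 9, 10), "ws-02": datetime(2024, 3, 4, 11, 0),
                "ws-03": datetime(2024, 3, 4, 13, 30)}
WINDOW = timedelta(minutes=30)
BASELINE = frozenset({("file", r"C:\Windows\System32\ntdll.dll")})  # also seen on clean hosts

if __name__ == "__main__":
    for act, n in analyze(MACHINE_LOGS, SUSPECTED_AT, WINDOW, BASELINE):
        print(f"[{n}/{len(MACHINE_LOGS)} machines] {act[0]:9} {act[1]}")
    post = snapshot(parse_log(MACHINE_LOGS["ws-01"]), SUSPECTED_AT["ws-01"], WINDOW, post=True)
    print("ws-01 post-infection snapshot:", sorted(post))
```

Run stand-alone, the script tags the share access, the helper executable and the dropped DLL (present on all three machines) ahead of the Run-key write, which only two machines performed inside their windows; the third machine wrote the same key an hour earlier, so the time bound excludes it. Two practical points the claims leave open are visible here: without the user-directory normalization the three Temp paths never match, and without the clean-host baseline ntdll.dll, which every Windows process touches, is tagged with the same confidence as the dropped DLL. Commonality is evidence of a shared cause, not proof of one, and the window length sets the trade-off between missing a slow-moving cause and drowning it in ordinary activity.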