Malicious code infection cause-and-effect analysis
Abstract
A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
20 Claims
1. A computer-readable storage device containing computer-executable instructions to control a computing device to analyze effects of a malware infection by a method comprising:
- receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machines being suspected of being infected with malware, wherein the monitored activities of a machine relate to accessing of an operating system resource of an operating system executing on the machine;
- comparing the monitored activities of the post-infection snapshot of a first machine to the post-infection snapshots of other machines to identify monitored activities that are common across multiple post-infection snapshots of different machines; and
- tagging as possibly being caused by the malware infection the monitored activities that are common across multiple post-infection snapshots.

Dependent claims 2, 3, 4 and 5 (not shown).

6. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
- receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshot of a machine identifying monitored activities of the machine subsequent to the machine being suspected of being infected with malware, wherein the monitored activities of the machine relate to accessing of an operating system resource of an operating system executing on the machine; and
- comparing the monitored activities of the post-infection snapshots of different machines to identify monitored activities that are common across multiple post-infection snapshots of different machines that may be related to the malware infection.

Dependent claims 7, 8, 9, 10, 11, 12 and 13 (not shown).

14. A computing device for analyzing a malware infection comprising:
- a data store storing post-infection snapshots of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machine being suspected of being infected with malware, wherein the monitored activities relate to accessing of an operating system resource of an operating system executing on the machine;
- a memory storing computer-executable instructions of:
  - a component that compares the monitored activities of the post-infection snapshots of different machines to identify monitored activities that are common across multiple post-infection snapshots of different machines; and
  - a component that indicates that the identified monitored activities may be related to the malware infection; and
- a processor that executes the computer-executable instructions stored in the memory.

Dependent claims 15, 16, 17, 18, 19 and 20 (not shown).
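The method the abstract and independent claims describe (time-bounded snapshots of monitored OS-resource accesses, then a cross-machine comparison that tags activities recurring on several suspected hosts) is small enough to show end to end. The following Python is an added illustration written for this page, not code from the patent or its assignee; the host names, timestamps, registry key and file paths are constructed sample data, and the optional baseline filter, which drops activities a host already performed in its pre-infection window, is a design choice added here beyond what the claims recite.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


# One monitored activity: a single access to an operating-system resource.
@dataclass(frozen=True)
class Activity:
    timestamp: datetime
    resource_type: str  # "file", "registry" or "process"
    resource: str       # the OS resource touched (paths assumed pre-normalised per user)
    action: str         # "create", "write", ...

    def key(self):
        # What is compared across machines: the access itself, without its time.
        return (self.resource_type, self.resource, self.action)


def time_bounded_snapshot(events, notified_at, window, after):
    """Activities within `window` of the infection notification.

    after=True  -> post-infection snapshot, [notified_at, notified_at + window]
    after=False -> pre-infection snapshot,  [notified_at - window, notified_at)
    """
    if after:
        return {e.key() for e in events if notified_at <= e.timestamp <= notified_at + window}
    return {e.key() for e in events if notified_at - window <= e.timestamp < notified_at}


def tag_common_activities(machine, post_snaps, min_machines=2, pre_snaps=None):
    """Tag activities of `machine` that recur in at least `min_machines` post-infection snapshots.

    When pre_snaps is supplied, activities the same machine already performed before the
    notification are discarded first (baseline filtering, an addition beyond the claims).
    """
    counts = Counter(k for snap in post_snaps.values() for k in snap)
    candidates = set(post_snaps[machine])
    if pre_snaps is not None:
        candidates -= pre_snaps.get(machine, set())
    return sorted(k for k in candidates if counts[k] >= min_machines)


# ---- constructed sample data (not from the page) ----
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example_entry"  # constructed
DROPPED = r"%APPDATA%\svc\upd.exe"                                              # constructed
WINDOW = timedelta(minutes=20)


def _t(hh, mm):
    return datetime(2024, 1, 1, hh, mm)


NOTIFIED = {"host-a": _t(10, 0), "host-b": _t(11, 0), "host-c": _t(12, 0)}
LOGS = {
    "host-a": [
        Activity(_t(9, 55), "process", "svchost.exe", "create"),                  # pre-infection
        Activity(_t(9, 58), "file", r"C:\Users\a\Documents\report.docx", "write"),
        Activity(_t(10, 1), "registry", RUN_KEY, "write"),
        Activity(_t(10, 2), "file", DROPPED, "create"),
        Activity(_t(10, 3), "process", "svchost.exe", "create"),                  # also seen pre-infection
        Activity(_t(10, 40), "file", r"%APPDATA%\svc\late.exe", "create"),        # outside the window
    ],
    "host-b": [
        Activity(_t(10, 50), "process", "svchost.exe", "create"),
        Activity(_t(11, 5), "registry", RUN_KEY, "write"),
        Activity(_t(11, 6), "file", DROPPED, "create"),
        Activity(_t(11, 7), "file", r"C:\Users\b\Documents\notes.txt", "write"),  # unique to host-b
        Activity(_t(11, 8), "process", "svchost.exe", "create"),
    ],
    "host-c": [
        Activity(_t(11, 55), "process", "svchost.exe", "create"),
        Activity(_t(12, 1), "process", "svchost.exe", "create"),
        Activity(_t(12, 2), "file", r"C:\Users\c\Documents\todo.txt", "write"),
    ],
}


def run_example(filter_baseline=True):
    """Build both snapshots per host, then tag each host's shared post-infection activities."""
    post = {m: time_bounded_snapshot(LOGS[m], NOTIFIED[m], WINDOW, after=True) for m in LOGS}
    pre = {m: time_bounded_snapshot(LOGS[m], NOTIFIED[m], WINDOW, after=False) for m in LOGS}
    return {m: tag_common_activities(m, post, pre_snaps=pre if filter_baseline else None)
            for m in LOGS}


if __name__ == "__main__":
    for machine, tags in run_example().items():
        print(machine, tags)
```

Without the baseline filter the routine also tags the `svchost.exe` process creation, because it is common to all three hosts; with the filter it is dropped on every host that already showed it before the notification, leaving only the Run-key write and the dropped executable, which is the kind of noise reduction an analyst would want before treating a shared activity as an infection effect.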