Aggregating the knowledge base of computer systems to proactively protect a computer from malware
First Claim
1. A computer system, comprising:
- a memory and a processor configured to execute instructions in the memory to cause the computer system to implement an aggregation routine, the aggregation routine configured to:
identify a first suspicious event by analyzing metrics that are generated based on performance characteristics of the computer system;
receive a report of a second suspicious event from at least one of multiple anti-malware services executing on the computer system;
determine whether a combination of suspicious events is indicative of malware, the combination of suspicious events including at least the first suspicious event and the second suspicious event; and
responsive to a determination that the combination of suspicious events is indicative of malware, apply a restrictive security policy configured to restrict an entity associated with the combination of suspicious events from performing actions on the computer system.
Abstract
Techniques for aggregating a knowledge base of a plurality of security services or other event collection systems to protect a computer from malware are provided. In embodiments, a computer is protected from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware. A determination is made as to whether a combination of the suspicious events is indicative of malware. If the combination of suspicious events is indicative of malware, a restrictive security policy designed to prevent the spread of malware is implemented.
20 Claims
15. A method comprising:
identifying a suspicious event by analyzing metrics generated by an event detection system executing on a computer, the metrics generated based on performance characteristics of the computer;
receiving a notification of an additional suspicious event from an anti-malware service executing on the computer;
determining that a combination of suspicious events is indicative of malware, the combination of suspicious events including at least the suspicious event and the additional suspicious event; and
responsive to the determining, applying a restrictive security policy to restrict an entity associated with the combination of suspicious events from performing actions on the computer.
19. A computing device comprising:
one or more computer readable storage memory storing computer-executable instructions that, responsive to execution by the computing device, cause the computing device to implement:
a data collector configured to receive reports of suspicious events from at least one of multiple anti-malware services executing on the computing device, the suspicious events comprising observed events occurring on the computing device that are identified as suspicious based on performance characteristics of the computing device;
an aggregation routine configured to determine whether a combination of the suspicious events is indicative of malware; and
a policy implementer operative to implement a restrictive security policy to restrict an entity associated with the combination of suspicious events from performing actions on the computing device.
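The three components the claims describe (a data collector, an aggregation routine that decides whether a combination of events from independent sources points at one entity, and a policy implementer that restricts that entity), as an added Python example that is not part of the patent or of any product implementing it. The metric thresholds, the 60-second window, the two-independent-sources rule and the set of denied actions are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SuspiciousEvent:
    entity: str   # process or account the event is attributed to
    source: str   # "metrics" or the name of the reporting anti-malware service
    kind: str     # what was observed
    ts: float     # time of observation, in seconds


# Actions a restricted entity is denied; an assumed policy, not the patent's.
RESTRICTIVE_POLICY = frozenset({"network", "file_write", "spawn_process"})


class Aggregator:
    """Data collector, aggregation routine and policy implementer in one object."""

    def __init__(self, window=60.0, min_sources=2):
        self.window = window            # seconds over which events are combined
        self.min_sources = min_sources  # independent sources needed to restrict
        self.events = defaultdict(list) # entity -> collected SuspiciousEvents
        self.restricted = set()         # entities under the restrictive policy

    def observe_metrics(self, entity, ts, cpu_pct, new_conns):
        """Event detection from performance characteristics (thresholds assumed)."""
        if cpu_pct >= 90 and new_conns >= 100:
            self.report(SuspiciousEvent(entity, "metrics", "cpu+connection spike", ts))

    def report(self, ev):
        """Collect an event from any source, then re-evaluate the combination."""
        self.events[ev.entity].append(ev)
        if self.indicative_of_malware(ev.entity, ev.ts):
            self.restricted.add(ev.entity)
        return ev.entity in self.restricted

    def indicative_of_malware(self, entity, now):
        """Combination rule: distinct sources agree on one entity inside the window."""
        recent = [e for e in self.events[entity] if now - e.ts <= self.window]
        return len({e.source for e in recent}) >= self.min_sources

    def is_allowed(self, entity, action):
        """Policy implementer: a restricted entity loses the listed actions only."""
        return not (entity in self.restricted and action in RESTRICTIVE_POLICY)
```

A single source, however often it fires, never restricts an entity on its own; only the metric-derived event combined with an anti-malware report on the same entity within the window does.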