Aggregating the knowledge base of computer systems to proactively protect a computer from malware

US 9,043,869 B2
Filed: 08/14/2013
Issued: 05/26/2015
Est. Priority Date: 03/31/2005
Status: Active Grant

First Claim

Patent Images

1. A computer system, comprising:

a memory and a processor configured to execute instructions in the memory to cause the computer system to implement an aggregation routine, the aggregation routine configured to;

identify a first suspicious event by analyzing metrics that are generated based on performance characteristics of the computer system;

receive a report of a second suspicious event from at least one of multiple anti-malware services executing on the computer system;

determine whether a combination of suspicious events is indicative of malware, the combination of suspicious events including at least the first suspicious event and the second suspicious event; and

responsive to a determination that the combination of suspicious events is indicative of malware, apply a restrictive security policy configured to restrict an entity associated with the combination of suspicious events from performing actions on the computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for aggregating a knowledge base of a plurality of security services or other event collection systems to protect a computer from malware are provided. In embodiments, a computer is protected from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware. A determination is made as to whether a combination of the suspicious events is indicative of malware. If the combination of suspicious events is indicative of malware, a restrictive security policy designed to prevent the spread of malware is implemented.

29 Citations

20 Claims

1. A computer system, comprising:
- a memory and a processor configured to execute instructions in the memory to cause the computer system to implement an aggregation routine, the aggregation routine configured to;
  
  identify a first suspicious event by analyzing metrics that are generated based on performance characteristics of the computer system;
  
  receive a report of a second suspicious event from at least one of multiple anti-malware services executing on the computer system;
  
  determine whether a combination of suspicious events is indicative of malware, the combination of suspicious events including at least the first suspicious event and the second suspicious event; and
  
  responsive to a determination that the combination of suspicious events is indicative of malware, apply a restrictive security policy configured to restrict an entity associated with the combination of suspicious events from performing actions on the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A computer system as described in claim 1, wherein the first suspicious event is a potential indicator of the malware infection.
  - 3. A computer system as described in claim 1, wherein the processor is further configured to execute instructions in the memory to cause the computer system to implement an event detection service, the event detection service configured to identify the performance characteristics of the computer system.
  - 4. A computer system as described in claim 3, wherein the performance characteristics include one or more of a computer entry point, a data stream, a computer event, or a computer activity occurring on the computer system.
  - 5. A computer system as described in claim 1, wherein the processor is further configured to execute instructions in the memory to cause the computer system to implement anti-malware services, the anti-malware services configured to:
    - observe an event occurring on the computer system; and
      
      determine whether the observed event is a positive indicator of a malware infection.
  - 6. A computer system as described in claim 5, wherein the anti-malware services are further configured to:
    - determine that the observed event is not a positive indicator of the malware infection;
      
      responsive to a determination that the observed event is not a positive indicator of the malware infection, determine whether the observed event is potentially indicative of malware; and
      
      responsive to a determination that the observed event is potentially indicative of malware, report the observed event to the aggregation routine as a suspicious event.
  - 7. A computer system as described in claim 1, wherein the report of the second suspicious event includes metadata that describes the second suspicious event.
  - 8. A computer system as described in claim 1, wherein the report of the second suspicious event includes metadata that describes the second suspicious event, wherein the metadata is accessible to the at least one of multiple anti-malware services for characterizing the entity associated with the second suspicious event.
  - 9. A computer system as described in claim 1, wherein the report of the second suspicious event describes:
    - a weighted value generated by the at least one anti-malware service that quantifies a probability that the second suspicious event is indicative of malware; and
      
      a reason the second suspicious event was identified as being potentially indicative of malware.
  - 10. A computer system as described in claim 1, wherein the aggregation routine is further configured to determine whether the combination of suspicious events is indicative of malware based on a determination of whether a number of events in the combination of suspicious events occurring in a given time frame is higher than a given value.
  - 11. A computer system as described in claim 1, wherein the aggregation routine is further configured to determine whether the combination of suspicious events is indicative of malware based on:
    - a weighted value for each suspicious event in the combination of suspicious events that quantifies a probability that a respective suspicious event is indicative of malware; and
      
      a determination of whether a summation of weighted values for the suspicious events in the combination of suspicious events is higher than a given value.
  - 12. A computer system as described in claim 1, wherein the restrictive security policy prevents the entity associated with the suspicious events in the combination of suspicious events from performing actions and accessing resources on the computer system in a way that is contrary to the restrictive security policy.
  - 13. A computer system as described in claim 1, wherein the restrictive security policy is configured to prevent the malware from subsequently infecting the computer system.
  - 14. A computer system as described in claim 1, wherein the restrictive security policy is configured to restrict an ability of the computer system to access data on a network, wherein restriction of the ability of the computer system to access data on the network includes one or more of:
    - a block of network traffic on specific communication ports;
      
      a block of communications from certain network-based applications;
      
      a block of access to hardware and software components on the computer system;
      
      ora block of network traffic on specific communication addresses.

15. A method comprising:
- identifying a suspicious event by analyzing metrics generated by an event detection system executing on a computer, the metrics generated based on performance characteristics of the computer;
  
  receiving a notification of an additional suspicious event from an anti-malware service executing on the computer;
  
  determining that a combination of suspicious events is indicative of malware, the combination of suspicious events including at least the suspicious event and the additional suspicious event; and
  
  responsive to the determining, applying a restrictive security policy to restrict an entity associated with the combination of suspicious events from performing actions on the computer.
- View Dependent Claims (16, 17, 18)
- - 16. A method as described in claim 15, wherein determining that the combination of suspicious events is indicative of malware includes determining that a threshold is satisfied by the combination of suspicious events.
  - 17. A method as described in claim 15, further comprising identifying the entity associated with the combination of suspicious events.
  - 18. A method as described in claim 15, further comprising:
    - receiving metadata for an observed event indicated as being suspicious by the anti-malware service, the metadata including;
      
      a weighted value that quantifies a probability that the observed event indicated as being suspicious is characteristic of malware; and
      
      a reason that the observed event was indicated as being suspicious by the anti-malware service.

19. A computing device comprising:
- one or more computer readable storage memory storing computer-executable instructions that, responsive to execution by the computing device, cause the computing device to implement;
  
  a data collector configured to receive reports of suspicious events from at least one of multiple anti-malware services executing on the computing device, the suspicious events comprising observed events occurring on the computing device that are identified as suspicious based on performance characteristics of the computing device;
  
  an aggregation routine configured to determine whether a combination of the suspicious events is indicative of malware; and
  
  a policy implementer operative to implement a restrictive security policy to restrict an entity associated with the combination of suspicious events from performing actions on the computing device.
- View Dependent Claims (20)
- - 20. A computing device as described in claim 19, wherein the reports indicate that one or more of the suspicious events are potentially indicative of malware and not positively indicative of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Thomas, Anil Francis, Kramer, Michael, Costea, Mihai, Hudis, Efim, Bahl, Pradeep, Dadhia, Rajesh K., Edery, Yigal
Primary Examiner(s)
McNally, Michael S

Application Number

US13/967,221
Publication Number

US 20130332988A1
Time in Patent Office

650 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/577   Assessing vulnerabilities a...

Aggregating the knowledge base of computer systems to proactively protect a computer from malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Aggregating the knowledge base of computer systems to proactively protect a computer from malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others