Systems and methods for reporting security vulnerabilities

US 9,323,930 B1
Filed: 08/19/2014
Issued: 04/26/2016
Est. Priority Date: 08/19/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for reporting security vulnerabilities, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting that a malware application is present on an endpoint computing system;

determining a window of time during which the malware application was present in a specified condition on the endpoint computing system;

logging a list of sensitive data items accessed during the window of time;

performing a security action to report the list of sensitive data items based on a determination that both;

a length of the window of time is longer than a security threshold length and is indicative of the malware application being located on the endpoint computing system long enough to potentially compromise a sensitive data item;

the malware application was accessed during the window of time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for reporting security vulnerabilities may include (1) detecting that a malware application is present on an endpoint computing system, (2) determining a window of time during which the malware application was present in a specified condition on the endpoint computing system, (3) logging a list of sensitive data items accessed during the window of time, and (4) conditioning performance of a security action to report the list of sensitive data items on a determination that both (A) a length of the window of time is longer than a security threshold length and is indicative of the malware application being located on the endpoint computing system long enough to potentially compromise a sensitive data item and (B) the malware application was accessed during the window of time. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for reporting security vulnerabilities, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting that a malware application is present on an endpoint computing system;
  
  determining a window of time during which the malware application was present in a specified condition on the endpoint computing system;
  
  logging a list of sensitive data items accessed during the window of time;
  
  performing a security action to report the list of sensitive data items based on a determination that both;
  
  a length of the window of time is longer than a security threshold length and is indicative of the malware application being located on the endpoint computing system long enough to potentially compromise a sensitive data item;
  
  the malware application was accessed during the window of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1, wherein a beginning point of the window of time marks when at least one of:
    - a message containing the malware application was sent to the endpoint computing system;
      
      the malware application was stored to memory;
      
      the malware application was installed;
      
      the malware application was executed.
  - 3. The computer-implemented method of claim 1, wherein an end point of the window of time marks when at least one of:
    - the malware application was stopped from executing;
      
      the malware application was removed;
      
      the malware application was neutralized;
      
      the malware application was deleted;
      
      the malware application was uninstalled.
  - 4. The computer-implemented method of claim 1, wherein logging the list of sensitive data items comprises logging authentication events for a set of resources that each provides an authentication procedure for security.
  - 5. The computer-implemented method of claim 1, wherein determining the window of time comprises determining when the malware application arrived at the endpoint computing device.
  - 6. The computer-implemented method of claim 1, whereindetermining the window of time comprises determining how long the malware application was present before being neutralized.
  - 7. The computer-implemented method of claim 1, wherein the list of sensitive data items comprises a list of protected resources into which a user logged.
  - 8. The computer-implemented method of claim 7, wherein the security action to report the list of sensitive data items comprises informing the user to change security credentials for each of the protected resources into which the user logged.
  - 9. The computer-implemented method of claim 1, wherein the list of sensitive data items comprises a list of documents with which a user interacted.
  - 10. The computer-implemented method of claim 9, wherein the security action to report the list of sensitive data items comprises informing the user that the documents in the list of documents were potentially compromised by the malware application.
  - 11. The computer-implemented method of claim 9, wherein the security action to report the list of sensitive data items comprises scanning documents in the list of documents for personally identifiable information.
  - 12. The computer-implemented method of claim 11, wherein scanning documents in the list of documents for personally identifiable information comprises scanning the documents for information that is structured according to a format for at least one type of personally identifiable information.
  - 13. The computer-implemented method of claim 12, wherein the format for the type of personally identifiable information comprises at least one of:
    - a structure of a credit card number;
      
      a structure of a social security number;
      
      a structure of an address;
      
      a structure of a phone number;
      
      a structure of a date of birth.
  - 14. The computer-implemented method of claim 11, wherein scanning documents in the list of documents for personally identifiable information comprises scanning the documents for specific personally identifiable information known to apply to the user.
  - 15. The computer-implemented method of claim 1, wherein the security action to report the list of sensitive data items comprises reporting a list of remedial actions that a user may take to protect the user in response to detection of the malware application.

16. A system for reporting security vulnerabilities, the system comprising:
- a detection module, stored in memory, that detects that a malware application is present on an endpoint computing system;
  
  a determination module, stored in memory, that determines a window of time during which the malware application was present in a specified condition on the endpoint computing system;
  
  a logging module, stored in memory, that logs a list of sensitive data items accessed during the window of time;
  
  a conditioning module, stored in memory, that performs a security action to report the list of sensitive data items based on a determination that both;
  
  a length of the window of time is longer than a security threshold length and is indicative of the malware application being located on the endpoint computing system long enough to potentially compromise a sensitive data item;
  
  the malware application was accessed during the window of time;
  
  at least one physical processor configured to execute the detection module, the determination module, the logging module, and the conditioning module.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein a beginning point of the window of time marks when at least one of:
    - a message containing the malware application was sent to the endpoint computing system;
      
      the malware application was stored to memory;
      
      the malware application was installed;
      
      the malware application was executed.
  - 18. The system of claim 16, wherein an end point of the window of time marks when at least one of:
    - the malware application was stopped from executing;
      
      the malware application was removed;
      
      the malware application was neutralized;
      
      the malware application was deleted;
      
      the malware application was uninstalled.
  - 19. The system of claim 16, wherein the logging module logs the list of sensitive data items at least in part by logging authentication events for a set of resources that each provides an authentication procedure for security.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect that a malware application is present on an endpoint computing system;
  
  determine a window of time during which the malware application was present in a specified condition on the endpoint computing system;
  
  log a list of sensitive data items accessed during the window of time;
  
  performs a security action to report the list of sensitive data items based on a determination that both;
  
  a length of the window of time is longer than a security threshold length and is indicative of the malware application being located on the endpoint computing system long enough to potentially compromise a sensitive data item;
  
  the malware application was accessed during the window of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh
Primary Examiner(s)
Turchen, James

Application Number

US14/462,833
Time in Patent Office

616 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/308   retaining data, e.g. retain...

Systems and methods for reporting security vulnerabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for reporting security vulnerabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links