Systems and methods for detecting malware-induced crashes

US 9,665,715 B1
Filed: 12/23/2013
Issued: 05/30/2017
Est. Priority Date: 12/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malware-induced crashes, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, by analyzing a health log associated with a previously stable computing device, an occurrence of an unexpected stability problem on the previously stable computing device, wherein the health log tracks at least one of;

the overall stability of the previously stable computing device over time;

the stability, over time, of application software installed on the previously stable computing device; and

the stability, over time, of system software installed on the previously stable computing device;

identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device;

identifying a community of computing devices operating within at least one of a particular enterprise and a particular industry, the community of computing devices comprising the previously stable computing device;

determining that the event is potentially malicious based at least on;

the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device;

a determination that other computing devices within the community of computing devices have also experienced the unexpected stability problem;

a determination that computing devices outside of the community of computing devices have not experienced the unexpected stability problem; and

a determination that the event is potentially part of an advanced persistent threat targeted at the community of computing devices; and

performing a security action in response to determining that the event is potentially malicious that improves at least one of the security, performance, and stability of at least one of the previously stable computing device and one or more additional computing devices.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.

10 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting malware-induced crashes, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, by analyzing a health log associated with a previously stable computing device, an occurrence of an unexpected stability problem on the previously stable computing device, wherein the health log tracks at least one of;
  
  the overall stability of the previously stable computing device over time;
  
  the stability, over time, of application software installed on the previously stable computing device; and
  
  the stability, over time, of system software installed on the previously stable computing device;
  
  identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device;
  
  identifying a community of computing devices operating within at least one of a particular enterprise and a particular industry, the community of computing devices comprising the previously stable computing device;
  
  determining that the event is potentially malicious based at least on;
  
  the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device;
  
  a determination that other computing devices within the community of computing devices have also experienced the unexpected stability problem;
  
  a determination that computing devices outside of the community of computing devices have not experienced the unexpected stability problem; and
  
  a determination that the event is potentially part of an advanced persistent threat targeted at the community of computing devices; and
  
  performing a security action in response to determining that the event is potentially malicious that improves at least one of the security, performance, and stability of at least one of the previously stable computing device and one or more additional computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein identifying the occurrence of the unexpected stability problem on the previously stable computing device comprises identifying, by analyzing the health log, at least one of:
    - an unexpected stability problem with previously stable application software; and
      
      an unexpected stability problem with previously stable system software.
  - 3. The computer-implemented method of claim 1, wherein the health log is created by security software installed on the previously stable computing device.
  - 4. The computer-implemented method of claim 1, wherein identifying the occurrence of the unexpected stability problem on the previously stable computing device comprises identifying, by analyzing the health log, at least one of:
    - a decrease in the overall stability of the previously stable computing device;
      
      a decrease in the stability of application software installed on the previously stable computing device; and
      
      a decrease in the stability of system software installed on the previously stable computing device.
  - 5. The computer-implemented method of claim 1, further comprising, prior to analyzing the health log, at least one of:
    - creating the health log; and
      
      retrieving the health log.
  - 6. The computer-implemented method of claim 1, wherein identifying the event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device comprises at least one of:
    - determining, by analyzing the event log and the health log, that the event occurred contemporaneously with respect to the start of the unexpected stability problem; and
      
      determining that the event involved a software component, installed on the previously stable computing device, that experienced the unexpected stability problem.
  - 7. The computer-implemented method of claim 1, wherein the determination that the event is potentially malicious is further based at least in part on a determination that the event is potentially indicative of infection by a non-process threat.
  - 8. The computer-implemented method of claim 7, wherein the determination that the event is potentially indicative of infection by a non-process threat comprises determining that the event involves at least one of:
    - code injection;
      
      creating or modifying a shared library;
      
      creating or modifying registry entries; and
      
      installing or modifying a kernel component.
  - 9. The computer-implemented method of claim 1, wherein performing the security action comprises quarantining at least one of:
    - a file associated with the event;
      
      an object associated with the event; and
      
      a process associated with the event.
  - 10. The computer-implemented method of claim 1, wherein performing the security action comprises at least one of:
    - transmitting a notification to at least one additional computing device that indicates that the event is potentially malicious; and
      
      blacklisting the event.
  - 11. The computer-implemented method of claim 1, wherein the computing device that performs the method comprises at least one of:
    - the previously stable computing device; and
      
      a server-side computing device.

12. A system for detecting malware-induced crashes, the system comprising:
- an identification module, stored in memory, that;
  
  identifies, by analyzing a health log associated with a previously stable computing device, an occurrence of an unexpected stability problem on the previously stable computing device, wherein the health log tracks at least one of;
  
  the overall stability of the previously stable computing device over time;
  
  the stability, over time, of application software installed on the previously stable computing device; and
  
  the stability, over time, of system software installed on the previously stable computing device;
  
  identifies, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device; and
  
  identifies a community of computing devices operating within at least one of a particular enterprise and a particular industry, the community of computing devices comprising the previously stable computing device;
  
  a determination module, stored in memory, that determines that the event is potentially malicious based at least on;
  
  the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device;
  
  a determination that other computing devices within the community of computing devices have also experienced the unexpected stability problem;
  
  a determination that computing devices outside of the community of computing devices have not experienced the unexpected stability problem; and
  
  a determination that the event is potentially part of an advanced persistent threat targeted at the community of computing devices; and
  
  ;
  
  a security module, stored in memory, that performs a security action in response to determining that the event is potentially malicious that improves at least one of the security, performance, and stability of at least one of the previously stable computing device and one or more additional computing devices; and
  
  at least one physical processor that executes the identification module, the determination module, and the security module.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the identification module identifies the occurrence of the unexpected stability problem on the previously stable computing device by identifying, by analyzing the health log, at least one of:
    - an unexpected stability problem with previously stable application software; and
      
      an unexpected stability problem with previously stable system software.
  - 14. The system of claim 12, wherein the identification module identifies the occurrence of the unexpected stability problem on the previously stable computing device by identifying, by analyzing the health log, at least one of:
    - a decrease in the overall stability of the previously stable computing device;
      
      a decrease in the stability of application software installed on the previously stable computing device; and
      
      a decrease in the stability of system software installed on the previously stable computing device.
  - 15. The system of claim 12, wherein the identification module identifies the event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device by at least one of:
    - determining, by analyzing the event log and the health log, that the event occurred contemporaneously with respect to the start of the unexpected stability problem; and
      
      determining that the event involved a software component, installed on the previously stable computing device, that experienced the unexpected stability problem.
  - 16. The system of claim 12, wherein the determination that the event is potentially malicious is further based at least in part on a determination that the event is potentially indicative of infection by a non-process threat.
  - 17. The system of claim 16, wherein the determination module determines that the event is potentially indicative of infection by a non-process threat by determining that the event involves at least one of:
    - code injection;
      
      creating or modifying a shared library;
      
      creating or modifying registry entries; and
      
      installing or modifying a kernel component.
  - 18. The system of claim 12, wherein the security module performs the security action by quarantining at least one of:
    - a file associated with the event;
      
      an object associated with the event; and
      
      a process associated with the event.
  - 19. The system of claim 12, wherein the security module performs the security action by at least one of:
    - transmitting a notification to at least one additional computing device that indicates that the event is potentially malicious; and
      
      blacklisting the event.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, by analyzing a health log associated with a previously stable computing device, an occurrence of an unexpected stability problem on the previously stable computing device, wherein the health log tracks at least one of;
  
  the overall stability of the previously stable computing device over time;
  
  the stability, over time, of application software installed on the previously stable computing device; and
  
  the stability, over time, of system software installed on the previously stable computing device;
  
  identify, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device;
  
  identify a community of computing devices operating within at least one of a particular enterprise and a particular industry, the community of computing devices comprising the previously stable computing device;
  
  determine that the event is potentially malicious based at least on;
  
  the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device;
  
  a determination that other computing devices within the community of computing devices have also experienced the unexpected stability problem;
  
  a determination that computing devices outside of the community of computing devices have not experienced the unexpected stability problem; and
  
  a determination that the event is potentially part of an advanced persistent threat targeted at the community of computing devices; and
  
  perform a security action in response to determining that the event is potentially malicious that improves at least one of the security, performance, and stability of at least one of the previously stable computing device and one or more additional computing devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin, Bhatkar, Sandeep, Marino, Daniel, Guo, Fanglu
Primary Examiner(s)
Mehrmanesh, Amir
Assistant Examiner(s)
Taylor, Sakinah W.

Application Number

US14/138,130
Time in Patent Office

1,254 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 11/0775   Content or structure detail...

G06F 11/079   Root cause analysis, i.e. e...

G06F 21/552   involving long-term monitor...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

Systems and methods for detecting malware-induced crashes

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting malware-induced crashes

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links