Outbreak pathology inference

US 9,679,140 B2
Filed: 12/27/2014
Issued: 06/13/2017
Est. Priority Date: 12/27/2014
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus comprising:

a network interface; and

one or more logic elements, including at least a processor and a memory, comprising an outbreak pathology inference engine, operable for;

receiving network telemetry data from a client device via the network interface;

receiving out-of-network telemetry data from the client device via the network interface; and

inferring, based at least in part on the network telemetry data and out-of-network data, a predictive malware outbreak hypothesis.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a system and method for outbreak pathology inference are described. In certain computational ecosystems, malware programs and other malicious objects may infect a machine, and then attempt to infect additional machines that are “networked” to the first machine. In some cases, the network may be a physical or logical network, such as an enterprise network. However, “social networking” may also connect one machine to another, because users may share files or data with one another over social networks. In that case, client devices may be equipped with a telemetry engine to gather and report data about the machine, while a system management server receives reported telemetry. The system management server may use both logical networks and social networks to infer potential outbreak paths and behaviors of malware.

Citations

25 Claims

1. A computing apparatus comprising:
- a network interface; and
  
  one or more logic elements, including at least a processor and a memory, comprising an outbreak pathology inference engine, operable for;
  
  receiving network telemetry data from a client device via the network interface;
  
  receiving out-of-network telemetry data from the client device via the network interface; and
  
  inferring, based at least in part on the network telemetry data and out-of-network data, a predictive malware outbreak hypothesis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing apparatus of claim 1, wherein the out-of-network data comprise social networking data.
  - 3. The computing apparatus of claim 2, wherein the social network data comprise data selected from the group consisting of online social networking data, professional association data, e-mail sender data, e-mail recipient data, address book data, contacts data, social association data, religious congregation data.
  - 4. The computing apparatus of claim 1, wherein the pathology inference engine is further operable for constructing an out-of-network graph at least partly from the out-of-network data.
  - 5. The computing apparatus of claim 4, wherein inferring the malware outbreak hypothesis comprises constructing a Markov model of the out-of-network graph and a network graph.
  - 6. The computing apparatus of claim 5, wherein inferring the malware outbreak hypothesis further comprises identifying a bridge state between the out-of-network graph and the network graph.
  - 7. The computing apparatus of claim 6, wherein inferring the malware outbreak hypothesis further comprises dynamically redefining the out-of-network graph and network graph to enable evaluation across the graphs at the bridge state.
  - 8. The computing apparatus of claim 1, wherein inferring the malware outbreak hypothesis comprises constructing a dynamic state model to identify a plurality of outbreak scenarios.
  - 9. The computing apparatus of claim 1, wherein the pathology inference engine is further operable for constructing an outbreak scenario, and constructing a containment strategy to target specific endpoints for mitigation.
  - 10. The computing apparatus of claim 1, wherein the pathology inference engine is further operable for:
    - constructing telemetry graph at least partly from the telemetry data;
      
      constructing an out-of-network graph at least partly from the out-of-network data; and
      
      formulating a pandemic hypothesis based at least in part on the telemetry graph and the out-of-network graph.
  - 11. The computing apparatus of claim 10, wherein the pathology inference engine is further operable for simulating the pandemic hypothesis.
  - 12. The computing apparatus of claim 10, wherein the pathology inference engine is further operable for formulating a pandemic countermeasure.
  - 13. The computing apparatus of claim 12, wherein the pathology inference engine is further operable for simulating the pandemic countermeasure.

14. One or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions operable for instructing a processor to provide a pathology inference engine operable for:
- receiving network telemetry data from a client device;
  
  receiving out-of-network telemetry data from the client device; and
  
  inferring, based at least in part on the network telemetry data and out-of-network data, a predictive malware outbreak hypothesis.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more computer-readable mediums of claim 14, wherein the out-of-network data comprise social networking data.
  - 16. The one or more computer-readable mediums of claim 15, wherein the social network data comprise data selected from the group consisting of online social networking data, professional association data, e-mail sender data, e-mail recipient data, address book data, contacts data, social association data, religious congregation data.
  - 17. The one or more computer-readable mediums of claim 14, wherein the pathology inference engine is further operable for constructing an out-of-network graph at least partly from the out-of-network data.
  - 18. The one or more computer-readable mediums of claim 17, wherein inferring the malware outbreak hypothesis comprises constructing a Markov model of the out-of-network graph and a network graph.
  - 19. The one or more computer-readable mediums of claim 18, wherein inferring the malware outbreak hypothesis further comprises identifying a bridge state between the out-of-network graph and the network graph.
  - 20. The one or more computer-readable mediums of claim 19, wherein inferring the malware outbreak hypothesis further comprises dynamically redefining the out-of-network graph and network graph to enable evaluation across the graphs at the bridge state.
  - 21. The one or more computer-readable mediums of claim 14, wherein inferring the malware outbreak hypothesis comprises constructing a dynamic state model to identify a plurality of outbreak scenarios.
  - 22. The one or more computer-readable mediums of claim 14, wherein the pathology inference engine is further operable for constructing an outbreak scenario, and constructing a containment strategy to target specific endpoints for mitigation.
  - 23. The one or more computer-readable mediums of claim 14, wherein the pathology inference engine is further operable for:
    - constructing telemetry graph at least partly from the telemetry data;
      
      constructing an out-of-network graph at least partly from the out-of-network data; and
      
      formulating a pandemic hypothesis based at least in part on the telemetry graph and the out-of-network graph.

24. A computer-implemented method of providing pathology inference, comprising:
- receiving network telemetry data from a client device;
  
  receiving out-of-network telemetry data from the client device; and
  
  inferring, based at least in part on the network telemetry data and out-of-network data, a predictive malware outbreak hypothesis.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising:
    - constructing an out-of-network graph at least partly from the out-of-network telemetry data;
      
      constructing a network graph at least partly from the network telemetry data; and
      
      constructing a Markov model of the out-of-network graph and the network graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Gutierrez, Esteban, Kapoor, Aditya, Smith, Ned M., Woodruff, Andrew
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US14/583,632
Publication Number

US 20160188880A1
Time in Patent Office

899 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/567   using dedicated hardware

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Outbreak pathology inference

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Outbreak pathology inference

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links