Systems and methods for time-shifted detection of security threats
First Claim
1. A computer-implemented method for time-shifted detection of security threats, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- collecting, from a computing system, history data that describes activity of the computing system during a past time period;
- archiving the history data in association with the past time period;
- identifying, by a software security system that protects the computing system, a potential security threat to the computing system that:
  - was unknown to the software security system during the past time period;
  - is not currently present on the computing system; and
  - wherein the potential security threat comprises a security threat caused by malicious activity that removed evidence of the malicious activity before the software security became aware of the potential threat; and
- in response to identifying the potential security threat, replaying the history data through the software security system to enable the software security system to determine whether the computing system was affected by the potential security threat during the past time period.
Abstract
The disclosed computer-implemented method for time-shifted detection of security threats may include (1) collecting history data that describes activity of the computing system during a past time period, (2) archiving the history data in association with the past time period, (3) identifying a potential security threat to the computing system that was unknown to a software security system during the past time period, and (4) in response to identifying the potential security threat, replaying the history data through the software security system to enable the software security system to determine whether the computing system was affected by the potential security threat during the past time period. Various other methods, systems, and computer-readable media are also disclosed.
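The four steps of the abstract (collect, archive, identify a newly known threat, replay) are easiest to see against a case the claims single out: malicious activity that deleted its own artifacts before the security system had an indicator for it. The following Python model is an added illustration, not code from the patent or from any product it covers; the event schema, the rule engine, the hash value, the remote host (a TEST-NET address) and the timestamps are all constructed for the example.

```python
"""Time-shifted detection: archive endpoint history, then replay it through the
security system once a new indicator becomes known.  Added example; the event
format, rules and indicator values are constructed for illustration only."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int           # seconds since epoch (constructed values below)
    kind: str         # "file_create" | "process_start" | "net_connect" | "file_delete"
    subject: str      # file path, process path, or remote endpoint
    sha256: str = ""  # file hash where applicable (placeholder, not a real sample)


Rule = Callable[[Event], bool]


class SecuritySystem:
    """Minimal signature engine whose rule set grows as threat intelligence arrives."""

    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}

    def add_rule(self, name: str, rule: Rule) -> None:
        self.rules[name] = rule

    def scan(self, events: List[Event]) -> List[Tuple[str, Event]]:
        """Run every rule over every event; return (rule_name, event) hits."""
        return [(name, ev) for ev in events
                for name, rule in self.rules.items() if rule(ev)]


class HistoryArchive:
    """Collected history keyed by the past time period it covers (abstract steps 1 and 2)."""

    def __init__(self) -> None:
        self.periods: Dict[str, List[Event]] = {}

    def archive(self, period: str, events: List[Event]) -> None:
        self.periods.setdefault(period, []).extend(events)

    def replay(self, system: SecuritySystem) -> Dict[str, List[Tuple[str, Event]]]:
        """Step 4: feed each archived period back through the (now updated) system."""
        return {p: hits for p, evs in self.periods.items() if (hits := system.scan(evs))}


def live_files(events: List[Event]) -> Set[str]:
    """Reconstruct what is on disk *now* by applying create/delete events in order."""
    present: Set[str] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create":
            present.add(ev.subject)
        elif ev.kind == "file_delete":
            present.discard(ev.subject)
    return present


def scan_present_state(system: SecuritySystem, events: List[Event]) -> List[Tuple[str, Event]]:
    """What a conventional, present-time scan sees: only files still on disk."""
    present = live_files(events)
    current = [ev for ev in events if ev.kind == "file_create" and ev.subject in present]
    return system.scan(current)


# Constructed history for one day: a dropper lands, runs, beacons, then deletes itself.
DROPPER_SHA = "c0ffee" * 10 + "0000"  # placeholder 64-hex hash, not a real indicator
DAY_ONE = [
    Event(1704067200, "file_create", "/tmp/.cache/updater", DROPPER_SHA),
    Event(1704067260, "process_start", "/tmp/.cache/updater", DROPPER_SHA),
    Event(1704067300, "net_connect", "203.0.113.7:443"),
    Event(1704067400, "file_delete", "/tmp/.cache/updater", DROPPER_SHA),
]


def demo():
    system = SecuritySystem()
    archive = HistoryArchive()
    # History is collected and archived while the threat is still unknown to the system.
    archive.archive("2024-01-01", DAY_ONE)
    before = archive.replay(system)               # no rule knows the dropper yet
    # Later, threat intelligence makes the hash a known indicator (abstract step 3).
    system.add_rule("dropper_hash", lambda ev: ev.sha256 == DROPPER_SHA)
    now_on_disk = scan_present_state(system, DAY_ONE)   # evidence already removed
    after = archive.replay(system)                      # replay surfaces the past infection
    return before, now_on_disk, after


if __name__ == "__main__":
    b, n, a = demo()
    print("before intel:", b)
    print("present-state scan after intel:", n)
    print("replay after intel:", {p: [r for r, _ in hits] for p, hits in a.items()})
```

The present-state scan returns nothing even after the indicator is known, because the dropper removed itself; only replaying the archived period against the updated rule set attributes the compromise to 2024-01-01. In practice the archive would hold process, file and network telemetry rather than the four synthetic events used here, and the retention period bounds how far back such a replay can reach.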
18 Claims
1. Independent claim, as recited above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for time-shifted detection of security threats, the system comprising:
- a collection module, stored in memory, that collects, from a computing system, history data that describes activity of the computing system during a past time period;
- an archiving module, stored in memory, that archives the history data in association with the past time period;
- an identification module, stored in memory, that identifies, by a software security system that protects the computing system, a potential security threat to the computing system that:
  - was unknown to the software security system during the past time period;
  - is not currently present on the computing system; and
  - wherein the potential security threat comprises a security threat caused by malicious activity that removed evidence of the malicious activity before the software security became aware of the potential threat;
- a replaying module that, in response to identifying the potential security threat, replays the history data through the software security system to enable the software security system to determine whether the computing system was affected by the potential security threat during the past time period; and
- at least one physical processor configured to execute the collection module, the archiving module, the identification module, and the replaying module.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- collect, from a computing system, history data that describes activity of the computing system during a past time period;
- archive the history data in association with the past time period;
- identify, by a software security system that protects the computing system, a potential security threat to the computing system that:
  - was unknown to the software security system during the past time period;
  - is not currently present on the computing system; and
  - wherein the potential security threat comprises a security threat caused by malicious activity that removed evidence of the malicious activity before the software security became aware of the potential threat; and
- in response to identifying the potential security threat, replay the history data through the software security system to enable the software security system to determine if the computing system was affected by the potential security threat during the past time period.