Malicious code infection cause-and-effect analysis
Abstract
A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
18 Claims
1. A computer-readable memory storing computer-executable instructions for controlling a computing device to analyze a malware infection, the computer-executable instructions comprising instructions that:
- receive a pre-infection snapshot from each of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were conducted at machines suspected of being infected with malware prior to the machine being suspected of being infected with malware;
- compare the monitored activities of the pre-infection snapshots of each of the plurality of machines to the monitored activities of the pre-infection snapshots of other machines to identify monitored activities that are common across multiple machines; and
- automatically re-configure security policies of the plurality of machines based on analysis of the monitored activities that are common to prevent a future infection caused by malware.

Dependent claims: 2, 3, 4, 5, 6, 7

8. A method performed by a computing device to analyze a malware infection, the method comprising:
- receiving a snapshot of each of a plurality of machines suspected of being infected with malware, each snapshot identifying monitored activities of a machine suspected of being infected with malware during a time frame associated with the machines being suspected of being infected with malware;
- comparing the monitored activities of the snapshots of one or more of the plurality of machines to the monitored activities of the snapshots of other machines to identify monitored activities that are common to multiple machines and that are candidates for being related to a cause of the malware infection;
- indicating the monitored activities that are common as a possible cause of the malware infection; and
- providing a recommendation for responding to the malware infection.

Dependent claims: 9, 10, 11, 12

13. A computing device for analyzing a malware infection comprising:
- a data store storing pre-infection snapshots of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were performed at machines suspected of being infected with malware prior to the machines being suspected of being infected with malware;
- a memory storing computer-executable instructions that:
  - indicate monitored activities of the pre-infection snapshots that are common to the machines and that are candidates for being related to the cause of the infection by comparing the monitored activities of the pre-infection snapshots of machines to the monitored activities of the pre-infection snapshots of other machines; and
  - provide an alert and a recommendation for responding to the malware infection based on the identified monitored activities so that security policies can be changed to prevent a future malware infection; and
- a processor that executes the computer-executable instructions stored in the memory.

Dependent claims: 14, 15, 16, 17, 18
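The cross-machine comparison that the abstract and independent claims 1, 8 and 13 describe, as an added Python example that is not part of the patent: each machine's monitored activities are cut to a time-bounded pre-infection window, the snapshots are compared to find activities common to several suspected machines, and each candidate cause is mapped to a policy recommendation. The 24-hour window, the activity kinds, the baseline of activity seen on known-clean machines (used here to drop routine noise) and all sample telemetry are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed length of the pre-infection time frame

def pre_infection_snapshot(activities, suspected_at, window=WINDOW):
    """Time-bounded snapshot: the activities one machine performed within
    `window` before it was flagged as suspected infected."""
    start = suspected_at - window
    return {(kind, value) for ts, kind, value in activities if start <= ts < suspected_at}

def common_activities(snapshots, baseline=frozenset(), min_machines=2):
    """Count how many suspected machines performed each activity and keep those
    seen on at least `min_machines`; activities in the known-clean baseline are dropped."""
    counts = Counter()
    for snap in snapshots.values():
        counts.update(snap - baseline)
    return {act: n for act, n in counts.items() if n >= min_machines}

def recommend(common, total_machines):
    """Turn candidate causes into policy recommendations, most prevalent first."""
    actions = {"url": "block URL at the web proxy",
               "file_hash": "quarantine and blocklist file hash",
               "email_attachment": "quarantine attachment at the mail gateway"}
    ranked = sorted(common.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{actions.get(kind, 'review activity')} {value} "
            f"(seen on {n}/{total_machines} suspected machines)"
            for (kind, value), n in ranked]

# Constructed sample telemetry, not taken from the patent: (timestamp, kind, value).
T = datetime(2024, 3, 1, 12, 0)  # time the infection was suspected
ACTIVITIES = {
    "ws1": [(T - timedelta(hours=30), "url", "http://news.example.test/"),  # outside window
            (T - timedelta(hours=3), "url", "http://downloads.example.test/setup.exe"),
            (T - timedelta(hours=3), "file_hash", "sha256:CONSTRUCTED-AAA"),
            (T - timedelta(hours=1), "url", "http://update.example.test/")],
    "ws2": [(T - timedelta(hours=5), "url", "http://downloads.example.test/setup.exe"),
            (T - timedelta(hours=5), "file_hash", "sha256:CONSTRUCTED-AAA"),
            (T - timedelta(hours=2), "url", "http://update.example.test/")],
    "ws3": [(T - timedelta(hours=30), "url", "http://news.example.test/"),
            (T - timedelta(hours=8), "email_attachment", "invoice.pdf"),
            (T - timedelta(hours=4), "url", "http://update.example.test/")],
}
BASELINE = frozenset({("url", "http://update.example.test/")})  # routine on clean machines

def analyze(activities=ACTIVITIES, suspected_at=T, baseline=BASELINE):
    snaps = {m: pre_infection_snapshot(a, suspected_at) for m, a in activities.items()}
    common = common_activities(snaps, baseline)
    return common, recommend(common, len(snaps))
```

Activities older than the window and activities that also occur on clean machines fall out, leaving only the download and the executed file that the two affected machines share.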