Aggregating the knowledge base of computer systems to proactively protect a computer from malware

US 20060236392A1
Filed: 03/31/2005
Published: 10/19/2006
Est. Priority Date: 03/31/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of collecting local machine events and aggregating the knowledge base of anti-malware services and other event detection systems to proactively protect a computer from malware, the method comprising:

(a) using the anti-malware services and other event detection systems to observe suspicious events that are potentially indicative of malware;

(b) determining whether the suspicious events satisfy a predetermined threshold; and

(c) if the suspicious events satisfy the predetermined threshold, applying a restrictive security policy to the computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with the present invention, a system, method, and computer-readable medium for aggregating the knowledge base of a plurality of security services or other event collection systems to protect a computer from malware is provided. One aspect of the present invention is a method that proactively protects a computer from malware. More specifically, the method comprises: using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware; determining if the suspicious events satisfy a predetermined threshold; and if the suspicious events satisfy the predetermined threshold, implementing a restrictive security policy designed to prevent the spread of malware.

130 Citations

View as Search Results

20 Claims

1. A computer-implemented method of collecting local machine events and aggregating the knowledge base of anti-malware services and other event detection systems to proactively protect a computer from malware, the method comprising:
- (a) using the anti-malware services and other event detection systems to observe suspicious events that are potentially indicative of malware;
  
  (b) determining whether the suspicious events satisfy a predetermined threshold; and
  
  (c) if the suspicious events satisfy the predetermined threshold, applying a restrictive security policy to the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as recited in claim 1, wherein using the anti-malware services and other event detection systems to observe suspicious events that are potentially indicative of malware includes receiving metadata that describes a suspicious event.
  - 3. The method as recited in claim 2, wherein the metadata that describes the suspicious event is accessible to the anti-malware services for characterizing an entity.
  - 4. The method as recited in claim 2, wherein the metadata that is received that describes the suspicious event includes:
    - (a) a weighted value generated by an anti-malware service that quantifies the probability that the suspicious event is indicative of malware; and
      
      (b) the reason the event was identified as being suspicious.
  - 5. The method as recited in claim 1, wherein determining if the suspicious events satisfy the threshold includes determining if the number of events for a given time frame is higher than a given value.
  - 6. The method as recited in claim 1, wherein determining if the events satisfy a threshold indicative of malware, includes:
    - (a) generating a weighted value for each suspicious event that quantifies the probability that the suspicious event is indicative of malware; and
      
      (b) determining whether the summation of the weighted values for the suspicious events is higher than a given value.
  - 7. The method as recited in claim 1, wherein the restrictive security policy prevents the entity associated with the observed suspicious events from performing actions and accessing resources on the computer in a way that is contrary to the policy.
  - 8. The method as recited in claim 1, wherein applying a restrictive security policy to the computer, includes:
    - (a) determining whether the entity is capable of being removed from the computer;
      
      (b) if the entity is capable of being removed from the computer, causing an anti-malware service to remove the entity from the computer. (c) conversely, if the entity is not capable of being removed, applying a general restrictive security policy designed to prevent the spread of malware.
  - 9. The method as recited in claim 8, wherein causing an anti-malware service to remove the entity from the computer includes applying a restrictive security policy designed to prevent the malware from subsequently infecting the computer.
  - 10. The method as recited in claim 8, wherein causing an anti-malware service to remove the entity includes allowing the anti-malware services to register and identify the types of malware that the anti-malware service is configured to remove from a computer.
  - 11. The method as recited in claim 8, wherein implementing a restrictive security policy includes restricting the ability of the computer to access data on a network.
  - 12. The method as recited in claim 11, wherein restricting the ability of the computer to access data on the network, includes:
    - (a) blocking network traffic on specific communication ports;
      
      (b) blocking communications from certain network-base applications;
      
      (c) blocking access to hardware and software components on the computer; and
      
      (d) blocking network traffic on specific communication ports and addresses.

13. A software system that proactively protects a computer from malware, the software system comprising:
- (a) an aggregation routine for determining whether an entity associated with the computer is malware, wherein the aggregation routine includes;
  
  (i) a data collector component operative to collect data that identifies suspicious events potentially indicative of malware;
  
  (ii) a data analyzer module that analyzes data collected by the data collector component to determine whether a threshold was satisfied; and
  
  (iii) a policy implementer operative to implement a restrictive security policy when the data analyzer component module determines that the threshold was satisfied; and
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The software system as recited in claim 13, further comprising an anti-malware service for identifying and reporting suspicious events to the data collector component that are potentially indicative of malware.
  - 15. The software system as recited in claim 14, wherein the anti-malware service is further configured to identify the entity that is associated with the suspicious events.
  - 16. The software system as recited in claim 13, further comprising in the event collection system for identifying events that occur on a computer and recording the events in a data store that is accessible to the aggregation routine.
  - 17. The software system as recited in claim 13, wherein the aggregation routine is further configured to:
    - (a) allow the anti-malware service to register to identify malware that the service is capable of removing from the computer; and
      
      (b) determine from the registration data whether the anti-malware service is capable of removing the malware from the computer when the data analyzer module determines that the threshold has been satisfied.
  - 18. The software system as recited in claim 13, wherein the data collector component is configured to receive and store metadata that:
    - (a) describes the probability that a suspicious event is characteristic of malware; and
      
      (b) identifies the reason that an event was marked as suspicious by the anti-malware service.

19. A computer-readable medium bearing computer-executable instructions that, when executed on a computer that includes an anti-malware service, causes the computer to:
- (a) use the anti-malware service to observe suspicious events that are potentially indicative of malware;
  
  (b) receive data from the anti-malware service that describes the suspicious events;
  
  (c) determine whether the suspicious events observed are indicative of malware; and
  
  (c) if the suspicious events are indicative of a malware, implement a restrictive security policy that restricts an entity associated with suspicious events from performing actions on the computer.
- View Dependent Claims (20)
- - 20. The computer readable medium as recited in claim 19, wherein the computer is further configured to:
    - (a) determine whether a malware infection exists; and
      
      (b) if a malware infection exists, prevent the computer from transmitting data to computers communicatively connected to the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dadhia, Rajesh K., Hudis, Efim, Bahl, Pradeep, Kramer, Michael, Costea, Mihai, Thomas, Anil Francis, Edery, Yigal

Granted Patent

US 8,516,583 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/577   Assessing vulnerabilities a...

Aggregating the knowledge base of computer systems to proactively protect a computer from malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

130 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Aggregating the knowledge base of computer systems to proactively protect a computer from malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links