MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS
Abstract
A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
20 Claims
1. A computer-readable storage device containing computer-executable instructions to control a computing device to analyze effects of a malware infection by a method comprising:
receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machines being suspected of being infected with malware; comparing the monitored activities of the post-infection snapshots to identify monitored activities that are common across multiple post-infection snapshots; and tagging as possibly being caused by the malware infection the monitored activities that are common across multiple post-infection snapshots.
Dependent claims: 2, 3, 4, 5.

6. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of the machines suspected of being infected with malware subsequent to the machines being suspected of being infected with malware; and comparing the monitored activities of the post-infection snapshots to identify monitored activities that may be related to the malware infection.
Dependent claims: 7, 8, 9, 10, 11, 12, 13.

14. A computing device for analyzing a malware infection comprising:
a data store storing post-infection snapshots of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machine being suspected of being infected with malware; a memory storing computer-executable instructions of a component that identifies monitored activities that are common across multiple post-infection snapshots and a component that indicates that the monitored activities may be related to the malware infection; and a processor that executes the computer-executable instructions stored in the memory.
Dependent claims: 15, 16, 17, 18, 19, 20.
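The following is an added example written for this page; it is not the patent holder's implementation and is not taken from the patent's specification. It shows the two mechanisms the abstract and claim 1 describe: building time-bounded pre- and post-notification snapshots of monitored activities on each machine, then counting which post-infection activities recur across several machines and tagging those as possibly caused by the infection. The activity records, the five-minute windows, the two-machine threshold and the host names are constructed assumptions. One refinement goes beyond the claims and is marked as such in the code: activities that were already common across machines before the notification (for example a periodic time-sync connection) are tagged as baseline rather than as infection effects, which is the first false-positive source an analyst would want suppressed.

```python
"""Cross-machine cause-and-effect analysis of post-infection activity.

Added illustrative example for this page, not the patent's own code.
All sample events, hosts, paths and time windows are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Activity:
    """One monitored activity. The timestamp lives on the Event, not here,
    so the same activity observed on two machines compares equal."""
    kind: str    # e.g. "file_write", "registry_set", "net_connect"
    target: str  # file path, registry value or host:port


@dataclass(frozen=True)
class Event:
    t: float     # seconds since monitoring started (constructed units)
    activity: Activity


def time_bounded_snapshots(events: Iterable[Event], notified_at: float,
                           before: float = 300.0, after: float = 300.0
                           ) -> Tuple[Set[Activity], Set[Activity]]:
    """Abstract: snapshot the activities in the window before the suspected
    infection was reported and in the window after it."""
    pre = {e.activity for e in events if notified_at - before <= e.t < notified_at}
    post = {e.activity for e in events if notified_at <= e.t <= notified_at + after}
    return pre, post


def common_activities(snapshots: Iterable[Set[Activity]],
                      min_machines: int = 2) -> Dict[Activity, int]:
    """Claim 1: count, per activity, how many machines' snapshots contain it
    and keep those common to at least min_machines. Each machine contributes
    at most once per activity because snapshots are sets."""
    counts: Counter = Counter()
    for snap in snapshots:
        counts.update(snap)
    return {a: n for a, n in counts.items() if n >= min_machines}


def tag_activities(machine_events: Dict[str, Tuple[List[Event], float]],
                   min_machines: int = 2, **window) -> Dict[Activity, Tuple[str, int]]:
    """Run the pipeline over {machine_id: (events, notified_at)} and return
    {activity: (tag, number_of_machines)}. Suppressing activities that were
    already common before the notification is this example's assumption,
    not something the claims recite."""
    pres, posts = [], []
    for events, notified_at in machine_events.values():
        pre, post = time_bounded_snapshots(events, notified_at, **window)
        pres.append(pre)
        posts.append(post)
    common_pre = common_activities(pres, min_machines)
    tags = {}
    for act, n in common_activities(posts, min_machines).items():
        label = "baseline" if act in common_pre else "possible_infection_effect"
        tags[act] = (label, n)
    return tags


# --- constructed sample telemetry from three hosts --------------------------
def _ev(t: float, kind: str, target: str) -> Event:
    return Event(t, Activity(kind, target))

NTP = ("net_connect", "time.example.net:123")                         # benign, periodic
DROP = ("file_write", r"C:\Users\user\AppData\Local\Temp\upd.tmp")    # seen after notice
REG = ("registry_set", r"HKCU\Software\ExampleVendor\Updater\Enabled")
C2 = ("net_connect", "203.0.113.7:443")                               # TEST-NET address
DOC = ("file_write", r"C:\Users\user\Documents\report.docx")          # one host only

SAMPLE = {
    "host-a": ([_ev(10, *NTP), _ev(95, *DOC), _ev(120, *NTP), _ev(130, *DROP),
                _ev(131, *REG), _ev(140, *C2)], 100.0),
    "host-b": ([_ev(400, *NTP), _ev(520, *DROP), _ev(521, *REG), _ev(530, *C2),
                _ev(610, *NTP)], 500.0),
    "host-c": ([_ev(900, *NTP), _ev(1015, *DROP), _ev(1030, *C2),
                _ev(1100, *NTP)], 1000.0),
}

if __name__ == "__main__":
    for act, (label, n) in sorted(tag_activities(SAMPLE).items(), key=lambda kv: -kv[1][1]):
        print(f"{label:26} machines={n}  {act.kind}:{act.target}")
```

With the constructed data, the temporary-file write and the outbound connection appear on all three hosts only after the notification and are tagged as possible infection effects, the registry change is tagged on two hosts, the time-sync connection is demoted to baseline because it was equally common before the notification, and the single document write on host-a never crosses the threshold. Raising `min_machines` is the knob that trades recall for precision.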
Specification