MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS
First Claim

1. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
- receiving pre-infection snapshots from a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were conducted at machines suspected of being infected with malware prior to the machine being suspected of being infected with malware;
- comparing the monitored activities of the pre-infection snapshots to identify monitored activities that are common across multiple pre-infection snapshots; and
- tagging as being suspicious at least some monitored activities that are common across multiple pre-infection snapshots.
Abstract
A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
Claims (20 in total; the independent claims 1, 8 and 15 are shown)

1. Independent claim; full text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.

8. A computer-readable storage device containing computer-executable instructions for controlling a computing device to analyze a malware infection by a method comprising:
- receiving snapshots of machines suspected of being infected with malware, the snapshots identifying monitored activities of machines suspected of being infected with malware during a time frame associated with the machines being suspected of being infected with malware; and
- comparing the monitored activities of the snapshots to identify monitored activities that may be related to a cause of the malware infection.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A computing device for analyzing a malware infection comprising:
- a data store storing pre-infection snapshots of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were performed at machines suspected of being infected with malware prior to the machines being suspected of being infected with malware;
- a memory storing computer-executable instructions of:
  - a component that identifies monitored activities that are common across multiple pre-infection snapshots; and
  - a component that indicates the monitored activities that are common across multiple pre-infection snapshots may be related to the cause of the infection; and
- a processor that executes the computer-executable instructions stored in the memory.
Dependent claims: 16, 17, 18, 19, 20.
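As an added illustration (not code from the patent or its assignee), the following Python sketch implements the time-bounded snapshot described in the Abstract and the cross-machine comparison and tagging of claims 1, 8 and 15. The Activity record layout, the one-hour window, the host names and the sample events are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Activity:  # one monitored activity record (constructed layout, an assumption)
    machine: str
    ts: datetime
    kind: str    # e.g. "url_visit", "file_write", "process_start"
    target: str  # the object the activity touched

def snapshot(activities, machine, notified_at, window, post=False):
    """Time-bounded snapshot for one machine: activities in the window before the
    infection notification, or after it when post=True (as in the Abstract)."""
    lo, hi = (notified_at, notified_at + window) if post else (notified_at - window, notified_at)
    return {(a.kind, a.target) for a in activities if a.machine == machine and lo <= a.ts <= hi}

def common_activities(snapshots, min_machines=2):
    """Compare snapshots across machines and tag as suspicious every activity
    common to at least min_machines of them (claim 1); value = snapshot count."""
    counts = Counter(act for snap in snapshots for act in snap)
    return {act: n for act, n in counts.items() if n >= min_machines}

# Constructed sample: three hosts reported as suspected infected at T0.
T0 = datetime(2024, 1, 1, 12, 0)
WINDOW = timedelta(hours=1)
NOTIFIED = {"host-a": T0, "host-b": T0, "host-c": T0}
SAMPLE = [
    Activity("host-a", T0 - timedelta(minutes=30), "url_visit", "example.invalid/promo"),
    Activity("host-a", T0 - timedelta(minutes=20), "file_write", "C:/Users/a/Downloads/setup.exe"),
    Activity("host-a", T0 - timedelta(minutes=5), "process_start", "setup.exe"),
    Activity("host-b", T0 - timedelta(minutes=25), "url_visit", "example.invalid/promo"),
    Activity("host-b", T0 - timedelta(minutes=10), "process_start", "setup.exe"),
    Activity("host-b", T0 - timedelta(hours=5), "process_start", "notepad.exe"),  # outside window
    Activity("host-c", T0 - timedelta(minutes=15), "process_start", "setup.exe"),
    Activity("host-c", T0 - timedelta(minutes=2), "file_write", "C:/Users/c/report.docx"),
    Activity("host-c", T0 + timedelta(minutes=3), "process_start", "cmd.exe"),  # post-notification
]

def analyze(activities=SAMPLE, notified=NOTIFIED, window=WINDOW, min_machines=2):
    """One pre-infection snapshot per machine, then the cross-machine comparison."""
    pre = [snapshot(activities, m, t, window) for m, t in notified.items()]
    return common_activities(pre, min_machines)

if __name__ == "__main__":
    for act, n in sorted(analyze().items(), key=lambda kv: -kv[1]):
        print(f"suspicious (seen on {n} machines): {act}")
```

In practice a baseline from machines not suspected of infection is also needed, so that routine activities common to every host (a scheduled backup, a patch run) are not tagged along with the genuine cause.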