MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS

US 20150101010A1
Filed: 09/09/2014
Published: 04/09/2015
Est. Priority Date: 12/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computing device for analyzing a malware infection, the method comprising:

receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machines being suspected of being infected with malware; and

comparing the monitored activities of the post-infection snapshots to identify monitored activities that are common across multiple post-infection snapshots and that may be caused by the malware.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.

13 Citations

View as Search Results

20 Claims

1. A method performed by a computing device for analyzing a malware infection, the method comprising:
- receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machines being suspected of being infected with malware; and
  
  comparing the monitored activities of the post-infection snapshots to identify monitored activities that are common across multiple post-infection snapshots and that may be caused by the malware.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 including prior to comparing the monitored activities, normalizing the monitored activities.
  - 3. The method of claim 2 wherein the normalizing includes associating categories with the monitored activities.
  - 4. The method of claim 3 wherein a first monitored activity and a second monitored activity are common when associated with the same category.
  - 5. The method of claim 1 including automatically re-configuring security policies to prevent future malware infections.

6. A computer-readable memory containing computer-executable instructions for controlling a computing device to analyze a malware infection, the computer-executable instructions comprising instructions that:
- receive post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshot of a machine identifying monitored activities of the machine that occurred subsequent to the machine being suspected of being infected with malware; and
  
  compare the monitored activities of the post-infection snapshots to identify monitored activities that are common across multiple post-infection snapshots.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The computer-readable memory of claim 6 wherein the computer-executable instructions further comprise instructions that tag as possibly being caused by the malware infection the monitored activities that are common across multiple post-infection snapshots.
  - 8. The computer-readable memory of claim 6 wherein the computer-executable instructions further comprise instructions that, prior to comparing the monitored activities, normalize the monitored activities.
  - 9. The computer-readable memory of claim 8 wherein the instructions that normalize associate categories with the monitored activities.
  - 10. The computer-readable memory of claim 8 wherein monitored activities associated with the same category are common.
  - 11. The computer-readable memory of claim 10 wherein the computer-executable instructions further comprise instructions that map the normalized activities to malware states of a malware state model.
  - 12. The computer-readable memory of claim 6 wherein the computer-executable instructions further comprise instructions that automatically re-configure security policies to prevent malware infections.
  - 13. The computer-readable memory of claim 6 wherein the computer-executable instructions further comprise instructions that, after identifying monitored activities that may be related to the malware infection, provide a recommendation for responding to the malware infection.

14. A computing device for analyzing a malware infection comprising:
- a data store storing post-infection snapshots of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machine being suspected of being infected with malware;
  
  a memory storing computer-executable instructions of a component that identifies monitored activities that are common across multiple post-infection snapshots and that may be related to the malware infection; and
  
  a processor that executes the computer-executable instructions stored in the memory.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computing device of claim 14 wherein the memory further stores computer-executable instructions of a component that, prior to comparing the monitored activities, normalizes the monitored activities.
  - 16. The computing device of claim 15 wherein the component that normalizes associates categories with the monitored activities.
  - 17. The computing device of claim 16 wherein a first normalized activity of a first machine and a second normalized activity of a second machine are common when associated with the same category.
  - 18. The computing device of claim 16 wherein the memory further stores computer-executable instructions of a component that maps the normalized activities to malware states of a malware state model.
  - 19. The computing device of claim 14 wherein the memory further stores computer-executable instructions of an expert system that, after monitored activities are identified, provides a recommendation for responding to the malware infection based on the identified monitored activities.
  - 20. The computing device of claim 14 wherein the memory further stores computer-executable instructions of a component that automatically re-configures security policies to prevent malware infections.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hartrell, Gregory D., Steeves, David J., Hudis, Efim

Granted Patent

US 9,910,981 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/565   by checking file integrity

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links