MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS
First Claim
1. A method performed by a computing device for analyzing a malware infection, the method comprising:
receiving post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machines being suspected of being infected with malware; and
comparing the monitored activities of the post-infection snapshots to identify monitored activities that are common across multiple post-infection snapshots and that may be caused by the malware.
Abstract
A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
20 Claims
6. A computer-readable memory containing computer-executable instructions for controlling a computing device to analyze a malware infection, the computer-executable instructions comprising instructions that:
receive post-infection snapshots from a plurality of machines suspected of being infected with malware, the post-infection snapshot of a machine identifying monitored activities of the machine that occurred subsequent to the machine being suspected of being infected with malware; and
compare the monitored activities of the post-infection snapshots to identify monitored activities that are common across multiple post-infection snapshots.
14. A computing device for analyzing a malware infection comprising:
a data store storing post-infection snapshots of machines suspected of being infected with malware, the post-infection snapshots identifying monitored activities of machines suspected of being infected with malware subsequent to the machine being suspected of being infected with malware;
a memory storing computer-executable instructions of a component that identifies monitored activities that are common across multiple post-infection snapshots and that may be related to the malware infection; and
a processor that executes the computer-executable instructions stored in the memory.
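The time-bounded snapshots of the abstract and the cross-machine comparison of the claims, as an added Python example that is not part of the patent or of any product it covers: the per-machine activity records, notification times, host names, path and address are constructed, and subtracting activities already present in a machine's pre-infection snapshot is an assumption of this example, not something the claims state.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed monitoring records for three machines: (timestamp, activity), where an
# activity is a (kind, detail) pair. All hosts, paths and addresses are made up.
MONITORED = {
    "host-a": [
        (datetime(2024, 5, 1, 9, 58), ("process_start", "update.exe")),
        (datetime(2024, 5, 1, 10, 2), ("file_create", r"C:\Temp\x.dll")),
        (datetime(2024, 5, 1, 10, 3), ("net_connect", "203.0.113.7:443")),
        (datetime(2024, 5, 1, 10, 4), ("process_start", "update.exe")),
    ],
    "host-b": [
        (datetime(2024, 5, 1, 11, 1), ("file_create", r"C:\Temp\x.dll")),
        (datetime(2024, 5, 1, 11, 2), ("net_connect", "203.0.113.7:443")),
        (datetime(2024, 5, 1, 11, 5), ("process_start", "update.exe")),
        (datetime(2024, 5, 1, 11, 9), ("process_start", "notepad.exe")),
    ],
    "host-c": [
        (datetime(2024, 5, 1, 12, 5), ("net_connect", "203.0.113.7:443")),
        (datetime(2024, 5, 1, 12, 40), ("file_create", r"C:\Temp\x.dll")),
    ],
}
# Time at which each machine was reported as a suspected infection (constructed).
NOTIFIED = {"host-a": datetime(2024, 5, 1, 10, 0),
            "host-b": datetime(2024, 5, 1, 11, 0),
            "host-c": datetime(2024, 5, 1, 12, 0)}

def snapshot(events, notified_at, window, post):
    """Time-bounded snapshot: activities within `window` after (post=True)
    or before (post=False) the notification of the suspected infection."""
    lo, hi = ((notified_at, notified_at + window) if post
              else (notified_at - window, notified_at))
    return {act for ts, act in events if lo <= ts <= hi}

def common_activities(snapshots, min_machines=2):
    """Activities present in at least `min_machines` of the given snapshots."""
    counts = Counter(act for snap in snapshots.values() for act in snap)
    return {act: n for act, n in counts.items() if n >= min_machines}

def analyze(window_minutes=30, min_machines=2):
    window = timedelta(minutes=window_minutes)
    post = {m: snapshot(ev, NOTIFIED[m], window, True) for m, ev in MONITORED.items()}
    pre = {m: snapshot(ev, NOTIFIED[m], window, False) for m, ev in MONITORED.items()}
    # Assumption beyond the patent text: an activity a machine was already performing
    # before its notification is unlikely to be an effect of the malware, so drop it.
    baseline = set().union(*pre.values())
    return {a: n for a, n in common_activities(post, min_machines).items() if a not in baseline}
```

With the 30-minute window, `update.exe` is common to two machines but is discarded because host-a ran it before its notification; widening the window to 60 minutes pulls host-c's late file creation into its snapshot and raises that activity's count to three.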