IDENTIFYING SUSPECTED MALWARE FILES AND SITES BASED ON PRESENCE IN KNOWN MALICIOUS ENVIRONMENT

US 20150341372A1
Filed: 05/20/2014
Published: 11/26/2015
Est. Priority Date: 05/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method for identifying potentially malware comprising:

identifying an anchor event in a first telemetry data stream having a plurality of events, wherein the anchor event is an event previously identified as a potentially suspicious event; and

identifying at least one satellite event in a second telemetry data stream that corresponds to one of the plurality of events in the first telemetry data stream wherein the at least one satellite event is different from the anchor event, but has a relationship to the anchor event;

wherein the preceding steps are executed by at least one processor.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a system and method for identifying potential sources of malicious activity as well as identifying potentially malicious files that originated from suspected malicious sources. Using an anchor event and telemetry data from devices known to have been infected by malicious activity similar events in the telemetry data between two devices can be identified. These satellite events are then used to identify other files that may have been deposited by the satellite event such that those files can be highlighted to a malware researcher. Additionally, the malware protection may be updated based on this analysis to label an associated site with the satellite event as a malicious site such that the site may be blocked or quarantined.

3 Citations

View as Search Results

20 Claims

1. A method for identifying potentially malware comprising:
- identifying an anchor event in a first telemetry data stream having a plurality of events, wherein the anchor event is an event previously identified as a potentially suspicious event; and
  
  identifying at least one satellite event in a second telemetry data stream that corresponds to one of the plurality of events in the first telemetry data stream wherein the at least one satellite event is different from the anchor event, but has a relationship to the anchor event;
  
  wherein the preceding steps are executed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - receiving telemetry data from a plurality of devices, the telemetry data including at least one event identified as an anchor event.
  - 3. The method of claim 1 further comprising:
    - identifying the at least one satellite event in at least a third telemetry data steam; and
      
      identifying an unreported anchor event in the at least third telemetry data stream, wherein the unreported anchor event appears in the at least third telemetry data stream with an anchor timeframe associated with the anchor event.
  - 4. The method of claim 3 wherein the unreported anchor event is classified as malicious.
  - 5. The method of claim 1 further comprising:
    - identifying the at least one satellite event in at least a third telemetry data stream; and
      
      classifying the at least one satellite event as a malicious event.
  - 6. The method of claim 5 wherein classifying further comprising:
    - comparing the at least one satellite event to a whitelist of known safe events; and
      
      classifying the at least one satellite event as the malicious event if the at least one satellite event does not appear in the whitelist.
  - 7. The method of claim 5 further comprising:
    - updating a malware protection system with an indication that the at least one satellite event is malicious.
  - 8. The method of claim 7 wherein updating comprises causing the malware protection system to block access to a site associated with the at least one satellite event.
  - 9. The method of claim 5 wherein classifying the at least one satellite event as a malicious event classifies when the at least one satellite event is present in more than a threshold number of telemetry data streams.
  - 10. The method of claim 1 further comprising:
    - treating at least one satellite event as a second anchor event; and
      
      identifying in the first telemetry data stream and the second telemetry data stream a second satellite event occurring within an anchor timeframe from the satellite event, wherein the second satellite event has a relationship to the at least one satellite event.

11. A system for identifying malicious activity comprising:
- a telemetry gathering component configured to receive a plurality of telemetry data streams from a plurality of devices, each of the plurality of telemetry data streams having a plurality of events;
  
  an anchor identification component configured to identify an anchor event in a first telemetry data stream; and
  
  a satellite identification component configured to identify a satellite event in at least a second telemetry data stream, the satellite event corresponding to an event in the first telemetry data stream within an anchor timeframe from the anchor event.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11 wherein the anchor event corresponds to a potential malicious event.
  - 13. The system of claim 11 further comprising:
    - a malware protection component configured to identify potential malicious activity on at least one of the plurality of devices and provide telemetry data streams to the telemetry gathering component.
  - 14. The system of claim 11 wherein the satellite identification component is further configured to identify the satellite event in a third telemetry data stream and to identify an unidentified anchor event in the third telemetry data stream, the unidentified anchor event having a relationship to the satellite event and occurring within the anchor timeframe.
  - 15. The system of claim 14 wherein the satellite identification component is configured to flag the unidentified anchor event as potential malware.
  - 16. The system of claim 11 wherein the satellite identification component is further configured to identify in both the first and the second telemetry data streams a second satellite event, the second satellite event having a relationship to the satellite event and occurring within a second anchor timeframe from the satellite event in both the first and the second telemetry data streams.
  - 17. The system of claim 11 wherein the second telemetry data stream is a telemetry data stream known to include malicious activity.
  - 18. The system of claim 11 wherein the first telemetry data stream is known to contain malicious activity and the second telemetry data stream is not known to contain malicious activity.
  - 19. The system of claim 11 wherein the satellite identification component is configured to generate an update for a malware protection component such that the malware protection component blocks access to a site associated with the satellite event.

20. A computer readable storage medium having computer executable instructions that when executed by at least one processor cause at least one computing device to:
- receive a plurality of telemetry data streams from a plurality of devices, each of the plurality of telemetry data streams having information related to events that occurred on an associated device;
  
  identify in a first telemetry data stream an anchor event, the anchor event indicative of a potential malicious event in the first telemetry data stream;
  
  compare the first telemetry data stream with a second telemetry data stream to identify a satellite event occurring in both the first and the second telemetry data streams wherein the satellite event is related to the anchor event in the first data stream and occurs within an anchor timeframe from the anchor event; and
  
  update a malware protection component to block access to a site associated with the satellite event based on the satellite event appearing in at least two different telemetry data streams.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Brand, Tomer, Michelson, Dan

Granted Patent

US 10,282,544 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

IDENTIFYING SUSPECTED MALWARE FILES AND SITES BASED ON PRESENCE IN KNOWN MALICIOUS ENVIRONMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING SUSPECTED MALWARE FILES AND SITES BASED ON PRESENCE IN KNOWN MALICIOUS ENVIRONMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links