IDENTIFYING SUSPECTED MALWARE FILES AND SITES BASED ON PRESENCE IN KNOWN MALICIOUS ENVIRONMENT
Abstract
Disclosed herein is a system and method for identifying potential sources of malicious activity, as well as potentially malicious files that originated from suspected malicious sources. Using an anchor event and telemetry data from devices known to have been infected by malicious activity, similar events in the telemetry data of two devices can be identified. These satellite events are then used to identify other files that may have been deposited by the satellite event, so that those files can be highlighted to a malware researcher. Additionally, the malware protection may be updated based on this analysis to label the site associated with the satellite event as a malicious site, so that the site can be blocked or quarantined.
20 Claims
1. A method for identifying potential malware comprising:
identifying an anchor event in a first telemetry data stream having a plurality of events, wherein the anchor event is an event previously identified as a potentially suspicious event; and
identifying at least one satellite event in a second telemetry data stream that corresponds to one of the plurality of events in the first telemetry data stream, wherein the at least one satellite event is different from the anchor event, but has a relationship to the anchor event;
wherein the preceding steps are executed by at least one processor.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for identifying malicious activity comprising:
a telemetry gathering component configured to receive a plurality of telemetry data streams from a plurality of devices, each of the plurality of telemetry data streams having a plurality of events;
an anchor identification component configured to identify an anchor event in a first telemetry data stream; and
a satellite identification component configured to identify a satellite event in at least a second telemetry data stream, the satellite event corresponding to an event in the first telemetry data stream within an anchor timeframe from the anchor event.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A computer readable storage medium having computer executable instructions that when executed by at least one processor cause at least one computing device to:
receive a plurality of telemetry data streams from a plurality of devices, each of the plurality of telemetry data streams having information related to events that occurred on an associated device;
identify in a first telemetry data stream an anchor event, the anchor event indicative of a potential malicious event in the first telemetry data stream;
compare the first telemetry data stream with a second telemetry data stream to identify a satellite event occurring in both the first and the second telemetry data streams, wherein the satellite event is related to the anchor event in the first data stream and occurs within an anchor timeframe from the anchor event; and
update a malware protection component to block access to a site associated with the satellite event based on the satellite event appearing in at least two different telemetry data streams.
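The three independent claims describe one pipeline: pick an anchor event in one device's telemetry, look for events near it in time that also show up in other devices' telemetry (satellite events), surface the files written after those events, and block the satellite site once it has been seen on at least two devices. The following is an added illustration of that pipeline, not code from the patent or its assignee. The event schema, the ten-minute anchor timeframe, the small blocklist that seeds the anchor, the allowlist used to suppress events that are common on every machine (a refinement the claims do not mention), and all telemetry, hostnames and hashes are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    device: str
    ts: datetime
    kind: str          # "download" (network fetch) or "file_write"
    site: str = ""     # origin site for downloads
    path: str = ""     # destination path for file writes
    sha256: str = ""   # placeholder content hash (constructed, not a real IoC)


T0 = datetime(2024, 1, 1, 12, 0)                    # constructed reference time
TIMEFRAME = timedelta(minutes=10)                   # assumed "anchor timeframe"
KNOWN_BAD = frozenset({"evil.example"})             # constructed blocklist seeding the anchor
ALLOWLIST = frozenset({"updates.vendor.example"})   # assumed noise suppression (not in the claims)


def ev(device, minutes, kind, **kw):
    return Event(device, T0 + timedelta(minutes=minutes), kind, **kw)


# Constructed telemetry: host-A and host-B both fetched the same second-stage site;
# host-C only shares the benign update traffic with host-A.
STREAM_A = [
    ev("host-A", 0, "download", site="evil.example", sha256="aaa"),
    ev("host-A", 1, "file_write", path="C:/Users/a/loader.exe", sha256="aaa"),
    ev("host-A", 2, "download", site="cdn-drop.example", sha256="bbb"),
    ev("host-A", 3, "file_write", path="C:/ProgramData/payload.dll", sha256="bbb"),
    ev("host-A", 5, "download", site="updates.vendor.example", sha256="ccc"),
    ev("host-A", 7, "download", site="news.example", sha256="ddd"),
]
STREAM_B = [
    ev("host-B", -180, "download", site="updates.vendor.example", sha256="ccc"),
    ev("host-B", 60, "download", site="cdn-drop.example", sha256="bbb"),
    ev("host-B", 61, "file_write", path="C:/ProgramData/payload.dll", sha256="bbb"),
]
STREAM_C = [
    ev("host-C", 30, "download", site="updates.vendor.example", sha256="ccc"),
    ev("host-C", 45, "download", site="other-news.example", sha256="eee"),
]


def event_key(e):
    """What makes two events on different devices 'correspond'."""
    return (e.kind, e.site, e.sha256)


def find_anchor(stream, suspicious_sites):
    """Anchor event: the earliest download from a site already known to be bad."""
    for e in sorted(stream, key=lambda x: x.ts):
        if e.kind == "download" and e.site in suspicious_sites:
            return e
    return None


def find_satellites(first_stream, anchor, other_streams, timeframe, allowlist=frozenset()):
    """Downloads in the first stream within the anchor timeframe that also appear
    (same key) in at least one other stream. Returns {site: set of devices}."""
    seen_elsewhere = defaultdict(set)
    for stream in other_streams:
        for e in stream:
            seen_elsewhere[event_key(e)].add(e.device)
    satellites = {}
    for e in first_stream:
        if e is anchor or e.kind != "download" or e.site in allowlist:
            continue
        if abs(e.ts - anchor.ts) > timeframe:
            continue
        others = seen_elsewhere.get(event_key(e))
        if others:
            satellites[e.site] = {e.device} | others
    return satellites


def files_dropped_after(stream, site, timeframe):
    """File writes following a download from `site` within the timeframe:
    the files to surface to a researcher."""
    hits = set()
    for d in stream:
        if d.kind != "download" or d.site != site:
            continue
        for e in stream:
            if e.kind == "file_write" and d.ts <= e.ts <= d.ts + timeframe:
                hits.add(e.path)
    return sorted(hits)


def sites_to_block(satellites, min_devices=2):
    """Block a site once its satellite event was seen on at least two devices."""
    return sorted(s for s, devs in satellites.items() if len(devs) >= min_devices)


if __name__ == "__main__":
    anchor = find_anchor(STREAM_A, KNOWN_BAD)
    sats = find_satellites(STREAM_A, anchor, [STREAM_B, STREAM_C], TIMEFRAME, ALLOWLIST)
    print("satellites:", sats)
    for site in sites_to_block(sats):
        print("block", site, "->", files_dropped_after(STREAM_A, site, TIMEFRAME))
```

Run without the allowlist and `updates.vendor.example` is also reported as a satellite, because a common update site falls inside the anchor window on every host; that is the main false-positive source in this design, and why the example correlates on a (kind, site, hash) key and lets the caller suppress known-good sites before anything is blocked.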