Systems and methods for time-shifted detection of security threats

US 9,811,659 B1
Filed: 08/25/2015
Issued: 11/07/2017
Est. Priority Date: 08/25/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for time-shifted detection of security threats, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

collecting, from a computing system, history data that describes activity of the computing system during a past time period;

archiving the history data in association with the past time period;

identifying, by a software security system that protects the computing system, a potential security threat to the computing system that;

was unknown to the software security system during the past time period;

is not currently present on the computing system; and

wherein the potential security threat comprises a security threat caused by malicious activity that removed evidence of the malicious activity before the software security became aware of the potential threat; and

in response to identifying the potential security threat, replaying the history data through the software security system to enable the software security system to determine whether the computing system was affected by the potential security threat during the past time period.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for time-shifted detection of security threats may include (1) collecting history data that describes activity of the computing system during a past time period, (2) archiving the history data in association with the past time period, (3) identifying a potential security threat to the computing system that was unknown to a software security system during the past time period, and (4) in response to identifying the potential security threat, replaying the history data through the software security system to enable the software security system to determine whether the computing system was affected by the potential security threat during the past time period. Various other methods, systems, and computer-readable media are also disclosed.

16 Citations

View as Search Results

18 Claims

1. A computer-implemented method for time-shifted detection of security threats, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- collecting, from a computing system, history data that describes activity of the computing system during a past time period;
  
  archiving the history data in association with the past time period;
  
  identifying, by a software security system that protects the computing system, a potential security threat to the computing system that;
  
  was unknown to the software security system during the past time period;
  
  is not currently present on the computing system; and
  
  wherein the potential security threat comprises a security threat caused by malicious activity that removed evidence of the malicious activity before the software security became aware of the potential threat; and
  
  in response to identifying the potential security threat, replaying the history data through the software security system to enable the software security system to determine whether the computing system was affected by the potential security threat during the past time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein replaying the history data through the software security system is performed in response to an update to the software security system.
  - 3. The method of claim 1, wherein:
    - archiving the history data comprises;
      
      storing a remote copy of the history data to a remote storage device that is not part of the computing system; and
      
      storing a local copy of the history data to a local storage device that is part of the computing system; and
      
      replaying the history data through the software security system comprises comparing the local copy of the history data to the remote copy of the history data to detect tampering with the local copy of the history data.
  - 4. The method of claim 1, wherein:
    - collecting the history data comprises collecting information that describes the state of the computing system; and
      
      the information that describes the state of the computing system comprises at least one of;
      
      settings for an application installed on the computing system;
      
      information that identifies applications installed on the computing system;
      
      information that identifies files present on the computing system;
      
      information that identifies hardware installed on the computing system;
      
      a memory dump of the computing system; and
      
      information that identifies active processes on the computing system.
  - 5. The method of claim 1, wherein:
    - collecting the history data comprises collecting information that describes actions taken by the computing system during the past time period; and
      
      the information that describes actions taken by the computing system comprises at least one of;
      
      an event log;
      
      an error log;
      
      an auditing log;
      
      a configuration file;
      
      a registry entry; and
      
      metadata of the registry entry.
  - 6. The method of claim 1, wherein collecting the history data comprises filtering the actions taken by the computing system to exclude particular types of events from being recorded in the history data.
  - 7. The method of claim 1, further comprising:
    - determining, in response to replaying the history data through the software security system, that the computing system was affected by the potential security threat during the past time period; and
      
      performing a security action in response to determining that the computing system was affected by the potential security threat during the past time period.
  - 8. The method of claim 7, wherein performing the security action comprises at least one of:
    - alerting a user of the computing system that the computing system was affected by the potential security threat during the past time period;
      
      performing a scan of the computing system to determine if the computing system is still affected by the potential security threat; and
      
      creating a log entry indicating that the computing system was affected by the potential security threat.
  - 9. The method of claim 1, wherein identifying the potential security threat comprises receiving, at the software security system, information that enables the software security system to identify the potential security threat.

10. A system for time-shifted detection of security threat, the system comprising:
- a collection module, stored in memory, that collects, from a computing system, history data that describes activity of the computing system during a past time period;
  
  an archiving module, stored in memory, that archives the history data in association with the past time period;
  
  an identification module, stored in memory, that identifies, by a software security system that protects the computing system, a potential security threat to the computing system that;
  
  was unknown to the software security system during the past time period;
  
  is not currently present on the computing system; and
  
  wherein the potential security threat comprises a security threat caused by malicious activity that removed evidence of the malicious activity before the software security became aware of the potential threat;
  
  a replaying module that, in response to identifying the potential security threat, replays the history data through the software security system to enable the software security system to determine whether the computing system was affected by the potential security threat during the past time period; and
  
  at least one physical processor configured to execute the collection module, the archiving module, the identification module, and the replaying module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the replaying module replays the history data through the software security system in response to an update to the software security system.
  - 12. The system of claim 10, wherein:
    - the archiving module archives the history data by;
      
      storing a remote copy of the history data to a remote storage device that is not part of the computing system; and
      
      storing a local copy of the history data to a local storage device that is part of the computing system; and
      
      the replaying module replays the history data through the software security system by comparing the local copy of the history data to the remote copy of the history data to detect tampering with the local copy of the history data.
  - 13. The system of claim 10, wherein:
    - the collection module collects the history data by collecting information that describes the state of the computing system; and
      
      the information that describes the state of the computing system comprises at least one of;
      
      settings for an application installed on the computing system;
      
      information that identifies applications installed on the computing system;
      
      information that identifies files present on the computing system;
      
      information that identifies hardware installed on the computing system;
      
      a memory dump of the computing system; and
      
      information that identifies active processes on the computing system.
  - 14. The system of claim 10, wherein:
    - the collection module collects the history data by collecting information that describes actions taken by the computing system during the past time period; and
      
      the information that describes actions taken by the computing system comprises at least one of;
      
      an event log;
      
      an error log;
      
      an auditing log;
      
      a configuration file;
      
      a registry entry; and
      
      metadata of the registry entry.
  - 15. The system of claim 10, wherein the collection module collects the history data by filtering the actions taken by the computing system to exclude particular types of events from being recorded in the history data.
  - 16. The system of claim 10, wherein the software security system:
    - determines, in response to the replaying module replaying the history data through the software security system, that the computing system was affected by the potential security threat during the past time period; and
      
      performs a security action in response to determining that the computing system was affected by the potential security threat during the past time period.
  - 17. The system of claim 16, wherein the software security system performs the security action by at least one of:
    - alerting a user of the computing system that the computing system was affected by the potential security threat during the past time period;
      
      performing a scan of the computing system to determine if the computing system is still affected by the potential security threat; and
      
      creating a log entry indicating that the computing system was affected by the potential security threat.

18. A non-transitory computer-readable medium comprising one or more computer-readable instruction that, when executed by at least one processor of a computing device, cause the computing device to:
- collect, from a computing system, history data that describes activity of the computing system during a past time period;
  
  archive the history data in association with the past time period;
  
  identify, by a software security system that protects the computing system, a potential security threat to the computing system that;
  
  was unknown to the software security system during the past time period;
  
  is not currently present on the computing system; and
  
  wherein the potential security threat comprises a security threat caused by malicious activity that removed evidence of the malicious activity before the software security became aware of the potential threat; and
  
  in response to identifying the potential security threat, replay the history data through the software security system to enable the software security system to determine if the computing system was affected by the potential security threat during the past time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Asheghian, Daniel
Primary Examiner(s)
Chen, Eric

Application Number

US14/834,988
Time in Patent Office

805 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/113   Details of archiving lifecy...

G06F 21/552   involving long-term monitor...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Systems and methods for time-shifted detection of security threats

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for time-shifted detection of security threats

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links