Malicious code infection cause-and-effect analysis

US 9,886,578 B2
Filed: 09/09/2014
Issued: 02/06/2018
Est. Priority Date: 11/30/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable memory storing computer-executable instructions for controlling a computing device to analyze a malware infection, the computer-executable instructions comprising instructions that:

receive a pre-infection snapshot from each of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were conducted at machines suspected of being infected with malware prior to the machine being suspected of being infected with malware;

compare the monitored activities of the pre-infection snapshots of each of the plurality of machines to the monitored activities of the pre-infection snapshots of other machines to identify monitored activities that are common across multiple machines; and

automatically re-configure security policies of the plurality of machines based on analysis of the monitored activities that are common to prevent a future infection caused by malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.

22 Citations

18 Claims

1. A computer-readable memory storing computer-executable instructions for controlling a computing device to analyze a malware infection, the computer-executable instructions comprising instructions that:
- receive a pre-infection snapshot from each of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were conducted at machines suspected of being infected with malware prior to the machine being suspected of being infected with malware;
  
  compare the monitored activities of the pre-infection snapshots of each of the plurality of machines to the monitored activities of the pre-infection snapshots of other machines to identify monitored activities that are common across multiple machines; and
  
  automatically re-configure security policies of the plurality of machines based on analysis of the monitored activities that are common to prevent a future infection caused by malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable memory of claim 1 wherein the computer-executable instructions further comprise instructions that normalize the monitored activities.
  - 3. The computer-readable memory of claim 2 wherein the instructions that normalize further associate categories with the monitored activities.
  - 4. The computer-readable memory of claim 3 wherein a first monitored activity of a first machine and a second monitored activity of a second machine are common when associated with the same category.
  - 5. The computer-readable memory of claim 2 wherein the computer-executable instructions further comprise instructions that map the normalized activities to a malware state of a malware state model.
  - 6. The computer-readable memory of claim 1 wherein the computer-executable instructions further comprise instructions that:
    - receive post-infection snapshots from a plurality of machines suspected of being infected with malware, each of the post-infection snapshots identifying monitored activities that were conducted at each machine suspected of being infected with malware subsequent to the machine being suspected of being infected with malware, andcompare the monitored activities of the post-infection snapshots to identify monitored activities that are common across multiple pre-infection snapshots.
  - 7. The computer-readable memory of claim 6 wherein the computer-executable instructions further comprise instructions that tag, as a candidate for being caused by the infection, the monitored activities that are common across multiple post-infection snapshots.

8. A method performed by a computing device to analyze a malware infection, the method comprising:
- receiving a snapshot of each of a plurality of machines suspected of being infected with malware, each snapshot identifying monitored activities of a machine suspected of being infected with malware during a time frame associated with the machines being suspected of being infected with malware;
  
  comparing the monitored activities of the snapshots of one or more of the plurality of machines to the monitored activities of the snapshots of other machines to identify monitored activities that are common to multiple machines and that are candidates for being related to a cause of the malware infection;
  
  indicating that the monitored activities that are common as a possible cause of the malware infection; and
  
  providing a recommendation for responding to the malware infection.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8 wherein the snapshots are pre-infection snapshots.
  - 10. The method of claim 8 including prior to comparing the monitored activities, normalizing the monitored activities.
  - 11. The method of claim 10 wherein the normalizing includes associating categories with the monitored activities.
  - 12. The method of claim 8 including automatically re-configuring security policies to prevent future malware infections.

13. A computing device for analyzing a malware infection comprising:
- a data store storing pre-infection snapshots of a plurality of machines suspected of being infected with malware, the pre-infection snapshots identifying monitored activities that were performed at machines suspected of being infected with malware prior to the machines being suspected of being infected with malware,a memory storing computer-executable instructions that;
  
  indicate monitored activities of the pre-infection snapshots that are common to the machines and that are candidates for being related to the cause of the infection by comparing the monitored activities of the pre-infection snapshots of machines to the monitored activities of the pre-infection snapshots of other machines; and
  
  provide an alert and a recommendation for responding to the malware infection based on the identified monitored activities so that security policies can be changed to prevent a future malware infection;
  
  anda processor that executes the computer-executable instructions stored in the memory.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computing device of claim 13 wherein the memory stores computer-executable instructions that normalize the monitored activities.
  - 15. The computing device of claim 14 wherein the instructions that normalize associate categories with the monitored activities.
  - 16. The computing device of claim 15 wherein a first normalized activity of a first machine and a second normalized activity of a second machine are common when associated with the same category.
  - 17. The computing device of claim 13 wherein the memory stores computer-executable instructions of an expert system that generates the recommendation.
  - 18. The computing device of claim 15 wherein the categories includes file transfer, web file transfer, instant messaging, remote authentication, remote control access, outbound network connection, application launch, file copy from media, file created, and configuration change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Hartrell, Gregory D., Steeves, David J., Hudis, Efim
Primary Examiner(s)
Jeudy, Josnel

Application Number

US14/481,873
Publication Number

US 20150013007A1
Time in Patent Office

1,246 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/565   by checking file integrity

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Malicious code infection cause-and-effect analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious code infection cause-and-effect analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links