Bibliographic details
Title: COLLECTING AND ANALYZING MALWARE DATA
Document Number: 20100077481
Publication date: March 25, 2010
Appl. No: 12/234717
Application Filed: September 22, 2008
Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.
Inventors: Polyakov, Alexey (Sammamish, WA, US); Seinfeld, Marc (Fort Lauderdale, FL, US); Mody, Jigar J. (Bellevue, WA, US); Sun, Ning (Houston, TX, US); Lee, Tony (Sammamish, WA, US); Chu, Chengyun (Redmond, WA, US)
Assignees: Microsoft Corporation (Redmond, WA, US)
Claims:
1. A computer-implemented method for tracking malware execution on a client computer, the method comprising: detecting at the client computer a potential malware application; collecting threat information about the potential malware application, wherein the threat information includes information identifying at least one resource of the client computer accessed by the potential malware application; submitting the threat information to a back-end service for further analysis; receiving a threat signature and mitigation information from the back-end service, wherein the signature includes data for detecting a threat confirmed by the back-end service; and applying one or more mitigation actions to the detected potential malware application based on the signature received from the back-end service.
2. The method of claim 1 wherein detecting a potential malware application comprises detecting a request to connect to a known malicious URL.
3. The method of claim 1 wherein detecting a potential malware application comprises detecting an attempt to access an operating system file.
4. The method of claim 1 wherein collecting threat information comprises collecting information about at least one of a file, directory, registry key, and network port accessed by the potential malware application.
5. The method of claim 1 wherein the threat signature identifies a particular file associated with the malware application.
6. The method of claim 1 wherein the mitigation actions include deleting a file associated with the potential malware application from the client computer.
7. The method of claim 1 further comprising providing information to the back-end service about a threat detected based on the received signature, so that the back-end can collect statistical information about the occurrence of particular threats to improve the threat mitigation process.
8. A computer system for detecting and removing malicious applications, the system comprising: a threat detection component configured to detect events on a client computer that indicate a potential malicious application; an information collection component configured to collect at the client computer information about the potential malicious application; a communication component configured to communicate threat reports from the client computer to a back-end service and signatures for detecting malicious applications from the back-end service to the client computer; a threat data store configured to store information about potential malicious applications reported by client computers, a queue of potential malicious applications waiting to be analyzed, signatures for detecting malicious applications, and mitigation instructions for removing malicious applications from client computers; a threat analysis component configured to analyze received threat reports; a signature builder component configured to receive information about analyzed threats from the threat analysis component and create a signature for detecting instances of the threat; and a mitigation component configured to apply signatures and mitigation instructions to identify known threats and carry out mitigation actions in response to identified threat instances.
9. The system of claim 8 wherein the threat detection component comprises a kernel-mode driver that collects information about the potential malicious applications' execution.
10. The system of claim 8 wherein the information collection component stores a browsing history of a user of the client computer.
11. The system of claim 8 wherein the threat analysis component is further configured to reproduce an execution environment for received threat reports, execute received potential malicious applications, and classify the potential malicious applications.
12. The system of claim 8 wherein the mitigation component is further configured to receive signature updates from the back-end service, scan the client computer for each signature received, and carry out mitigation actions for any detected threat.
13. The system of claim 8 wherein the mitigation component is further configured to gather additional information about the potential malicious application based on a request received from the back-end service.
14. The system of claim 8 further comprising a feedback component configured to provide threat detection information from the client computer to the back-end service and to prioritize threat report analysis on the back-end service.
15. The system of claim 8 further comprising a user interface component configured to provide an interface for a technician to guide threat analysis.
16. A computer-readable storage medium encoded with instructions for controlling a computer system providing a back-end service to collect and analyze malware threats reported by client computers, by a method comprising: receiving a threat report from a client computer that identifies a malware threat; classifying the malware threat based on previously analyzed threats; building a signature for detecting the malware threat; determining mitigation actions for neutralizing the malware threat and producing a mitigation script based on the mitigation actions; and providing the signature and mitigation script to the client computer.
17. The computer-readable medium of claim 16 wherein the received threat report includes historical execution information related to the malware threat.
18. The computer-readable medium of claim 16 further comprising configuring an execution environment to reproduce the malware threat and executing the malware threat to gather additional information about the malware threat.
19. The computer-readable medium of claim 16 wherein classifying the malware threat comprises identifying a family of malware that contains malware with matching characteristics to the malware threat.
20. The computer-readable medium of claim 16 wherein providing the signature and mitigation script to the client computer comprises responding to a periodic request of the client computer for updated signature information.
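To make the client/back-end loop described in the abstract and claims concrete, here is an added Python model of it. This is illustration code written for this page, not the patent's or Microsoft's implementation: the family names, the resource sets, the use of Jaccard similarity for "matching characteristics" (claim 19), SHA-256 content hashes as the file-identifying signature (claim 5), and the mitigation action names are all assumptions chosen for the example. The client collects which files, registry keys and network endpoints a sample touched (claim 4), the back-end classifies the report against known families, builds a signature and a mitigation script (claim 16), and the client applies the script only where the signature actually matches a local file (claims 6 and 12).

```python
"""Toy model of the client/back-end malware analysis loop (constructed example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class ThreatReport:
    """What the client collects: the sample's hash plus resources it accessed."""
    sample_path: str
    sample_sha256: str
    files: set[str] = field(default_factory=set)
    registry_keys: set[str] = field(default_factory=set)
    network: set[str] = field(default_factory=set)  # host:port endpoints

    def characteristics(self) -> set[str]:
        # Normalised feature set the back-end compares against known threats.
        return ({f"file:{f}" for f in self.files}
                | {f"reg:{k}" for k in self.registry_keys}
                | {f"net:{n}" for n in self.network})


# Back-end store of previously analysed families (constructed, not real data).
KNOWN_FAMILIES: dict[str, set[str]] = {
    "ExampleFamily.A": {
        "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
        "file:C:\\Windows\\System32\\drivers\\etc\\hosts",
        "net:example-c2.invalid:443",
    },
    "ExampleFamily.B": {
        "file:C:\\Users\\Public\\dropper.tmp",
        "net:203.0.113.10:8080",
    },
}


def jaccard(a: set[str], b: set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def classify(report: ThreatReport, threshold: float = 0.5) -> tuple[str, float]:
    """Pick the family whose characteristics overlap the report most (assumed metric)."""
    feats = report.characteristics()
    best_name, best_score = "Unknown", 0.0
    for name, known in KNOWN_FAMILIES.items():
        score = jaccard(feats, known)
        if score > best_score:
            best_name, best_score = name, score
    return (best_name if best_score >= threshold else "Unknown"), best_score


def build_signature(report: ThreatReport, family: str) -> dict:
    """Signature identifies the particular file by content hash, not by path."""
    return {"family": family, "sha256": report.sample_sha256,
            "path_hint": report.sample_path}


def build_mitigation_script(report: ThreatReport) -> list[dict]:
    """Ordered actions that undo what the sample touched (action names assumed)."""
    script = [{"action": "delete_file", "target": report.sample_path}]
    script += [{"action": "delete_registry_value", "target": k}
               for k in sorted(report.registry_keys)]
    script += [{"action": "block_network", "target": n} for n in sorted(report.network)]
    return script


def backend_analyze(report: ThreatReport) -> dict:
    """Back-end service: classify, then build signature and mitigation script."""
    family, score = classify(report)
    return {"signature": build_signature(report, family),
            "mitigation": build_mitigation_script(report),
            "confidence": round(score, 3)}


def client_apply(response: dict, inventory: dict[str, bytes]) -> list[str]:
    """Client side: scan local files against the signature; run the script only on a hit.
    `inventory` maps paths to contents so the example runs offline."""
    sig = response["signature"]
    matches = [p for p, data in inventory.items()
               if hashlib.sha256(data).hexdigest() == sig["sha256"]]
    if not matches:
        return []  # no confirmed instance on this machine: take no action
    done = []
    for step in response["mitigation"]:
        if step["action"] == "delete_file":
            for p in matches:
                inventory.pop(p, None)
                done.append(f"deleted {p}")
        else:
            done.append(f"{step['action']} {step['target']}")
    return done


# Constructed demo input: a harmless byte string standing in for the sample.
SAMPLE_BYTES = b"MZ constructed-sample-not-real-malware"
SAMPLE_HASH = hashlib.sha256(SAMPLE_BYTES).hexdigest()
DEMO_REPORT = ThreatReport(
    sample_path="C:\\Users\\Public\\svc_update.exe",
    sample_sha256=SAMPLE_HASH,
    files={"C:\\Windows\\System32\\drivers\\etc\\hosts"},
    registry_keys={"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    network={"example-c2.invalid:443", "203.0.113.77:53"},
)


def run_demo() -> tuple[str, list[str]]:
    response = backend_analyze(DEMO_REPORT)
    inventory = {"C:\\Users\\Public\\svc_update.exe": SAMPLE_BYTES,
                 "C:\\Users\\Public\\notes.txt": b"benign"}
    return response["signature"]["family"], client_apply(response, inventory)


if __name__ == "__main__":
    print(json.dumps(backend_analyze(DEMO_REPORT), indent=2))
    print(run_demo())
```

Three of the report's four features overlap ExampleFamily.A, so the back-end classifies it there with a Jaccard score of 0.75 and ships a four-step script; a report that matches no stored family falls back to "Unknown", which is where a production system would queue the sample for the execution-environment reproduction of claims 11 and 18 instead of pushing a signature. Hashing content rather than matching the reported path is what keeps the client from deleting an unrelated file that happens to live at the same location.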
Current U.S. Class: 726/24
Current International Class: 06
Accession number: edspap.20100077481
Database: USPTO Patent Applications