Malware analysis and recovery

US10931685B2 · US · B2

Patent metadata

Publication number: US-10931685-B2
Application number: US-201715837942-A
Country: US
Kind code: B2
Filing date: Dec 11, 2017
Priority date: Dec 12, 2016
Publication date: Feb 23, 2021
Grant date: Feb 23, 2021

Abstract

A system and method detects malware by processing notifications from an intrusion detection system and baseline snapshots from an image capture utility. The image capture utility constructs an image of the suspected malware intrusion and links the suspected malware intrusion to the baseline snapshots. The system and method propagates the image of the suspected malware intrusion across multiple networks before it distinguishes malicious code, device state, and files from benign code, device state, and files. Some systems and methods include a malware recovery system that executes machine learning instructions and heuristics to revert a client and/or a remote server to one or more baseline snapshots.

First claim

What is claimed is:

1. A method comprising: receiving baseline snapshots of a client and/or a server from an image capture utility remote from a malware system; storing the baseline snapshots in the malware system remote from the client and/or the server and remote from the image capture utility; receiving from the client and/or the server a notification of a suspected malware intrusion on the client and/or the server; constructing an image of the suspected malware intrusion at the client and/or the server; linking by a pointer and the image capture utility the image of the suspected malware intrusion to the baseline snapshots stored in the malware system at the client before the malware intrusion is confirmed; generating a consensus alert state of the client and/or the server consisting of statuses of a plurality of devices that are remote from the malware system; propagating the image of the suspected malware intrusion across a first network and a second network; and processing the suspected malware intrusion distinguishing malicious code, device state, and files from benign code, device state, and files; where the notification comprises data indicating a confidence level of the suspected malware intrusion and its priority, where the priority and consensus alert state determines when the suspected malware intrusion is processed.

2. The method of claim 1 wherein the receiving baseline snapshots of the client and/or the server occurs in response to an asynchronous event.

3. The method of claim 1 wherein receiving baseline snapshots of the client and/or the server occurs in response to a synchronous schedule.

4. The method of claim 1 wherein the notification of the suspected malware intrusion is generated by a remote intrusion detection system.

5. The method of claim 1 wherein the notification of the suspected malware intrusion is generated by a distributed intrusion detection system.

6. The method of claim 1 wherein the notification of the suspected malware intrusion is generated by a network intrusion detection system that detects the suspected malware intrusion by monitoring only network traffic.

7. The method of claim 1 further comprising evaluating the notification of the suspected malware intrusion based on state information from other clients and/or other servers.

8. A non-transitory machine-readable medium encoded with machine-executable instructions, wherein execution of the machine-executable instructions is for: receiving baseline snapshots of a client and/or a server from an image capture utility remote from a malware system; receiving from the client and/or the server a notification of a suspected malware intrusion on the client and/or the server; constructing an image of the suspected malware intrusion at the client and/or the server; linking by a pointer and the remote image capture utility the image of the suspected malware intrusion to the baseline snapshots stored in the malware system at the client before the malware intrusion is confirmed; generating a consensus alert state of the client and/or the server consisting of statuses of a plurality of devices that are remote from the malware system; propagating the image of the suspected malware intrusion across a first network and a second network; and processing the suspected malware intrusion including distinguishing malicious code and files from benign code and files; where the notification comprises data indicating a confidence level of the suspected malware intrusion and its priority, where the priority and consensus alert state determines when the suspected malware intrusion is processed on the second network.

9. The non-transitory machine-readable medium of claim 8 wherein receiving baseline snapshots of the client and/or the server occurs in response to an asynchronous event.

10. The non-transitory machine-readable medium of claim 8 wherein receiving baseline snapshots of the client and/or the server occurs in response to a synchronous schedule.

11. The non-transitory machine-readable medium of claim 8 wherein the notification of the suspected malware intrusion is generated by a remote intrusion detection system.

12. The non-transitory machine-readable medium of claim 8 wherein the notification of the suspected malware intrusion is generated by a distributed intrusion detection system.

13. The non-transitory machine-readable medium of claim 8 wherein the notification of the suspected malware intrusion is generated by a network intrusion detection system that detects the suspected malware intrusion by monitoring only network traffic.

14. The non-transitory machine-readable medium of claim 8 further comprising evaluating the notification of the suspected malware intrusion on the client and/or the server based on state information from other clients and/or servers.

15. A system comprising: an application program interface of a malware system configured to receive baseline snapshots of a client and/or a server remote from the malware system; an intrusion detection system configured to transmit a notification of a suspected malware intrusion on the client and/or the server; a remote image capture utility stored in a memory of the client and/or server configured to construct an image of the suspected malware intrusion at the client and/or the server when executed by a processor; and a malware impact engine configured to receive the image of the suspected malware attack from a first network and a second network; an occurrence system configured to generate a consensus alert state of the client and/or server consisting of statuses of a plurality of devices that are remote from the malware system; where the malware impact engine is configured to process the suspected malware intrusion including distinguishing malicious code and files from benign code and files; and where the remote image capture utility is further configured to link via a pointer the image of the suspected malware intrusion to the baseline snapshots of the client on the client; and where the notification comprises data indicating a confidence level of the suspected malware intrusion and its priority, where the priority and consensus alert state determines when the suspected malware intrusion is processed on the second network.

16. The system of claim 15 wherein the notification of the suspected malware intrusion is generated by a network intrusion detection system that detects the suspected malware intrusion by monitoring only network traffic.

17. The system of claim 15 further comprising a malware recovery system that executes machine learning, a heuristic and includes a malware recovery system that reverts the client and/or the server to the baseline snapshots.
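As an added illustration of the claim-1 flow (this is example code, not code from the patent or its assignee): an intrusion image is linked by a pointer to the newest stored baseline snapshot of the same host, a consensus alert state is derived from the statuses of remote devices, and the notification's priority together with that consensus decides the order in which suspected intrusions are processed. The data classes, the majority-vote rule and the confidence threshold are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed data model for the claim-1 flow: baseline snapshots held by the
# malware system, an intrusion image captured on the host, a pointer link
# between them, a consensus alert state, and priority-driven scheduling.

@dataclass
class Baseline:
    snapshot_id: str
    host: str
    taken_at: int          # monotonic timestamp (constructed units)

@dataclass
class IntrusionImage:
    host: str
    captured_at: int
    baseline_ref: Optional[str] = None   # the "pointer" to a stored baseline

@dataclass
class Notification:
    host: str
    confidence: float      # 0.0..1.0 as reported by the IDS
    priority: int          # larger means more urgent

def link_to_baseline(image: IntrusionImage, baselines: List[Baseline]) -> IntrusionImage:
    """Point the image at the newest baseline of the same host taken at or before capture."""
    candidates = [b for b in baselines
                  if b.host == image.host and b.taken_at <= image.captured_at]
    if candidates:
        image.baseline_ref = max(candidates, key=lambda b: b.taken_at).snapshot_id
    return image

def consensus_alert_state(statuses: Dict[str, str]) -> str:
    """Majority vote over remote devices' statuses (assumed values 'alert' / 'normal')."""
    alerts = sum(1 for s in statuses.values() if s == "alert")
    return "alert" if alerts * 2 > len(statuses) else "normal"

def schedule(notifications: List[Notification], consensus: str,
             min_conf: float = 0.6) -> List[str]:
    """Order hosts for processing: under an 'alert' consensus every notification is
    queued by priority; otherwise low-confidence notifications are deferred."""
    if consensus == "alert":
        queue = list(notifications)
    else:
        queue = [n for n in notifications if n.confidence >= min_conf]
    queue.sort(key=lambda n: (-n.priority, -n.confidence))
    return [n.host for n in queue]
```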

Assignees

Ut Battelle Llc

Classifications

  • G06N20/00 (primary): Machine learning
  • By monitoring network traffic (monitoring network traffic per se: H04L43/00)
  • Traffic logging, e.g. anomaly detection
  • Detecting local intrusion or implementing counter-measures
  • Computer malware detection or handling, e.g. anti-virus arrangements

Frequently asked questions

Who is the assignee on this patent?
Ut Battelle Llc
What technology area does this patent fall under?
Primary CPC classification G06N20/00. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 23, 2021 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).