Systems and methods for estimating confidence scores of unverified signatures
US-9485272-B1 · Nov 1, 2016 · US
US9838405B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9838405-B1 |
| Application number | US-201514947878-A |
| Country | US |
| Kind code | B1 |
| Filing date | Nov 20, 2015 |
| Priority date | Nov 20, 2015 |
| Publication date | Dec 5, 2017 |
| Grant date | Dec 5, 2017 |
Official abstract text for this publication.
The disclosed computer-implemented method for determining types of malware infections on computing devices may include (1) identifying multiple types of security events generated by a group of endpoint devices that describe suspicious activities on the endpoint devices, each of the endpoint devices having one or more types of malware infections, (2) determining correlations between each type of security event generated by the group of endpoint devices and each type of malware infection within the group of endpoint devices, (3) identifying a set of security events generated on a target endpoint device that potentially has a malware infection, and (4) detecting, based on both the set of security events generated on the target endpoint device and the correlations between the types of malware infections and the types of security events, at least one type of malware infection likely present on the target endpoint device.
Opening claim text (preview; the extract ends mid-way through claim 11).
What is claimed is:
1. A computer-implemented method for determining types of malware infections on computing devices, at least a portion of the method being performed by one or more computer devices each comprising at least one processor, the method comprising: identifying, by the one or more computer devices, a plurality of types of security events generated by a group of endpoint computer devices that describe suspicious activities on the endpoint computer devices, each of the endpoint computer devices having one or more types of malware infections; determining, by the one or more computer devices, correlations between each type of security event generated by the group of endpoint computer devices and each type of malware infection within the group of endpoint computer devices, wherein each correlation indicates a probability that an endpoint computer device with a certain type of malware infection will generate a certain type of security event; identifying, by the one or more computer devices, a set of security events generated on a target endpoint computer device that potentially has a malware infection; detecting, by the one or more computer devices, based on both the set of security events generated on the target endpoint computer device and the correlations between the types of malware infections and the types of security events, at least one type of malware infection that is more likely to be present on the target endpoint computer device than at least one additional type of malware infection; and performing, by the one or more computer devices, based on the type of malware infection that is more likely to be present on the target endpoint computer device than the additional type of malware infection, a security action designed to prevent the type of malware infection from harming the target endpoint computer device, the security action comprising at least one of: running a malware scan on the target endpoint computer device to confirm the presence of the malware infection on the target endpoint computer device; and attempting to remove the malware infection from the target endpoint computer device.
2. The method of claim 1, wherein determining the correlation between the certain type of security event and the certain type of malware infection comprises determining a percentage of endpoint computer devices with the certain type of malware infection that have generated the certain type of security event.
3. The method of claim 1, wherein detecting the type of malware infection that is more likely to be present on the target endpoint computer device than the additional type of malware infection comprises: for each type of malware infection, determining a probability that the target endpoint computer device has the type of malware infection; and identifying the type of malware infection most likely to be present on the target endpoint computer device based on the determined probabilities.
4. The method of claim 1, wherein detecting the type of malware infection that is more likely to be present on the target endpoint computer device than the additional type of malware infection comprises performing a naïve Bayes classification.
5. The method of claim 1, further comprising, for at least one type of malware infection, identifying: pre-infection security events that are likely to be generated by an endpoint computer device before the endpoint computer device is infected with the type of malware infection; and post-infection security events that are likely to be generated by the endpoint computer device after the endpoint computer device is infected with the type of malware infection.
6. The method of claim 5, wherein detecting the type of malware infection that is more likely to be present on the target endpoint computer device than the additional type of malware infection comprises determining, based on the pre-infection security events, that the target endpoint computer device is at an elevated risk of being infected with the type of malware infection but is not yet infected.
7. The method of claim 6, wherein performing the security action designed to prevent the type of malware infection from harming the target endpoint computer device further comprises increasing security measures on the target endpoint computer device to reduce the risk of the target endpoint computer device being infected with the type of malware infection.
8. The method of claim 5, wherein detecting the type of malware infection that is more likely to be present on the target endpoint computer device than the additional type of malware infection comprises determining, based on the post-infection security events, that the target endpoint computer device has likely already been infected with the type of malware infection.
9. The method of claim 1, further comprising: identifying at least one type of security event generated by an endpoint computer device that does not have any malware infections; and determining, based on the security event generated by the endpoint computer device that does not have any malware infections and a set of security events generated by an additional target endpoint computer device, that the additional target endpoint computer device is likely to not have any malware infections.
10. A system for determining types of malware infections on computing devices, the system comprising: an identification module, stored in memory, that identifies a plurality of types of security events generated by a group of endpoint computer devices that describe suspicious activities on the endpoint computer devices, each of the endpoint computer devices having one or more types of malware infections; a determination module, stored in memory, that determines correlations between each type of security event generated by the group of endpoint computer devices and each type of malware infection within the group of endpoint computer devices, wherein: each correlation indicates a probability that an endpoint computer device with a certain type of malware infection will generate a certain type of security event; and the identification module further identifies a set of security events generated on a target endpoint computer device that potentially has a malware infection; a detection module, stored in memory, that detects, based on both the set of security events generated on the target endpoint computer device and the correlations between the types of malware infections and the types of security events, at least one type of malware infection that is more likely to be present on the target endpoint computer device than at least one additional type of malware infection; a security module, stored in memory, that performs, based on the type of malware infection that is more likely to be present on the target endpoint computer device than the additional type of malware infection, a security action designed to prevent the type of malware infection from harming the target endpoint computer device, the security action comprising at least one of: running a malware scan on the target endpoint computer device to confirm the presence of the malware infection on the target endpoint computer device; and attempting to remove the malware infection from the target endpoint computer device; and one or more computer devices each comprising at least one hardware processor that is configured to execute the identification module, the determination module, the detection module, and the security module.
11. The system of claim 10, wherein the determination module determines the correlation between the certain type of security event and the certain type of malware infection by determining a percentage of endpoint computer
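The classifier the claims describe, worked through as an added example (this is not the patent's or Symantec's code, and the training set, event names and infection labels are constructed for illustration). Each correlation is the fraction of known-infected endpoints of a given type that emitted a given event type (claim 2), a "clean" class covers endpoints with no infection (claim 9), and the target endpoint is scored with a Bernoulli naive Bayes model (claims 3 and 4) before a security action is chosen (claim 1). Add-one smoothing, the 0.5 action threshold and the action names are assumptions; the pre-/post-infection split of claims 5 to 8 is not modelled here.

```python
"""Naive Bayes over endpoint security-event types, in the shape of the claims.

Added example with constructed data; not the patent holder's implementation.
"""
from collections import defaultdict
from math import exp, log

# Constructed training set: (infection label, set of event types the endpoint
# generated). "clean" marks endpoints with no infection (claim 9).
TRAINING = [
    ("ransomware", {"mass_file_rename", "shadow_copy_delete", "suspicious_powershell"}),
    ("ransomware", {"mass_file_rename", "shadow_copy_delete"}),
    ("ransomware", {"mass_file_rename", "suspicious_powershell", "new_autorun"}),
    ("banking_trojan", {"browser_injection", "new_autorun", "c2_beacon"}),
    ("banking_trojan", {"browser_injection", "c2_beacon"}),
    ("banking_trojan", {"browser_injection", "suspicious_powershell", "c2_beacon"}),
    ("clean", {"new_autorun"}),
    ("clean", set()),
    ("clean", {"suspicious_powershell"}),
]


def train(samples):
    """Estimate class priors and P(event | infection type) from labelled endpoints."""
    class_counts = defaultdict(int)
    event_counts = defaultdict(lambda: defaultdict(int))
    event_types = set()
    for label, events in samples:
        class_counts[label] += 1
        for event in events:
            event_counts[label][event] += 1
            event_types.add(event)
    total = len(samples)
    priors = {label: n / total for label, n in class_counts.items()}
    # Claim 2: the share of endpoints with this infection that generated the event.
    # Add-one (Laplace) smoothing is an assumption: it keeps an event never seen
    # with a label from driving that label's posterior to exactly zero.
    likelihoods = {
        label: {
            event: (event_counts[label][event] + 1) / (class_counts[label] + 2)
            for event in event_types
        }
        for label in class_counts
    }
    return {"priors": priors, "likelihoods": likelihoods, "events": sorted(event_types)}


def correlation(model, label, event):
    """Probability that an endpoint with `label` generates `event` (claim 1 wording)."""
    return model["likelihoods"][label][event]


def classify(model, observed):
    """Posterior probability of each infection type for a target endpoint (claim 3).

    Bernoulli naive Bayes (claim 4): a present event contributes P(e|c), an absent
    one 1 - P(e|c). Event types unseen in training are ignored, not penalised.
    """
    log_scores = {}
    for label, prior in model["priors"].items():
        score = log(prior)
        for event in model["events"]:
            p = model["likelihoods"][label][event]
            score += log(p) if event in observed else log(1.0 - p)
        log_scores[label] = score
    # Normalise in log space so the result is a proper probability distribution.
    top = max(log_scores.values())
    weights = {label: exp(s - top) for label, s in log_scores.items()}
    total = sum(weights.values())
    return {label: w / total for label, w in weights.items()}


def recommend_action(posteriors, threshold=0.5):
    """Map the most likely class to a claim-1 style action (names are assumptions)."""
    label, p = max(posteriors.items(), key=lambda kv: kv[1])
    if label == "clean":
        return "no_action"
    if p >= threshold:
        return f"scan_for_{label}"  # run a targeted scan to confirm, then remove
    return "monitor"  # leading class too weak to justify an intrusive action


if __name__ == "__main__":
    model = train(TRAINING)
    target = {"mass_file_rename", "shadow_copy_delete"}  # constructed target endpoint
    posteriors = classify(model, target)
    for label, p in sorted(posteriors.items(), key=lambda kv: -kv[1]):
        print(f"{label:15s} {p:.3f}")
    print(recommend_action(posteriors))
```

The absent-event terms are what make this a naive Bayes model rather than a simple event-to-family lookup: an endpoint that shows only the events common to every class (a new autorun entry, a PowerShell alert) is pulled back towards "clean" because it lacks the events the infected classes almost always emit.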
CPC classification titles:
- Vulnerability analysis
- Event detection, e.g. attack signature detection
- The attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- Virus type analysis
- Auditing as a secondary aspect