US2014237607A1PendingUtilityA1

Identifying exploitation of vulnerabilities using error reports

48
Assignee: MICROSOFT CORPPriority: Jun 24, 2008Filed: Apr 25, 2014Published: Aug 21, 2014
Est. expiryJun 24, 2028(~2 yrs left)· nominal 20-yr term from priority
G06F 2221/2123G06F 21/577G06F 11/36G06F 21/554G06F 21/56G06F 21/552G06F 2221/2101G06F 21/566H04L 63/1433
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A tool and method examine error report information from a computer to determine not only whether a virus or other malware may be present on the computer but also may determine what vulnerability a particular exploit was attempting to use to subvert security mechanism to install the virus. A system monitor may collect both error reports and information about the error report, such as geographic location, hardware configuration, and software/operating system version information to build a profile of the spread of an attack and to be able to issue notifications related to increased data collection for errors, including crashes related to suspected services under attack.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented method comprising:
 obtaining an error report generated by a computing system that includes error data related to one or more errors within the computing system;   analyzing, with a computer processor, the error report to identify information indicative of an attempt to subvert a security mechanism of the computing system;   analyzing the error report for information indicative of a point of attack within the computing system of the attempt to subvert the security mechanism; and   storing data associated with the attempt to subvert the security mechanism.   
     
     
         2 . The method of  claim 1 , and further comprising:
 analyzing, at a system monitor, a collection of error report data to determine a pattern of attack.   
     
     
         3 . The method of  claim 2 , and further comprising instructing, using the system monitor, the computing system to adjust an amount of data obtained when experiencing an error related to the pattern of attack. 
     
     
         4 . The method of  claim 3 , and further comprising adjusting, using the system monitor, a computing system policy that governs parameters concerning one or more of error reporting, response actions, and reporting configuration within the computing system. 
     
     
         5 . The method of  claim 1 , and further comprising:
 determining, based on the error data, one or more of a type of service under attack, a geographic region under attack, or a system configuration under attack.   
     
     
         6 . The method of  claim 1 , and further comprising updating intrusion detection settings based on the error data. 
     
     
         7 . The method of  claim 1 , wherein analyzing the error report for information indicative of a point of attack comprises:
 identifying a hijacked control structure; and   identifying a location of a vulnerability as indicated by the point of attack.   
     
     
         8 . The method of  claim 1 , and further comprising:
 modifying an exploit detection and deterrence process based on analysis of the error report.   
     
     
         9 . A system for analyzing error report data, the system comprising:
 a network connection for receiving error reports from a plurality of networked computers;   a data store that stores error report data, from the error reports, related to errors that occurred on one or more of the networked computers;   a system monitor that analyzes the error report data to identify an attempted exploit in a service of the one or more networked computers, and determines one or more of a location of attack, a type of service under attack, or a system configuration under attack; and   a computer processor that is a functional part of the system and is activated by the system monitor to facilitate analyzing the error report data.   
     
     
         10 . The system of  claim 9 , wherein the plurality of networked computers comprise an enterprise network. 
     
     
         11 . The system of  claim 10 , wherein the system monitor and the plurality of networked computers communicate through a local area network. 
     
     
         12 . The system of  claim 9 , wherein the system monitor identifies a particular service that was targeted in an attempt to subvert a security mechanism and, in response, sends a request to one or more of the networked computers for error data associated with the particular service. 
     
     
         13 . The system of  claim 9 , wherein the system monitor obtains state data regarding the service from the one or more networked computers. 
     
     
         14 . The system of  claim 13 , wherein the state data comprises one or more of a security update, a firewall setting, or an intrusion detection setting on the one or more networked computers. 
     
     
         15 . The system of  claim 9 , wherein the system monitor sends an alert to an operator based on the attempted exploit in the service. 
     
     
         16 . The system of  claim 9 , wherein the system monitor updates intrusion detection settings based on the error data. 
     
     
         17 . The system of  claim 16 , wherein the system monitor identifies a pattern of attack from the error data and instructs the plurality of networked computers to adjust an amount of data obtained when experiencing an error related to the pattern of attack. 
     
     
         18 . The system of  claim 17 , wherein the system monitor adjusts a system policy that governs parameters concerning one or more of error reporting, response actions, and reporting configuration. 
     
     
         19 . A computer-implemented method of determining whether an error report contains evidence of an exploit, the method comprising:
 receiving an error report including error data related to one or more errors within a computing system;   performing, with a computer processor, exploit analysis on the error report, comprising at least one of:
 identifying, from the error report, information indicative of a known exploit at an executable memory location; 
 identifying, from the error report, information indicative of NOPSleds; 
 identifying, from the error report, information indicative of a decoder loop; 
 identifying, from the error report, information indicative of a malicious text, a malicious string, or a malicious binary sequence; 
 identifying, from the error report, information indicative of a disabled defense program; or 
 identifying, from the error report, information indicative of a hijacked control structure; and 
   identifying, from the error report, a location of a vulnerability that indicates a point of attack.   
     
     
         20 . The method of  claim 19 , wherein identifying a location comprises identifying an attempted exploit in a particular service of the computing system, and sending a request for error data associated with the particular service.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.