
FORENSIC ANALYSIS OF COMPUTING ACTIVITY AND MALWARE DETECTION USING AN EVENT GRAPH


Abstract

A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause. Further, patterns within the event graph can be used to detect the presence of malware on the endpoint.
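The reverse and forward traversals the abstract describes, as an added Python example that is not the patent's own code: the recorded events, the object names and the ingress-based cause identification rule are all constructed assumptions, since the abstract names no concrete rules.

```python
from collections import defaultdict, deque

# Constructed sample recorder output, not from the patent: one causal event
# per tuple, recorded on the endpoint as (cause_object, action, effect_object).
EVENTS = [
    ("explorer.exe", "spawn", "outlook.exe"),
    ("outlook.exe", "save_attachment", "invoice.docm"),
    ("outlook.exe", "spawn", "winword.exe"),
    ("invoice.docm", "opened_by", "winword.exe"),
    ("winword.exe", "spawn", "powershell.exe"),
    ("powershell.exe", "write", "payload.exe"),
    ("payload.exe", "write", "config.dat"),
]
# Assumed rule input (not from the patent): actions that bring an object in from outside.
INGRESS_ACTIONS = {"save_attachment", "download"}


class EventGraph:
    def __init__(self, events):
        self.forward = defaultdict(list)  # cause -> [(action, effect)]
        self.reverse = defaultdict(list)  # effect -> [(action, cause)]
        for cause, action, effect in events:
            self.forward[cause].append((action, effect))
            self.reverse[effect].append((action, cause))

    def _walk(self, start, edges):
        # Breadth-first walk over one adjacency map; nodes returned nearest first.
        seen, order, queue = {start}, [], deque([start])
        while queue:
            for _, nxt in edges[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    order.append(nxt)
                    queue.append(nxt)
        return order

    def root_cause(self, detected):
        """Reverse traversal from the detection, applying cause rules in priority order."""
        rules = [
            lambda o: any(a in INGRESS_ACTIONS for a, _ in self.reverse[o]),  # came from outside
            lambda o: not self.reverse[o],  # nothing recorded caused it: start of the chain
        ]
        candidates = [detected] + self._walk(detected, self.reverse)
        for rule in rules:
            for obj in candidates:
                if rule(obj):
                    return obj
        return detected

    def potentially_compromised(self, root):
        return set(self._walk(root, self.forward))  # forward traversal from the root cause
```

Objects only reachable backwards from the root cause (here outlook.exe and explorer.exe) are deliberately not flagged, which is the point of walking forward from the root rather than from the detection.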
