US 12,242,609 B2
Exact restoration of a computing system to the state prior to infection
Vladimir Strogov, Singapore (SG); Sergey Ulasen, Singapore (SG); Serguei Beloussov, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on Mar. 29, 2022, as Appl. No. 17/656,940.
Prior Publication US 2023/0315855 A1, Oct. 5, 2023
Int. Cl. G06F 21/56 (2013.01); G06F 11/14 (2006.01); G06F 21/00 (2013.01)
CPC G06F 21/568 (2013.01) [G06F 11/1415 (2013.01); G06F 2201/84 (2013.01); G06F 2221/034 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system for creating a backup copy of a computing system and restoring a system state of the computing system preceding the loading of an element causing malicious program execution, the system comprising:
a microprocessor coupled to a nontransitory storage medium;
a system event monitor, under microprocessor control, for intercepting and collecting one or more application activity events corresponding to the computing system in accordance with a predefined security policy;
a system dump capture driver, under microprocessor control, configured to:
capture a first memory dump and a second memory dump in response to the one or more application activity events in accordance with a predefined security policy, wherein the first memory dump corresponds to memory before application activity corresponding to intercepted application activity events, and the second memory dump corresponds to memory after application activity corresponding to intercepted application activity events, and
generate a differential memory dump, wherein the differential memory dump is indicative of the difference between the first memory dump and the second memory dump;
a rootkit detection engine, under microprocessor control, configured to:
receive a system dump sequence as a first data input, and a system event sequence from the system event monitor as a second data input, wherein the system dump sequence comprises at least two differential memory dumps generated by the system dump capture driver and the system event sequence comprises the intercepted application activity events corresponding to the differential memory dumps in the system dump sequence; and classify a system state as a suspicious state by executing a machine learning model on the first data input and the second data input;
a backup unit, under microprocessor control, configured to:
create sequential backup copies of the system memory dumps;
index each sequential backup copy;
store the sequential backup copies;
retrieve, from the indexed sequential backup copies, a sequential backup copy corresponding to an event preceding an event characterizing the suspicious state of the system; and
restore the computing system from the sequential backup copy comprising the system state preceding the detection of malware, using the index and without scanning to locate the sequential backup copy.
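The claim above describes a pipeline rather than an implementation: a differential dump per intercepted event, a classifier fed a window of dumps plus the matching events, and a backup unit whose copies are indexed by event so the restore point is found by lookup instead of by scanning backups. The following is an added toy model of that pipeline written for this page; it is not Acronis code and nothing in it is taken from the patent's implementation. The memory image, page size, process names and the "protected pages" rule standing in for the claimed machine learning model are all constructed assumptions.

```python
"""
Toy model of the claimed pipeline:
  event monitor -> dump capture driver (differential dumps)
  -> suspicious-state classifier -> indexed sequential backups
  -> restore to the state preceding the flagged event by index lookup.

Added illustration, not Acronis code. The memory image is a constructed
byte string; the classifier is a simple rule standing in for the ML model.
"""
import bisect
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE = 4                     # bytes per "page" in the toy memory image (assumption)
PROTECTED_PAGES = {0, 1}     # constructed: pretend these hold kernel structures
TRUSTED = {"system"}         # constructed allowlist of processes


@dataclass(frozen=True)
class Event:
    seq: int        # monotonically increasing event number from the monitor
    process: str
    action: str     # e.g. "write", "load_driver"


@dataclass(frozen=True)
class DiffDump:
    event_seq: int
    changed_pages: Dict[int, bytes]   # page index -> post-activity contents


def differential_dump(before: bytes, after: bytes, event_seq: int) -> DiffDump:
    """Record only the pages that differ between the pre- and post-activity images."""
    assert len(before) == len(after)
    changed = {}
    for off in range(0, len(before), PAGE):
        if before[off:off + PAGE] != after[off:off + PAGE]:
            changed[off // PAGE] = after[off:off + PAGE]
    return DiffDump(event_seq, changed)


def apply_dump(image: bytes, dump: DiffDump) -> bytes:
    """Replay a differential dump onto an image (the inverse of differential_dump)."""
    buf = bytearray(image)
    for page, data in dump.changed_pages.items():
        buf[page * PAGE:(page + 1) * PAGE] = data
    return bytes(buf)


class BackupUnit:
    """Sequential backup copies indexed by event number; restore is a direct lookup."""

    def __init__(self) -> None:
        self._copies: Dict[int, bytes] = {}
        self._order: List[int] = []       # sorted index of stored event numbers

    def store(self, event_seq: int, image: bytes) -> None:
        self._copies[event_seq] = image
        self._order.append(event_seq)

    def before(self, event_seq: int) -> Optional[int]:
        """Index of the latest copy taken before event_seq, found by bisection, not scanning."""
        i = bisect.bisect_left(self._order, event_seq)
        return self._order[i - 1] if i > 0 else None

    def restore(self, event_seq: int) -> bytes:
        return self._copies[event_seq]


def classify_window(dumps: List[DiffDump], events: List[Event]) -> Optional[int]:
    """Return the seq of the first event in the window whose state looks suspicious.

    Mirrors the claim's inputs (at least two differential dumps plus the
    corresponding events); the rule itself is a constructed stand-in for the
    claimed machine learning model.
    """
    if len(dumps) < 2:
        return None
    by_seq = {e.seq: e for e in events}
    for d in dumps:
        ev = by_seq[d.event_seq]
        if ev.process not in TRUSTED and PROTECTED_PAGES & d.changed_pages.keys():
            return d.event_seq
    return None


def run_scenario() -> Tuple[Optional[int], Optional[int], bytes]:
    """Drive three constructed events; return (flagged_seq, restore_point_seq, restored_image)."""
    image = bytes(4 * PAGE)               # constructed baseline: four zeroed pages
    unit = BackupUnit()
    unit.store(0, image)                  # baseline copy before any monitored activity
    events = [Event(1, "editor", "write"),
              Event(2, "updater", "write"),
              Event(3, "unknown.exe", "load_driver")]
    # constructed post-activity writes: event -> (page, new contents)
    writes = {1: (2, b"AAAA"), 2: (3, b"BBBB"), 3: (0, b"\xde\xad\xbe\xef")}
    dumps: List[DiffDump] = []
    for ev in events:
        page, data = writes[ev.seq]
        after = bytearray(image)
        after[page * PAGE:(page + 1) * PAGE] = data
        dumps.append(differential_dump(image, bytes(after), ev.seq))
        image = apply_dump(image, dumps[-1])
        unit.store(ev.seq, image)
        flagged = classify_window(dumps[-2:], events)
        if flagged is not None:
            restore_point = unit.before(flagged)
            return flagged, restore_point, unit.restore(restore_point)
    return None, None, image


if __name__ == "__main__":
    print(run_scenario())
```

Event 3 is the first one in which an untrusted process changes a protected page, so the classifier flags it; `BackupUnit.before(3)` bisects the index to the copy stored after event 2, and that copy is restored directly. The protected pages in the restored image are still zero, i.e. the system is back in the state preceding the flagged activity.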