Systems and methods for event detection

A technology of event detection and event analysis, applied in error detection/correction, instruments, computing, etc., can solve the problems of increasing complexity of computer use, increasing the difficulty of consumer phone calls to help centers regarding spyware and adware, and increasing the difficulty of finding

Inactive Publication Date: 2008-11-06
GLOBALFOUNDRIES INC

AI Technical Summary

Benefits of technology

[0008] In accordance with at least one presently preferred embodiment of the present invention, a system accesses a log of events on more than one computing system and scans these logs in an effort to determine the likely cause of various items of interest, events, or problems. These “items of interest” often include improper or frustrating behavior of a computer system, but may also include delightful or beneficial behaviors for which a user, group of users, company, service, or help desk seeks a cause. The term “delightful” may refer to any useful, helpful, or beneficial items of interest, for example, a system (or software) feature or behavior that a user or group of users finds useful and for which the user or group of users seeks a cause. Examples of these delightful or beneficial features include: a pleasing sound, image, response, font, keyboard shortcut, mouse behavior, or any useful software application feature associated with a user's interactions with a computing device. Users may be delighted when a task is easy to perform, if a graphical user interface is pleasing to the eye, if a problem or frustrating feature improves or is no longer encountered, and when the system or software behaves in a useful, efficient, easy-to-understand, or otherwise pleasing manner.
[0012] Correlating an item of interest with a particular cause may be done automatically, without human intervention, by the detection service scanning for a common event or action on a plurality of machines prior to an item of interest. For example, if five users accessed a web page within a four-minute time window prior to the observation of intrusive pop-up ads, and subsequently their web browsers crashed, then the event of browsing this web page is a likely cause of the item of interest, in this case, the production of intrusive pop-up ads. In other cases, likely causes of items of interest, such as computer problems, are less easy to find. In these cases, it is possible for a separate test computer to play back a sequence of events prior to an item of interest, to determine if the item of interest can be replicated. For example, the test computer can browse to the web site to determine if the pop-up ads are generated after browsing to this site. These kinds of tests or experiments may be performed in an automated fashion, without human intervention. These experiments may often concern infection of the test machine and may be conducted in a controlled and isolated manner on the test machine so that the entire machine is not infected or rendered inoperable. One way in which to create this isolation is through the use of a virtual machine in which the testing and experimenting is done. In this context, a virtual machine provides one or more execution environments on a single computer, isolated from one another. The host software which provides this capability is often referred to as a virtual machine monitor or hypervisor. Through the use of a virtual machine, which is computer software that isolates the experimentation from the rest of the computer, the detection service may test a sequence of steps without harming the test computer. Once the tests are conducted, the virtual machine can be terminated and any infections discarded.
In this way, the virtual machine may execute the scenarios leading up to the problem. It gathers statistics and attempts to correlate the data from two or more systems to pinpoint the cause. Once the cause for the item of interest (e.g., a problem) is determined, a fix for this problem may be supplied to the computing systems exhibiting the item of interest. Alternatively, the computer experiencing the problem may be “rolled back” to a state prior to the problem occurring. The concept of system “roll back” is well known to users of computers and often plays an integral part in modern operating systems. For example, sometimes a computer user installs a driver that renders a computing system unstable. Windows XP allows users to “roll back” a driver installation to the previously installed driver. More generally, the System Restore feature of Microsoft Windows XP enables users, in the event of a problem, to restore their PCs to a previous state without losing personal data files.
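The cross-machine correlation described in [0012], as an added example that is not code from the patent: for each machine that logged the item of interest, it collects the events in the time window before the first occurrence and ranks events shared by several affected machines. The log tuple format, the event strings, the sample data, and the comparison against machines that never showed the item are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of merged agent logs: (machine, timestamp, event).
LOGS = [
    ("pc1", "2005-03-31T10:00:10", "http GET mail.example/inbox"),
    ("pc1", "2005-03-31T10:01:00", "http GET toolbar.example/free"),
    ("pc1", "2005-03-31T10:03:30", "popup_ads"),
    ("pc2", "2005-03-31T11:15:00", "http GET toolbar.example/free"),
    ("pc2", "2005-03-31T11:16:20", "keyboard shortcut"),
    ("pc2", "2005-03-31T11:17:00", "popup_ads"),
    ("pc3", "2005-03-31T09:00:00", "http GET toolbar.example/free"),  # 30 min earlier: outside window
    ("pc3", "2005-03-31T09:29:00", "http GET mail.example/inbox"),
    ("pc3", "2005-03-31T09:30:00", "popup_ads"),
    ("pc4", "2005-03-31T12:00:00", "http GET mail.example/inbox"),    # never shows the item
]

def rank_likely_causes(logs, item, window=timedelta(minutes=4), min_machines=2):
    """Return [(event, affected_machines, unaffected_machines)], best candidate first."""
    by_machine = defaultdict(list)
    for machine, ts, event in logs:
        by_machine[machine].append((datetime.fromisoformat(ts), event))

    affected = defaultdict(set)    # event -> affected machines that saw it inside the window
    unaffected = defaultdict(set)  # event -> machines that saw it but never logged the item
    for machine, entries in by_machine.items():
        onsets = [t for t, e in entries if e == item]
        if not onsets:
            for _, e in entries:
                unaffected[e].add(machine)
            continue
        onset = min(onsets)  # first observation of the item on this machine
        for t, e in entries:
            if e != item and onset - window <= t < onset:
                affected[e].add(machine)

    ranked = [(e, len(m), len(unaffected.get(e, ())))
              for e, m in affected.items() if len(m) >= min_machines]
    # Most affected machines first; events also common on healthy machines rank lower.
    return sorted(ranked, key=lambda r: (-r[1], r[2], r[0]))

if __name__ == "__main__":
    for event, hit, clean in rank_likely_causes(LOGS, "popup_ads"):
        print(f"{event}: {hit} affected, {clean} unaffected")
```

The top-ranked event is only a candidate; the isolated replay test described above is what confirms it.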

Problems solved by technology

Computer use is becoming increasingly complex, as traditional operating systems are under continual attack by a panoply of malicious software agents including viruses, nonviral “malware,” adware, spyware, and Web browser hijackers.
Viral and nonviral threats are very serious concerns for consumers, service providers, help desks, and computer and software manufacturers.
Additionally, operating systems may contain inefficiencies and errors that cause them to fail when a user runs a program or takes other seemingly innocuous actions.
Consumer phone calls to help centers regarding spyware and adware typically require significant troubleshooting time.
Usually the complaint is that the computer is performing slowly.
Consumers often do not understand the differences among adware, spyware, worms, and viruses—and the lack of knowledge costs Internet service providers significant money.
Problems may arise on certain computer systems as a result of various kinds of user actions that trigger the installation of malicious software or computer registry changes.
The problem may not appear when the user visits a web site, but might appear when the user clicks a link from that web site that redirects the browser to another site, in a nonobvious manner, that contains the offending software.
However, it is not always clear as to which one of a number of steps or events prior to a problem is the true cause of the problem.
Computer terrorism may involve attacks that modify the logic of a computing system in order to introduce delays or to make the system unpredictable.

Embodiment Construction

[0020] The present invention provides a detection service that facilitates automatically localizing the cause of items of interest associated with computer systems.

[0021] With reference to FIG. 1, there is provided in accordance with at least one presently preferred embodiment of the present invention an agent 102 that is installed on a client 101 or server system 103 and that is responsible for tracking specific events. These events may be caused by software, the user, services provider, company, or group of users, and include, for example, such trackable events as mouse events, keyboard events, browser requests via HTTP and FTP, mail events via SMTP, and various other events that could affect the functioning and response of a user's system, such as system 101. Often, the events of most interest will be those that may affect the system in a negative fashion, such as associated with adware, spyware, software installations, and viral and nonviral threats. However, these items of intere...

Abstract

A system accesses a log of events on more than one computing system and scans these logs in an effort to determine the likely cause of various items of interest, events, or problems. These items of interest often include improper or frustrating behavior of a computer system, but may also include delightful or beneficial behaviors for which a user, group of users, company, service, or help desk seeks a cause. Once the likely source of the item of interest is found, a test may be performed to confirm the source of the problem and warning or corrective action taken.

Description

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application is a continuation application of copending U.S. patent application Ser. No. 11/096,659 filed on Mar. 31, 2005, the contents of which are hereby fully incorporated by reference in its entirety.

FIELD OF THE INVENTION

[0002] The present invention relates generally to systems and methods for event detection and analysis. More specifically, this invention relates to determining causes of concerns encountered by users of computing systems.

BACKGROUND OF THE INVENTION

[0003] Computer use is becoming increasingly complex, as traditional operating systems are under continual attack by a panoply of malicious software agents including viruses, nonviral “malware,” adware, spyware, and Web browser hijackers. Viral and nonviral threats are very serious concerns for consumers, service providers, help desks, and computer and software manufacturers. Additionally, operating systems may contain inefficiencies and errors that cause them to fail wh...

Application Information

Patent Type & Authority: Applications (United States)
IPC(8): G06F11/00, G06F11/34
CPC: G06F11/0748, G06F11/079, G06F21/552
Inventor: BANTZ, DAVID F.; CHEFALAS, THOMAS E.; MESTRIANNI, STEVEN J.; PICKOVER, CLIFFORD A.
Owner: GLOBALFOUNDRIES INC