Detecting unknown software vulnerabilities and system compromises
First Claim
1. A method, comprising:
during a learning period, recording in a memory of at least one of one or more computing devices, an indication of which of a plurality of portions of an imported software package are invoked by a service during execution of the service in the learning period, individual ones of the plurality of portions selected from at least one of:
a class, a function, a file, or a library;
determining, via at least one monitoring service executed by at least one of the one or more computing devices, that a different portion of the imported software package is invoked by the service subsequent to the learning period, the different portion being different than those invoked by the service during the learning period;
blocking, via the at least one monitoring service executed by at least one of the one or more computing devices, execution of the different portion of the imported software package in response to determining that the different portion of the imported software package is invoked by the service; and
causing a re-initiation of the learning period for the imported software package, via at least one of the one or more computing devices, the re-initiation of the learning period updating, in the memory, the indication of the plurality of portions of the imported software package invoked by the service, in response to at least one of:
determining, via at least one of the one or more computing devices, that the service has changed;
determining, via at least one of the one or more computing devices, that the imported software package has changed;
or determining, via at least one of the one or more computing devices, that a customer of the service has changed.
Abstract
Disclosed are various embodiments for detecting unknown software vulnerabilities and system compromises. In a first implementation, a monitoring service records an indication of which portions of an imported software package are invoked by a service during a learning period. After the learning period, the monitoring service determines that a different portion of the imported software package is invoked by the service. The portion is different than those invoked by the service during the learning period. An action is then performed in response to determining that the different portion of the imported software package is invoked by the service.
23 Claims
1. (Independent claim 1 is reproduced above under First Claim.)
Dependent claims: 2, 3
4. A system, comprising:
at least one computing device including at least one memory and at least one processor; and
at least one monitoring service executed by the at least one processor of the at least one computing device, wherein when executed the at least one monitoring service causes the at least one computing device to at least:
receive an indication of which of a plurality of portions of an imported software package are invoked by a service during a learning period, individual ones of the plurality of portions selected from at least one of:
a class, a function, a file, or a library;
after the learning period, determine that a different portion of the imported software package is invoked by the service executed by the at least one processor, the different portion being different than those invoked by the service during the learning period; and
perform an action in response to determining that the different portion of the imported software package is invoked by the service, wherein the action includes:
blocking the execution of the different portion of the imported software package, and updating the received indication of the plurality of portions of the imported software package invoked by the service.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12
13. A method, comprising:
during a learning period, recording in a memory of at least one of one or more computing devices, a plurality of process execution trees invoking one or more programs during execution of the one or more programs in the learning period;
after the learning period, determining, via at least one monitoring service executed by at least one of the one or more computing devices, that at least one program of the one or more programs has been invoked by a process execution tree;
determining, via the at least one monitoring service executed by at least one of the one or more computing devices, that the invoking process execution tree does not match any of the plurality of recorded process execution trees; and
performing, via the at least one monitoring service executed by at least one of the one or more computing devices, an action with respect to the invoked program in response to determining that the invoking process execution tree does not match any of the plurality of recorded process execution trees, wherein the action comprises:
blocking the invoking process execution tree, and updating the memory to include the invoking process execution tree.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
21. A system, comprising:
at least one computing device including at least one memory and at least one processor; and
at least one monitoring service executed by the at least one processor of the at least one computing device, wherein when executed the at least one monitoring service causes the at least one computing device to at least:
identify at least one portion of an imported software package that is not invoked by a service during a learning period, wherein during the learning period the monitoring service records one or more portions of the imported software package invoked during execution of the imported software package;
block the at least one portion of the imported software package from being executed by the service after the learning period; and
cause a re-initiation of the learning period for the imported software package.
Dependent claims: 22, 23
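As an added illustration of the mechanism in claims 1 and 4 (example code, not the patent's own implementation): a monitoring service records which portions of an imported package a service invokes during a learning period, blocks any portion first seen afterwards, and re-initiates learning when the package changes. The dict standing in for the package, the bytecode fingerprint used to detect a package change, and the names parse and load_plugin are all constructed for this example.

```python
import hashlib

class PortionBlocked(Exception):
    """Raised when a portion not seen in the learning period is invoked."""

class ImportedPackageMonitor:
    """Monitoring service modelled on claims 1 and 4 (constructed example)."""

    def __init__(self, package):
        self.package = package   # {portion name: callable}, stands in for a library
        self.allowed, self.blocked = set(), []  # learned portions; audit trail
        self.pkg_hash, self.learning = None, False

    @staticmethod
    def fingerprint(package):
        # Hash each portion's bytecode so a changed package is detected (assumption).
        h = hashlib.sha256()
        for name in sorted(package):
            h.update(name.encode() + package[name].__code__.co_code)
        return h.hexdigest()

    def start_learning(self):
        """(Re-)initiate the learning period; the allow-set is rebuilt."""
        self.pkg_hash, self.allowed, self.learning = self.fingerprint(self.package), set(), True

    def invoke(self, name, *args):
        """Route a service's call into the package through the monitor."""
        if self.fingerprint(self.package) != self.pkg_hash:
            self.start_learning()          # package changed: re-learn (claim 1)
        if self.learning:
            self.allowed.add(name)
        elif name not in self.allowed:
            self.blocked.append(name)      # block and record (claims 1, 4)
            raise PortionBlocked(name)
        return self.package[name](*args)

def demo():
    """Constructed scenario: learn 'parse', block 'load_plugin', re-learn after update."""
    package = {"parse": lambda s: [x.strip() for x in s.split(",")],
               "load_plugin": lambda n: f"loaded {n}"}
    mon = ImportedPackageMonitor(package); mon.start_learning()
    mon.invoke("parse", "a, b")
    mon.learning = False                   # learning period ends
    try:
        mon.invoke("load_plugin", "x"); blocked = False
    except PortionBlocked:
        blocked = True
    package["parse"] = lambda s: s.split(",")   # package update changes bytecode
    mon.invoke("load_plugin", "x")         # accepted: learning re-initiated
    return blocked, mon.learning, sorted(mon.allowed), mon.blocked
```

The audit trail in blocked is kept across re-learning so an operator can review what was stopped before the allow-set was rebuilt.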
Specification