System and method for detecting interpreter-based exploit attacks
First Claim
1. A computerized method for detecting exploit attacks on an interpreter, comprising:
- configuring a virtual machine including a user mode and a kernel mode;
- processing an object by an application operating in the user mode of the virtual machine;
- detecting a loading of an interpreter by the application;
- responsive to the loading of the interpreter during processing of the object within the virtual machine, inserting one or more intercept points for detecting one or more types of software calls associated with an activity being conducted by the interpreter; and
- detecting an exploit attack being conducted by the object in response to the interpreter conducting any of the one or more types of software calls being monitored by the one or more intercept points.
Abstract
For one embodiment, a computerized method for detecting exploit attacks on an interpreter comprises configuring a virtual machine including a user mode and a kernel mode, and processing an object by an application operating in the user mode of the virtual machine. Responsive to the processing of the object, a loading of an interpreter is detected. Responsive to the loading of the interpreter, one or more intercept points are inserted for detecting one or more types of software calls from the interpreter, or for detecting one or more types of activities occurring within the interpreter. Thereafter, an exploit attack is detected as being conducted by the object when the interpreter invokes a software call of a type that is considered anomalous when invoked by the interpreter, or when an anomalous activity is conducted within the interpreter.
24 Claims
1. A computerized method for detecting exploit attacks on an interpreter, comprising:
- configuring a virtual machine including a user mode and a kernel mode;
- processing an object by an application operating in the user mode of the virtual machine;
- detecting a loading of an interpreter by the application;
- responsive to the loading of the interpreter during processing of the object within the virtual machine, inserting one or more intercept points for detecting one or more types of software calls associated with an activity being conducted by the interpreter; and
- detecting an exploit attack being conducted by the object in response to the interpreter conducting any of the one or more types of software calls being monitored by the one or more intercept points.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. An electronic device, comprising:
- one or more hardware processors; and
- a memory communicatively coupled to the one or more hardware processors, the memory including software that, when executed by the one or more hardware processors, is to (i) configure a virtual machine including a user mode and a kernel mode, (ii) process an object by an application operating in the user mode of the virtual machine, (iii) detect a loading of an interpreter by the application, (iv) responsive to the loading of the interpreter during processing of the object within the virtual machine, insert one or more intercept points for detecting one or more types of software calls from and within the interpreter, and (v) detect that an exploit attack is being conducted by the object in response to the interpreter invoking a software call that corresponds to the one or more types of software calls.
(Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20)
21. A non-transitory storage medium including software that, when executed by a hardware processor, runs a virtual machine including a user mode and a kernel mode for detection of an exploit attack on an interpreter and causes the hardware processor to perform operations, comprising:
- processing an object by an application operating in the user mode of the virtual machine;
- loading of the interpreter by the application processing the object;
- responsive to the loading of the interpreter and performed during processing of the object within the virtual machine, inserting one or more intercept points for detecting either (i) one or more types of Application Programming Interface (API) calls from the interpreter or (ii) one or more types of activities by the interpreter; and
- detecting an exploit attack being conducted by the object in response to the interpreter either (i) invoking an API call that corresponds to the one or more types of API calls associated with the one or more intercept points, being an anomalous API call by the interpreter, or (ii) conducting a certain type of activity that is anomalous for the interpreter.
22. A computerized method for detecting exploit attacks on a software component, comprising:
- configuring a virtual machine including a user mode and a kernel mode;
- processing an object by an application in the virtual machine;
- responsive to the processing of the object, detecting a loading of an interpreter by the application;
- responsive to the loading of the interpreter during processing of the object within the virtual machine, inserting one or more intercept points for detecting one or more types of software calls associated with an activity being conducted by the interpreter, by at least setting one or more trap instructions into particular code of the interpreter to divert control to a hypervisor operating to detect an exploit attack being conducted by the interpreter; and
- detecting the exploit attack being conducted by the object in response to the interpreter conducting any of the one or more types of software calls being monitored by the one or more intercept points.
(Dependent claims: 23, 24)
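The following Python model is an added illustration, not code from the patent or from its assignee. It walks a constructed event trace through the sequence the abstract and claims 1, 21 and 22 describe: intercept points are armed only after the monitored application loads an interpreter, and only calls issued from the interpreter that fall into the intercepted call types count as a detection. The same call type issued by the host application itself, a call type outside the monitored set, and a call in a process where no interpreter load was observed are all left alone. The event format, the process ids, the interpreter module names (jscript.dll, vbscript.dll) and the intercepted call types are assumptions chosen for the example; a real deployment would obtain these events from a VM-side agent or hypervisor trap, which this model does not implement.

```python
"""Simplified model of interpreter-load triggered intercept points.

Added example (not from the patent). Events below are a constructed trace
of what a VM-side monitoring agent might report; nothing here hooks a real
process or hypervisor.
"""
from dataclasses import dataclass

# Assumption for the example: call types the monitor treats as anomalous when
# issued by a script interpreter embedded in a document-processing application.
INTERCEPTED_CALL_TYPES = frozenset({
    "process_create",
    "exec_memory_alloc",
    "write_file_executable",
})

# Assumption for the example: module names that identify an interpreter load.
INTERPRETER_MODULES = frozenset({"jscript.dll", "vbscript.dll"})


@dataclass(frozen=True)
class Event:
    """One observation from the monitored virtual machine."""
    pid: int
    kind: str            # "load_module" or "call"
    name: str            # module name for load_module, call type for call
    caller_module: str = ""  # module that issued the call (for kind == "call")


@dataclass(frozen=True)
class Detection:
    """An interpreter-issued call that matched an armed intercept point."""
    pid: int
    interpreter: str
    call: str


class InterpreterMonitor:
    """Arms intercept points per process when an interpreter is loaded."""

    def __init__(self, interpreter_modules=INTERPRETER_MODULES,
                 intercepted_calls=INTERCEPTED_CALL_TYPES):
        self.interpreter_modules = set(interpreter_modules)
        self.intercepted_calls = set(intercepted_calls)
        self.armed = {}        # pid -> set of interpreter modules with intercepts
        self.detections = []

    def handle(self, event):
        """Process one event; return a Detection if the event is flagged."""
        if event.kind == "load_module" and event.name in self.interpreter_modules:
            # Responsive to the interpreter load: insert intercept points for
            # this process. Calls from the interpreter are now monitored.
            self.armed.setdefault(event.pid, set()).add(event.name)
            return None
        if event.kind == "call":
            armed = self.armed.get(event.pid, set())
            # Only calls issued from an armed interpreter module count; the
            # same call from the host application is normal behaviour.
            if event.caller_module in armed and event.name in self.intercepted_calls:
                det = Detection(event.pid, event.caller_module, event.name)
                self.detections.append(det)
                return det
        return None


def run_trace(events, monitor=None):
    """Feed a trace through a monitor and return the detections in order."""
    monitor = monitor or InterpreterMonitor()
    return [d for e in events if (d := monitor.handle(e)) is not None]


# Constructed sample trace: a document reader (pid 4242) loads a script
# interpreter, after which the interpreter makes two anomalous calls.
SAMPLE_TRACE = [
    Event(4242, "call", "process_create", "reader.exe"),        # host app itself: ignored
    Event(4242, "load_module", "jscript.dll"),                  # interpreter load: arm intercepts
    Event(4242, "call", "read_file", "jscript.dll"),            # unmonitored call type: ignored
    Event(4242, "call", "exec_memory_alloc", "jscript.dll"),    # flagged
    Event(4242, "call", "process_create", "jscript.dll"),       # flagged
    Event(5151, "call", "process_create", "jscript.dll"),       # no load seen for pid 5151: ignored
]

if __name__ == "__main__":
    for det in run_trace(SAMPLE_TRACE):
        print(f"pid {det.pid}: {det.interpreter} issued {det.call}")
```

Running the block prints the two flagged calls from pid 4242 and nothing for pid 5151, which shows why the claims tie the insertion of intercept points to the observed interpreter load rather than monitoring every call in the virtual machine: the interpreter context is what makes an otherwise ordinary call anomalous.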