System and method for detecting interpreter-based exploit attacks

US 10,033,747 B1
Filed: 09/29/2015
Issued: 07/24/2018
Est. Priority Date: 09/29/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method for detecting exploit attacks on an interpreter, comprising:

configuring a virtual machine including a user mode and a kernel mode;

processing an object by an application operating in the user mode of the virtual machine;

detecting a loading of an interpreter by the application;

responsive to the loading of the interpreter during processing of the object within the virtual machine, inserting one or more intercept points for detecting one or more types of software calls associated with an activity being conducted by the interpreter; and

detecting an exploit attack being conducted by the object in response to the interpreter conducting any of the one or more types of software calls being monitored by the one or more intercept points.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For one embodiment, a computerized method for detecting exploit attacks on an interpreter comprises configuring a virtual machine including a user mode and a kernel mode and processing an object by an application operating in the user mode of the virtual machine. Responsive to the processing of the object, detecting a loading of an interpreter. Furthermore, responsive to the loading of the interpreter, inserting one or more intercept points for detecting one or more types of software calls from the interpreter or for detecting a certain type or certain types of activities occurring within the interpreter. Thereafter, an exploit attack is detected as being conducted by the object in response to the interpreter invoking a software call that corresponds to the one or more types of software calls that is considered anomalous when invoked by the interpreter or an anomalous activity being conducted within the interpreter.

Citations

24 Claims

1. A computerized method for detecting exploit attacks on an interpreter, comprising:
- configuring a virtual machine including a user mode and a kernel mode;
  
  processing an object by an application operating in the user mode of the virtual machine;
  
  detecting a loading of an interpreter by the application;
  
  responsive to the loading of the interpreter during processing of the object within the virtual machine, inserting one or more intercept points for detecting one or more types of software calls associated with an activity being conducted by the interpreter; and
  
  detecting an exploit attack being conducted by the object in response to the interpreter conducting any of the one or more types of software calls being monitored by the one or more intercept points.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computerized method of claim 1, wherein the detecting of the exploit attack being conducted by the object comprises detecting whether the interpreter is invoking a selected Application Programming Interface (API) call that corresponds to a selected software call of the one or more types of software calls monitored through the one or more intercept points, the API call being an anomalous activity by the interpreter.
  - 3. The computerized method of claim 1, wherein the inserting of the one or more intercept points comprises inserting one or more intercept points at certain locations by a monitor logic accessible to the application processing a script that utilizes the interpreter.
  - 4. The computerized method of claim 1, wherein the interpreter is operating in the kernel mode and as a font interpreter.
  - 5. The computerized method of claim 1, wherein the interpreter is operating in the user mode.
  - 6. The computerized method of claim 2 further comprising:
    - loading a kernel driver into the kernel mode of the virtual machine, the kernel driver comprises (i) hook framework logic to intercept at least the selected API call of the one or more types of software calls, (ii) instrumentation framework logic to intercept a certain type of activity being conducted by the interpreter and the certain type of activity being anomalous for the interpreter; and
      
      (iii) monitoring logic to track usage of the selected API call or conducting of the anomalous activity by the interpreter.
  - 7. The computerized method of claim 6, wherein the kernel driver further comprises a correlation logic to aggregate and categorize the monitored data from the monitoring logic in order to determine whether any detected anomalous activities denote an exploit attack on the interpreter.
  - 8. The computerized method of claim 2 further comprising:
    - loading a monitor logic within the application being processed within the virtual machine or within the virtual machine for operating in cooperation with the application, the monitor logic comprises (i) hook framework logic to intercept at least the selected API call of the one or more software calls, (ii) instrumentation framework logic to intercept a certain type of activity being conducted within the interpreter and the activity being anomalous for the interpreter; and
      
      (iii) monitoring logic to track usage of the selected API call or conducting of the anomalous activity by the interpreter.
  - 9. The computerized method of claim 1, wherein the detecting of the exploit attack being conducted by the object in response to the interpreter conducting any of the one or more types of software calls comprises detecting whether the interpreter is invoking a selected activity that corresponds to the one or more types of software calls, the selected activity being an anomalous activity by the interpreter that is monitored by the one or more intercept points.
  - 10. The computerized method of claim 1, wherein the inserting of the one or more intercept points for detecting the one or more types of software calls from the interpreter comprises setting trap instructions into particular code of the interpreter to divert control to a hypervisor that operates to detect the exploit attack being conducted by the interpreter in response to the interpreter, operating in combination with the application and the object being processed, invoking the software call.

11. An electronic device, comprising:
- one or more hardware processors; and
  
  a memory communicatively coupled to the one or more hardware processors, the memory includes software, when executed by the one or more hardware processors, to (i) configure a virtual machine including a user mode and a kernel mode, (ii) process an object by an application operating in the user mode of the virtual machine, (iii) detect a loading of an interpreter by the application, (iv) responsive to the loading of the interpreter during processing of the object within the virtual machine, insert one or more intercept points for detecting one or more types of software calls from and within the interpreter, and (v) detect an exploit attack is being conducted by the object in response to the interpreter invoking a software call that corresponds to the one or more types of software calls.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The electronic device of claim 11, wherein the software call includes an Application Programming Interface (API) call invoked by the interpreter being an anomalous activity by the interpreter.
  - 13. The electronic device of claim 12, wherein the software, when executed by the one or more hardware processors, inserts the one or more intercept points by inserting one or more intercept points at certain locations by monitor logic accessible to the application processing a script that utilizes the interpreter.
  - 14. The electronic device of claim 12, wherein the interpreter operates in the kernel mode.
  - 15. The electronic device of claim 14, wherein the interpreter includes a font interpreter.
  - 16. The electronic device of claim 12, wherein the interpreter operates in the user mode.
  - 17. The electronic device of claim 12 further comprising:
    - a kernel driver that is loaded into the kernel mode of the virtual machine, the kernel driver comprises (i) hook framework logic to intercept at least one selected API call of the one or more types of API calls, (ii) instrumentation framework logic to intercept a certain type of activity that is anomalous for the interpreter; and
      
      (iii) monitoring logic to track usage of the selected API call or conducting of the anomalous activity by the interpreter.
  - 18. The electronic device of claim 17, wherein the kernel driver further comprises a correlation logic to aggregate and categorize the monitored data from the monitoring logic in order to determine whether any detected anomalous activities denote the exploit attack on the interpreter.
  - 19. The electronic device of claim 12 further comprising:
    - monitor logic being loaded into or operating in combination with the application, the monitor logic comprises (i) hook framework logic to intercept at least the selected API call of the one or more software calls, (ii) instrumentation framework logic to intercept a certain type of activity being conducted within the interpreter and the activity being anomalous for the interpreter; and
      
      (iii) monitoring logic to track usage of the selected API call or conducting of the anomalous activity by the interpreter.
  - 20. The electronic device of claim 11, wherein the software, when executed by the one or more hardware processors, inserting the one or more intercept points by setting trap instructions into particular code of the interpreter to divert control to a hypervisor that operates to detect the exploit attack being conducted by the interpreter in response to the interpreter, operating in combination with the application and the object being processed, invoking the software call.

21. A non-transitory storage medium including software that, when executed by a hardware processor, runs a virtual machine including a user mode and a kernel mode for detection of an exploit attack on an interpreter and causes the hardware processor to perform operations, comprising:
- processing an object by an application operating in the user mode of the virtual machine;
  
  loading of the interpreter by the application processing the object;
  
  responsive to the loading of the interpreter and performed during processing of the object within the virtual machine, inserting one or more intercept points for detecting either (i) one or more types of Application Programming Interface (API) calls from the interpreter or (ii) one or more types of activities by the interpreter; and
  
  detecting an exploit attack being conducted by the object in response to the interpreter either (i) invoking an API call that corresponds to the one or more types of API calls associated with the one or more intercept points being an anomalous API call by the interpreter or (ii) conducting a certain type of activity that is anomalous for the interpreter.

22. A computerized method for detecting exploit attacks on a software component, comprising:
- configuring a virtual machine including a user mode and a kernel mode;
  
  processing an object by an application in the virtual machine;
  
  responsive to the processing of the object, detecting a loading of an interpreter by the application;
  
  responsive to the loading of the interpreter during processing of the object within the virtual machine, inserting one or more intercept points for detecting one or more types of software calls associated with an activity being conducted by the interpreter by at least setting one or more trap instructions into particular code of the interpreter to divert control to a hypervisor operating to detect an exploit attack being conducted by the interpreter; and
  
  detecting the exploit attack being conducted by the object in response to the interpreter conducting any of the one or more types of software calls being monitored by the one or more intercept points.
- View Dependent Claims (23, 24)
- - 23. The computerized method of claim 22, wherein the inserting of the one or more intercept points comprises inserting one or more intercept points at certain locations by a monitor logic accessible to the application processing a script that utilizes the interpreter.
  - 24. The computerized method of claim 22 further comprising:
    - loading a kernel driver into the kernel mode of the virtual machine, the kernel driver comprises (i) hook framework logic to intercept at least the selected API call of the one or more types of software calls, (ii) instrumentation framework logic to intercept a certain type of activity being conducted by the interpreter and the certain type of activity being anomalous for the interpreter; and
      
      (iii) monitoring logic to track usage of the selected API call or conducting of the anomalous activity by the interpreter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vashisht, Sai Omkar
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US14/869,901
Time in Patent Office

1,029 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

System and method for detecting interpreter-based exploit attacks

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting interpreter-based exploit attacks

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links