Automated runtime detection of malware
1 Assignment
0 Petitions
Abstract
One example method and corresponding apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. It then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.
162 Citations
115 Claims
1. A computer-implemented method comprising:
extracting a model of a computer application during load time, the extracting includes:
identifying address transitions that map instruction addresses to respective target addresses, and
adding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
storing the model of the computer application;
inserting one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime;
analyzing the data collected at runtime against the stored model of the computer application, including address transitions and target addresses, to detect one or more security events; and
tracking the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
Dependent claims: 2 to 26.
27. A computer-implemented method comprising:
extracting a model of a computer application during load time, the extracting includes:
identifying address transitions that map instruction addresses to respective target addresses, and
adding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
storing the model of the computer application;
inserting one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime; and
automatically detecting a security attack of the computer application based on comparing the stored model to the collected data.
Dependent claims: 28 to 41.
42. A computer-implemented method comprising:
analyzing data collected at runtime for a computer application against a stored model of the computer application to detect one or more security events, (i) the stored model includes address transitions that map instruction addresses to respective target addresses when the respective target addresses are indeterminable at load time, and (ii) the stored model includes the respective target addresses when the respective target addresses are determinable at load time; and
tracking the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
Dependent claims: 43 to 54.
55. The method of claim 42 wherein tracking the one or more security events further comprises adding one or more new security events with associated severity and actions for tracking using the state machine.
56. A system comprising:
at least one processor configured to implement:
a client configured to extract a model of a computer application during load time, wherein the extracting includes the client:
identifying address transitions that map instruction addresses to respective target addresses, and
adding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
the client further configured to store the model of the computer application, the client further configured to insert one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime; and
an analysis engine configured to analyze data collected at runtime against the stored model of the computer application, including address transitions and target addresses, to detect one or more security events;
the analysis engine configured to track the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
Dependent claims: 57 to 86.
87. An apparatus comprising:
a processor configured to execute a first process and a second process;
the first process configured to extract a model of a computer application during load time, wherein the extracting includes the first process:
identifying address transitions that map instruction addresses to respective target addresses, and
adding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
the first process further configured to store the model of the computer application;
the second process configured to insert one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime; and
the second process further configured to automatically detect a security attack of the computer application based on comparing the stored model to the collected data.
Dependent claims: 88 to 101.
102. An apparatus comprising:
a processor configured to execute a first process and a second process;
the first process configured to analyze data collected at runtime for a computer application against a stored model of the computer application to detect one or more security events, (i) the stored model includes address transitions that map instruction addresses to respective target addresses when the respective target addresses are indeterminable at load time, and (ii) the stored model includes the respective target addresses when the respective target addresses are determinable at load time; and
the second process configured to track the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
Dependent claims: 103 to 115.
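The following Python toy is an added example, not code from the patent or from any product practising it, and it walks the pipeline the independent claims describe: a load-time model that keeps determinable targets and only the transition sites for indeterminable ones, the set of collection points, a runtime comparison of collected (site, target) pairs against that model, and a severity-driven state machine in the spirit of claim 55. The sample program, addresses, event severities and state-machine thresholds are all constructed assumptions.

```python
from enum import Enum
# Constructed sample application: address -> (kind, operand). A direct "call" or
# "jmp" has a target determinable at load time; "icall" (indirect call) does not.
PROGRAM = {0x1000: ("op", None), 0x1004: ("call", 0x2000), 0x1008: ("icall", None),
           0x100C: ("jmp", 0x1000), 0x2000: ("op", None), 0x2004: ("ret", None)}

def extract_model(program):
    """Load-time extraction: keep the target for determinable transfers and only
    the transition site (instruction address) for indeterminable ones."""
    direct, indirect = {}, set()
    for addr, (kind, operand) in program.items():
        if kind in ("call", "jmp"):
            direct[addr] = operand
        elif kind == "icall":
            indirect.add(addr)
    return {"direct": direct, "indirect": indirect}

def collection_points(model):
    """Where collection instructions go: transition sites plus determinable targets."""
    return sorted(set(model["direct"]) | model["indirect"] | set(model["direct"].values()))

def analyze(trace, model, program):
    """Compare runtime-collected (site, observed target) pairs with the model."""
    events = []
    for site, target in trace:
        if site in model["direct"] and target != model["direct"][site]:
            events.append(("high", f"direct transfer at {site:#x} redirected to {target:#x}"))
        elif site in model["indirect"] and target not in program:
            events.append(("high", f"indirect transfer at {site:#x} left the code image: {target:#x}"))
        elif site not in model["direct"] and site not in model["indirect"]:
            events.append(("low", f"transfer collected from unmodeled address {site:#x}"))
    return events

class State(Enum):
    NORMAL = "normal"
    SUSPICIOUS = "suspicious"
    ATTACK = "attack"
# Severity-driven state machine (thresholds assumed): one low event is suspicious,
# a second event of any severity or any high event is treated as an attack.
NEXT = {(State.NORMAL, "low"): State.SUSPICIOUS, (State.NORMAL, "high"): State.ATTACK,
        (State.SUSPICIOUS, "low"): State.ATTACK, (State.SUSPICIOUS, "high"): State.ATTACK}
def track(events, state=State.NORMAL):
    for severity, _ in events:
        state = NEXT.get((state, severity), state)   # ATTACK is absorbing
    return state
def detect(trace, program=PROGRAM):
    model = extract_model(program)
    events = analyze(trace, model, program)
    return track(events), events
```

A benign trace that follows the modelled transfers leaves the machine in NORMAL; an indirect call whose observed target lies outside the code image, or a direct call observed going somewhere other than its load-time target, moves it straight to ATTACK.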