Inferential exploit attempt detection

US 10,216,934 B2
Filed: 07/18/2016
Issued: 02/26/2019
Est. Priority Date: 07/18/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a call stack actor (CSA) executing on one or more processors, a request to examine a context of an action of interest (AoI);

determining an object associated with the AoI and one or more addresses associated with the object;

generating, by the CSA and based at least in part on the request, a characterization of a call stack associated with the AoI, the generating based at least in part on walking through the call stack and determining that a return address in a frame of the call stack is associated with memory outside the one or more addresses; and

determining, by a security agent executing on the one or more processors and based at least in part on the characterization, that the AoI includes a security exploit.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security agent implemented on a monitored computing device is described herein. The security agent is configured to detect an action of interest (AoI) that may be probative of a security exploit and to determine a context in which that AoI occurred. Based on that context, the security agent is further configured to decide whether the AoI is a security exploit and can take preventative action to prevent the exploit from being completed.

6 Citations

18 Claims

1. A method comprising:
- receiving, by a call stack actor (CSA) executing on one or more processors, a request to examine a context of an action of interest (AoI);
  
  determining an object associated with the AoI and one or more addresses associated with the object;
  
  generating, by the CSA and based at least in part on the request, a characterization of a call stack associated with the AoI, the generating based at least in part on walking through the call stack and determining that a return address in a frame of the call stack is associated with memory outside the one or more addresses; and
  
  determining, by a security agent executing on the one or more processors and based at least in part on the characterization, that the AoI includes a security exploit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as claim 1 recites, the determining that the AoI includes the security exploit further comprises determining that the characterization meets at least a portion of a heuristic defining characteristics of security exploits.
  - 3. A method as claim 1 recites, the call stack including multiple frames and the characterization of a frame of the call stack including at least one of:
    - a module identifier of a module associated with an address of the frame;
      
      a return address;
      
      the indicator of whether the return address is associated with memory previously allocated for the object, the object including one of a function, a module, a process, or a thread;
      
      a memory region associated with the frame;
      
      an object identifier of a process or a thread associated with a memory region;
      
      permissions of the memory region;
      
      ora size of the memory region.
  - 4. A method as claim 3 recites, the determining that the AoI includes the security exploit is based at least in part on at least one of:
    - determining that the return address is outside memory previously allocated for an object;
      
      determining that the object identifier is associated with a vulnerable object;
      
      determining that permissions of the memory region include two or more of read, write, and execute;
      
      ordetermining that the memory region is one page in length.
  - 5. A method as claim 1 recites, the determining including determining that the return address is outside memory previously allocated for the object and the method further including treating code that the return address points to as malicious code.
  - 6. A method as claim 1 recites, further comprising committing a preventative action without receiving input from a user and based at least in part on the determining that the AoI includes the security exploit.
  - 7. A method as claim 6 recites, the preventative action including at least one of:
    - stopping or preventing execution of the AoI,stopping or preventing execution of an object associated with the AoI,stopping or preventing an input/output operation,stopping or prevention network operations, orcausing a computing device that committed the AoI to reboot.
  - 8. A method as claim 1 recites, the determining including:
    - calculating a confidence score based at least in part on the characterization; and
      
      determining that AoI includes a security exploit based at least in part on the confidence score exceeding a threshold confidence score.

9. A computing device including:
- one or more processors;
  
  one or more computer-readable media storing instructions executable by the one or more processors, wherein the instructions, when executed, cause the computing system to perform operations comprising;
  
  receiving a request to perform analysis of an action of interest (AoI);
  
  identifying one or more addresses of memory allocated to one or more objects;
  
  walking a call stack, starting at a frame in the call stack corresponding to the AoI, until;
  
  the walking reaches a stack frame that is associated with a return address that is not associated with a module loaded on the one or more computer-readable media and continuing to walk the call stack until the walking reaches at least one of an end of the call stack, a root thread, or a root process, orthe walking reaches at least one of an end of the call stack, a root thread, or a root thread process; and
  
  comparing the return address with one or more addresses associated with the root thread or the root process;
  
  anddetermining that the AoI is a security exploit of the computing device based at least in part on determining that the return address is outside the one or more addresses.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. A computing device as claim 9 recites, wherein the operations further comprise preventing at least one of the AoI or the security exploit from being completed without receiving user input.
  - 11. A computing device as claim 9 recites, wherein the operations are conducted in a kernel mode of the computing device, the call stack being accessible by a kernel of the computing device.
  - 12. A computing device as claim 9 recites, wherein generating the characterization comprises fuzzy walking the call stack to obtain an object identifier of a function, module, process, or thread that initiated a chain of functions reflected in the call stack that resulted in the AoI and including the object identifier in the characterization.
  - 13. A computing device as claim 9 recites, wherein the call stack is accessible by a kernel of the computing device and fuzzy walking is conducted in kernel mode.
  - 14. A computing device as claim 9 recites, the generating the characterization of the call stack including:
    - obtaining a list of addresses of the memory associated with the call stack and the AoI, the list of addresses being associated with frames of the call stack;
      
      querying a kernel of the computing device for details related to at least one frame of the frames, the details including at least one of;
      
      a function associated with the frame,a stack pointer associated with the frame,a return address associated with the frame,a location in the memory associated with the return address or the stack pointer,memory allocation information regarding the location, the memory allocation information including an indication of whether the location is within a memory range that has been allocated to an object, the object including a function, module, process, or thread,an object identifier associated with the object to which the memory range is allocated if the location is within a memory range that has been allocated to an object,permissions of the location or memory associated with the object,a size of the location, ora size of code associated with the object.
  - 15. A computing device as claim 14 recites, wherein the operations further comprise selecting at least one of the details to include in the characterization based at least in part on at least one of the request to perform analysis or a type of the AoI from among identified types of AoIs.
  - 16. A computing device as claim 9 recites, wherein the operations further comprise:
    - responsive to determining that the AoI is the security exploit of the computing device, treating as malicious code a portion of code stored on the memory and referred to in the characterization;
      
      storing in the memory or transmitting to a remote memory a copy of the malicious code;
      
      associating at least one of a vulnerability identifier, offset identifier, or an exploit name with the copy of the malicious code;
      
      storing in the memory or transmit to the remote memory the characterization; and
      
      gather and store in the memory or transmit to the remote memory additional information, the additional information including at least one of a name, version, or address ranges of the malicious code loaded in the memory.
  - 17. A computing device as claim 16 recites, the logic being further configured to use at least one of copies of malicious code, vulnerability identifiers, offset identifiers, exploit names, characterizations, or additional information to improve accuracy of determining whether the AoI is the security exploit.

18. A system including:
- a processor;
  
  a memory having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the system to perform operations including;
  
  detecting an action of interest (AoI) from among actions taken by the system;
  
  determining a frame of a call stack associated with the AoI;
  
  walking the call stack, starting at the frame in the call stack corresponding to the AoI, until;
  
  the walking reaches a stack frame that is associated with a return address that is not associated with a module loaded on the one or more computer-readable media and continuing to walk the call stack until the walking reaches at least one of an end of the call stack, a root thread, or a root process, orthe walking reaches at least one of an end of the call stack, a root thread, or a root thread process; and
  
  anddetermining, based at least in part on the walking, a confidence score that indicates that the AoI is an exploit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Brown, Daniel W., Ionescu, Ion-Alexandru, Robinson, Loren C.
Primary Examiner(s)
Okeke, Izunna

Application Number

US15/213,004
Publication Number

US 20180018460A1
Time in Patent Office

953 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

Inferential exploit attempt detection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Inferential exploit attempt detection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links