Inferential exploit attempt detection
4 Assignments
0 Petitions
Abstract
A security agent implemented on a monitored computing device is described herein. The security agent is configured to detect an action of interest (AoI) that may be probative of a security exploit and to determine a context in which that AoI occurred. Based on that context, the security agent is further configured to decide whether the AoI is a security exploit and can take preventative action to prevent the exploit from being completed.
6 Citations
18 Claims
- 1. A method comprising:
  - receiving, by a call stack actor (CSA) executing on one or more processors, a request to examine a context of an action of interest (AoI);
  - determining an object associated with the AoI and one or more addresses associated with the object;
  - generating, by the CSA and based at least in part on the request, a characterization of a call stack associated with the AoI, the generating based at least in part on walking through the call stack and determining that a return address in a frame of the call stack is associated with memory outside the one or more addresses; and
  - determining, by a security agent executing on the one or more processors and based at least in part on the characterization, that the AoI includes a security exploit.
  - Dependent claims: 2, 3, 4, 5, 6, 7, 8
- 9. A computing device including:
  - one or more processors;
  - one or more computer-readable media storing instructions executable by the one or more processors, wherein the instructions, when executed, cause the computing system to perform operations comprising:
    - receiving a request to perform analysis of an action of interest (AoI);
    - identifying one or more addresses of memory allocated to one or more objects;
    - walking a call stack, starting at a frame in the call stack corresponding to the AoI, until: the walking reaches a stack frame that is associated with a return address that is not associated with a module loaded on the one or more computer-readable media and continuing to walk the call stack until the walking reaches at least one of an end of the call stack, a root thread, or a root process, or the walking reaches at least one of an end of the call stack, a root thread, or a root thread process; and comparing the return address with one or more addresses associated with the root thread or the root process; and
    - determining that the AoI is a security exploit of the computing device based at least in part on determining that the return address is outside the one or more addresses.
  - Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17
- 18. A system including:
  - a processor;
  - a memory having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the system to perform operations including:
    - detecting an action of interest (AoI) from among actions taken by the system;
    - determining a frame of a call stack associated with the AoI;
    - walking the call stack, starting at the frame in the call stack corresponding to the AoI, until: the walking reaches a stack frame that is associated with a return address that is not associated with a module loaded on the one or more computer-readable media and continuing to walk the call stack until the walking reaches at least one of an end of the call stack, a root thread, or a root process, or the walking reaches at least one of an end of the call stack, a root thread, or a root thread process; and
    - determining, based at least in part on the walking, a confidence score that indicates that the AoI is an exploit.
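The walk that the three independent claims describe, as an added example that is not code from the patent or its assignee: a captured call stack is walked from the AoI frame to the end of the stack, each frame's return address is checked against the address ranges of the loaded modules (the "one or more addresses" of claims 1 and 9), and a confidence score in the sense of claim 18 is derived from the frames that no module backs. The module names, hex addresses, frame labels, helper names and the scoring rule are all constructed assumptions for illustration; the walk stops at the end of the captured stack rather than at a root thread or process.

```python
"""Simulated call-stack walk with a loaded-module return-address check.

Added example, not the patent's code. Module map, stack frames and the
scoring rule are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded image; [base, base + size) is its mapped address range."""
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class Frame:
    """One stack frame; only the return address matters for this check."""
    return_address: int
    label: str = ""  # symbol the return address resolves to (constructed)


@dataclass(frozen=True)
class Finding:
    """Result of classifying one frame during the walk."""
    index: int
    return_address: int
    module: Optional[str]  # None when no loaded module backs the address


def module_for(address: int, modules: List[Module]) -> Optional[Module]:
    """Map a return address to the loaded module whose range contains it."""
    for module in modules:
        if module.contains(address):
            return module
    return None


def walk_call_stack(frames: List[Frame], aoi_index: int,
                    modules: List[Module]) -> List[Finding]:
    """Walk from the AoI frame outward to the root (end) of the stack.

    frames[0] is the innermost frame and the last element is the root, so the
    walk classifies every frame from aoi_index to the end of the list.
    """
    if not 0 <= aoi_index < len(frames):
        raise ValueError("AoI frame index is outside the captured stack")
    findings = []
    for index in range(aoi_index, len(frames)):
        backing = module_for(frames[index].return_address, modules)
        findings.append(Finding(index, frames[index].return_address,
                                backing.name if backing else None))
    return findings


def score_action(frames: List[Frame], aoi_index: int,
                 modules: List[Module]) -> Tuple[float, List[Finding]]:
    """Return a confidence score in [0, 1] and the frames that drove it.

    Scoring rule (an assumption of this example, not the patent's): the
    fraction of walked frames whose return address no loaded module backs.
    """
    findings = walk_call_stack(frames, aoi_index, modules)
    unbacked = [f for f in findings if f.module is None]
    return len(unbacked) / len(findings), unbacked


# Constructed module map and stacks; addresses are illustrative only.
MODULES = [
    Module("app.exe", 0x140000000, 0x80000),
    Module("kernel32.dll", 0x7FF800400000, 0x100000),
    Module("ntdll.dll", 0x7FF800000000, 0x200000),
]

# Every return address lands inside a loaded module: a normal process spawn.
BENIGN_STACK = [
    Frame(0x7FF800012340, "ntdll!NtCreateUserProcess+0x14"),  # AoI frame
    Frame(0x7FF800412340, "kernel32!CreateProcessW+0x66"),
    Frame(0x140001234, "app!spawn_helper+0x34"),
    Frame(0x140000100, "app!main+0x40"),
]

# Frame 2 returns into a heap page that no module maps: the frame an
# injected, stack- or heap-resident payload leaves behind.
SUSPECT_STACK = [
    Frame(0x7FF800012340, "ntdll!NtCreateUserProcess+0x14"),  # AoI frame
    Frame(0x7FF800412340, "kernel32!CreateProcessW+0x66"),
    Frame(0x20012345678, "<no symbol>"),
    Frame(0x140000100, "app!main+0x40"),
]


if __name__ == "__main__":
    for name, stack in (("benign", BENIGN_STACK), ("suspect", SUSPECT_STACK)):
        score, unbacked = score_action(stack, 0, MODULES)
        print(f"{name}: score={score:.2f}")
        for f in unbacked:
            print(f"  frame {f.index}: return address {f.return_address:#x} "
                  f"is outside every loaded module")
```

A frame whose return address no loaded module backs is the signal the claims key on, but it is only one input: just-in-time compilers, hooking frameworks and trampolines in legitimate software also produce such frames, which is why the claims make the verdict "based at least in part" on the walk and why claim 18 yields a score rather than a binary result. A production agent would also need the module map captured at the moment of the AoI, since modules loaded or unloaded afterwards shift the ranges.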
Specification