Anomaly detection using sequences of system calls

US 10,241,847 B2
Filed: 07/19/2016
Issued: 03/26/2019
Est. Priority Date: 07/19/2016
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a call sequence anomaly, the method comprising:

receiving a message indicating an invocation of a programmatic procedure of an operating system, the message including a programmatic procedure identifier, a sender process identifier, and a receiver process identifier, wherein the invocation of the programmatic procedure is one invocation in a series of invocations of operating system programmatic procedures made from a process identified by the sender process identifier;

generating an invocation hash based on at least a portion of the message;

translating the invocation hash to an invocation identifier;

including the invocation identifier in a translated call sequence that comprises invocation identifiers for the series of invocations;

determining that the translated call sequence is not included in a plurality of predetermined call sequences, each of the predetermined call sequences comprising corresponding invocation identifiers, wherein each of the corresponding invocation identifiers is mapped to invocation hashes;

identifying the translated call sequence as an anomaly based on the determining; and

as a result the translated call sequence being identified as an anomaly, causing an action.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of detecting a call sequence anomaly in a message-based operating system are provided. A message may be received that indicates a programmatic procedure of an operating system was invoked. The message may include a programmatic procedure identifier, a sender process identifier, and a receiver process identifier. An invocation hash may be generated based on the message. The invocation hash may be translated to a smaller invocation identifier. The invocation identifier may be included in a translated call sequence that comprises invocation identifiers for a series of invocations. Depending on whether the translated call sequence is included in previously generated predetermined call sequences, the translated call sequence may be determined as an anomaly or not an anomaly.

26 Citations

20 Claims

1. A method of detecting a call sequence anomaly, the method comprising:
- receiving a message indicating an invocation of a programmatic procedure of an operating system, the message including a programmatic procedure identifier, a sender process identifier, and a receiver process identifier, wherein the invocation of the programmatic procedure is one invocation in a series of invocations of operating system programmatic procedures made from a process identified by the sender process identifier;
  
  generating an invocation hash based on at least a portion of the message;
  
  translating the invocation hash to an invocation identifier;
  
  including the invocation identifier in a translated call sequence that comprises invocation identifiers for the series of invocations;
  
  determining that the translated call sequence is not included in a plurality of predetermined call sequences, each of the predetermined call sequences comprising corresponding invocation identifiers, wherein each of the corresponding invocation identifiers is mapped to invocation hashes;
  
  identifying the translated call sequence as an anomaly based on the determining; and
  
  as a result the translated call sequence being identified as an anomaly, causing an action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the invocation hash is based on at least the receiver process identifier.
  - 3. The method of claim 1, wherein the message includes an indication of parameters passed to the programmatic procedure, and wherein the invocation hash is also based on the indication of parameters passed to the programmatic procedure.
  - 4. The method of claim 1, wherein the message includes a channel identifier, and wherein the invocation hash is also based on the channel identifier.
  - 5. The method of claim 1, wherein the message includes a receiver node identifier, and wherein the invocation hash is also based on the receiver node identifier.
  - 6. The method of claim 1, wherein translating the invocation hash comprises searching for the invocation hash in a translation table comprising invocation hashes associated with the invocation identifiers.
  - 7. The method of claim 6, wherein the invocation identifier is a row number in the translation table that includes the invocation hash.
  - 8. The method of claim 1, wherein the invocation hash is based on at least the sender process identifier and the receiver process identifier.

9. A non-transitory computer readable storage medium comprising computer executable instructions, the computer executable instructions executable by a processor, the computer executable instructions comprising:
- instructions executable to receive a message indicating an invocation of a programmatic procedure of an operating system, the message including a programmatic procedure identifier, a sender process identifier, and a receiver process identifier, wherein the invocation of the programmatic procedure is one invocation in a series of invocations of operating system programmatic procedures made from a process identified by the sender process identifier;
  
  instructions executable to generate an invocation hash based on at least a portion of the message;
  
  instructions executable to translate the invocation hash to an invocation identifier;
  
  instructions executable to include the invocation identifier in a translated call sequence that comprises invocation identifiers for the series of invocations;
  
  instructions executable to determine whether the translated call sequence is included in a plurality of predetermined call sequences, each of the predetermined call sequences comprising corresponding invocation identifiers, wherein each of the corresponding invocation identifiers is mapped to invocation hashes;
  
  instructions executable to identify the translated call sequence as an anomaly if the translated call sequence is not included in the predetermined call sequences and, otherwise, to determine the translated call sequence is not an anomaly; and
  
  instructions executable to, when the translated call sequence is identified as an anomaly, cause an action.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The non-transitory computer readable storage medium of claim 9, wherein a determination of whether the translated call sequence is included in the predetermined call sequences is based on a search for the translated call sequence in a table, wherein the table comprises rows of sets of invocation identifiers, each of the invocation identifiers is associated in a translation data structure with a corresponding invocation hash.
  - 11. The non-transitory computer readable storage medium of claim 9, wherein receipt of the message comprises a read of information about the invocation of the programmatic procedure from a trace file.
  - 12. The non-transitory computer readable storage medium of claim 9, wherein receipt of the message comprises receipt of the message in the form of a registered callback from the operating system.
  - 13. The non-transitory computer readable storage medium of claim 9, wherein the generation of the invocation hash comprises an application of a hash function that maps data of arbitrary size to data of a fixed size, the hash function applied to data comprising the programmatic procedure identifier, the sender process identifier, and the receiver process identifier.

14. A system to detect a call sequence anomaly, the system comprising:
- a processor configured to;
  
  receive a message indicating an invocation of a programmatic procedure of an operating system, the message including a programmatic procedure identifier, a sender process identifier, and a receiver process identifier, wherein the invocation of the programmatic procedure is one invocation in a series of invocations of operating system programmatic procedures made from a process identified by the sender process identifier;
  
  generate an invocation hash based on at least a portion of the message;
  
  translate the invocation hash to an invocation identifier;
  
  include the invocation identifier in a translated call sequence that comprises invocation identifiers for the series of invocations;
  
  determine whether the translated call sequence is included in a plurality of predetermined call sequences, each of the predetermined call sequences comprising corresponding invocation identifiers, wherein each of the corresponding invocation identifiers is mapped to invocation hashes;
  
  identify the translated call sequence as an anomaly if the translated call sequence is not included in the predetermined call sequences and, otherwise, to determine the translated call sequence is not an anomaly; and
  
  when the translated call sequence is identified as an anomaly, cause an action.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the processor is configured to generate the invocation hash based on at least the receiver process identifier.
  - 16. The system of claim 14, wherein the processor is configured to generate the invocation hash based on at least the sender process identifier and the receiver process identifier.
  - 17. The system of claim 14, wherein the message comprises the programmatic procedure identifier, the sender process identifier, the receiver process identifier, a channel identifier, a receiver node identifier, parameters of the programmatic procedure, and/or an indication of the parameters passed to the programmatic procedure.
  - 18. The system of claim 17, wherein the processor is configured to generate the invocation hash based on at least one of the programmatic procedure identifier, the sender process identifier, the receiver process identifier, the channel identifier, the receiver node identifier, the parameters of the programmatic procedure, and/or the indication of the parameters passed to the programmatic procedure.
  - 19. The system of claim 14, wherein the processor is configured to cause the action by changing a security level in response to identification of the translated call sequence as an anomaly.
  - 20. The system of claim 19, wherein the processor is configured to change the security level in response to a determination that the identification of the translated call sequence as an anomaly exceeds a threshold number of anomalies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blackberry Limited
Original Assignee
2236008 Ontario Inc. (Blackberry Limited)
Inventors
Al Sharnouby, Mohamed
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/213,874
Publication Number

US 20180024874A1
Time in Patent Office

980 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/4812   by interrupt, e.g. masked

G06F 9/4843   by program, e.g. task dispa...

G06F 9/546   Message passing systems or ...

Anomaly detection using sequences of system calls

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection using sequences of system calls

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links