
Identification of malicious execution of a process

  • US 10,467,409 B2
  • Filed: 12/23/2014
  • Issued: 11/05/2019
  • Est. Priority Date: 12/23/2014
  • Status: Active Grant
First Claim

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:

  • intercept a process;

  • determine that the process involves a privileged resource or a privileged operation;

  • store execution profiling for the process;

  • analyze code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;

  • determine an origin of the code involved in each stack frame;

  • determine whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;

  • persist data between sessions based on a determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and

  • trigger a security violation based on a determination that the code is not trusted.
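The per-frame origin and trust test in the claim can be illustrated with a short sketch. This is an added example, not the patent's implementation: it assumes a memory map in Linux `/proc/<pid>/maps` format, uses constructed addresses, and treats an address with no backing mapping as untrusted (an assumption the claim does not state).

```python
from typing import NamedTuple

# Constructed sample in Linux /proc/<pid>/maps format (not from a real process).
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131 /usr/bin/app
7f10a0000000-7f10a0021000 rw-p 00000000 00:00 0
7f10b2000000-7f10b21c0000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7f10c0000000-7f10c0001000 rwxp 00000000 00:00 0
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
"""

class Region(NamedTuple):
    start: int
    end: int
    perms: str
    origin: str

def parse_maps(text):
    """Parse maps lines into Region records; unnamed mappings get '[anonymous]'."""
    regions = []
    for line in text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 5:
            continue  # skip malformed lines
        start, end = (int(x, 16) for x in fields[0].split("-"))
        origin = fields[5].strip() if len(fields) > 5 else "[anonymous]"
        regions.append(Region(start, end, fields[1], origin))
    return regions

def classify(addr, regions):
    """Return (origin, trusted, reason) for the code a frame returns into."""
    region = next((r for r in regions if r.start <= addr < r.end), None)
    if region is None:
        return ("[unmapped]", False, "no backing mapping")  # assumption: fail closed
    if region.origin == "[stack]":
        return (region.origin, False, "code resides on the stack")
    if "w" in region.perms:
        return (region.origin, False, "code resides in writeable memory")
    return (region.origin, True, "read-only mapping")

def check_stack(return_addrs, regions):
    """Check frames innermost-first, as the stack unwinds; stop at the first untrusted one."""
    for depth, addr in enumerate(return_addrs):
        origin, trusted, reason = classify(addr, regions)
        if not trusted:
            return {"violation": True, "depth": depth, "origin": origin, "reason": reason}
    return {"violation": False, "depth": None, "origin": None, "reason": None}
```
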

  • 10 Assignments