Identification of malicious execution of a process

US 10,467,409 B2
Filed: 12/23/2014
Issued: 11/05/2019
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:

intercept a process;

determine that the process involves a privileged resource or a privileged operation;

store execution profiling for the process;

analyze code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;

determine an origin of the code involved in each stack frame;

determine whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;

persist data between sessions based on a determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and

trigger a security violation based on a determination that the code is not trusted.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.

Citations

14 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:
- intercept a process;
  
  determine that the process involves a privileged resource or a privileged operation;
  
  store execution profiling for the process;
  
  analyze code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;
  
  determine an origin of the code involved in each stack frame;
  
  determine whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
  
  persist data between sessions based on a determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
  
  trigger a security violation based on a determination that the code is not trusted.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - determine if the code involved for the process is signed by a trusted source.
  - 3. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - determine if the code matches a hash of a trusted executable processes.
  - 4. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - determine if an in memory image of the process matches an on disk image of the process.
  - 5. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - compare behavioral events with in memory behavioral events to determine that the process shows evidence of tampering.

6. An apparatus comprising:
- memory;
  
  a hardware processor configured to;
  
  intercept a process;
  
  determine that the process involves a privileged resource or a privileged operation;
  
  store execution profiling for the process;
  
  analyze code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;
  
  determine an origin of the code involved in each stack frame;
  
  determine whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
  
  persist data between sessions based on the determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
  
  trigger a security violation based on a determination that the code is not trusted.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the processor is further configured to:
    - determine if the code involved for the process is signed by a trusted source.
  - 8. The apparatus of claim 6, wherein the processor is further configured to:
    - determine if the process matches a hash of a trusted executable processes.
  - 9. The apparatus of claim 6, wherein the processor is further configured to:
    - determine if an in memory image of the process matches an on disk image of the process.
  - 10. The apparatus of claim 6, wherein the processor is further configured to:
    - compare behavioral events with in memory behavioral events to determine if the process shows evidence of tampering.

11. A method comprising:
- intercepting a process;
  
  determining that the process involves a privileged resource or a privileged operation;
  
  storing execution profiling for the process in memory;
  
  analyzing, using a hardware processor, code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;
  
  determining an origin of the code involved in each stack frame;
  
  determining whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
  
  persisting data between sessions based on the determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
  
  triggering a security violation based on the determination that the code is not trusted.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, further comprising:
    - determining if the process is signed by a trusted source.
  - 13. The method of claim 11, further comprising:
    - determining if the process matches a hash of a trusted executable processes.

14. A system for identification of malicious execution of a process, the system comprising:
- memory;
  
  a hardware processor configured for;
  
  intercepting a process;
  
  determining that the process involves a privileged resource or a privileged operation;
  
  storing execution profiling for the process;
  
  analyzing code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is examined as it unwinds;
  
  determining an origin of the code involved in each stack frame;
  
  determining whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
  
  persisting data between sessions based on a determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
  
  triggering a security violation based on a determination that the code is not trusted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Dalcher, Greg W.
Primary Examiner(s)
Rahim, Monjur

Application Number

US14/581,528
Publication Number

US 20160180089A1
Time in Patent Office

1,778 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

Identification of malicious execution of a process

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Identification of malicious execution of a process

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links