Exploit of privilege detection framework
First Claim
1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including:
- responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list;
- detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege;
- responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list;
- determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold;
- responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and
- responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process is operating with the current privilege due to the exploit of privilege attack.
Abstract
Described is a non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including: comparing a current privilege of a first process with an initial privilege of the first process recorded in a privilege list; and, responsive to determining that a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold, determining that the first process is operating with the current privilege due to an exploit of privilege attack.
27 Claims
1. (Claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system comprising:
- one or more processors; and
- a non-transitory storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:
  - responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list;
  - detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege;
  - responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list;
  - determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold;
  - responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and
  - responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process is operating with the current privilege due to the exploit of privilege attack.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17.
18. A method for detecting an exploit of privilege attack comprising:
- responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list;
- detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege;
- responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list;
- determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold;
- responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and
- responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process is operating with the current privilege due to the exploit of privilege attack.

Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27.
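The procedure shared by claims 1, 9 and 18 (privilege list populated at process creation, comparison on token modification, threshold, alert), as an added illustration that is not the patent's or any vendor's code. The privilege ranking, the `Token` and `PrivilegeMonitor` names, and the event sequence in `run_demo` are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ordinal ranking of privilege levels (assumption; a real monitor
# would derive this from the token's integrity level, groups or privileges).
PRIVILEGE_RANK = {"low": 1, "medium": 2, "high": 3, "system": 4}


@dataclass(frozen=True)
class Token:
    pid: int           # token is mapped one-to-one to a process at creation
    privilege: str     # key into PRIVILEGE_RANK


class PrivilegeMonitor:
    """Privilege list plus the compare/threshold/alert steps of the claims."""

    def __init__(self, threshold: int = 1):
        self.threshold = threshold          # predetermined threshold (rank delta)
        self.privilege_list: dict[int, tuple[str, int]] = {}  # pid -> (name, initial)
        self.alerts: list[str] = []

    def on_process_created(self, pid: int, name: str, token: Token) -> None:
        # Record identification info and the initial privilege set forth in the
        # token; refuse a token that is not the process's own.
        if token.pid != pid:
            raise ValueError(f"token for pid {token.pid} offered for pid {pid}")
        self.privilege_list[pid] = (name, PRIVILEGE_RANK[token.privilege])

    def on_token_modified(self, pid: int, token: Token) -> Optional[str]:
        """Compare current vs recorded privilege; return an alert string or None."""
        if pid not in self.privilege_list:
            return None    # untracked process: nothing recorded to compare against
        name, initial = self.privilege_list[pid]
        current = PRIVILEGE_RANK[token.privilege]
        if current - initial > self.threshold:   # change exceeds the threshold
            alert = f"exploit of privilege: pid {pid} ({name}) rank {initial} -> {current}"
            self.alerts.append(alert)
            return alert
        return None


def run_demo() -> list[str]:
    """Constructed event sequence: one small elevation within threshold, one jump."""
    mon = PrivilegeMonitor(threshold=1)
    mon.on_process_created(4242, "viewer.exe", Token(4242, "medium"))
    mon.on_token_modified(4242, Token(4242, "high"))     # delta 1: no alert
    mon.on_token_modified(4242, Token(4242, "system"))   # delta 2: alert
    return mon.alerts
```

The threshold is what separates a sanctioned elevation (one rank) from the jump the claims treat as an exploit; the untracked-process branch shows why the list must be populated at creation time for the comparison to mean anything.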