Detection of exploitative program code
First Claim
1. A method for detecting potentially exploitative code, the method comprising:
running potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code;
receiving computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code;
analyzing the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process;
identifying that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with an executable function; and
classifying the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.
1 Assignment
0 Petitions
Abstract
The present disclosure is directed to monitoring the internal process memory of a computer at the time program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, the methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chains of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when an application deviates from its regular code-execution path.
20 Claims
1. A method for detecting potentially exploitative code, the method comprising:
running potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code;
receiving computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code;
analyzing the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process;
identifying that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with an executable function; and
classifying the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
17. A non-transitory computer readable storage medium having embodied thereon a program executable by a processor for implementing a method for detecting potentially exploitative code, the method comprising:
running potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code;
receiving computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code;
analyzing the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process;
identifying that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with an executable function; and
classifying the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.
View Dependent Claims (18, 19)
20. An apparatus for detecting potentially exploitative code, the apparatus comprising:
a memory; and
a processor executing instructions out of the memory to:
run potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code,
receive computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code,
analyze the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process,
identify that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with an executable function, and
classify the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.
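As an added illustration of the detection idea in the claims above (this is not code from the patent or its assignee), a small Python detector that parses a memory map in the Linux /proc/<pid>/maps layout, checks instrumentation-recorded control transfers against it, and diffs two snapshots to catch a data region that has been re-protected as executable. The map lines, addresses and events are all constructed for the example.

```python
import re
from collections import namedtuple

# Constructed /proc/<pid>/maps snapshot in the proc(5) layout; every address here is made up.
MAPS_BEFORE = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/app/server
00600000-00601000 rw-p 00000000 08:01 1234 /opt/app/server
01a00000-01a21000 rw-p 00000000 00:00 0 [heap]
7f3c2e000000-7f3c2e1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""
# The same process a little later: the heap has been remapped executable (constructed).
MAPS_AFTER = MAPS_BEFORE.replace("01a21000 rw-p", "01a21000 rwxp")

# Constructed instrumentation events (kind, address): a call into libc, a return into the
# main image, and an indirect call whose target lies inside the heap, i.e. data used as code.
SAMPLE_EVENTS = [("call", 0x7F3C2E010A30), ("ret", 0x400812), ("icall", 0x01A0F000)]

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) \S+ \S+ \S+\s*(.*)$")
Region = namedtuple("Region", "start end perms name")

def is_executable(region):
    return "x" in region.perms

def parse_maps(text):
    """Parse maps-format lines into Region records; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            out.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4] or "[anon]"))
    return out

def check_control_transfers(regions, events):
    """Flag recorded call/return targets that do not land inside an executable mapping."""
    findings = []
    for kind, addr in events:
        region = next((r for r in regions if r.start <= addr < r.end), None)
        if region is None:
            findings.append((kind, addr, "unmapped"))
        elif not is_executable(region):
            findings.append((kind, addr, region.name))
    return findings

def newly_executable(before, after):
    """Regions non-executable in the earlier snapshot that are executable in the later one."""
    earlier = {(r.start, r.end): r for r in before}
    return [r for r in after if is_executable(r)
            and (r.start, r.end) in earlier and not is_executable(earlier[(r.start, r.end)])]

def classify(maps_text, events):
    """Verdict for one observation window: any flagged transfer makes the process suspicious."""
    return "suspicious" if check_control_transfers(parse_maps(maps_text), events) else "clean"
```

Once the heap has been remapped executable, the transfer check alone no longer fires for the same indirect call, which is why the snapshot diff is kept as a second signal.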