Method and system for tracking access to application data and preventing data exploitation by malicious programs
Abstract
Provided are a method and system for tracking access to application data and preventing data exploitation by malicious programs. In one example, the method includes shimming into a running process of the system to create at least one monitoring hook to monitor a program, building an execution path of the monitored program, and monitoring a behavior of the execution path for malicious behavior using the monitoring hook.
25 Claims
1. A method of detecting a malicious program on a computer system, the method comprising:
shimming into a running process of the system to create at least one monitoring hook to monitor a program;
building at least one execution path of the monitored program; and
monitoring a behavior of the at least one execution path for malicious behavior using the monitoring hook. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
15. The method of claim 1, wherein the building comprises:
responsive to receiving input from a user of the computer system, identifying a plurality of state transitions in a logical state machine triggered by the input;
identifying a sequence of calls to functions and application programming interfaces triggered by the plurality of state transitions; and
building the at least one execution path based on the sequence of calls.
16. A method of monitoring a program to detect malicious activity, the method comprising:
replacing an operating system message dispatcher function with a detection program dispatcher function;
detecting at least one function of interest using the detection program dispatcher function;
replacing the at least one function of interest with a monitoring function;
identifying a sequence of calls to functions and application programming interfaces triggered by the program's execution;
building at least one execution path based on the sequence of calls; and
monitoring for malicious behavior in the at least one execution path using the monitoring function. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
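Claims 15 and 16 together describe one mechanism: replace the message dispatcher so every user input is observed, hook the functions of interest, record the sequence of calls each input triggers as an execution path, and check each path against a malicious pattern. The following is an added, constructed simulation of that mechanism written for this page; it is not the patent's code. The ToyApp, its message kinds, the api_* names, the dispatcher signature and the single exfiltration rule are all assumptions chosen to make the technique observable in one runnable file.

```python
"""Simulated version of the hooking and execution-path technique in claims 15 and 16.

Constructed example for this page, not the patent's code. ToyApp, its message
kinds, the api_* names and the detection rule are all assumptions.
"""


class ToyApp:
    """Stand-in for the monitored application: inputs enter through dispatch(),
    which drives a small state machine whose handlers call api_* functions
    (stand-ins for OS / application APIs)."""

    def __init__(self):
        self.state = "IDLE"

    def api_read_file(self, path):
        return f"<contents of {path}>"

    def api_connect(self, host):
        return f"socket:{host}"

    def api_send(self, sock, data):
        return len(data)

    def api_show_dialog(self, text):
        return text

    def on_open(self, path):                  # state transition IDLE -> DOCUMENT_OPEN
        self.state = "DOCUMENT_OPEN"
        self.api_read_file(path)
        self.api_show_dialog(f"Opened {path}")

    def on_run_macro(self, macro):            # untrusted code runs with the app's APIs
        self.state = "MACRO_RUNNING"
        macro(self)

    def dispatch(self, msg):
        """Stand-in for the OS message dispatcher: routes (kind, arg) messages."""
        kind, arg = msg
        return {"OPEN": self.on_open, "RUN_MACRO": self.on_run_macro}[kind](arg)


def contains_in_order(pattern, seq):
    """True if every name in pattern occurs in seq in the same relative order."""
    it = iter(seq)
    return all(any(item == want for item in it) for want in pattern)


class ExecutionPathMonitor:
    """Shims into a running ToyApp and records one execution path per input."""

    def __init__(self, app, functions_of_interest, rules):
        self.app, self.rules = app, rules
        self.paths, self.alerts, self._current = [], [], None
        # Claim 16, step 1: replace the dispatcher with the detection dispatcher.
        self._original_dispatch = app.dispatch
        app.dispatch = self._detection_dispatch
        # Steps 2-3: replace each function of interest with a monitoring function.
        for name in functions_of_interest:
            setattr(app, name, self._monitoring_function(name, getattr(app, name)))

    def _monitoring_function(self, name, original):
        def hooked(*args, **kwargs):
            if self._current is not None:          # attribute the call to the live path
                self._current["calls"].append((name,) + args)
            return original(*args, **kwargs)       # keep the original behavior intact
        return hooked

    def _detection_dispatch(self, msg):
        # Claim 15: the input triggers state transitions; record the calls they cause.
        self._current = {"input": msg[0], "from": self.app.state, "calls": []}
        try:
            return self._original_dispatch(msg)
        finally:
            path, self._current = self._current, None
            path["to"] = self.app.state
            self.paths.append(path)
            self._check(path)

    def _check(self, path):
        names = [call[0] for call in path["calls"]]
        for rule_name, pattern in self.rules.items():
            if contains_in_order(pattern, names):
                self.alerts.append((rule_name, path["input"], names))


def exfiltrating_macro(app):
    """Constructed malicious macro: read the document, then ship it out silently."""
    data = app.api_read_file("budget.xlsx")
    app.api_send(app.api_connect("203.0.113.7"), data)


def run_demo():
    app = ToyApp()
    rules = {"file_exfiltration": ["api_read_file", "api_connect", "api_send"]}
    monitor = ExecutionPathMonitor(
        app, ["api_read_file", "api_connect", "api_send", "api_show_dialog"], rules)
    app.dispatch(("OPEN", "budget.xlsx"))              # benign path
    app.dispatch(("RUN_MACRO", exfiltrating_macro))    # malicious path
    return monitor.paths, monitor.alerts


if __name__ == "__main__":
    for p in run_demo()[0]:
        print(p["input"], p["from"], "->", p["to"], [c[0] for c in p["calls"]])
```

Running it prints one execution path per dispatched message, and only the macro path raises the constructed "file_exfiltration" rule, because the read-connect-send sequence is attributed to the single input that triggered it rather than to the process as a whole. The caveat a practitioner would add: hooks installed this way live inside the monitored process, so code that restores the original functions, calls the underlying system services directly, or runs before the shim is installed is not observed; the patent's claims describe the monitoring, not a guarantee that it cannot be bypassed.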
25. A malicious program detection system comprising:
a client; and
a server coupled to the client via a network, wherein the server includes a processor and a memory for executing and storing a detection program, respectively, the detection program configured to perform the steps of:
shimming into a running process of the client to create monitoring hooks in response to detecting a user login from the client;
building execution paths of a program to be monitored; and
monitoring behavior of the execution paths for malicious behavior using the monitoring hooks.
Specification