METHODS, MEDIA AND SYSTEMS FOR DETECTING ANOMALOUS PROGRAM EXECUTIONS
Abstract
Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
42 Claims
1. A method for detecting anomalous program executions, comprising:
executing at least a part of a program in an emulator;
comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and
identifying the function call as anomalous based on the comparison.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, comprising:
executing at least a part of a program in an emulator;
comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and
identifying the function call as anomalous based on the comparison.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A system for detecting anomalous program executions, comprising:
a digital processing device that:
executes at least a part of a program in an emulator;
compares a function call made in the emulator to a model of function calls for the at least a part of the program; and
identifies the function call as anomalous based on the comparison.
22. A method for detecting anomalous program executions, comprising:
modifying a program to include indicators of program-level function calls being made during execution of the program;
comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and
identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31
32. A computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, comprising:
modifying a program to include indicators of program-level function calls being made during execution of the program;
comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and
identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
Dependent claims: 33, 34, 35, 36, 37, 38, 39, 40, 41
42. A system for detecting anomalous program executions, comprising:
a digital processing device that:
modifies a program to include indicators of program-level function calls being made during execution of the program;
compares at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and
identifies a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
Specification