METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT
Abstract
A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.
22 Claims
1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- receive a set of indications of allowed behavior associated with an application;
- initiate an instance of the application within a sandbox environment;
- receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment; and
- send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An apparatus, comprising:
- a control module implemented in at least one of a memory or a processing device, the control module configured to initiate an instance of a first application and an instance of a second application within a sandbox environment,
- the control module configured to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the first application and a set of indications of actual behavior of the instance of the second application, an indication of a behavior being within both the set of indications of actual behavior of the instance of the first application and the set of indications of actual behavior of the instance of the second application,
- the control module configured to classify the behavior as an anomalous behavior for the first application based on a baseline behavior set for the first application,
- the control module configured to not classify the behavior as an anomalous behavior for the second application based on a baseline behavior set for the second application,
- the control module configured to send a signal in response to classifying the behavior as an anomalous behavior for the first application.

Dependent claims: 11, 12, 13, 14, 15
16. An apparatus, comprising:
- a control module implemented in at least one of a memory or a processing device, the control module configured to receive a set of indications of allowed behavior associated with a first application,
- the control module configured to initiate an instance of the first application within a sandbox environment such that the instance of the first application initiates an instance of a second application within the sandbox environment,
- the control module configured to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the second application in response to the instance of the first application initiating the instance of the second application,
- the control module configured to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior of the instance of the second application does not correspond to an indication from the set of indications of allowed behavior associated with the first application.

Dependent claims: 17, 18, 19, 20, 21, 22
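The comparison recited in claims 1, 10 and 16, as an added sketch that is not taken from the patent: each monitored event is attributed to the application the control module launched, child processes inherit that attribution, and any behavior outside that application's allowed set is reported. The event format, the glob-style matching, and all names and sample values below are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Event:
    """One indication of actual behavior, as a hypothetical monitor might emit it."""
    pid: int
    ppid: int
    image: str      # executable name seen by the monitor
    behavior: str   # normalized "category:detail" string (assumed format)

# Constructed per-application allowed-behavior sets (glob patterns are an assumption).
ALLOWED = {
    "pdf_reader": {"file_read:*.pdf", "net_connect:update.example.com:443"},
    "browser": {"file_read:*.pdf", "net_connect:*:443"},
}

# Instances the control module itself initiated in the sandbox: pid -> application.
ROOTS = {100: "browser", 200: "pdf_reader"}

# Constructed monitor output.
EVENTS = [
    Event(100, 1, "browser", "net_connect:203.0.113.7:443"),
    Event(200, 1, "pdf_reader", "file_read:/home/u/report.pdf"),
    Event(200, 1, "pdf_reader", "net_connect:203.0.113.7:443"),
    Event(201, 200, "helper", "file_write:/tmp/out.bin"),
    Event(201, 200, "helper", "file_read:/home/u/report.pdf"),
]

def find_anomalies(roots, events, allowed):
    """Return (application, event) pairs whose behavior is outside the allowed set.

    A process started by a monitored instance is judged against the allowed
    set of the application that launched it (the claim 16 case).
    """
    owner = dict(roots)
    anomalies = []
    for ev in events:
        if ev.pid not in owner:
            # Inherit attribution from the parent; unknown lineage has no baseline.
            owner[ev.pid] = owner.get(ev.ppid, "<unattributed>")
        app = owner[ev.pid]
        patterns = allowed.get(app, ())
        if not any(fnmatchcase(ev.behavior, p) for p in patterns):
            anomalies.append((app, ev))
    return anomalies

if __name__ == "__main__":
    for app, ev in find_anomalies(ROOTS, EVENTS, ALLOWED):
        print(f"anomalous for {app}: pid={ev.pid} image={ev.image} {ev.behavior}")
```

The same outbound connection is reported for `pdf_reader` but not for `browser`, which is the per-application classification of claim 10.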
Specification