SOFTWARE PROTECTION MECHANISM
First Claim
Patent Images
1. A method for monitoring executing software, the method comprising:
- monitoring behavior of software during execution;
based on comparison of the monitored behavior and corresponding expected behavior derived from analysis of the software, determining that the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger; and
automatically initiating an action in response to the determining.
3 Assignments
0 Petitions
Accused Products
Abstract
Techniques for detecting malware activity are described. In some examples, a method for monitoring executing software for malware may include monitoring behavior of software during execution. Based on comparison of the monitored behavior and corresponding expected behavior derived from analysis of the software, it may be determined that the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger. An appropriate action may be initiated in response.
-
Citations
23 Claims
-
1. A method for monitoring executing software, the method comprising:
-
monitoring behavior of software during execution; based on comparison of the monitored behavior and corresponding expected behavior derived from analysis of the software, determining that the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger; and automatically initiating an action in response to the determining. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A computing system comprising:
-
a computing device comprising at least one processor; a memory communicatively coupled to the processor when the system is operational, the memory having stored therein computer instructions that upon execution by the at least one processor cause; monitoring behavior of software during execution; based on comparison of the monitored behavior and corresponding modeled behavior derived from analysis of the software, determining that the monitored behavior deviates from the modeled behavior; and initiating a response based on the determining.
-
-
23. A computer readable storage medium storing thereon computer executable instructions for monitoring executing software, the computer readable storage medium comprising:
-
instructions for determining expected runtime behavior of source code or executable code; and instructions for generating a misbehavior/threat database and a binary program graph based on the determining, wherein an indication that monitored runtime behavior of the source code or executable code deviates from the expected runtime behavior can be generated based on comparison of the misbehavior/threat database and binary program graph with corresponding monitored runtime behavior.
-
Specification