SOFTWARE PROTECTION MECHANISM

US 20130333033A1
Filed: 06/06/2012
Published: 12/12/2013
Est. Priority Date: 06/06/2012
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring executing software, the method comprising:

monitoring behavior of software during execution;

based on comparison of the monitored behavior and corresponding expected behavior derived from analysis of the software, determining that the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger; and

automatically initiating an action in response to the determining.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting malware activity are described. In some examples, a method for monitoring executing software for malware may include monitoring behavior of software during execution. Based on comparison of the monitored behavior and corresponding expected behavior derived from analysis of the software, it may be determined that the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger. An appropriate action may be initiated in response.

Citations

23 Claims

1. A method for monitoring executing software, the method comprising:
- monitoring behavior of software during execution;
  
  based on comparison of the monitored behavior and corresponding expected behavior derived from analysis of the software, determining that the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger; and
  
  automatically initiating an action in response to the determining.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the analysis comprises decompilation of executable software into source code.
  - 3. The method of claim 1, wherein the analysis comprises processing of information received via an Application Programming Interface (API).
  - 4. The method of claim 1, wherein the analysis comprises parsing of source code prior to execution of the software.
  - 5. The method of claim 1, wherein the analysis comprises generation of a misbehavior/threat database based on source code conversion and information received via an API.
  - 6. The method of claim 3, wherein the analysis comprises generation of a binary program graph based on source code conversion and the received information.
  - 7. The method of claim 6, wherein the binary program graph corresponds to software program flow and comprises data structures, connectors, and pointers to executable machine commands.
  - 8. The method of claim 6, wherein the comparison is based on information received from the binary program graph and a misbehavior/threat database.
  - 9. The method of claim 1, wherein the analysis comprises generation of a first binary program graph representative of the expected behavior, and wherein the determining comprises creating a second binary program graph representative of the monitored behavior.
  - 10. The method of claim 9, wherein the determining comprises comparing the first binary program graph and its associated data structures or values with the second binary program graph and its associated data structures or values.
  - 11. The method of claim 1, wherein the expected behavior comprises interaction between system or other program calls and corresponding variables ranges, data structure ranges, and timing constraints.
  - 12. The method of claim 6, wherein the determining comprises matching software program flow and associated data structures or values against the binary program graph.
  - 13. The method of claim 1, wherein the predetermined trigger comprises a change in the program flow.
  - 14. The method of claim 1, wherein the predetermined trigger comprises an unexpected change in value of a system call variable.
  - 15. The method of claim 1, wherein the predetermined trigger comprises a variable value that is out of range.
  - 16. The method of claim 1, wherein the predetermined trigger comprises a response timeout.
  - 17. The method of claim 1, wherein the action comprises sending an alert.
  - 18. The method of claim 1, wherein the action comprises generating a programming patch and inserting the programming patch into the software.
  - 19. The method of claim 6, wherein the action comprises reconfiguring the binary program graph.
  - 20. The method of claim 1, wherein the action comprises blocking further execution of the software.
  - 21. The method of claim 1, wherein the software implements a virtual machine manager (VMM).

22. A computing system comprising:
- a computing device comprising at least one processor;
  
  a memory communicatively coupled to the processor when the system is operational, the memory having stored therein computer instructions that upon execution by the at least one processor cause;
  
  monitoring behavior of software during execution;
  
  based on comparison of the monitored behavior and corresponding modeled behavior derived from analysis of the software, determining that the monitored behavior deviates from the modeled behavior; and
  
  initiating a response based on the determining.

23. A computer readable storage medium storing thereon computer executable instructions for monitoring executing software, the computer readable storage medium comprising:
- instructions for determining expected runtime behavior of source code or executable code; and
  
  instructions for generating a misbehavior/threat database and a binary program graph based on the determining, wherein an indication that monitored runtime behavior of the source code or executable code deviates from the expected runtime behavior can be generated based on comparison of the misbehavior/threat database and binary program graph with corresponding monitored runtime behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Original Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Inventors
Khesin, Oscar

Granted Patent

US 9,405,899 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

G06F 21/566 Dynamic detection, i.e. det...

SOFTWARE PROTECTION MECHANISM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SOFTWARE PROTECTION MECHANISM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links