IDENTIFICATION OF MALICIOUS EXECUTION OF A PROCESS

US 20160180089A1
Filed: 12/23/2014
Published: 06/23/2016
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:

intercept a process;

upon a determine that the process involves a privileged resource or a privileged operation;

store execution profiling for the process;

analyze code involved in each stack frame for the process to determine malicious activity;

allow for persistence of data between sessions if the process is not determined as malicious; and

trigger a security violation if malicious activity is determined.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.

Citations

25 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:
- intercept a process;
  
  upon a determine that the process involves a privileged resource or a privileged operation;
  
  store execution profiling for the process;
  
  analyze code involved in each stack frame for the process to determine malicious activity;
  
  allow for persistence of data between sessions if the process is not determined as malicious; and
  
  trigger a security violation if malicious activity is determined.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - allow the process and persistence of data between sessions if the process does not involve a privileged resource or a privileged operation.
  - 3. The at least one computer-readable medium of claim 1, wherein an origin of the code involved in each stack frame is determined and analyzed.
  - 4. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - determine if the code involved for the process is signed by a trusted source.
  - 5. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - determine if the code matches a hash of a trusted executable processes.
  - 6. The at least one computer-readable medium of claim 1, wherein each stack frame is analyzed as it unwinds.
  - 7. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - determine if an in memory image of the process matches an on disk image of the process.
  - 8. The at least one computer-readable medium of claim 1, further comprising one or more instructions that, when executed by at least one processor, further cause the at least one processor to:
    - compare behavioral events with in memory behavioral events to determine if the process shows evidence of tampering.

9. An apparatus comprising:
- memory;
  
  a hardware processor; and
  
  an execution profiling module configured to;
  
  intercept a process;
  
  upon a determine that the process involves a privileged resource or a privileged operation;
  
  store execution profiling for the process if the process involves a privileged resource or a privileged operation;
  
  analyze code involved in each stack frame for the process to determine malicious activity;
  
  allow for persistence of data between sessions if the process is not determined as malicious; and
  
  trigger a security violation if malicious activity is determined.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the execution profiling module is further configured to:
    - allow the process and persistence of data between sessions if the process does not involve a privileged resource or a privileged operation.
  - 11. The apparatus of claim 9, wherein an origin of the code involved in each stack frame is determined and analyzed.
  - 12. The apparatus of claim 9, wherein the execution profiling module is further configured to:
    - determine if the code involved for the process is signed by a trusted source.
  - 13. The apparatus of claim 9, wherein the execution profiling module is further configured to:
    - determine if the process matches a hash of a trusted executable processes.
  - 14. The apparatus of claim 9, wherein each stack frame is analyzed as it unwinds.
  - 15. The apparatus of claim 9, wherein the execution profiling module is further configured to:
    - determine if an in memory image of the process matches an on disk image of the process.
  - 16. The apparatus of claim 9, wherein the execution profiling module is further configured to:
    - compare behavioral events with in memory behavioral events to determine if the process shows evidence of tampering.

17. A method comprising:
- intercepting a process;
  
  upon a determine that the process involves a privileged resource or a privileged operation;
  
  storing execution profiling for the process in memory;
  
  analysing, using a hardware processor, code involved in each stack frame for the process to determine malicious activity;
  
  allowing for persistence of data between sessions if the process is not determined as malicious; and
  
  triggering a security violation if malicious activity is determined.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, further comprising:
    - allowing the process and persistence of data between sessions if the process does not involve a privileged resource or a privileged operation.
  - 19. The method of claim 17, wherein an origin of the code involved in each stack frame is determined and analyzed.
  - 20. The method of claim 17, further comprising:
    - determining if the process is signed by a trusted source.
  - 21. The method of claim 17, further comprising:
    - determining if the process matches a hash of a trusted executable processes.
  - 22. The method of claim 17, further comprising:
    - determining if the code involved in each stack frame resides in memory that is writeable.
  - 23. The method of claim 17, wherein each stack frame is analyzed as it unwinds.

24. A system for identification of malicious execution of a process, the system comprising:
- memory;
  
  a hardware processor; and
  
  an execution profiling module configured for;
  
  intercepting a process;
  
  upon a determine that the process involves a privileged resource or a privileged operation;
  
  storing execution profiling for the process;
  
  analyzing code involved in each stack frame for the process to determine malicious activity, wherein each stack frame is examined as it unwinds;
  
  allowing for persistence of data between sessions if the process is not determined as malicious; and
  
  triggering a security violation if malicious activity is determined.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein an origin of the code involved in each stack frame is determined and analyzed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dalcher, Greg W.

Granted Patent

US 10,467,409 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

IDENTIFICATION OF MALICIOUS EXECUTION OF A PROCESS

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFICATION OF MALICIOUS EXECUTION OF A PROCESS

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links