IDENTIFICATION OF MALICIOUS EXECUTION OF A PROCESS
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.
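The flow in the abstract, as an added Python illustration that is not taken from the patent. The operation names, the memory map and the per-frame heuristic (a return address must fall in read-only, image-backed memory) are assumptions; the page does not say how a frame is judged malicious.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Region:                 # one mapped memory range of the process
    start: int
    end: int
    module: Optional[str]     # backing image on disk; None = anonymous memory
    writable: bool

# Hypothetical operation names; the page does not list which are "privileged".
PRIVILEGED_OPS = {"open_process_memory", "set_autostart_entry"}

class ExecutionProfiler:
    def __init__(self, regions):
        self.regions = regions
        self.profiles = []        # stored execution profiles (privileged events only)
        self.may_persist = set()  # pids allowed to keep data between sessions

    def _check_frame(self, addr):
        """Assumed heuristic: code must sit in read-only, image-backed memory."""
        region = next((r for r in self.regions if r.start <= addr < r.end), None)
        if region is None:
            return "unmapped"
        if region.module is None:
            return "unbacked"
        return "writable" if region.writable else None

    def intercept(self, pid, operation, stack):
        """stack: return addresses, innermost frame first (unwind order)."""
        if operation not in PRIVILEGED_OPS:
            return "not-analyzed", []          # gate: no profile, no frame walk
        findings = []
        for depth, addr in enumerate(stack):   # examine each frame as it unwinds
            reason = self._check_frame(addr)
            if reason:
                findings.append((depth, hex(addr), reason))
        self.profiles.append((pid, operation, tuple(stack), findings))
        if findings:
            self.may_persist.discard(pid)
            return "security-violation", findings
        self.may_persist.add(pid)
        return "allowed", []

# Constructed memory map and call stacks, for illustration only.
REGIONS = [Region(0x400000, 0x480000, "app.exe", False),
           Region(0x7F0000, 0x7F8000, "runtime.dll", False),
           Region(0x900000, 0x910000, None, True)]
CLEAN = [0x7F0120, 0x401A40, 0x400F00]
INJECTED = [0x7F0120, 0x900040, 0x401A40]   # middle frame is in anonymous memory
```

Because the gate runs first, an operation outside the privileged set is never profiled, so detection coverage depends on how that set is defined.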
25 Claims
1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:
- intercept a process;
- upon a determine that the process involves a privileged resource or a privileged operation;
- store execution profiling for the process;
- analyze code involved in each stack frame for the process to determine malicious activity;
- allow for persistence of data between sessions if the process is not determined as malicious; and
- trigger a security violation if malicious activity is determined.

Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. An apparatus comprising:
- memory;
- a hardware processor; and
- an execution profiling module configured to;
  - intercept a process;
  - upon a determine that the process involves a privileged resource or a privileged operation;
  - store execution profiling for the process if the process involves a privileged resource or a privileged operation;
  - analyze code involved in each stack frame for the process to determine malicious activity;
  - allow for persistence of data between sessions if the process is not determined as malicious; and
  - trigger a security violation if malicious activity is determined.

Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A method comprising:
- intercepting a process;
- upon a determine that the process involves a privileged resource or a privileged operation;
- storing execution profiling for the process in memory;
- analysing, using a hardware processor, code involved in each stack frame for the process to determine malicious activity;
- allowing for persistence of data between sessions if the process is not determined as malicious; and
- triggering a security violation if malicious activity is determined.

Dependent claims: 18, 19, 20, 21, 22, 23
24. A system for identification of malicious execution of a process, the system comprising:
- memory;
- a hardware processor; and
- an execution profiling module configured for;
  - intercepting a process;
  - upon a determine that the process involves a privileged resource or a privileged operation;
  - storing execution profiling for the process;
  - analyzing code involved in each stack frame for the process to determine malicious activity, wherein each stack frame is examined as it unwinds;
  - allowing for persistence of data between sessions if the process is not determined as malicious; and
  - triggering a security violation if malicious activity is determined.

Dependent claims: 25
Specification