COMPARING STRUCTURAL INFORMATION OF A SNAPSHOT OF SYSTEM MEMORY
Abstract
Examples relate to snapshots of system memory. In an example implementation, structural information of a process in a snapshot of system memory is compared with hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory to determine whether there is a structural anomaly.
11 Citations
20 Claims
1. A non-transitory computer readable storage medium storing instructions executable by a processor to:
- obtain structural information of a process extracted from a snapshot of system memory wherein the structural information includes a hash or fuzzy hash of each executable region of the process;
- compare the structural information of the process with a process model which includes hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory;
- determine there is a structural anomaly in response to a determination that the structural information includes a hash or fuzzy hash which is inconsistent with the process model; and
- in response to determining that there is a structural anomaly, generate a malware alert.
Dependent claims: 2, 3, 4, 5
6. A method comprising:
- obtaining a first snapshot of system memory including a first process;
- after obtaining the first snapshot, launching a second process;
- after launching the second process, obtaining a second snapshot of system memory;
- making a comparison of structural information of the first snapshot with structural information of the second snapshot; and
- determining, based on the comparison, whether there is a structural anomaly which indicates that a structure of the first process has changed between the first snapshot and the second snapshot;
wherein making a comparison of the structural information of the first snapshot with the structural information of the second snapshot includes comparing hashes or fuzzy hashes of executable regions of the first process in the first snapshot with hashes or fuzzy hashes of executable regions of the first process in the second snapshot.
Dependent claims: 7, 8, 9, 10, 11, 13, 14
12. The method of claim 6 further comprising, in response to determining that there is a structural anomaly, generating an indicator of compromise for use in a malware detection system, said indicator of compromise including information relating to the structural anomaly.
15. A non-transitory machine readable medium storing instructions which are executable by a processor to:
- obtain a snapshot of system memory of a computer system, the snapshot including a plurality of shared libraries;
- for each shared library in the snapshot, perform at least one of:
  (a) make a comparison of code of the shared library in the snapshot with code of a corresponding shared library in a previous snapshot of the system memory to determine whether there is a difference;
  (b) obtain, from metadata included in the snapshot, a pathname from which the shared library was loaded and make a comparison of code of the shared library in the snapshot with code of the shared library at the pathname to determine whether there is a difference;
  (c) determine whether there is a difference between a pathname of the shared library according to a module list included in the snapshot and a pathname of the shared library according to a memory mapped file of a kernel included in the snapshot; and
- generate a malware alert, in response to a determination that there is a difference.
Dependent claims: 16, 17, 18, 19, 20
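The following is an added worked example, not code from the patent or its assignee, showing the two checks the claims describe: claim 1's comparison of per-region hashes of a process against a model built from a previous snapshot, and claim 15's three shared-library consistency checks (code versus the previous snapshot, code versus the file at the recorded pathname, and module-list pathname versus kernel mapped-file pathname). The snapshot layout, process and library names, pathnames and region contents are all constructed sample data, and the chunk-set "fuzzy hash" with Jaccard similarity is a stand-in for a real piecewise hash such as ssdeep or TLSH, not the patent's algorithm.

```python
"""Added example: structural comparison of process memory across two snapshots.
All snapshot contents below are constructed sample data (assumption), and the
chunk-set fuzzy hash is a toy stand-in for ssdeep/TLSH-style hashing."""
import hashlib
from dataclasses import dataclass

CHUNK = 16  # chunk size for the toy fuzzy hash (assumption)


def region_hash(code: bytes) -> str:
    """Exact hash of one executable region."""
    return hashlib.sha256(code).hexdigest()


def fuzzy_hash(code: bytes) -> frozenset:
    """Toy piecewise hash: the set of truncated digests of fixed-size chunks.
    Two regions are compared by the Jaccard index of their chunk sets."""
    return frozenset(hashlib.sha256(code[i:i + CHUNK]).hexdigest()[:8]
                     for i in range(0, len(code), CHUNK))


def similarity(a: frozenset, b: frozenset) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


@dataclass
class Process:
    name: str
    regions: dict  # region name -> executable bytes


@dataclass
class Snapshot:
    processes: dict     # process name -> Process
    module_list: dict   # library -> pathname per the loader's module list
    mapped_files: dict  # library -> pathname per the kernel's mapped files
    libraries: dict     # library -> code bytes found in memory


def structural_info(proc: Process) -> dict:
    """Claim 1's structural information: hash and fuzzy hash per region."""
    return {r: (region_hash(c), fuzzy_hash(c)) for r, c in proc.regions.items()}


def compare_process(current: Process, model: dict, threshold: float = 0.9) -> list:
    """Anomalies of a process against the model taken from a previous snapshot.
    A region absent from the model or whose hash differs is an anomaly; the
    fuzzy similarity tells a small patch from a wholesale rewrite."""
    anomalies = []
    for region, (h, fh) in structural_info(current).items():
        if region not in model:
            anomalies.append(f"{current.name}: new executable region {region}")
            continue
        model_hash, model_fuzzy = model[region]
        if h == model_hash:
            continue
        sim = similarity(fh, model_fuzzy)
        kind = "modified" if sim < threshold else "drifted"
        anomalies.append(f"{current.name}: region {region} {kind} (similarity {sim:.2f})")
    return anomalies


def check_libraries(snap: Snapshot, previous: Snapshot, disk_files: dict) -> list:
    """Claim 15's checks (a), (b) and (c) for every shared library in a snapshot.
    disk_files maps a pathname to the file's code bytes (constructed here)."""
    alerts = []
    for lib, code in snap.libraries.items():
        prev = previous.libraries.get(lib)                      # (a)
        if prev is not None and region_hash(prev) != region_hash(code):
            alerts.append(f"{lib}: code differs from previous snapshot")
        path = snap.module_list.get(lib)                        # (b)
        on_disk = disk_files.get(path)
        if on_disk is not None and region_hash(on_disk) != region_hash(code):
            alerts.append(f"{lib}: in-memory code differs from {path}")
        mapped = snap.mapped_files.get(lib)                     # (c)
        if mapped is not None and path is not None and mapped != path:
            alerts.append(f"{lib}: module list says {path}, kernel mapping says {mapped}")
    return alerts


# Constructed sample regions: a 64-byte text section, the same section with
# four bytes overwritten, and a 32-byte library body with a four-byte patch.
MAIN_TEXT = bytes(range(64))
MAIN_TEXT_PATCHED = MAIN_TEXT[:32] + b"\x90" * 4 + MAIN_TEXT[36:]
LIB_OK = b"\x55\x48\x89\xe5" * 8
LIB_PATCHED = LIB_OK[:8] + b"\xcc" * 4 + LIB_OK[12:]


def constructed_snapshots():
    """Previous and current snapshots plus on-disk file contents (all constructed)."""
    prev = Snapshot(processes={"svc": Process("svc", {".text": MAIN_TEXT})},
                    module_list={"libc.so": "/lib/libc.so"},
                    mapped_files={"libc.so": "/lib/libc.so"},
                    libraries={"libc.so": LIB_OK})
    cur = Snapshot(processes={"svc": Process("svc", {".text": MAIN_TEXT_PATCHED,
                                                     "anon_rwx": b"\x90" * 16})},
                   module_list={"libc.so": "/lib/libc.so"},
                   mapped_files={"libc.so": "/tmp/libc.so"},
                   libraries={"libc.so": LIB_PATCHED})
    return prev, cur, {"/lib/libc.so": LIB_OK}


if __name__ == "__main__":
    prev, cur, disk = constructed_snapshots()
    model = structural_info(prev.processes["svc"])
    for line in compare_process(cur.processes["svc"], model) + check_libraries(cur, prev, disk):
        print("ALERT", line)
```

Run stand-alone, the script reports the patched `.text` region (chunk similarity 0.60 against the model), the `anon_rwx` region that has no counterpart in the model, and all three library checks firing for the constructed `libc.so`; comparing the previous snapshot against its own model yields no alerts, which is the baseline a deployment would expect between clean snapshots.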