COMPARING STRUCTURAL INFORMATION OF A SNAPSHOT OF SYSTEM MEMORY

US 20180218153A1
Filed: 01/31/2017
Published: 08/02/2018
Est. Priority Date: 01/31/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium storing instructions executable by a processor to:

obtain structural information of a process extracted from a snapshot of system memory wherein the structural information includes a hash or fuzzy hash of each executable region of the process;

compare the structural information of the process with a process model which includes hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory;

determine there is a structural anomaly in response to a determination that the structural information includes a hash or fuzzy hash which is inconsistent with the process model; and

in response to determining that there is a structural anomaly, generate a malware alert.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples relate to snapshots of system memory. In an example implementation, structural information of a process in a snapshot of system memory is compared with hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory to determine whether there is a structural anomaly.

11 Citations

20 Claims

1. A non-transitory computer readable storage medium storing instructions executable by a processor to:
- obtain structural information of a process extracted from a snapshot of system memory wherein the structural information includes a hash or fuzzy hash of each executable region of the process;
  
  compare the structural information of the process with a process model which includes hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory;
  
  determine there is a structural anomaly in response to a determination that the structural information includes a hash or fuzzy hash which is inconsistent with the process model; and
  
  in response to determining that there is a structural anomaly, generate a malware alert.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The medium of claim 1 wherein the malware alert triggers instructions to analyse at least a portion of the code of an executable region that includes the structural anomaly to determine whether the executable region is infected with malware.
  - 3. The medium of claim 1 wherein the instructions include instructions to match the process in the snapshot of system memory with one process model of a plurality of process models, in response to an identifier of the process matching an identifier of said one of the plurality of process models.
  - 4. The medium of claim 1 wherein the structural information of the process includes a fuzzy hash of at least one executable region of the process and the instructions include instructions to determine that said fuzzy hash is inconsistent with the process model in response to determining that the process model does not include a matching fuzzy hash.
  - 5. The medium of claim 1 wherein the instructions include instructions to determine that a hash or fuzzy hash of an executable region of the process is inconsistent with the process model in response to determining that the process includes an executable region which has the same name, but a different hash or fuzzy hash, compared to the executable region in the process model.

6. A method comprising:
- obtaining a first snapshot of system memory including a first process;
  
  after obtaining the first snapshot, launching a second process;
  
  after launching the second process obtaining a second snapshot of system memory;
  
  making a comparison of structural information of the first snapshot with structural information of the second snapshot; and
  
  determining, based on the comparison, whether there is a structural anomaly which indicates that a structure of the first process has changed between the first snapshot and the second snapshot;
  
  wherein making a comparison of the structural information of the first snapshot with the structural information of the second snapshot includes comparing hashes or fuzzy hashes of executable regions of the first process in the first snapshot with hashes or fuzzy hashes of executable regions of the first process in the second snapshot.
- View Dependent Claims (7, 8, 9, 10, 11, 13, 14)
- - 7. The method of claim 6 comprising determining that there is a structural anomaly, in response to determining that a hash or fuzzy hash of the first process exists in the second snapshot and does not exist in the first snapshot.
  - 8. The method of claim 6 comprising determining that there is a structural anomaly, in response to determining that an executable region of the first process has a different hash or different fuzzy hash in the second snapshot compared to the first snapshot.
  - 9. The method of claim 6 comprising determining that there is a structural anomaly, in response to determining, based on a fuzzy hash, that an anonymous executable region of the first process exists in the second snapshot and that there is no corresponding anonymous executable region in the first snapshot.
  - 10. The method of claim 6 further comprising, in response to determining that there is a structural anomaly, analysing code of an executable region which corresponds to the structural anomaly.
  - 11. The method of claim 6 further comprising, in response to determining that there is a structural anomaly, generating a malware alert.
  - 13. The method of claim 6 comprising launching a plurality of first processes before obtaining the first snapshot of system memory and comparing structural information of each of said first processes in the first snapshot with structural information of a corresponding process in the second snapshot.
  - 14. The method of claim 6, comprising obtaining structural information of the first process in the first snapshot and the second snapshot by identifying structural features of the first process in each of the first snapshot and the second snapshot and determining a name, hash or fuzzy hash for each identified structural feature.

12. The method of 6 further comprising, in response to determining that there is a structural anomaly, generating an indicator of compromise for use in a malware detection system, said indicator of compromise including information relating to the structural anomaly.

15. A non-transitory machine readable medium storing instructions which are executable by a processor to:
- obtain a snapshot of system memory of a computer system, the snapshot including a plurality of shared libraries;
  
  for each shared library in the snapshot, perform at least one of;
  
  (a) make a comparison of code of the shared library in the snapshot with code of a corresponding shared library in a previous snapshot of the system memory to determine whether there is a difference;
  
  (b) obtain, from metadata included in the snapshot, a pathname from which the shared library was loaded and make a comparison of code of the shared library in the snapshot with code of the shared library at the pathname to determine whether there is a difference;
  
  (c) determine whether there is a difference between a pathname of the shared library according to a module list included in the snapshot and a pathname of the shared library according to a memory mapped file of a kernel included in the snapshot;
  
  and generate a malware alert, in response to a determination that there is a difference.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The medium of claim 15 wherein the instructions to make a comparison include instructions to compare an initial portion of the shared library in the snapshot with an initial portion of the corresponding shared library from the previous snapshot, or with an initial portion of the shared library at the pathname, without comparing the whole content of the shared library.
  - 17. The medium of claim 15 wherein the instructions include instructions to, in response to a determination that there is a difference, conduct a byte-wise analysis to determine whether the shared library in the snapshot includes a sequence of bytes which is indicative of a hook to an executable.
  - 18. The medium of claim 16 wherein the instructions include instructions to generate the malware alert in response to determining that the shared library in the snapshot includes a hook to an unsigned executable.
  - 19. The medium of claim 15 wherein the instructions to obtain, from metadata included in the snapshot, a pathname from which the shared library was loaded comprises one of:
    - instructions to determine a pathname of the shared library from a process list included in the snapshot and instructions to determine a pathname of the shared library from a memory mapped file relating to the shared library in a kernel.
  - 20. The medium of claim 15 wherein the instructions to make a comparison of the shared library, with a corresponding shared library in a previous snapshot or with a shared library at a pathname, include instructions to make a byte-wise comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Edwards, Nigel, Wray, Michael John

Granted Patent

US 10,783,246 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

COMPARING STRUCTURAL INFORMATION OF A SNAPSHOT OF SYSTEM MEMORY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

COMPARING STRUCTURAL INFORMATION OF A SNAPSHOT OF SYSTEM MEMORY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others