MEMORY LAYOUT BASED MONITORING
Abstract
Techniques for monitoring based on a memory layout of an application are disclosed. A memory layout may be received, obtained, and/or generated from an application executing on a computer. Based on one or more attributes of a plurality of memory regions of the memory layout, a memory layout fingerprint is generated. Additionally, memory region fingerprints are generated based on the one or more attributes for respective memory regions. The memory layout fingerprint and the memory region fingerprints are compared to respective previous memory layout fingerprints and the memory region fingerprints in order to determine whether malicious code and/or application drifting has occurred.
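The fingerprint-and-compare flow the abstract describes, as an added Python example that is not taken from the patent. It assumes a Linux `/proc/<pid>/maps`-style listing as the layout source, SHA-256 as the fingerprint function, and that absolute addresses are excluded from the hashed attributes so ASLR alone does not raise a discrepancy; all sample data is constructed.

```python
import hashlib

# Constructed sample layouts in Linux /proc/<pid>/maps style (an assumption;
# the abstract names no source format): start-end perms offset dev inode path
BASELINE = """\
55d0a1c00000-55d0a1c21000 r-xp 00000000 08:01 131 /opt/app/server
55d0a1e20000-55d0a1e22000 rw-p 00020000 08:01 131 /opt/app/server
7f3b4a000000-7f3b4a1c0000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7ffd1b2e0000-7ffd1b301000 rw-p 00000000 00:00 0 [stack]
"""
# Later run: ASLR moved every base address, and one anonymous rwx region appeared.
CURRENT = """\
5633f8400000-5633f8421000 r-xp 00000000 08:01 131 /opt/app/server
5633f8620000-5633f8622000 rw-p 00020000 08:01 131 /opt/app/server
7f91c2000000-7f91c21c0000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7f91c3000000-7f91c3010000 rwxp 00000000 00:00 0
7ffe9a4d0000-7ffe9a4f1000 rw-p 00000000 00:00 0 [stack]
"""

def parse_regions(maps_text):
    """Return (name, perms, offset, size) per region; absolute addresses are dropped."""
    regions = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        name = fields[5].strip() if len(fields) == 6 else "[anon]"
        regions.append((name, fields[1], int(fields[2], 16), end - start))
    return regions

def region_fingerprint(region):
    return hashlib.sha256(repr(region).encode()).hexdigest()

def layout_fingerprint(regions):
    # Sorted so the layout fingerprint does not depend on address ordering.
    joined = "\n".join(sorted(region_fingerprint(r) for r in regions))
    return hashlib.sha256(joined.encode()).hexdigest()

def discrepancies(previous_text, current_text):
    """Return [] when layout fingerprints match, else the regions that differ."""
    prev, cur = parse_regions(previous_text), parse_regions(current_text)
    if layout_fingerprint(prev) == layout_fingerprint(cur):
        return []
    prev_fp = {region_fingerprint(r): r for r in prev}
    cur_fp = {region_fingerprint(r): r for r in cur}
    added = [("added", cur_fp[f]) for f in cur_fp.keys() - prev_fp.keys()]
    removed = [("removed", prev_fp[f]) for f in prev_fp.keys() - cur_fp.keys()]
    return sorted(added + removed)
```

The layout fingerprint acts as the cheap first-pass comparison, and the per-region fingerprints are consulted only on mismatch to localize which region changed.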
20 Claims
1. A method, comprising:
accessing information indicative of a memory layout for an application executing on a first computer, wherein the memory layout includes a memory region specifically allocated for the application in association with the application being launched on the first computer, wherein the memory layout specifies one or more attributes associated with the memory region;
generating a current memory layout fingerprint for the application, while it is executing on the first computer, based on at least one of the one or more attributes of the memory region;
comparing the current memory layout fingerprint for the application to a previous memory layout fingerprint for the application, wherein the previous memory layout fingerprint was generated based on a previous memory layout associated with a previous execution of the application; and
in response to the comparing indicating a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, generating a discrepancy indicator regarding the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A non-transitory computer-readable medium having stored thereon instructions that are executable by a computer system to cause the computer system to perform operations comprising:
accessing information indicative of a memory layout for an application executing on a first computer, wherein the memory layout includes a memory region dynamically allocated for the application in association with the application being launched on the first computer, wherein the memory layout specifies one or more attributes associated with the memory region;
generating a current memory layout fingerprint for the application, while it is executing on the first computer, based on at least one of the one or more attributes of the memory region;
comparing the current memory layout fingerprint for the application to a previous memory layout fingerprint for the application, wherein the previous memory layout fingerprint was generated based on a previous memory layout associated with a previous execution of the application; and
in response to the comparing indicating a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, generating a discrepancy indicator regarding the application.
Dependent claims: 13, 14, 15, 16
17. A system, comprising:
a processor; and
a non-transitory computer-readable medium having stored thereon instructions that are executable by the system to cause the system to perform operations comprising:
accessing information indicative of a memory layout for an application executing on a first computer, wherein the memory layout includes a memory region specifically allocated for the application subsequent to execution of a command to open the application on the first computer, wherein the memory layout specifies one or more attributes associated with the memory region;
generating a current memory layout fingerprint for the application, while it is executing on the first computer, based on at least one of the one or more attributes of the memory region;
comparing the current memory layout fingerprint for the application to a previous memory layout fingerprint for the application, wherein the previous memory layout fingerprint was generated based on a previous memory layout associated with a previous execution of the application; and
in response to the comparing indicating a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, generating a discrepancy indicator regarding the application.
Dependent claims: 18, 19, 20
Specification