MEMORY LAYOUT BASED MONITORING

US 20200134181A1
Filed: 12/24/2019
Published: 04/30/2020
Est. Priority Date: 06/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

accessing information indicative of a memory layout for an application executing on a first computer, wherein the memory layout includes a memory region specifically allocated for the application in association with the application being launched on the first computer, wherein the memory layout specifies one or more attributes associated with the memory region;

generating a current memory layout fingerprint for the application, while it is executing on the first computer, based on at least one of the one or more attributes of the memory region;

comparing the current memory layout fingerprint for the application to a previous memory layout fingerprint for the application, wherein the previous memory layout fingerprint was generated based on a previous memory layout associated with a previous execution of the application; and

in response to the comparing indicating a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, generating a discrepancy indicator regarding the application.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for monitoring based on a memory layout of an application are disclosed. A memory layout may be received, obtained, and/or generated from an application executing on a computer. Based on one or more attributes of a plurality of memory regions of the memory layout a memory layout fingerprint is generated. Additionally, memory region fingerprints are generated based on the one or more attributes for respective memory regions. The memory layout fingerprint and the memory region fingerprints are compared to respective previous memory layout fingerprints and the memory region fingerprints in order to determine whether malicious code and/or application drifting has occurred.

Citations

20 Claims

1. A method, comprising:
- accessing information indicative of a memory layout for an application executing on a first computer, wherein the memory layout includes a memory region specifically allocated for the application in association with the application being launched on the first computer, wherein the memory layout specifies one or more attributes associated with the memory region;
  
  generating a current memory layout fingerprint for the application, while it is executing on the first computer, based on at least one of the one or more attributes of the memory region;
  
  comparing the current memory layout fingerprint for the application to a previous memory layout fingerprint for the application, wherein the previous memory layout fingerprint was generated based on a previous memory layout associated with a previous execution of the application; and
  
  in response to the comparing indicating a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, generating a discrepancy indicator regarding the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein generating the current memory layout fingerprint includes executing a hash function on the information indicative of the memory layout to create the current memory layout fingerprint, and wherein generation of the previous memory layout fingerprint also used the same hash function.
  - 3. The method of claim 1, wherein the difference corresponds to a code library used by the application, and indicates a change has occurred to binary executable content within the code library.
  - 4. The method of claim 1, wherein generating the discrepancy indicator includes transmitting an electronic notification to one or more system administrators for the first computer.
  - 5. The method of claim 1, wherein generating the discrepancy indicator includes storing, in a log, information regarding the difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint.
  - 6. The method of claim 1, wherein the memory region is one of a plurality of memory regions allocated to the application.
  - 7. The method of claim 1, wherein the difference is caused by unauthorized software that is executing on the first computer.
  - 8. The method of claim 1, wherein the previous memory layout fingerprint was generated for a second computer that is different from the first computer.
  - 9. The method of claim 1, wherein the one or more attributes of the memory region include a size of a memory address of each memory region of a plurality of memory regions, and wherein generating the memory layout fingerprint for the application includes:
    - calculating, for each memory region, the size of the memory region based on a starting memory address of the memory region and an ending memory address of the memory region.
  - 10. The method of claim 1, further comprising:
    - in response to the comparing indicating a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, determining whether one or more software libraries on the first computer are of a different version than one or more software libraries on a second computer.
  - 11. The method of claim 10, wherein the one or more software libraries on the first computer and the one or more software libraries on the second computer each include a respective library configured to provide encrypted communication capability.

12. A non-transitory computer-readable medium having stored thereon instructions that are executable by a computer system to cause the computer system to perform operations comprising:
- accessing information indicative of a memory layout for an application executing on a first computer, wherein the memory layout includes a memory region dynamically allocated for the application in association with the application being launched on the first computer, wherein the memory layout specifies one or more attributes associated with the memory region;
  
  generating a current memory layout fingerprint for the application, while it is executing on the first computer, based on at least one of the one or more attributes of the memory region;
  
  comparing the current memory layout fingerprint for the application to a previous memory layout fingerprint for the application, wherein the previous memory layout fingerprint was generated based on a previous memory layout associated with a previous execution of the application; and
  
  in response to the comparing indicating, a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, generating a discrepancy indicator regarding the application.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the comparing includes determining if the difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint exceeds a threshold;
    - andwherein the discrepancy indicator is generated when the difference exceeds the threshold, and is not generated when the difference does not exceed the threshold.
  - 14. The non-transitory computer-readable medium of claim 12, wherein the difference is a size difference.
  - 15. The non-transitory computer-readable medium of claim 12, wherein the memory region was dynamically allocated based on an address space layout randomization (ASLR) technique used by the first computer.
  - 16. The non-transitory computer-readable medium of claim 12, wherein the computer system includes the first computer.

17. A system, comprising:
- a processor; and
  
  a non-transitory computer-readable medium having stored thereon instructions that are executable by the system to cause the system to perform operations comprising;
  
  accessing information indicative of a memory layout for an application executing on a first computer, wherein the memory layout includes a memory region specifically allocated for the application subsequent to execution of a command to open the application on the first computer, wherein the memory layout specifies one or more attributes associated with the memory region;
  
  generating a current memory layout fingerprint for the application, while it is executing on the first computer, based on, at least one of the one or more attributes of the memory region;
  
  comparing the current memory layout fingerprint for the application to a previous memory layout fingerprint for the application, wherein the previous memory layout fingerprint was generated based on a previous memory layout associated with a previous execution of the application; and
  
  in response to the comparing indicating a difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint, generating a discrepancy indicator regarding the application.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the one or more attributes of the memory region include a size of a memory address of each memory region of a plurality of memory regions and an access permission level of the memory region.
  - 19. The system of claim 18, wherein the access permission level indicates whether data in the memory region is permitted to be executed by an operating system of the first computer.
  - 20. The system of claim 17, wherein the comparing includes determining if the difference between the current memory layout fingerprint for the application and the previous memory layout fingerprint exceeds a threshold;
    - andwherein the discrepancy indicator is generated when the difference exceeds the threshold, and is not generated when the difference does not exceed the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Inventors
Boutnaru, Shlomi

Granted Patent

US 11,314,864 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

MEMORY LAYOUT BASED MONITORING

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MEMORY LAYOUT BASED MONITORING

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links