Methods, media, and systems for detecting anomalous program executions
Abstract
Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
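An added illustration of the comparison the abstract describes, not code from the patent. It assumes a model is a count of (previous call, call) transitions and that two models are combined by summing their counts; the function names and traces are constructed, and the emulator is represented only by the call trace it would emit.

```python
from collections import Counter

START = "<start>"  # sentinel predecessor for the first call in a trace


def build_model(trace):
    """Count (previous call, call) transitions seen in one training trace."""
    return Counter(zip([START] + trace[:-1], trace))


def combine(*models):
    """Merge models built at different times (or on different computers)."""
    combined = Counter()
    for model in models:
        combined.update(model)  # sums the per-transition counts
    return combined


def anomalous_calls(trace, model, min_count=1):
    """Return (index, previous, call) for each call whose transition the
    model has seen fewer than min_count times."""
    flagged, prev = [], START
    for i, call in enumerate(trace):
        if model[(prev, call)] < min_count:  # unseen transitions count as 0
            flagged.append((i, prev, call))
        prev = call
    return flagged


# Constructed sample traces (assumed names, not from the patent).
TRACE_EARLY = ["open", "read", "parse", "close"]
TRACE_LATER = ["open", "read", "read", "parse", "log", "close"]
OBSERVED = ["open", "read", "read", "parse", "system", "close"]

MODEL_EARLY = build_model(TRACE_EARLY)
MODEL_LATER = build_model(TRACE_LATER)
COMBINED = combine(MODEL_EARLY, MODEL_LATER)

if __name__ == "__main__":
    print("early model only:", anomalous_calls(OBSERVED, MODEL_EARLY))
    print("combined model:  ", anomalous_calls(OBSERVED, COMBINED))
```

With the early model alone, the benign repeated `read` is flagged; the combined model accepts it and still flags the transition into and out of the unseen `system` call.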
27 Claims
1. A method for detecting anomalous program executions, comprising:
- executing at least a portion of a program in an emulator;
- comparing a function call made in the emulator to a model of function calls for the at least a portion of the program, wherein the model is a combined model created from at least two models created at different times; and
- identifying the function call as anomalous based on the comparison.
Dependent claims: 3, 4, 5, 6, 7, 8, 9.
2. A method for detecting anomalous program executions, comprising:
- executing at least a portion of a program in an emulator;
- comparing a function call made in the emulator to a model of function calls for the at least a portion of the program, wherein the model is a combined model created from at least two models created using different computers; and
- identifying the function call as anomalous based on the comparison.
10. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, comprising:
- executing at least a portion of a program in an emulator;
- comparing a function call made in the emulator to a model of function calls for the at least a portion of the program, wherein the model is a combined model created from at least two models created at different times; and
- identifying the function call as anomalous based on the comparison.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
11. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, comprising:
- executing at least a portion of a program in an emulator;
- comparing a function call made in the emulator to a model of function calls for the at least a portion of the program, wherein the model is a combined model created from at least two models created using different computers; and
- identifying the function call as anomalous based on the comparison.
19. A system for detecting anomalous program executions, comprising:
- a processor that:
  - executes at least a portion of a program in an emulator;
  - compares a function call made in the emulator to a model of function calls for the at least a portion of the program, wherein the model is a combined model created from at least two models created at different times; and
  - identifies the function call as anomalous based on the comparison.
Dependent claims: 20, 21, 22, 23, 24, 25, 26.
27. A system for detecting anomalous program executions, comprising:
- a processor that:
  - executes at least a portion of a program in an emulator;
  - compares a function call made in the emulator to a model of function calls for the at least a portion of the program, wherein the model is a combined model created from at least two models created using different computers; and
  - identifies the function call as anomalous based on the comparison.
Specification