System, method, and computer program product for detecting at least potentially unwanted activity based on execution profile monitoring
Abstract
A system, method, and computer program product are provided for detecting at least potentially unwanted activity based on execution profile monitoring. In use, an execution profile of code is monitored utilizing call frame monitoring. Further, at least potentially unwanted activity is detected based on the monitoring of the execution profile.
17 Claims
1. A method of detecting at least potentially unwanted activity, comprising:
- monitoring, with a processor, an execution profile of code by utilizing call frame monitoring;
- noting, with the processor, a call frame associated with the code;
- identifying, with the processor, executable memory associated with the noted call frame, wherein the executable memory is backed by a loaded executable;
- identifying, with the processor, an owner of the executable memory by determining a file path of the loaded executable;
- determining, with the processor, whether the owner of the executable memory is legitimate; and
- identifying unwanted activity based on a determination that the owner of the executable memory is not legitimate.
16. A computer program product embodied on a non-transitory computer readable storage medium, comprising instructions stored thereon that when executed by one or more processors cause the one or more processors to:
- monitor an execution profile of code by utilizing call frame monitoring;
- note a call frame associated with the code;
- identify executable memory associated with the noted call frame, wherein the executable memory is backed by a loaded executable;
- identify an owner of the executable memory by determining a file path of the loaded executable;
- determine whether the owner of executable memory associated with the noted call frame is legitimate; and
- identify unwanted activity based on a determination that the owner of the executable memory is not legitimate.
17. A system, comprising:
- a memory; and
- a processor operatively coupled to the memory, the processor adapted to execute program code stored in the memory to:
- monitor an execution profile of code by utilizing call frame monitoring,
- detect at least potentially unwanted activity based on the monitoring of the execution profile, wherein detecting the at least potentially unwanted activity comprises:
- noting a call frame associated with the code,
- identifying executable memory associated with the noted call frame, wherein the executable memory is backed by a loaded executable,
- identifying an owner of the executable memory by determining a file path of the loaded executable,
- determining whether the owner of executable memory associated with the noted call frame is legitimate; and
- identifying unwanted activity based on a determination that the owner of the executable memory is not legitimate.
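The steps recited in claim 1, sketched as an added Python example that is not taken from the patent: each noted return address is resolved to the loaded executable backing it, and the owner's file path is checked against a policy. The module map, addresses, paths and the trusted-directory policy are constructed assumptions (the claims do not say how legitimacy is decided), and the "unbacked" verdict goes beyond the claim, which only covers memory backed by a loaded executable.

```python
from bisect import bisect_right
from pathlib import PureWindowsPath

# Constructed map of loaded executables: (base address, size, file path).
MODULES = sorted([
    (0x00400000, 0x00020000, r"C:\Program Files\Editor\editor.exe"),
    (0x6F000000, 0x00080000, r"C:\Users\alice\AppData\Local\Temp\hlp32.dll"),
    (0x76000000, 0x00100000, r"C:\Windows\System32\kernel32.dll"),
    (0x77000000, 0x00180000, r"C:\Windows\System32\ntdll.dll"),
])
BASES = [m[0] for m in MODULES]

# Assumed legitimacy policy: the owner must be loaded from a trusted directory.
TRUSTED_DIRS = [PureWindowsPath(r"C:\Windows\System32"),
                PureWindowsPath(r"C:\Program Files")]

# Constructed call stack (return addresses, innermost frame first).
SAMPLE_STACK = [0x77001234, 0x76000ABC, 0x6F000400, 0x00401000]

def owner_of(addr):
    """Return the file path of the loaded executable backing addr, or None."""
    i = bisect_right(BASES, addr) - 1
    if i >= 0:
        base, size, path = MODULES[i]
        if base <= addr < base + size:
            return path
    return None

def is_legitimate(path):
    """True if the owner's path lies under one of the trusted directories."""
    return any(d in PureWindowsPath(path).parents for d in TRUSTED_DIRS)

def check_call_frames(return_addresses):
    """Classify each noted call frame as (address, owner path, verdict)."""
    findings = []
    for addr in return_addresses:
        owner = owner_of(addr)
        if owner is None:
            verdict = "unbacked"  # extension: no loaded executable at this address
        elif is_legitimate(owner):
            verdict = "ok"
        else:
            verdict = "illegitimate-owner"
        findings.append((addr, owner, verdict))
    return findings

def unwanted_activity(return_addresses):
    """Flag the execution profile if any frame has a non-legitimate owner."""
    return any(v != "ok" for _, _, v in check_call_frames(return_addresses))
```
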