System and method for detecting malicious code executed by virtual machine
First Claim
1. An automated computer-implemented method for protecting against a malicious set of program instructions that are executable by a process virtual machine, the process virtual machine comprising program instructions executable on a computer system having a hardware platform and an operating system, the method comprising:
- augmenting, by an automated augmentation process executing on the computer system, the program instructions of the process virtual machine to establish an exception monitoring module within the process virtual machine;
- executing, via the process virtual machine, the subject set of program instructions;
- detecting, by the exception monitoring module, an exception occurring as a result of the execution of the subject set of program instructions, wherein the exception represents an occurrence of an event determined as having potential to violate a predefined security policy;
- in response to a detection of an occurrence of the exception, gathering, by the exception monitoring module, context information from the process virtual machine, the context information representing circumstances surrounding the occurrence of the exception;
- providing, by the exception monitoring module, the context information to be subjected to analysis for a presence of the malicious set of program instructions; and
- determining, by the exception monitoring module, based on a result of the analysis, whether to permit further execution of the subject set of program instructions by the process virtual machine.
2 Assignments
0 Petitions
Abstract
Protection against a malicious set of program instructions (e.g., a malicious program) executable by a process virtual machine. The program instructions of process virtual machine are augmented to establish an exception monitoring module within the process virtual machine. When the process virtual machine executes a subject set of program instructions, the exception monitoring module detects a security policy violation exception occurring as a result. In response thereto, the exception monitoring module gathers context information representing circumstances surrounding the occurrence of the exception, and provides the context information for analysis of a presence of malicious code. The exception monitoring module determines, based on a result of the analysis, whether to permit further execution of the subject set of program instructions by the process virtual machine.
23 Claims
1. An automated computer-implemented method for protecting against a malicious set of program instructions that are executable by a process virtual machine, the process virtual machine comprising program instructions executable on a computer system having a hardware platform and an operating system, the method comprising:
- augmenting, by an automated augmentation process executing on the computer system, the program instructions of the process virtual machine to establish an exception monitoring module within the process virtual machine;
- executing, via the process virtual machine, the subject set of program instructions;
- detecting, by the exception monitoring module, an exception occurring as a result of the execution of the subject set of program instructions, wherein the exception represents an occurrence of an event determined as having potential to violate a predefined security policy;
- in response to a detection of an occurrence of the exception, gathering, by the exception monitoring module, context information from the process virtual machine, the context information representing circumstances surrounding the occurrence of the exception;
- providing, by the exception monitoring module, the context information to be subjected to analysis for a presence of the malicious set of program instructions; and
- determining, by the exception monitoring module, based on a result of the analysis, whether to permit further execution of the subject set of program instructions by the process virtual machine.

Dependent claims 2 to 11 depend on claim 1 and are not reproduced here.
12. A system for protecting against malicious functionality of a subject set of program instructions, the system comprising:
- a computer system having a hardware platform and an operating system executable on the hardware platform;
- a process virtual machine module executable on the computer system that, when executed, forms a virtual execution environment in which the subject set of program instructions are executable; and
- a control module executable on the computer system that, when executed, augments the process virtual machine to insert an exception monitoring module configured to:
  - detect an exception occurring as a result of execution of the subject set of program instructions, wherein the exception represents an occurrence of an event determined as having potential to violate a predefined security policy;
  - in response to a detection of an occurrence of the exception, gather context information from operation of the process virtual machine representing circumstances surrounding the occurrence of the exception;
  - provide the context information to be subjected to analysis for a presence of the malicious code; and
  - determine, based on a result of the analysis, whether to permit further execution of the subject set of program instructions by the process virtual machine.

Dependent claims 13 to 22 depend on claim 12 and are not reproduced here.
23. An automated computer-implemented system for protecting against a malicious set of program instructions that are executable by a process virtual machine, the process virtual machine comprising program instructions executable on a hardware platform via an operating system, the system comprising:
- means for augmenting, by an automated augmentation process executing on the computer system, the program instructions of the process virtual machine to establish an exception monitoring module within the process virtual machine;
- means for detecting, by the exception monitoring module, an exception occurring as a result of execution of the subject set of program instructions via the process virtual machine, wherein the exception represents an occurrence of an event determined as having potential to violate a predefined security policy;
- means for gathering, in response to a detection of an occurrence of the exception, context information from the process virtual machine, the context information representing circumstances surrounding the occurrence of the exception;
- means for providing the context information for analysis to determine a presence of the malicious code; and
- means for determining, based on a result of the analysis, whether to permit further execution of the subject set of program instructions by the process virtual machine.
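The mechanism recited in the abstract and in independent claims 1, 12 and 23 (augment the process virtual machine, catch a policy-violation exception, gather context, hand it to an analysis, then permit or block further execution), shown as an added illustration written for this page. It is not code from the patent or its assignee. The process virtual machine is modelled as a toy stack interpreter; ToyVM, ExceptionMonitor, SecurityPolicyException, analyze_context, run_program, the opcodes, the sensitive-path prefixes and the two sample programs are all constructed assumptions chosen to make the control flow visible.

```python
from dataclasses import dataclass

# Constructed policy data: reads under these prefixes are treated as sensitive.
SENSITIVE_PREFIXES = ("/etc/", "/home/")


class SecurityPolicyException(Exception):
    """Raised by the VM for an event with potential to violate the policy."""

    def __init__(self, operation, operand):
        super().__init__(f"{operation} {operand!r}")
        self.operation = operation
        self.operand = operand


@dataclass
class Context:
    """Circumstances surrounding the exception, gathered from the VM."""
    pc: int
    operation: str
    operand: object
    stack: list
    trace: list
    read_sensitive: bool


class ExceptionMonitor:
    """The module the augmentation inserts: gather context, analyze, decide."""

    def __init__(self, analyzer):
        self.analyzer = analyzer
        self.log = []  # (pc, operation, permitted, reason) per handled exception

    def on_exception(self, vm, exc):
        ctx = Context(vm.pc - 1, exc.operation, exc.operand,
                      list(vm.stack), list(vm.trace), vm.read_sensitive)
        permit, reason = self.analyzer(ctx)
        self.log.append((ctx.pc, exc.operation, permit, reason))
        return permit  # True: let the subject program continue; False: stop it


class ToyVM:
    """Toy stack VM. Opcodes: PUSH v, READ_FILE, CONNECT, HALT (all constructed)."""

    def __init__(self, program, monitor=None):
        self.program = program
        self.monitor = monitor  # None models the unaugmented VM
        self.stack, self.trace, self.approved = [], [], set()
        self.pc, self.halted, self.read_sensitive = 0, False, False

    def step(self):
        op, *args = self.program[self.pc]
        self.pc += 1
        if op == "PUSH":
            self.stack.append(args[0])
        elif op == "READ_FILE":
            path = self.stack.pop()
            if path.startswith(SENSITIVE_PREFIXES):
                self.read_sensitive = True
            self.stack.append(f"<contents of {path}>")
        elif op == "CONNECT":
            host = self.stack[-1]
            # An outbound connection is the policy-relevant event: raise unless the
            # monitor has already approved this instruction and resumed execution.
            if (self.pc - 1) not in self.approved:
                raise SecurityPolicyException("CONNECT", host)
            self.stack[-1] = f"<socket to {host}>"
        elif op == "HALT":
            self.halted = True
        else:
            raise ValueError(f"unknown opcode {op}")
        self.trace.append((self.pc - 1, op, tuple(args)))

    def run(self):
        while not self.halted and self.pc < len(self.program):
            try:
                self.step()
            except SecurityPolicyException as exc:
                if self.monitor is None:
                    raise  # unaugmented VM: nothing catches the exception
                if self.monitor.on_exception(self, exc):
                    self.approved.add(self.pc - 1)  # permit: resume at that instruction
                    self.pc -= 1
                else:
                    self.halted = True
                    return "blocked"
        return "completed"


def analyze_context(ctx):
    """Constructed analysis rule: a sensitive read followed by an outbound
    connection is treated as evidence of malicious code."""
    if ctx.operation == "CONNECT" and ctx.read_sensitive:
        return False, "outbound connection after reading a sensitive file"
    return True, "no malicious pattern in context"


def run_program(program, analyzer=analyze_context):
    """Augmentation step: build the VM with the monitor inserted, then run."""
    monitor = ExceptionMonitor(analyzer)
    return ToyVM(program, monitor=monitor).run(), monitor.log


# Constructed sample programs for the subject set of program instructions.
BENIGN_PROGRAM = [("PUSH", "/tmp/report.txt"), ("READ_FILE",),
                  ("PUSH", "updates.example.net"), ("CONNECT",), ("HALT",)]
EXFIL_PROGRAM = [("PUSH", "/home/alice/secrets.txt"), ("READ_FILE",),
                 ("PUSH", "drop.example.net"), ("CONNECT",), ("HALT",)]

if __name__ == "__main__":
    for name, prog in (("benign", BENIGN_PROGRAM), ("exfil", EXFIL_PROGRAM)):
        print(name, *run_program(prog))
```

The decision is made on gathered context rather than on the single raising instruction: the same CONNECT is permitted in one program and blocked in the other because the context records what the subject program did beforehand. An unaugmented ToyVM (monitor=None) simply propagates the exception, which is the behaviour the augmentation replaces.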