Detection of code injection attacks

US 9,213,807 B2
Filed: 09/04/2013
Issued: 12/15/2015
Est. Priority Date: 09/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting foreign code injected into a computer program executed by a heterogeneous computer system comprising a plurality of different processors each with different architecture and different native instruction set, and memory, the plurality of different processors being configured to execute instructions stored in the memory, the method comprising:

executing a first portion of the computer program by a first processor having a first architecture and a first instruction set;

executing a second portion of the computer program by a second processor having a second architecture and a second instruction set different than the first instruction set;

detecting, on the heterogeneous computer system, an illegal instruction error;

recording the illegal instruction error;

determining whether a threshold condition for an attack on the heterogeneous computer system is met based on patterns of multiple previous attacks clustered together and the number of different architectures; and

generating an alert if the threshold condition for the attack on the heterogeneous computer system is met, wherein the illegal instruction error is triggered by an instruction encoded in a third instruction set different from the first and second instruction sets.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting foreign code injected into a computer system including a processor and memory, the processor being configured to execute instructions stored in the memory, includes: detecting, on the computer system, an illegal instruction error; recording the illegal instruction error; determining whether a threshold condition is met; and generating an alert if the threshold condition is met.

Citations

16 Claims

1. A method for detecting foreign code injected into a computer program executed by a heterogeneous computer system comprising a plurality of different processors each with different architecture and different native instruction set, and memory, the plurality of different processors being configured to execute instructions stored in the memory, the method comprising:
- executing a first portion of the computer program by a first processor having a first architecture and a first instruction set;
  
  executing a second portion of the computer program by a second processor having a second architecture and a second instruction set different than the first instruction set;
  
  detecting, on the heterogeneous computer system, an illegal instruction error;
  
  recording the illegal instruction error;
  
  determining whether a threshold condition for an attack on the heterogeneous computer system is met based on patterns of multiple previous attacks clustered together and the number of different architectures; and
  
  generating an alert if the threshold condition for the attack on the heterogeneous computer system is met, wherein the illegal instruction error is triggered by an instruction encoded in a third instruction set different from the first and second instruction sets.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the threshold condition further comprises exceeding a particular number of illegal instruction errors over a particular time period.
  - 3. The method of claim 1, wherein determining whether the threshold condition is met comprises detecting the patterns using a neural network.
  - 4. The method of claim 1, wherein the threshold condition comprises detecting the patterns using a Bayesian network.
  - 5. The method of claim 1, further comprising:
    - loading a plurality of instruction streams, each of the plurality of instruction streams being equivalent and being encoded in a different instruction set of a plurality of instruction sets;
      
      executing, in a context, a first stream of the plurality of instruction streams;
      
      stopping execution of the first stream at a first location of the first stream; and
      
      executing, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream,wherein the first stream and the second stream are encoded in instruction sets different from the second instruction set.
  - 6. The method of claim 1, wherein generating the alert comprises sending an email message or a text message.
  - 7. The method of claim 1, further comprising shutting down the computer system when the threshold condition is met.

8. A computer system comprising a plurality of different processors each with different architecture and different native instruction set, and memory storing program instructions, the computer system being configured to execute instructions stored in the memory, the computer system being configured to:
- execute a first portion of the computer program by a first processor having a first architecture and a first instruction set;
  
  execute a second portion of the computer program by a second processor having a second architecture and a second instruction set different than the first instruction set;
  
  detect an illegal instruction error;
  
  record the illegal instruction error;
  
  determine whether a threshold condition for an attack on the heterogeneous computer system is met based on patterns of multiple previous attacks clustered together and the number of different architectures; and
  
  generate an alert if the threshold condition for the attack on the heterogeneous computer system is met, wherein the illegal instruction error is triggered by an instruction encoded in a third instruction set different from the first and second instruction sets.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the threshold condition further comprises exceeding a particular number of illegal instruction errors over a particular time period.
  - 10. The computer system of claim 8, wherein the computer system is configured to determine whether the threshold condition is met by detecting the patterns using a neural network.
  - 11. The computer system of claim 8, wherein the computer system is configured to determine whether the threshold condition is met by detecting the patterns using a Bayesian network.
  - 12. The computer system of claim 8, wherein the computer system is further configured to:
    - load a plurality of instruction streams, each of the plurality of instruction streams being equivalent and being encoded in a different instruction set of a plurality of instruction sets;
      
      execute, in a context, a first stream of the plurality of instruction streams;
      
      stop execution of the first stream at a first location of the first stream; and
      
      execute, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream,wherein the first stream and the second stream are encoded in instruction sets different from the second instruction set.
  - 13. The computer system of claim 8, wherein the computer system is configured to generate the alert by sending an email message or a text message.
  - 14. The computer system of claim 8, wherein the computer system is further configured to shut down the computer system when the threshold condition is met.

15. A non-transitory computer readable medium embodying program instructions for execution by a heterogeneous computer system, the program instructions adapting the heterogeneous computer system for:
- executing a first portion of the computer program by a first processor having a first architecture and a first instruction set;
  
  executing a second portion of the computer program by a second processor having a second architecture and a second instruction set different than the first instruction set;
  
  detecting, on the heterogeneous computer system, an illegal instruction error;
  
  recording the illegal instruction error;
  
  determining whether a threshold condition for an attack on the heterogeneous computer system is met based on patterns of multiple previous attacks clustered together and the number of different architectures; and
  
  generating an alert if the threshold condition for the attack on the heterogeneous computer system is met, wherein the illegal instruction error is triggered by an instruction encoded in a third instruction set different from the first and second instruction sets.
- View Dependent Claims (16)
- - 16. The non-transitory computer readable medium of claim 15, wherein the program instructions further adapt the processing apparatus for:
    - loading a plurality of instruction streams, each of the plurality of instruction streams being equivalent and being encoded in a different instruction set of a plurality of instruction sets;
      
      executing, in a context, a first stream of the plurality of instruction streams;
      
      stopping execution of the first stream at a first location of the first stream; and
      
      executing, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream,wherein the illegal instruction error is triggered by a program instruction encoded in a first instruction set, the first instruction set being different from the instruction sets of the first stream and the second stream.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Francisco Partners Management LLC)
Original Assignee
Raytheon Cyber Products, LLC (Everfox Holdings LLC)
Inventors
Martz, Robert, Matthews, David, Edmison, Joshua, Vorsanger, Greg
Primary Examiner(s)
Schwartz, Darren B

Application Number

US14/018,234
Publication Number

US 20150067409A1
Time in Patent Office

832 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

Detection of code injection attacks

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of code injection attacks

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links