Methods and apparatus for control and detection of malicious content using a sandbox environment
First Claim
1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
initiate an instance of a first application within a sandbox environment;
receive a set of indications of actual behavior of the instance of the first application including an indication that the instance of the first application is associating with an instance of a second application within the sandbox environment by at least one of (1) initiating the instance of the second application or (2) initiating a thread injection event with the instance of the second application;
identify the instance of the first application associating with the instance of the second application as an anomalous behavior of the instance of the first application in response to an indication that the first application is allowed to associate with the second application not being within a set of indications of allowed behavior specific to the first application; and
send an indication associated with the anomalous behavior in response to identifying the anomalous behavior.
Abstract
A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.
23 Claims
12. An apparatus, comprising:
a memory; and
a hardware processor operatively coupled to the memory,
the hardware processor configured to receive a set of indications of actual behavior of an instance of a first application within a sandbox environment,
the hardware processor configured to compare the set of indications of actual behavior of the instance of the first application to a set of indications of allowed behavior specific to the first application to identify a behavior from the set of indications of actual behavior not within the set of indications of allowed behavior,
the hardware processor configured to classify the behavior from the set of indications of actual behavior as an anomalous behavior of the instance of the first application in response to the behavior not being within the set of indications of allowed behavior, the anomalous behavior including at least one of the instance of the first application initiating an instance of a second application or the instance of the first application initiating a thread injection event with the instance of the second application,
the hardware processor configured to send an indication (1) associated with the anomalous behavior of the instance of the first application and (2) including an identifier of the second application.
Dependent claims: 13, 14, 15, 16, 17.
18. A method, comprising:
initiating an instance of a first application within a sandbox environment;
monitoring behavior of the instance of the first application based on a list of approved behaviors specific to the first application;
identifying that the instance of the first application is associating with an instance of a second application within the sandbox environment by at least one of (1) initiating the instance of the second application or (2) initiating a thread injection event with the instance of the second application;
classifying the instance of the first application associating with the instance of the second application as an anomalous behavior of the instance of the first application in response to an indication that the first application is allowed to associate with the second application not being on the list of approved behaviors specific to the first application; and
sending an indication associated with the anomalous behavior.
Dependent claims: 19, 20, 21, 22, 23.
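The allowlist comparison that the abstract and claims 1, 12 and 18 describe, written out as a small Python illustration. This is added example code, not code from the patent; the event model, the application names, the allowlist contents and the sample monitor events are all constructed for the demonstration.

```python
from dataclasses import dataclass


# Constructed event model: one observed behavior of the sandboxed instance,
# in the shape a monitor module might report it.
@dataclass(frozen=True)
class Event:
    kind: str    # e.g. "process_create", "thread_inject", "file_write"
    target: str  # identifier of the object touched (for associations: the second application)


# Allowed behaviors are specific to the first application: a set of (kind, target) pairs.
# Constructed sample: a word processor that may spawn its own spell checker and write documents.
ALLOWED_BEHAVIORS = {
    "wordproc.exe": {
        ("process_create", "spellcheck.exe"),
        ("file_write", "Documents"),
    },
}

# Behaviors that mean "associating with a second application" (claims 1, 12, 18).
ASSOCIATION_KINDS = {"process_create", "thread_inject"}


def find_anomalies(app, observed, allowed=ALLOWED_BEHAVIORS):
    """Compare actual behavior of `app` against the allowlist specific to `app`.

    Returns one indication per behavior not on the allowlist. For an association
    (process creation or thread injection) the indication also carries the
    identifier of the second application, as claim 12 requires. An application
    with no allowlist gets an empty one, so every behavior is reported.
    """
    allowlist = allowed.get(app, set())
    indications = []
    for ev in observed:
        if (ev.kind, ev.target) in allowlist:
            continue  # explicitly permitted for this application
        indication = {"application": app, "behavior": ev.kind, "target": ev.target}
        if ev.kind in ASSOCIATION_KINDS:
            indication["second_application"] = ev.target
        indications.append(indication)
    return indications


# Constructed sample of actual behavior as reported by the monitor.
SAMPLE_EVENTS = [
    Event("file_write", "Documents"),
    Event("process_create", "spellcheck.exe"),
    Event("process_create", "cmd.exe"),
    Event("thread_inject", "explorer.exe"),
]

if __name__ == "__main__":
    for indication in find_anomalies("wordproc.exe", SAMPLE_EVENTS):
        print(indication)
```

Only the two associations absent from the word processor's allowlist are reported; the permitted spell-checker launch and document write are not.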