Preventing the successful exploitation of software application vulnerability for malicious purposes
First Claim
1. A method for identifying malicious behavior of a protected process of a protected application, the method comprising:
storing a plurality of application profiles, each of the plurality of application profiles associated with a different group of related applications of a particular application type, each of the plurality of application profiles including a different list of application programming interface (API) calls;
detecting an API call originating from the protected process;
determining an application profile applicable to the protected application based on an application type of the protected application;
comparing the API call against a list of API calls included in the application profile corresponding to the protected application;
determining to intercept the API call based on its presence in the list of API calls included in the application profile; and
responsive to determining to intercept the API call:
    capturing a memory address associated with the API call and one or more parameters associated with the API call;
    applying, by a computing system, a memory analysis to determine if the memory address associated with the API call lacks execute access;
    applying, by the computing system, an element analysis to determine if a malicious characteristic associated with the API call is present based on the one or more parameters associated with the API call; and
    responsive to detecting that the memory address associated with the API call lacks execute access or determining that the malicious characteristic associated with the API call is present, terminating the protected process.
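The steps of claim 1 carried through as a small Python simulation (an added example, not code from the patent or its assignee): profiles keyed by application type, an intercept decision against the profile's API list, a memory analysis of the captured caller address against a memory map, and a parameter analysis, with termination on either finding. The API names, the memory regions and the parameter heuristics (a cmd.exe image path, a PAGE_EXECUTE_READWRITE request) are constructed assumptions, since the patent text names none of them.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

ParamCheck = Callable[[dict], bool]    # True when a malicious characteristic is present

@dataclass
class AppProfile:
    app_type: str
    api_list: set[str]                  # API calls to intercept for this application type
    param_checks: dict[str, ParamCheck] = field(default_factory=dict)

@dataclass
class MemRegion:
    start: int
    end: int
    execute: bool                       # region carries execute access

@dataclass
class ApiCall:
    api: str
    caller_addr: int                    # return address captured at interception
    params: dict

# Constructed profiles; the parameter heuristics are assumed, not taken from the patent.
PROFILES = {
    "document_reader": AppProfile("document_reader", {"VirtualProtect", "CreateProcess"}, {
        "CreateProcess": lambda p: p.get("image", "").lower().endswith("cmd.exe"),
        "VirtualProtect": lambda p: p.get("new_protect") == "PAGE_EXECUTE_READWRITE",
    }),
    "browser": AppProfile("browser", {"WinExec"}),
}

# Constructed memory map: an executable image section and a non-executable heap.
SAMPLE_MAP = [MemRegion(0x400000, 0x500000, True), MemRegion(0x2000000, 0x2100000, False)]

def region_lacks_execute(addr: int, memmap: list[MemRegion]) -> bool:
    """Memory analysis: True if no executable region contains the caller address."""
    return not any(r.start <= addr < r.end and r.execute for r in memmap)

def analyze_call(app_type: str, call: ApiCall, memmap: list[MemRegion]) -> str:
    """Apply the claimed steps to one call; returns 'ignore', 'allow' or 'terminate'."""
    profile = PROFILES[app_type]            # profile selected by application type
    if call.api not in profile.api_list:
        return "ignore"                     # not on this profile's list: not intercepted
    if region_lacks_execute(call.caller_addr, memmap):
        return "terminate"                  # caller sits in memory without execute access
    check = profile.param_checks.get(call.api)
    if check is not None and check(call.params):
        return "terminate"                  # malicious characteristic found in parameters
    return "allow"
```

A call from the heap region is terminated even with harmless parameters, and a call from the image section is terminated only when a parameter check fires; calls absent from the selected profile's list are never intercepted.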
Abstract
An anti-exploit system monitors and identifies malicious behavior related to one or more protected applications or processes. The anti-exploit system intercepts API calls associated with the protected application or process, including the parameters passed to the operating system functions as well as a memory address associated with the caller of the API call. Based on the characteristics of the intercepted API call, a Behavioral Analysis Component determines whether the API call is malicious in nature.
17 Claims
1. A method for identifying malicious behavior of a protected process of a protected application (set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory computer-readable storage medium configured to store executable computer code that when executed by a processor causes the processor to perform steps including:
storing a plurality of application profiles, each of the plurality of application profiles associated with a different group of related applications of a particular application type, each of the plurality of application profiles including a different list of application programming interface (API) calls;
detecting an API call originating from the protected process;
determining an application profile applicable to the protected application based on an application type of the protected application;
comparing the API call against a list of API calls included in the application profile corresponding to the protected application;
determining to intercept the API call based on its presence in the list of API calls included in the application profile; and
responsive to determining to intercept the API call:
    capturing a memory address associated with the API call and one or more parameters associated with the API call;
    applying, by a computing system, a memory analysis to determine if the memory address associated with the API call lacks execute access;
    applying, by the computing system, an element analysis to determine if a malicious characteristic associated with the API call is present based on the one or more parameters associated with the API call; and
    responsive to detecting that the memory address associated with the API call lacks execute access or determining that the malicious characteristic associated with the API call is present, terminating the protected process.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system, comprising:
a processor;
a non-transitory computer-readable storage medium comprising instructions configured to be executed by the processor to perform a process comprising:
storing a plurality of application profiles, each of the plurality of application profiles associated with a different group of related applications of a particular application type, each of the plurality of application profiles including a different list of application programming interface (API) calls;
detecting an API call originating from the protected process;
determining an application profile applicable to the protected application based on an application type of the protected application;
comparing the API call against a list of API calls included in the application profile corresponding to the protected application;
determining to intercept the API call based on its presence in the list of API calls included in the application profile; and
responsive to determining to intercept the API call:
    capturing a memory address associated with the API call and one or more parameters associated with the API call;
    applying, by a computing system, a memory analysis to determine if the memory address associated with the API call lacks execute access;
    applying, by the computing system, an element analysis to determine if a malicious characteristic associated with the API call is present based on the one or more parameters associated with the API call; and
    responsive to detecting that the memory address associated with the API call lacks execute access or determining that the malicious characteristic associated with the API call is present, terminating the protected process.
Dependent claims: 16, 17.