Execution profiling detection of malicious objects
Abstract
In an example, there is provided a system and method for execution profiling detection of malicious software objects. An execution profiling (EXP) engine may be provided in conjunction with a binary translation engine (BTE). Both may operate within a trusted execution environment (TEE). Because many malware objects make assumptions about memory usage of host applications, they may cause exceptions when those assumptions prove untrue. The EXP engine may proactively detect such exceptions via the BTE when the BTE performs its translation function. Thus, malicious behavior may be detected before a binary runs on a system, and remedial measures may be provided.
25 Claims
1. A computing apparatus, comprising:
a memory including a locally-executing software process; and
one or more logic elements, including at least a processor, comprising an execution profiling engine configured for:
concurrent with the locally-executing software process, inspecting a segment of the software process;
before executing the segment, determining that the segment will produce an exception condition when the segment runs;
checking transfer target addresses against a list of addresses and address ranges commonly used by malware;
validating that the software process is owned by a legitimate software module;
subjecting the software process to additional security analysis to identify malicious behavior;
designating the software process as potentially malicious; and
taking a security action related to the software process, comprising designating the software process for additional analysis.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. One or more tangible, non-transitory computer-readable mediums having stored thereon instructions that, when executed, instruct a processor for providing an execution profiling engine configured for:
inspecting a segment of a concurrent locally-executing software process;
before executing the segment, determining that the segment will produce an exception condition when the segment runs;
checking transfer target addresses against a list of addresses and address ranges commonly used by malware;
validating that the software process is owned by a legitimate software module;
subjecting the software process to additional security analysis to identify malicious behavior;
designating the software process as potentially malicious; and
taking a security action related to the software process, comprising designating the software process for additional analysis.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
19. A computer-implemented method, comprising:
inspecting a segment of a concurrent locally-executing computational process;
before executing the segment, determining that the segment will produce an exception condition when the segment runs;
checking transfer target addresses against a list of addresses and address ranges commonly used by malware;
validating that the computational process is owned by a legitimate software module;
subjecting the computational process to additional security analysis to identify malicious behavior;
designating the computational process as potentially malicious; and
taking a security action related to the computational process, comprising designating the software process for additional analysis.
Dependent claims: 20, 21, 22, 23, 24, 25.
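As an added example (not code from the patent or its assignee), the following Python sketch walks the pipeline that the abstract and the three independent claims describe over a constructed process image: it inspects a segment before the segment runs, predicts from the process memory map whether each instruction would raise an exception, checks transfer targets against a placeholder list standing in for "addresses and address ranges commonly used by malware", validates that the segment is owned by an allowlisted module, and derives the security action. The mini instruction set, the memory layout, the module names, the address ranges and the decision rule are all assumptions made here; a real execution profiling engine would take the segment from the binary translation engine and the address list from threat intelligence.

```python
"""Toy execution-profiling (EXP) check, added as an illustration of the
abstract and claims above. Everything below is constructed: the instruction
set, the memory and module maps, and the malware address list are
placeholders, not data from the patent or any product."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive start, exclusive end


@dataclass
class Mapping:
    start: int
    end: int
    executable: bool
    module: Optional[str]  # owning module; None for anonymous memory


@dataclass
class Process:
    name: str
    mappings: List[Mapping]
    segment_addr: int  # address of the segment under inspection

    def mapping_for(self, addr: int) -> Optional[Mapping]:
        for m in self.mappings:
            if m.start <= addr < m.end:
                return m
        return None


# Constructed placeholder for the claimed list of addresses commonly used by
# malware; a real engine would load this from threat intelligence.
MALWARE_TARGET_RANGES: List[Range] = [(0x0A0A0000, 0x0A0B0000), (0x41410000, 0x41420000)]

# Constructed allowlist of legitimate (e.g. vendor-signed) software modules.
LEGITIMATE_MODULES = {"app.exe", "libc.so"}


def in_ranges(addr: int, ranges: List[Range]) -> bool:
    return any(start <= addr < end for start, end in ranges)


@dataclass
class Profile:
    predicted_exceptions: List[str] = field(default_factory=list)
    suspicious_targets: List[int] = field(default_factory=list)
    owner_legitimate: bool = True

    @property
    def potentially_malicious(self) -> bool:
        # Decision rule chosen for this example: a segment that would fault
        # AND either branches into a known-bad range or is not owned by a
        # legitimate module. A fault alone is treated as an ordinary bug.
        return bool(self.predicted_exceptions) and (
            bool(self.suspicious_targets) or not self.owner_legitimate
        )


def profile_segment(proc: Process, segment: List[tuple]) -> Profile:
    """Inspect a segment before it runs; never executes any instruction."""
    p = Profile()
    owner = proc.mapping_for(proc.segment_addr)
    p.owner_legitimate = owner is not None and owner.module in LEGITIMATE_MODULES
    for i, ins in enumerate(segment):
        op = ins[0]
        if op in ("load", "store"):
            if proc.mapping_for(ins[1]) is None:
                p.predicted_exceptions.append(f"{i}: {op} touches unmapped 0x{ins[1]:08x}")
        elif op in ("jmp", "call"):
            target = ins[1]
            m = proc.mapping_for(target)
            if m is None or not m.executable:
                p.predicted_exceptions.append(f"{i}: {op} to non-executable 0x{target:08x}")
            if in_ranges(target, MALWARE_TARGET_RANGES):
                p.suspicious_targets.append(target)
        elif op == "div":
            if ins[1] == 0:
                p.predicted_exceptions.append(f"{i}: division by zero")
        elif op != "nop":
            raise ValueError(f"unknown op {op!r}")
    return p


def security_action(p: Profile) -> str:
    """Map the profile to the claimed security action."""
    if p.potentially_malicious:
        return "designate_for_additional_analysis"
    if p.predicted_exceptions or p.suspicious_targets or not p.owner_legitimate:
        return "monitor"
    return "allow"


def sample_process(segment_owner: Optional[str] = "app.exe") -> Process:
    """Constructed process image: one code mapping, one data mapping, one library."""
    return Process(
        name="app.exe",
        mappings=[
            Mapping(0x00400000, 0x00410000, executable=True, module=segment_owner),
            Mapping(0x00600000, 0x00610000, executable=False, module="app.exe"),
            Mapping(0x7FF00000, 0x7FF10000, executable=True, module="libc.so"),
        ],
        segment_addr=0x00400100,
    )


# Constructed segments: the second one assumes memory the host never mapped,
# the kind of wrong assumption the abstract says surfaces as an exception.
BENIGN_SEGMENT = [("load", 0x00600010), ("call", 0x7FF00020), ("div", 4), ("nop",)]
SUSPECT_SEGMENT = [("load", 0x0A0A0A0A), ("jmp", 0x0A0A0A0A), ("div", 0)]

if __name__ == "__main__":
    for name, seg in (("benign", BENIGN_SEGMENT), ("suspect", SUSPECT_SEGMENT)):
        prof = profile_segment(sample_process(), seg)
        print(name, security_action(prof), prof.predicted_exceptions)
```

The decision rule in `potentially_malicious` is the point to scrutinise: a predicted exception in a segment owned by an allowlisted module only produces "monitor", which is what stops ordinary buggy code from being designated malicious, while the same exception in anonymous memory or with a transfer into the placeholder ranges escalates to the claimed action.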
Specification