Execution profiling detection of malicious objects

US 9,934,380 B2
Filed: 12/23/2014
Issued: 04/03/2018
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus, comprising:

a memory including a locally-executing software process; and

one or more logic elements, including at least a processor, comprising an execution profiling engine configured for;

concurrent with the locally-executing software process, inspecting a segment of the software process;

before executing the segment, determining that the segment will produce an exception condition when the segment runs;

checking transfer target addresses against a list of addresses and address ranges commonly used by malware;

validating that the software process is owned by a legitimate software module;

subjecting the software process to additional security analysis to identify malicious behavior;

designating the software process as potentially malicious; and

taking a security action related to the software process, comprising designating the software process for additional analysis.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, there is provided a system and method for execution profiling detection of malicious software objects. An execution profiling (EXP) engine may be provided in conjunction with a binary translation engine (BTE). Both may operate within a trusted execution environment (TEE). Because many malware objects make assumptions about memory usage of host applications, they may cause exceptions when those assumptions prove untrue. The EXP engine may proactively detect such exceptions via the BTE when the BTE performs its translation function. Thus, malicious behavior may be detected before a binary runs on a system, and remedial measures may be provided.

Citations

25 Claims

1. A computing apparatus, comprising:
- a memory including a locally-executing software process; and
  
  one or more logic elements, including at least a processor, comprising an execution profiling engine configured for;
  
  concurrent with the locally-executing software process, inspecting a segment of the software process;
  
  before executing the segment, determining that the segment will produce an exception condition when the segment runs;
  
  checking transfer target addresses against a list of addresses and address ranges commonly used by malware;
  
  validating that the software process is owned by a legitimate software module;
  
  subjecting the software process to additional security analysis to identify malicious behavior;
  
  designating the software process as potentially malicious; and
  
  taking a security action related to the software process, comprising designating the software process for additional analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing apparatus of claim 1, wherein the execution profiling engine is provided at least partly in a trusted execution environment.
  - 3. The computing apparatus of claim 1, wherein subjecting the software process to additional security analysis comprises subjecting the software process to computerized deep inspection.
  - 4. The computing apparatus of claim 1, wherein subjecting the software process to additional security analysis comprises designating the software process for analysis by a human security analyzer.
  - 5. The computing apparatus of claim 1, wherein the execution profiling engine is implemented at least partly in hardware.
  - 6. The computing apparatus of claim 1, further comprising a binary translation engine configured for translating the software process from a first form into a second form.
  - 7. The computing apparatus of claim 6, wherein the second form excludes direct manipulation of memory.
  - 8. The computing apparatus of claim 6, wherein the binary translation engine is provided at least partly in a trusted execution environment.
  - 9. The computing apparatus of claim 6, wherein the binary translation engine is configured for translating the software process into an instrumentable form.
  - 10. The computing apparatus of claim 6, wherein at least one of the execution profiling engine and the binary translation engine is at least partly virtualized.

11. One or more tangible, non-transitory computer-readable mediums having stored thereon instructions that, when executed, instruct a processor for providing an execution profiling engine configured for:
- inspecting a segment of a concurrent locally-executing software process;
  
  before executing the segment, determining that the segment will produce an exception condition when the segment runs;
  
  checking transfer target addresses against a list of addresses and address ranges commonly used by malware;
  
  validating that the software process is owned by a legitimate software module;
  
  subjecting the software process to additional security analysis to identify malicious behavior;
  
  designating the software process as potentially malicious; and
  
  taking a security action related to the software process, comprising designating the software process for additional analysis.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the instructions are further configured for providing the execution profiling engine at least partly in a trusted execution environment.
  - 13. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein subjecting the software process to additional security analysis comprises subjecting the software process to computerized deep inspection.
  - 14. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein subjecting the software process to additional security analysis comprises designating the software process for analysis by a human security analyzer.
  - 15. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the instructions are further configured for providing a binary translation engine operable for translating the software process from a first form into a second form.
  - 16. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein the second form excludes direct manipulation of memory.
  - 17. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein the binary translation engine is provided at least partly in a trusted execution environment.
  - 18. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein the binary translation engine is configured for translating the software process into an instrumentable form.

19. A computer-implemented method, comprising:
- inspecting a segment of a concurrent locally-executing computational process;
  
  before executing the segment, determining that the segment will produce an exception condition when the segment runs;
  
  checking transfer target addresses against a list of addresses and address ranges commonly used by malware;
  
  validating that the computational process is owned by a legitimate software module;
  
  subjecting the computational process to additional security analysis to identify malicious behavior;
  
  designating the computational process as potentially malicious; and
  
  taking a security action related to the computational process, comprising designating the software process for additional analysis.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The computer-implemented method of claim 19, further comprising:
    - translating the computational process from a first form into a second form, wherein the second form is instrumentable.
  - 21. The computer-implemented method of claim 19, further comprising:
    - subjecting the computational process to additional security analysis, comprising subjecting the computational process to computerized deep inspection.
  - 22. The computer-implemented method of claim 19, further comprising:
    - subjecting the computational process to additional security analysis, comprising designating the computational process for analysis by a human security analyzer.
  - 23. The computer-implemented method of claim 19, further comprising:
    - implementing an execution profiling engine at least partly in hardware.
  - 24. The computer-implemented method of claim 20, wherein the second form excludes direct manipulation of memory.
  - 25. The method of claim 20, wherein translating the computational process from a first form into a second form is provided at least partly in a trusted execution environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Dalcher, Greg W., Yamada, Koichi, Shanmugavelayutham, Palanivel Rajan, Singh, Jitendra P.
Primary Examiner(s)
LE, KHOI V

Application Number

US14/582,163
Publication Number

US 20160180090A1
Time in Patent Office

1,197 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

G06F 2221/033   Test or assess software

Execution profiling detection of malicious objects

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Execution profiling detection of malicious objects

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links