Profiling event based exploit detection

US 9,984,230 B2
Filed: 06/26/2015
Issued: 05/29/2018
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor, cause the processor to:

execute an application in a system;

perform event tracing for the application;

analyze each instruction pointer from the event tracing; and

determine if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to execute an application in a system with an operating system, perform event tracing for the application, analyze each instruction pointer from the event tracing, and determine if an instruction pointer points to an orphan page of memory. The orphan page can be a region of code that is not associated with the application, a region of code that is unidentified, or unusual code that is not associated with the application. In addition, the event tracing can be an embedded application that is part of the operating system.

17 Citations

View as Search Results

25 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor, cause the processor to:
- execute an application in a system;
  
  perform event tracing for the application;
  
  analyze each instruction pointer from the event tracing; and
  
  determine if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The at least one non-transitory computer-readable medium of claim 1, wherein the orphan page is a region of code that is not associated with the application.
  - 3. The at least one non-transitory computer-readable medium of claim 1, wherein the orphan page is a region of code that is unidentified.
  - 4. The at least one non-transitory computer-readable medium of claim 1, wherein the system includes an operating system and an embedded application that is part of the operating system performs the event tracing.
  - 5. The at least one non-transitory computer-readable medium of claim 1, further comprising one or more instructions that when executed by the processor:
    - determine if the instruction pointer points to unusual code that is not associated with the application.
  - 6. The at least one non-transitory computer-readable medium of claim 1, wherein the event tracing is transparent to the application.
  - 7. The at least one non-transitory computer-readable medium of claim 1, wherein the event tracing is asynchronous with the application such that the target application continues execution without being blocked.
  - 8. The at least one non-transitory computer-readable medium of claim 1, further comprising one or more instructions that when executed by the processor:
    - flag the application as malicious if the instruction pointer points to an orphan page of memory or the instruction pointer points to unusual code that is not associated with the application.

9. An apparatus comprising:
- a detection module, wherein the detection module is configured to;
  
  execute an application in a system;
  
  perform event tracing for the application;
  
  analyze each instruction pointer from the event tracing; and
  
  determine if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the orphan page is a region of code that is not associated with the application.
  - 11. The apparatus of claim 9, wherein the orphan page is a region of code that is unidentified.
  - 12. The apparatus of claim 9, wherein the system includes an operating system and an embedded application that is part of the operating system performs the event tracing.
  - 13. The apparatus of claim 9, wherein the detection module is further configured to:
    - determine if the instruction pointer points to unusual code that is not associated with the application.
  - 14. The apparatus of claim 9, wherein the event tracing is transparent to the application.
  - 15. The apparatus of claim 9, wherein the event tracing is asynchronous with the application such that the target application continues execution without being blocked.

16. A method comprising:
- executing an application in a system;
  
  performing event tracing for the application;
  
  analyzing each instruction pointer from the event tracing; and
  
  determining if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the orphan page is a region of code that is not associated with the application.
  - 18. The method of claim 16, wherein the orphan page is a region of code that is unidentified.
  - 19. The method of claim 16, wherein the system includes an operating system and an embedded application that is part of the operating system performs the event tracing.
  - 20. The method of claim 16, further comprising:
    - determining if the instruction pointer points to unusual code that is not associated with the application.
  - 21. The method of claim 16, wherein the event tracing is transparent to the application.
  - 22. The method of claim 16, wherein the event tracing is asynchronous with the application such that the target application continues execution without being blocked.

23. A system for profiling event based exploit detection, the system comprising:
- a detection module, wherein the detection module is configured to;
  
  execute an application in a system;
  
  perform event tracing for the application;
  
  analyze each instruction pointer from the event tracing; and
  
  determine if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.
- View Dependent Claims (24, 25)
- - 24. The system of claim 23, wherein the orphan page is a region of code that is not associated with the application.
  - 25. The system of claim 23, wherein the system includes an operating system and an embedded application that is part of the operating system performs the event tracing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Pikhur, Volodymyr, Mathur, Rachit
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Anderson, Michael D

Application Number

US14/751,762
Publication Number

US 20160378975A1
Time in Patent Office

1,068 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/554 involving event detection a...

Profiling event based exploit detection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Profiling event based exploit detection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others