Profiling event based exploit detection
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to execute an application in a system with an operating system, perform event tracing for the application, analyze each instruction pointer from the event tracing, and determine if an instruction pointer points to an orphan page of memory. The orphan page can be a region of code that is not associated with the application, a region of code that is unidentified, or unusual code that is not associated with the application. In addition, the event tracing can be an embedded application that is part of the operating system.
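The check described in the abstract, sketched as an added example (not code from the patent or its assignee): each traced instruction pointer is looked up against the address ranges of loaded modules and other regions associated with the application, and pointers that fall outside all of them are grouped by page. The region names, addresses, 4 KiB page size and the (sequence, instruction pointer) event shape are assumptions constructed for illustration.

```python
from bisect import bisect_right
from typing import NamedTuple

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages

class Region(NamedTuple):
    start: int  # inclusive
    end: int    # exclusive
    name: str

def build_index(regions):
    """Sort regions by start address (assumed non-overlapping) for binary search."""
    ordered = sorted(regions)
    return [r.start for r in ordered], ordered

def owner_of(ip, index):
    """Return the Region containing ip, or None if ip is outside every known region."""
    starts, ordered = index
    i = bisect_right(starts, ip) - 1
    return ordered[i] if i >= 0 and ip < ordered[i].end else None

def find_orphan_hits(events, regions):
    """Map orphan page base -> sequence numbers of traced events executing there."""
    index = build_index(regions)
    orphans = {}
    for seq, ip in events:
        if owner_of(ip, index) is None:
            orphans.setdefault(ip & ~(PAGE_SIZE - 1), []).append(seq)
    return orphans

# Constructed sample data: hypothetical module map and traced instruction pointers.
REGIONS = [
    Region(0x00400000, 0x0045A000, "app.exe"),
    Region(0x7FFA10000000, 0x7FFA101F0000, "libexample.dll"),
    Region(0x02000000, 0x02010000, "region registered by the application"),
]
EVENTS = [
    (1, 0x00401A2C), (2, 0x7FFA1000BEEF), (3, 0x02000040),  # inside known regions
    (4, 0x0A3F0010), (5, 0x0A3F0FFC),  # outside every region, same page
    (6, 0x0045A000),                   # first byte past the end of app.exe
]

if __name__ == "__main__":
    for page, seqs in sorted(find_orphan_hits(EVENTS, REGIONS).items()):
        print(f"orphan page {page:#x}: events {seqs}")
```

Event 6 shows the boundary case: region ends are exclusive, so an instruction pointer at the first address past a module is reported as orphan.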
25 Claims
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor, cause the processor to:
- execute an application in a system;
- perform event tracing for the application;
- analyze each instruction pointer from the event tracing; and
- determine if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.

9. An apparatus comprising:
- a detection module, wherein the detection module is configured to:
  - execute an application in a system;
  - perform event tracing for the application;
  - analyze each instruction pointer from the event tracing; and
  - determine if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.

16. A method comprising:
- executing an application in a system;
- performing event tracing for the application;
- analyzing each instruction pointer from the event tracing; and
- determining if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.

23. A system for profiling event based exploit detection, the system comprising:
- a detection module, wherein the detection module is configured to:
  - execute an application in a system;
  - perform event tracing for the application;
  - analyze each instruction pointer from the event tracing; and
  - determine if an instruction pointer points to an orphan page of memory, wherein the orphan page of memory is a region of memory outside of loaded modules or memory regions associated with the application.
Specification