SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETECTING AT LEAST POTENTIALLY UNWANTED ACTIVITY BASED ON EXECUTION PROFILE MONITORING

US 20130276110A1
Filed: 09/18/2007
Published: 10/17/2013
Est. Priority Date: 09/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method of detecting at least potentially unwanted activity, comprising:

monitoring, with a processor, an execution profile of code utilizing call frame monitoring;

noting, with the processor, a call frame associated with the code utilizing the call frame monitoring;

identifying, with the processor, executable memory associated with the noted call frame, wherein the executable memory is backed by a loaded executable;

identifying, with the processor, an owner of the executable memory by determining a file path of the loaded executable; and

determining, with the processor, whether the owner of the executable memory is legitimate.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for detecting at least potentially unwanted activity based on execution profile monitoring. In use, an execution profile of code is monitored utilizing call frame monitoring. Further, at least potentially unwanted activity is detected based on the monitoring of the execution profile.

3 Citations

24 Claims

1. A method of detecting at least potentially unwanted activity, comprising:
- monitoring, with a processor, an execution profile of code utilizing call frame monitoring;
  
  noting, with the processor, a call frame associated with the code utilizing the call frame monitoring;
  
  identifying, with the processor, executable memory associated with the noted call frame, wherein the executable memory is backed by a loaded executable;
  
  identifying, with the processor, an owner of the executable memory by determining a file path of the loaded executable; and
  
  determining, with the processor, whether the owner of the executable memory is legitimate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the code includes executable code.
  - 3. The method of claim 1, wherein the code is associated with an event.
  - 4. The method of claim 3, wherein the event includes invocation of a hooked interface.
  - 5. The method of claim 3, wherein the event includes generation of an interrupt.
  - 6. The method of claim 1, wherein the execution profile includes event handling associated with the code.
  - 7. The method of claim 1, wherein the execution profile includes components executed by the code.
  - 8. The method of claim 1, wherein the call frame monitoring includes monitoring call frames associated with the code that are added to an execution stack.
  - 9. The method of claim 1, wherein the call frame monitoring includes monitoring call frames associated with the code that are removed from an execution stack.
  - 10. The method of claim 1, further comprising holding an event associated with the code during initiation of the call frame monitoring.
  - 15. The method of claim 1, wherein the at least potentially unwanted activity involves malware.
  - 21. The method of claim 1, wherein the call frame is noted utilizing an inline hook.
  - 22. The method of claim 1, wherein the call frame is noted utilizing virtualization.
  - 23. The method of claim 1, wherein the loaded executable is an executable application file.
  - 24. The method of claim 1, wherein the loaded executable is a loadable library.

11-14. -14. (canceled)

16-17. -17. (canceled)

18. A computer program product embodied on a non-transitory computer readable storage medium, comprising:
- computer code for monitoring an execution profile of code utilizing call frame monitoring;
  
  computer code for noting a call frame associated with the code utilizing the call frame monitoring;
  
  computer code for identifying executable memory associated with the noted call frame, wherein the executable memory is backed by a loaded executable;
  
  computer code for identifying an owner of the executable memory by determining a file path of the loaded executable; and
  
  computer code for determining whether an owner of executable memory associated with the noted call frame is legitimate.

19. A system, comprising:
- a memory; and
  
  a processor operatively coupled to the memory, the processor adapted to execute program code stored in the memory to;
  
  monitor an execution profile of code utilizing call frame monitoring,detect at least potentially unwanted activity based on the monitoring of the execution profile, wherein detecting the at least potentially unwanted activity comprises;
  
  noting a call frame associated with the code utilizing the call frame monitoring,identifying executable memory associated with the noted call frame, wherein the executable memory is backed by a loaded executable,identifying an owner of the executable memory by determining a file path of the loaded executable, anddetermining whether an owner of executable memory associated with the noted call frame is legitimate.

20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dalcher, Gregory William

Granted Patent

US 8,613,084 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1425   Traffic logging, e.g. anoma...

SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETECTING AT LEAST POTENTIALLY UNWANTED ACTIVITY BASED ON EXECUTION PROFILE MONITORING

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETECTING AT LEAST POTENTIALLY UNWANTED ACTIVITY BASED ON EXECUTION PROFILE MONITORING

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links