METHODS, MEDIA, AND SYSTEMS FOR DETECTING ANOMALOUS PROGRAM EXECUTIONS

US 20120151270A1
Filed: 11/21/2011
Published: 06/14/2012
Est. Priority Date: 10/25/2005
Status: Active Grant

First Claim

Patent Images

1-42. -42. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.

22 Citations

View as Search Results

63 Claims

1-42. -42. (canceled)

43. A method for detecting anomalous program executions, the method comprising:
- executing at least a portion of a program in an emulator;
  
  comparing a function call made in the emulator to a model of function calls for the at least a portion of the program; and
  
  identifying the function call as anomalous based on the comparison.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 44. The method of claim 43, wherein the model is a combined model created from at least two models created using different computers.
  - 45. The method of claim 43, wherein the Model is a combined model created from at least two models created at different times.
  - 46. The method of claim 43, further comprising modifying the function call so that the function call becomes non-anomalous.
  - 47. The method of claim 43, further comprising generating a virtualized error in response to the function call being identified as being anomalous.
  - 48. The method of claim 43, wherein the comparing compares the function call name and arguments to the model.
  - 49. The method of claim 43, wherein the model reflects normal activity of the at least a portion of the program.
  - 50. The method of claim 43, wherein the model reflects attacks against the at least a portion of the program.
  - 51. The method of claim 43, further comprising randomly selecting at least a portion of the model to be used in the comparison from a plurality of different models relating to the program.
  - 52. The method of claim 43, further comprising notifying another computer of the anomalous function call upon the function call being identified as anomalous.

53. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, comprising:
- executing at least a portion of a program in an emulator;
  
  comparing a function call made in the emulator to a model of function calls for the at least a portion of the program; and
  
  identifying the function call as anomalous based on the comparison.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60, 61, 62)
- - 54. The non-transitory computer-readable medium of claim 53, wherein the model is combined model created from at least two models created using different computers.
  - 55. The non-transitory computer-readable medium of claim 53, wherein the model is a combined model created from at least two models created at different times.
  - 56. The non-transitory computer-readable medium of claim 53, wherein the method further comprises modifying the function call so that the function call becomes non-anomalous.
  - 57. The non-transitory computer-readable medium of claim 53, wherein the method further comprises generating a virtualized error in response to the function call being identified as being anomalous.
  - 58. The non-transitory computer-readable medium of claim 53, wherein the comparing compares the function call name and arguments to the model.
  - 59. The non-transitory computer-readable medium of claim 53, wherein the model reflects normal activity of the at least a portion of the program.
  - 60. The non-transitory computer-readable medium of claim 53, wherein the model reflects attacks against the at least a portion of the program.
  - 61. The non-transitory computer-readable medium of claim 53, wherein the method further comprises randomly selecting at least a portion of the model to be used in the comparison from a plurality of different models relating to the program.
  - 62. The non-transitory computer-readable medium of claim 53, wherein the method further comprises notifying another computer of the anomalous function call upon the function call being identified as anomalous.

63. A system for detecting anomalous program executions, comprising:
- a processor that;
  
  executes at least a portion of a program in an emulator;
  
  compares a function call made in the emulator to a model of function calls for the at least a portion of the program; and
  
  identifies the function call as anomalous based on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Angelos D. Keromytis, Salvatore J. Stolfo, Stylianos Sidiroglou
Original Assignee
Angelos D. Keromytis, Salvatore J. Stolfo, Stylianos Sidiroglou
Inventors
Stolfo, Salvatore J., Keromytis, Angelos D., Sidiroglou, Stylianos

Granted Patent

US 8,601,322 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/38.1
CPC Class Codes

G06F 11/0718   in an object-oriented system

G06F 11/0751   Error or fault detection no...

G06F 11/0772   Means for error signaling, ...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/3652   in-circuit-emulation [ICE] ...

METHODS, MEDIA, AND SYSTEMS FOR DETECTING ANOMALOUS PROGRAM EXECUTIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

63 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS, MEDIA, AND SYSTEMS FOR DETECTING ANOMALOUS PROGRAM EXECUTIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

63 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links