US2019250978A1PendingUtilityA1

Methods, media, and systems for detecting anomalous program executions

65
Assignee: UNIV COLUMBIAPriority: Oct 25, 2005Filed: Oct 30, 2018Published: Aug 15, 2019
Est. expiryOct 25, 2025(expired)· nominal 20-yr term from priority
G06F 11/0718G06F 11/0751G06F 11/079G06F 11/0772G06F 11/3652
65
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.

Claims

exact text as granted — not AI-modified
1 . A method for detecting anomalous program executions, comprising:
 using an emulator to monitor and selectively execute at least a part of a program;   comparing a function call made in the emulator to a model of function calls for the at least a part of the program;   identifying the function call as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and   upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.   
     
     
         2 . The method of  claim 1 , wherein the emulator is an instruction-level emulator that executes one or more function calls in the at least a part of the program. 
     
     
         3 . The method of  claim 1 , wherein the emulator is an instruction-level emulator that selectively executes the at least a part of the program prior to the function call within the at least a part of the program being executed outside of the instruction-level emulator. 
     
     
         4 . The method of  claim 1 , wherein the model of function calls is a combined model created from at least two models created at different times. 
     
     
         5 . The method of  claim 1 , wherein the model of function calls is a combined model created from at least two models created using different computers from the plurality of computers within the community. 
     
     
         6 . The method of  claim 1 , wherein the model reflects normal activity of the at least a part of the program. 
     
     
         7 . The method of  claim 1 , wherein the model reflects attacks against the at least a part of the program. 
     
     
         8 . The method of  claim 1 , wherein the comparison determines a probability that the behavior corresponds to the attack. 
     
     
         9 . The method of  claim 1 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are different portions of the program. 
     
     
         10 . The method of  claim 1 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are the same portion of the program. 
     
     
         11 . A method for detecting anomalous program executions, comprising:
 modifying a program to include indicators of program-level function calls being made during execution of the program;   comparing at least one of the indicators of program-level function calls made in an emulator that monitors and selectively executes at least a part of the program to a model of function calls for the at least a part of the program;   identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and   upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.   
     
     
         12 . The method of  claim 11 , wherein the emulator is an instruction-level emulator that executes one or more function calls in the at least a part of the program. 
     
     
         13 . The method of  claim 11 , wherein the emulator is an instruction-level emulator that selectively executes the at least a part of the program prior to the function call within the at least a part of the program being executed outside of the instruction-level emulator. 
     
     
         14 . The method of  claim 11 , wherein the model of function calls is a combined model created from at least two models created at different times. 
     
     
         15 . The method of  claim 11 , wherein the model of function calls is a combined model created from at least two models created using different computers from the plurality of computers within the community. 
     
     
         16 . The method of  claim 11 , wherein the model reflects normal activity of the at least a part of the program. 
     
     
         17 . The method of  claim 11 , wherein the model reflects attacks against the at least a part of the program. 
     
     
         18 . The method of  claim 11 , wherein the comparison determines a probability that the behavior corresponds to the attack. 
     
     
         19 . The method of  claim 11 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are different portions of the program. 
     
     
         20 . The method of  claim 11 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are the same portion of the program. 
     
     
         21 . The method of  claim 1 , wherein the model of function calls is generated in whole or in part from executing function calls. 
     
     
         22 . The method of  claim 21 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         23 . The method of  claim 21 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         24 . The method of  claim 21 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         25 . The method of  claim 21 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         26 . The method of  claim 21 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         27 . The method of  claim 1 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis. 
     
     
         28 . The method of  claim 27 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         29 . The method of  claim 27 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         30 . The method of  claim 27 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         31 . The method of  claim 27 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         32 . The method of  claim 27 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         33 . The method of  claim 1 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program. 
     
     
         34 . The method of  claim 33 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         35 . The method of  claim 33 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         36 . The method of  claim 33 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         37 . The method of  claim 33 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         38 . The method of  claim 33 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         39 . The method of  claim 1 , wherein the model of function calls incorporates information about normal program execution stack behavior. 
     
     
         40 . The method of  claim 39 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls. 
     
     
         41 . The method of  claim 1 , wherein the model incorporates information about known attacks against the at least a part of the program. 
     
     
         42 . The method of  claim 1 , wherein the model incorporates information about suspected attacks against the at least a part of the program. 
     
     
         43 . The method of  claim 1 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         44 . The method of  claim 1 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         45 . The method of  claim 1 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         46 . The method of  claim 1 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         47 . The method of  claim 1 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         48 . The method of  claim 11 , wherein the model of function calls is generated in whole or in part from executing function calls. 
     
     
         49 . The method of  claim 48 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         50 . The method of  claim 48 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         51 . The method of  claim 48 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         52 . The method of  claim 48 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         53 . The method of  claim 11 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis. 
     
     
         54 . The method of  claim 53 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         55 . The method of  claim 53 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         56 . The method of  claim 53 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         57 . The method of  claim 53  wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         58 . The method of  claim 11 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program. 
     
     
         59 . The method of  claim 58 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         60 . The method of  claim 58 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         61 . The method of  claim 58 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         62 . The method of  claim 58 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         63 . The method of  claim 11 , wherein the model of function calls incorporates information about normal program execution stack behavior. 
     
     
         64 . The method of  claim 63 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls. 
     
     
         65 . The method of  claim 11 , wherein the model incorporates information about known attacks against the at least a part of the program. 
     
     
         66 . The method of  claim 11 , wherein the model incorporates information about suspected attacks against the at least a part of the program. 
     
     
         67 . The method of  claim 11 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         68 . The method of  claim 11 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         69 . The method of  claim 11 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         70 . The method of  claim 11 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         71 . The method of  claim 11 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         72 . A system for detecting anomalous program executions, comprising:
 a hardware processor; and   a memory that stores instructions which, when executed by the hardware processor, cause the hardware processor to:
 use an emulator to monitor and selectively execute at least a part of a program; 
 compare a function call made in the emulator to a model of function calls for the at least a part of the program; 
 identify the function call as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and 
 upon identifying the anomalous function call, notify members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call. 
   
     
     
         73 . The system of  claim 72 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         74 . The system of  claim 72 , wherein the model of function calls is generated in whole or in part from executing function calls. 
     
     
         75 . The system of  claim 74 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         76 . The system of  claim 74 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         77 . The system of  claim 74 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         78 . The system of  claim 74 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         79 . The system of  claim 74 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         80 . The system of  claim 72 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis. 
     
     
         81 . The system of  claim 80 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         82 . The system of  claim 80 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         83 . The system of  claim 80 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         84 . The system of  claim 80 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         85 . The system of  claim 80 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         86 . The system of  claim 72 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program. 
     
     
         87 . The system of  claim 86 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         88 . The system of  claim 86 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         89 . The system of  claim 86 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         90 . The system of  claim 86 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         91 . The system of  claim 86 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         92 . The system of  claim 72 , wherein the model of function calls incorporates information about normal program execution stack behavior. 
     
     
         93 . The system of  claim 92 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls. 
     
     
         94 . The system of  claim 72 , wherein the model incorporates information about known attacks against the at least a part of the program. 
     
     
         95 . The system of  claim 72 , wherein the model incorporates information about suspected attacks against the at least a part of the program. 
     
     
         96 . The system of  claim 72 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         97 . The system of  claim 72 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         98 . The system of  claim 72 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         99 . The system of  claim 72 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         100 . A system for detecting anomalous program executions, comprising:
 a hardware processor; and   a memory that stores instructions which, when executed by the hardware processor, cause the hardware processor to:
 modify a program to include indicators of program-level function calls being made during execution of the program; 
 compare at least one of the indicators of program-level function calls made in an emulator that monitors and selectively executes at least a part of the program to a model of function calls for the at least a part of the program; 
 identify a function call corresponding to the at least one of the indicators as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and 
 upon identifying the anomalous function call, notify members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call. 
   
     
     
         101 . The system of  claim 100 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         102 . The system of  claim 100 , wherein the model of function calls is generated in whole or in part from executing function calls. 
     
     
         103 . The system of  claim 102 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         104 . The system of  claim 102 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         105 . The system of  claim 102 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         106 . The system of  claim 102 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         107 . The system of  claim 100 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis. 
     
     
         108 . The system of  claim 107 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         109 . The system of  claim 107 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         110 . The system of  claim 107 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         111 . The system of  claim 107 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         112 . The system of  claim 100 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program. 
     
     
         113 . The system of  claim 112 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         114 . The system of  claim 112 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         115 . The system of  claim 112 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         116 . The system of  claim 112 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         117 . The system of  claim 100 , wherein the model of function calls incorporates information about normal program execution stack behavior. 
     
     
         118 . The system of  claim 117 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls. 
     
     
         119 . The system of  claim 100 , wherein the model incorporates information about known attacks against the at least a part of the program. 
     
     
         120 . The system of  claim 100 , wherein the model incorporates information about suspected attacks against the at least a part of the program. 
     
     
         121 . The system of  claim 100 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         122 . The system of  claim 100 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         123 . The system of  claim 100 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         124 . A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, the method comprising:
 using an emulator to monitor and selectively execute at least a part of a program;   comparing a function call made in the emulator to a model of function calls for the at least a part of the program;   identifying the function call as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and   upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.   
     
     
         125 . The non-transitory computer-readable medium of  claim 124 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         126 . The non-transitory computer-readable medium of  claim 124 , wherein the model of function calls is generated in whole or in part from executing function calls. 
     
     
         127 . The non-transitory computer-readable medium of  claim 126 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         128 . The non-transitory computer-readable medium of  claim 126 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         129 . The non-transitory computer-readable medium of  claim 126 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         130 . The non-transitory computer-readable medium of  claim 126 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         131 . The non-transitory computer-readable medium of  claim 126 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         132 . The non-transitory computer-readable medium of  claim 124 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis. 
     
     
         133 . The non-transitory computer-readable medium of  claim 132 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         134 . The non-transitory computer-readable medium of  claim 132 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         135 . The non-transitory computer-readable medium of  claim 132 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         136 . The non-transitory computer-readable medium of  claim 132 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         137 . The non-transitory computer-readable medium of  claim 132 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         138 . The non-transitory computer-readable medium of  claim 124 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program. 
     
     
         139 . The non-transitory computer-readable medium of  claim 138 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         140 . The non-transitory computer-readable medium of  claim 138 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         141 . The non-transitory computer-readable medium of  claim 138 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         142 . The non-transitory computer-readable medium of  claim 138 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         143 . The non-transitory computer-readable medium of  claim 138 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         144 . The non-transitory computer-readable medium of  claim 124 , wherein the model of function calls incorporates information about normal program execution stack behavior. 
     
     
         145 . The non-transitory computer-readable medium of  claim 144 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls. 
     
     
         146 . The non-transitory computer-readable medium of  claim 124 , wherein the model incorporates information about known attacks against the at least a part of the program. 
     
     
         147 . The non-transitory computer-readable medium of  claim 124 , wherein the model incorporates information about suspected attacks against the at least a part of the program. 
     
     
         148 . The non-transitory computer-readable medium of  claim 124 , wherein the members of the community include the plurality of computers running the same program. 
     
     
         149 . The non-transitory computer-readable medium of  claim 124 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         150 . The non-transitory computer-readable medium of  claim 124 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         151 . The non-transitory computer-readable medium of  claim 124 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         152 . A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, the method comprising:
 modifying a program to include indicators of program-level function calls being made during execution of the program;   comparing at least one of the indicators of program-level function calls made in an emulator that monitors and selectively executes at least a part of the program to a model of function calls for the at least a part of the program;   identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and   upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.   
     
     
         153 . The non-transitory computer-readable medium of  claim 152 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         154 . The non-transitory computer-readable medium of  claim 152 , wherein the model of function calls is generated in whole or in part from executing function calls. 
     
     
         155 . The non-transitory computer-readable medium of  claim 154 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         156 . The non-transitory computer-readable medium of  claim 154 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         157 . The non-transitory computer-readable medium of  claim 154 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         158 . The non-transitory computer-readable medium of  claim 154 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         159 . The non-transitory computer-readable medium of  claim 152 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis. 
     
     
         160 . The non-transitory computer-readable medium of  claim 159 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         161 . The non-transitory computer-readable medium of  claim 159 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         162 . The non-transitory computer-readable medium of  claim 159 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         163 . The non-transitory computer-readable medium of  claim 159 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         164 . The non-transitory computer-readable medium of  claim 152 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program. 
     
     
         165 . The non-transitory computer-readable medium of  claim 164 , wherein the emulator monitors and selectively executes all of the program. 
     
     
         166 . The non-transitory computer-readable medium of  claim 164 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program. 
     
     
         167 . The non-transitory computer-readable medium of  claim 164 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         168 . The non-transitory computer-readable medium of  claim 164 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         169 . The non-transitory computer-readable medium of  claim 152 , wherein the model of function calls incorporates information about normal program execution stack behavior. 
     
     
         170 . The non-transitory computer-readable medium of  claim 169 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls. 
     
     
         171 . The non-transitory computer-readable medium of  claim 152 , wherein the model incorporates information about known attacks against the at least a part of the program. 
     
     
         172 . The non-transitory computer-readable medium of  claim 152 , wherein the model incorporates information about suspected attacks against the at least a part of the program. 
     
     
         173 . The non-transitory computer-readable medium of  claim 152 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program. 
     
     
         174 . The non-transitory computer-readable medium of  claim 152 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program. 
     
     
         175 . The non-transitory computer-readable medium of  claim 152 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.