Methods, media, and systems for detecting anomalous program executions
Abstract
Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
Claims
exact text as granted — not AI-modified1 . A method for detecting anomalous program executions, comprising:
using an emulator to monitor and selectively execute at least a part of a program; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; identifying the function call as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.
2 . The method of claim 1 , wherein the emulator is an instruction-level emulator that executes one or more function calls in the at least a part of the program.
3 . The method of claim 1 , wherein the emulator is an instruction-level emulator that selectively executes the at least a part of the program prior to the function call within the at least a part of the program being executed outside of the instruction-level emulator.
4 . The method of claim 1 , wherein the model of function calls is a combined model created from at least two models created at different times.
5 . The method of claim 1 , wherein the model of function calls is a combined model created from at least two models created using different computers from the plurality of computers within the community.
6 . The method of claim 1 , wherein the model reflects normal activity of the at least a part of the program.
7 . The method of claim 1 , wherein the model reflects attacks against the at least a part of the program.
8 . The method of claim 1 , wherein the comparison determines a probability that the behavior corresponds to the attack.
9 . The method of claim 1 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are different portions of the program.
10 . The method of claim 1 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are the same portion of the program.
11 . A method for detecting anomalous program executions, comprising:
modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in an emulator that monitors and selectively executes at least a part of the program to a model of function calls for the at least a part of the program; identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.
12 . The method of claim 11 , wherein the emulator is an instruction-level emulator that executes one or more function calls in the at least a part of the program.
13 . The method of claim 11 , wherein the emulator is an instruction-level emulator that selectively executes the at least a part of the program prior to the function call within the at least a part of the program being executed outside of the instruction-level emulator.
14 . The method of claim 11 , wherein the model of function calls is a combined model created from at least two models created at different times.
15 . The method of claim 11 , wherein the model of function calls is a combined model created from at least two models created using different computers from the plurality of computers within the community.
16 . The method of claim 11 , wherein the model reflects normal activity of the at least a part of the program.
17 . The method of claim 11 , wherein the model reflects attacks against the at least a part of the program.
18 . The method of claim 11 , wherein the comparison determines a probability that the behavior corresponds to the attack.
19 . The method of claim 11 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are different portions of the program.
20 . The method of claim 11 , wherein a first computer of the plurality of computers runs a first portion of the program and a second computer of the plurality of computers runs a second portion of the program, wherein the first portion of the program and the second portion of the program are the same portion of the program.
21 . The method of claim 1 , wherein the model of function calls is generated in whole or in part from executing function calls.
22 . The method of claim 21 , wherein the emulator monitors and selectively executes all of the program.
23 . The method of claim 21 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
24 . The method of claim 21 , wherein the members of the community include the plurality of computers running the same program.
25 . The method of claim 21 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
26 . The method of claim 21 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
27 . The method of claim 1 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis.
28 . The method of claim 27 , wherein the emulator monitors and selectively executes all of the program.
29 . The method of claim 27 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
30 . The method of claim 27 , wherein the members of the community include the plurality of computers running the same program.
31 . The method of claim 27 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
32 . The method of claim 27 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
33 . The method of claim 1 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program.
34 . The method of claim 33 , wherein the emulator monitors and selectively executes all of the program.
35 . The method of claim 33 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
36 . The method of claim 33 , wherein the members of the community include the plurality of computers running the same program.
37 . The method of claim 33 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
38 . The method of claim 33 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
39 . The method of claim 1 , wherein the model of function calls incorporates information about normal program execution stack behavior.
40 . The method of claim 39 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls.
41 . The method of claim 1 , wherein the model incorporates information about known attacks against the at least a part of the program.
42 . The method of claim 1 , wherein the model incorporates information about suspected attacks against the at least a part of the program.
43 . The method of claim 1 , wherein the emulator monitors and selectively executes all of the program.
44 . The method of claim 1 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
45 . The method of claim 1 , wherein the members of the community include the plurality of computers running the same program.
46 . The method of claim 1 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
47 . The method of claim 1 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
48 . The method of claim 11 , wherein the model of function calls is generated in whole or in part from executing function calls.
49 . The method of claim 48 , wherein the emulator monitors and selectively executes all of the program.
50 . The method of claim 48 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
51 . The method of claim 48 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
52 . The method of claim 48 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
53 . The method of claim 11 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis.
54 . The method of claim 53 , wherein the emulator monitors and selectively executes all of the program.
55 . The method of claim 53 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
56 . The method of claim 53 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
57 . The method of claim 53 wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
58 . The method of claim 11 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program.
59 . The method of claim 58 , wherein the emulator monitors and selectively executes all of the program.
60 . The method of claim 58 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
61 . The method of claim 58 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
62 . The method of claim 58 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
63 . The method of claim 11 , wherein the model of function calls incorporates information about normal program execution stack behavior.
64 . The method of claim 63 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls.
65 . The method of claim 11 , wherein the model incorporates information about known attacks against the at least a part of the program.
66 . The method of claim 11 , wherein the model incorporates information about suspected attacks against the at least a part of the program.
67 . The method of claim 11 , wherein the emulator monitors and selectively executes all of the program.
68 . The method of claim 11 , further comprising, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
69 . The method of claim 11 , wherein the members of the community include the plurality of computers running the same program.
70 . The method of claim 11 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
71 . The method of claim 11 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
72 . A system for detecting anomalous program executions, comprising:
a hardware processor; and a memory that stores instructions which, when executed by the hardware processor, cause the hardware processor to:
use an emulator to monitor and selectively execute at least a part of a program;
compare a function call made in the emulator to a model of function calls for the at least a part of the program;
identify the function call as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and
upon identifying the anomalous function call, notify members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.
73 . The system of claim 72 , wherein the emulator monitors and selectively executes all of the program.
74 . The system of claim 72 , wherein the model of function calls is generated in whole or in part from executing function calls.
75 . The system of claim 74 , wherein the emulator monitors and selectively executes all of the program.
76 . The system of claim 74 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
77 . The system of claim 74 , wherein the members of the community include the plurality of computers running the same program.
78 . The system of claim 74 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
79 . The system of claim 74 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
80 . The system of claim 72 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis.
81 . The system of claim 80 , wherein the emulator monitors and selectively executes all of the program.
82 . The system of claim 80 , wherein the members of the community include the plurality of computers running the same program.
83 . The system of claim 80 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
84 . The system of claim 80 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
85 . The system of claim 80 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
86 . The system of claim 72 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program.
87 . The system of claim 86 , wherein the emulator monitors and selectively executes all of the program.
88 . The system of claim 86 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
89 . The system of claim 86 , wherein the members of the community include the plurality of computers running the same program.
90 . The system of claim 86 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
91 . The system of claim 86 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
92 . The system of claim 72 , wherein the model of function calls incorporates information about normal program execution stack behavior.
93 . The system of claim 92 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls.
94 . The system of claim 72 , wherein the model incorporates information about known attacks against the at least a part of the program.
95 . The system of claim 72 , wherein the model incorporates information about suspected attacks against the at least a part of the program.
96 . The system of claim 72 , wherein the members of the community include the plurality of computers running the same program.
97 . The system of claim 72 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
98 . The system of claim 72 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
99 . The system of claim 72 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
100 . A system for detecting anomalous program executions, comprising:
a hardware processor; and a memory that stores instructions which, when executed by the hardware processor, cause the hardware processor to:
modify a program to include indicators of program-level function calls being made during execution of the program;
compare at least one of the indicators of program-level function calls made in an emulator that monitors and selectively executes at least a part of the program to a model of function calls for the at least a part of the program;
identify a function call corresponding to the at least one of the indicators as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and
upon identifying the anomalous function call, notify members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.
101 . The system of claim 100 , wherein the emulator monitors and selectively executes all of the program.
102 . The system of claim 100 , wherein the model of function calls is generated in whole or in part from executing function calls.
103 . The system of claim 102 , wherein the emulator monitors and selectively executes all of the program.
104 . The system of claim 102 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
105 . The system of claim 102 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
106 . The system of claim 102 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
107 . The system of claim 100 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis.
108 . The system of claim 107 , wherein the emulator monitors and selectively executes all of the program.
109 . The system of claim 107 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
110 . The system of claim 107 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
111 . The system of claim 107 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
112 . The system of claim 100 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program.
113 . The system of claim 112 , wherein the emulator monitors and selectively executes all of the program.
114 . The system of claim 112 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
115 . The system of claim 112 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
116 . The system of claim 112 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
117 . The system of claim 100 , wherein the model of function calls incorporates information about normal program execution stack behavior.
118 . The system of claim 117 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls.
119 . The system of claim 100 , wherein the model incorporates information about known attacks against the at least a part of the program.
120 . The system of claim 100 , wherein the model incorporates information about suspected attacks against the at least a part of the program.
121 . The system of claim 100 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
122 . The system of claim 100 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
123 . The system of claim 100 , wherein the hardware processor is further configured to, in addition to monitoring and selectively executing the at least a part of the program, perform a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
124 . A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, the method comprising:
using an emulator to monitor and selectively execute at least a part of a program; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; identifying the function call as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.
125 . The non-transitory computer-readable medium of claim 124 , wherein the emulator monitors and selectively executes all of the program.
126 . The non-transitory computer-readable medium of claim 124 , wherein the model of function calls is generated in whole or in part from executing function calls.
127 . The non-transitory computer-readable medium of claim 126 , wherein the emulator monitors and selectively executes all of the program.
128 . The non-transitory computer-readable medium of claim 126 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
129 . The non-transitory computer-readable medium of claim 126 , wherein the members of the community include the plurality of computers running the same program.
130 . The non-transitory computer-readable medium of claim 126 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
131 . The non-transitory computer-readable medium of claim 126 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
132 . The non-transitory computer-readable medium of claim 124 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis.
133 . The non-transitory computer-readable medium of claim 132 , wherein the emulator monitors and selectively executes all of the program.
134 . The non-transitory computer-readable medium of claim 132 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
135 . The non-transitory computer-readable medium of claim 132 , wherein the members of the community include the plurality of computers running the same program.
136 . The non-transitory computer-readable medium of claim 132 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
137 . The non-transitory computer-readable medium of claim 132 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
138 . The non-transitory computer-readable medium of claim 124 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program.
139 . The non-transitory computer-readable medium of claim 138 , wherein the emulator monitors and selectively executes all of the program.
140 . The non-transitory computer-readable medium of claim 138 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
141 . The non-transitory computer-readable medium of claim 138 , wherein the members of the community include the plurality of computers running the same program.
142 . The non-transitory computer-readable medium of claim 138 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
143 . The non-transitory computer-readable medium of claim 138 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
144 . The non-transitory computer-readable medium of claim 124 , wherein the model of function calls incorporates information about normal program execution stack behavior.
145 . The non-transitory computer-readable medium of claim 144 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls.
146 . The non-transitory computer-readable medium of claim 124 , wherein the model incorporates information about known attacks against the at least a part of the program.
147 . The non-transitory computer-readable medium of claim 124 , wherein the model incorporates information about suspected attacks against the at least a part of the program.
148 . The non-transitory computer-readable medium of claim 124 , wherein the members of the community include the plurality of computers running the same program.
149 . The non-transitory computer-readable medium of claim 124 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
150 . The non-transitory computer-readable medium of claim 124 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
151 . The non-transitory computer-readable medium of claim 124 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
152 . A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting anomalous program executions, the method comprising:
modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in an emulator that monitors and selectively executes at least a part of the program to a model of function calls for the at least a part of the program; identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison, wherein the function call is identified as an anomalous function call in response to the comparison indicating behavior that deviates from normal and may correspond to an attack; and upon identifying the anomalous function call, notifying members of a community, which includes a plurality of computers running at least a selected portion of the program, of the anomalous function call.
153 . The non-transitory computer-readable medium of claim 152 , wherein the emulator monitors and selectively executes all of the program.
154 . The non-transitory computer-readable medium of claim 152 , wherein the model of function calls is generated in whole or in part from executing function calls.
155 . The non-transitory computer-readable medium of claim 154 , wherein the emulator monitors and selectively executes all of the program.
156 . The non-transitory computer-readable medium of claim 154 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
157 . The non-transitory computer-readable medium of claim 154 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
158 . The non-transitory computer-readable medium of claim 154 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
159 . The non-transitory computer-readable medium of claim 152 , wherein the model of function calls is generated in whole or in part from executing function calls and wherein the comparison indicating behavior that deviates from normal and may correspond to the attack is based on a statistical analysis.
160 . The non-transitory computer-readable medium of claim 159 , wherein the emulator monitors and selectively executes all of the program.
161 . The non-transitory computer-readable medium of claim 159 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
162 . The non-transitory computer-readable medium of claim 159 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
163 . The non-transitory computer-readable medium of claim 159 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
164 . The non-transitory computer-readable medium of claim 152 , wherein the model of function calls is generated in whole or in part from executing function calls, wherein the comparison indicating behavior that deviates from normal and may correspond to an attack is based on a statistical analysis, and wherein the model of function calls incorporates information about known or suspected attacks against the at least a part of the program.
165 . The non-transitory computer-readable medium of claim 164 , wherein the emulator monitors and selectively executes all of the program.
166 . The non-transitory computer-readable medium of claim 164 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.
167 . The non-transitory computer-readable medium of claim 164 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
168 . The non-transitory computer-readable medium of claim 164 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
169 . The non-transitory computer-readable medium of claim 152 , wherein the model of function calls incorporates information about normal program execution stack behavior.
170 . The non-transitory computer-readable medium of claim 169 , wherein the normal program execution stack behavior includes behavior of the stack during program execution, which contains information about executed function calls.
171 . The non-transitory computer-readable medium of claim 152 , wherein the model incorporates information about known attacks against the at least a part of the program.
172 . The non-transitory computer-readable medium of claim 152 , wherein the model incorporates information about suspected attacks against the at least a part of the program.
173 . The non-transitory computer-readable medium of claim 152 , wherein the plurality of computers run the program or a portion thereof to build the model of function calls for the at least a part of the program.
174 . The non-transitory computer-readable medium of claim 152 , wherein the plurality of computers run an application that shares information that is used to build the model of function calls for the at least a part of the program.
175 . The non-transitory computer-readable medium of claim 152 , wherein the method further comprises, in addition to monitoring and selectively executing the at least a part of the program, performing a simulation that continues to execute the program and that is separate from the monitoring and selectively executing the at least a part of the program, wherein the simulation returns an error return from a function of the program.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.