Malware detection in event loops
US-2019205530-A1 · Jul 4, 2019 · US
US10990975B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10990975-B2 |
| Application number | US-201715806965-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 8, 2017 |
| Priority date | Nov 8, 2017 |
| Publication date | Apr 27, 2021 |
| Grant date | Apr 27, 2021 |
Official abstract text for this publication.
Methods and systems for detecting malware by monitoring client-side memory stacks are described. A request for a payment process is received and a client-side memory stack is populated with a series of functions corresponding to the requested payment process. The execution of each function is monitored to determine whether the series of functions and an order of execution of the functions from the client-side memory stack are the same as an expected series of functions and in an expected order corresponding to the payment process. The monitoring also determines whether the number and types of parameters called by the functions are the same as the expected number and types of parameters. The monitoring further determines whether the timing of the execution of the functions is the same as an expected timing. Remedial action is performed when any of these factors is determined to be different than what is expected.
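The three comparisons the abstract lists (execution order, number and types of parameters, timing) can be sketched as a wrapper-based monitor. This is an added example, not code from the patent; the function names, the expected profile, the 50 ms threshold and the scenarios are constructed assumptions.

```javascript
// Added example (not from the patent). Function names, thresholds and the
// expected profile are constructed for illustration.
const EXPECTED = [
  { name: 'validateCart',  types: ['object'],           maxMs: 50 },
  { name: 'tokenizeCard',  types: ['string', 'string'], maxMs: 50 },
  { name: 'submitPayment', types: ['string', 'number'], maxMs: 50 },
];

function createMonitor(expected, now = () => Date.now()) {
  const trace = [];
  // Wrap a payment-flow function so each call records name, argument types and duration.
  const wrap = (name, fn) => function (...args) {
    const start = now();
    try { return fn.apply(this, args); }
    finally { trace.push({ name, types: args.map(a => typeof a), ms: now() - start }); }
  };
  // Compare the observed trace with the expected profile, position by position.
  function evaluate() {
    const findings = [];
    for (let i = 0; i < Math.max(trace.length, expected.length); i++) {
      const got = trace[i], want = expected[i];
      if (!got) { findings.push(`missing:${want.name}`); continue; }
      if (!want || got.name !== want.name) { findings.push(`order:${got.name}@${i}`); continue; }
      if (got.types.length !== want.types.length) findings.push(`argc:${got.name}`);
      else if (got.types.some((t, j) => t !== want.types[j])) findings.push(`argtype:${got.name}`);
      if (got.ms > want.maxMs) findings.push(`timing:${got.name}`);
    }
    // A non-empty result is the trigger for the re-authentication challenge.
    return { reauthRequired: findings.length > 0, findings };
  }
  return { wrap, evaluate };
}

// Constructed scenarios, driven by a fake clock so results are deterministic.
function runScenario(kind) {
  let t = 0;
  const step = kind === 'slow' ? 200 : 1;
  const m = createMonitor(EXPECTED, () => (t += step));
  const validateCart = m.wrap('validateCart', cart => cart.items.length > 0);
  const tokenizeCard = m.wrap('tokenizeCard', (pan, exp) => 'tok_' + pan.slice(-4));
  const submitPayment = m.wrap('submitPayment', (token, amount) => ({ token, amount }));
  if (kind !== 'skipped') {
    validateCart({ items: ['sku-1'] });
    tokenizeCard('constructed-pan-0000', '12/30');
  }
  if (kind === 'extra-arg') submitPayment('tok_0000', 25, 'other-payee');
  else submitPayment('tok_0000', 25);
  return m.evaluate();
}
```

A wrapper installed in the page can be replaced by any other script running in the same origin, so the trace is best treated as one risk signal alongside server-side checks.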
Opening claim text (preview).
What is claimed is:

1. A system comprising: a non-transitory memory storing instructions; and one or more hardware processors coupled to the non-transitory memory and configured to read the instructions from the non-transitory memory to cause the system to perform operations comprising: receiving, from a first application of a user device, a request for initiating a payment process and first authentication data associated with an account; in response to receiving the request, causing a second application of the user device to begin monitoring a client-side memory stack of the user device, wherein the client-side memory stack is populated with a set of functions corresponding to the payment process; analyzing an execution of the set of functions based on the monitoring of the client-side memory stack; determining an order in which the set of functions from the client-side memory stack is executed by the user device based on the analyzing; determining whether a malware is present on the user device based on a comparison between the order in which the set of functions is executed by the user device and a predetermined order; in response to determining that the malware is present on the user device, interrupting the execution of the set of functions on the user device by presenting, on the user device, a re-authentication challenge; receiving second authentication data from the user device; and causing the user device to resume or abort the execution of the set of functions based on the second authentication data.

2. The system of claim 1, wherein the client-side memory stack is a JavaScript stack.

3. The system of claim 1, wherein the operations further comprise in response to authenticating a user for using the account based on the second authentication data, causing the user device to resume the execution of the set of functions.

4. The system of claim 1, wherein the operations further comprise in response to determining that the malware is present on the user device, transmitting an alert to a device associated with one of an administrator or an owner of the account.

5. The system of claim 1, wherein the operations further comprise determining that the set of functions in the client-side memory stack matches a predetermined set of functions associated with the payment process.

6. The system of claim 1, wherein the operations further comprise determining that a corresponding set of parameters required by each corresponding function of the set of functions in the client-side memory stack matches an expected number of parameters associated with the corresponding function.

7. The system of claim 1, wherein the re-authentication challenge requires an input from a human.

8. A method comprising: receiving, by one or more hardware processors from a first application of a user device, a request for initiating a payment process and first authentication data associated with an account; in response to receiving the request, causing a second application of the user device to begin monitoring a client-side memory stack of the user device, wherein the client-side memory stack is populated with a set of functions corresponding to the payment process; determining a corresponding set of parameters retrieved by each function of the set of functions based on the monitoring of the client-side memory stack; determining, by the one or more hardware processors, whether a malware is present on the user device based on a comparison between the corresponding set of parameters retrieved by each function of the set of functions and a corresponding expected set of parameters; in response to determining that the malware is present on the user device, interrupting an execution of the set of functions on the user device by presenting, on the user device, a re-authentication challenge; receiving second authentication data from the user device; and causing the user device to resume or abort the execution of the set of functions based on the second authentication data.

9. The method of claim 8, wherein the client-side memory stack is a JavaScript stack.

10. The method of claim 8, further comprising: in response to determining that a user of the user device is not authenticated based on the second authentication data, causing the user device to abort the execution of the set of functions.

11. The method of claim 8, wherein an execution of each function of the set of functions causes the user device to retrieve a different set of parameters corresponding to the function.

12. The method of claim 8, wherein the determining whether the malware is present on the user device comprises: identifying a corresponding number of parameters retrieved by each of the set of functions being executed by the user device; and comparing the identified corresponding number to an expected number of parameters corresponding to the function.

13. The method of claim 8, wherein the determining whether the malware is present on the user device comprises: identifying corresponding types of parameters retrieved by each of the set of functions being executed by the user device; and comparing the identified corresponding types to expected types of parameters corresponding to the function.

14. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising: receiving, from a first application of a user device, a request for initiating a payment process and first authentication data associated with an account; in response to receiving the request, causing a second application of the user device to begin monitoring a client-side memory stack of the user device, wherein the client-side memory stack is populated with a set of functions corresponding to the payment process; determining, based on the monitoring, a corresponding execution time of each function of the set of functions; determining whether a malware is present on the user device based on a comparison between the corresponding execution time of each function of the set of functions and an expected execution time corresponding to the function; in response to determining that the malware is present on the user device, modifying a security level associated with processing the payment process by presenting, on the user device, a re-authentication challenging; receiving second authentication data from the user device; and causing the user device to resume or abort an execution of the set of functions based on the second authentication data.

15. The non-transitory machine-readable medium of claim 14, wherein the client-side memory stack is a JavaScript stack.

16. The non-transitory machine-readable medium of claim 14, wherein the operations further comprise in response to determining that the malware is present on the user device, flagging the payment process for review.

17. The non-transitory machine-readable medium of claim 14, wherein the operations further comprise in response to determining that the malware is present on the user device, transmitting an alert to a device associated with one of an administrator or an owner of the account.

18. The non-transitory machine-readable medium of claim 14, wherein the operations further comprise: authenticating a user of the user device based on the second authentication data; and in response to authenticating the user, causing the user device to resume the execution of the set of functions.

19. The non-transitory machine-readable medium of claim 14, wherein the
involving fraud or risk level assessment in transaction processing · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Identity check for transactions · CPC title