Profile Guided Indirect Function Call Check for Control Flow Integrity
US-2018060209-A1 · Mar 1, 2018 · US
Learned control flow monitoring and enforcement of unobserved transitions
US12585771B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12585771-B2 |
| Application number | US-202218084045-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 19, 2022 |
| Priority date | Jul 22, 2022 |
| Publication date | Mar 24, 2026 |
| Grant date | Mar 24, 2026 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow diagram for a process on a computing system and monitoring execution of the process on the computing system using the control flow diagram. An unobserved transition is determined based on the learned control flow diagram and the unobserved transition is classified as safe or unsafe based on a monitoring component analysis. An action is performed based on the safety classification and the learned control flow diagram.
First claim
Opening claim text (preview).
What is claimed is: 1 . A method for monitoring a computing system, comprising: determining a learned control flow diagram for a process executed on a computing system by observing executions of transitions during an observation period during which safe executions of transitions are permitted to execute and be observed; monitoring execution of the process on the computing system using the learned control flow diagram; determining an unobserved transition of the process based at least in part on the unobserved transition not being represented in the learned control flow diagram; determining a classification of the unobserved transition as being safe by analyzing, using a monitoring component, the unobserved transition; and performing an action based at least in part on the classification and the learned control flow diagram, the action including adding the unobserved transition to the learned control flow diagram. 2 . The method of claim 1 , wherein analyzing the unobserved transition comprises statically analyzing the transition. 3 . The method of claim 1 , wherein determining the classification for the unobserved transition comprises: determining a context for the transition; performing a static analysis of the unobserved transition; and determining the unobserved transition is safe in response to determining a reason for the transition based at least in part on the context and the static analysis. 4 . The method of claim 1 , wherein determining the classification for the unobserved transition comprises: determining a type of transition for the unobserved transition; determining a destination for the unobserved transition; determining a characteristic of the destination; and determining the classification using a machine learned model using inputs of the type of transition, the destination, the characteristic of the destination, and the learned control flow diagram. 5 . The method of claim 1 , wherein determining the classification for the unobserved transition comprises: determining a destination linked by the unobserved transition; and determining a risk score associated with the destination, and wherein the classification is based at least in part on the risk score of the destination. 6 . The method of claim 5 , wherein the risk score is further based on at least one of: a presence of a system call at the destination; permissions associated with the destination; a presence of propagating transitions to additional destinations; or a presence of the destination within the learned control flow diagram. 7 . A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: determining a learned control flow diagram for a process executed on a computing system by observing executions of transitions during an observation period during which safe executions of transitions are permitted to execute and be observed; monitoring execution of the process on the computing system using learned control flow diagram; determining an unobserved transition of the process based at least in part on the unobserved transition not being represented in the learned control flow diagram; determining a classification of the unobserved transition as being safe by analyzing, using a monitoring component, the unobserved transition; and performing an action based at least in part on the classification and the learned control flow diagram, the action including adding the unobserved transition to the learned control flow diagram. 8 . The system of claim 7 , wherein determining the classification for the unobserved transition comprises: determining a context for the transition; performing a static analysis of the unobserved transition; and determining the unobserved transition is safe in response to determining a reason for the transition based at least in part on the context and the static analysis. 9 . The system of claim 7 , wherein determining the classification for the unobserved transition comprises: determining a type of transition for the unobserved transition; determining a destination for the unobserved transition; determining a characteristic of the destination; and determining the classification using a set of heuristics defining the classification in response to the type of transition, the destination, the characteristic of the destination, and the learned control flow diagram. 10 . The system of claim 7 , wherein determining the classification for the unobserved transition comprises: determining a destination linked by the unobserved transition; and determining a risk score associated with the destination, and wherein the classification is based at least in part on the risk score of the destination. 11 . The system of claim 7 , wherein determining the classification for the unobserved transition comprises: determining a type of transition for the unobserved transition; determining a destination for the unobserved transition; determining a characteristic of the destination; and determining the classification using a machine learned model using inputs of the type of transition, the destination, the characteristic of the destination, and the learned control flow diagram. 12 . The system of claim 7 , wherein analyzing the unobserved transition comprises statically analyzing the transition. 13 . One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to: determine a learned control flow diagram for a process executed on a computing system by observing executions of transitions during an observation period during which safe executions of transitions are permitted to execute and be observed; monitor execution of the process on the computing system using the learned control flow diagram; determine an unobserved transition of the process based at least in part on the unobserved transition not being represented in the learned control flow diagram; determine a classification of the unobserved transition as being safe by analyzing, using a monitoring component, the unobserved transition; and performing an action based at least in part on the classification and the learned control flow diagram, the action adding the unobserved transition to the learned control flow diagram. 14 . The one or more non-transitory computer-readable media of claim 13 , wherein: the action comprises allowing execution of the unobserved transition in response to the classification being safe. 15 . The one or more non-transitory computer-readable media of claim 13 , wherein the instructions to determine the classification for the unobserved transition comprises further instructions to: determine a context for the transition; perform a static analysis of the unobserved transition; and determine the unobserved transition is safe in response to determining a reason for the transition based at least in part on the context and the static analysis. 16 . The one or more non-transitory computer-readable media of claim 13 , wherein the instructions to determine the classification for the unobserved transition comprises further instructions to: determine a type of transition for the unobserved transition; determine a destination for the unobserved transition; determine a characteristic of the destination; and determine the classification using a set
Assignees
Inventors
Classifications
Structural analysis for program understanding · CPC title
Program code verification, e.g. Java bytecode verification, proof-carrying code (high-level semantic checks G06F8/43; prevention of errors by analysis, debugging or testing of software G06F11/36) · CPC title
using software metrics · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12585771B2 cover?
- Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow diagram for a process on a computing system and monitoring execution of the process on the computing system using the control flow diagram. An un…
- Who is the assignee on this patent?
- Cisco Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/51. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Mar 24 2026 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).