Exploit detection based on heap spray detection
US-9336386-B1 · May 10, 2016 · US
US2018285564A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018285564-A1 |
| Application number | US-201815886690-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 1, 2018 |
| Priority date | Jul 21, 2015 |
| Publication date | Oct 4, 2018 |
| Grant date | — |
Official abstract text for this publication.
Various techniques for detection of malware that attempt to exploit a memory allocation vulnerability are disclosed. In some embodiments, a system, process, and/or computer program product for detecting an attempt to exploit a memory allocation vulnerability includes receiving a malware sample; monitoring an array operation performed by the malware sample using a memory monitoring component; and determining whether the array operation performed by the malware sample is suspicious. For example, an array operation, such as a vector operation performed by an application that is executed using an ActionScript virtual machine, can be monitored to detect any suspicious vector operations.
Opening claim text (preview).
What is claimed is:

1. (canceled)
2. A system for detecting an attempt to exploit a memory allocation vulnerability, comprising: a processor configured to: receive a malware sample; monitor an array operation performed by the malware sample using a memory monitoring component; and determine whether the array operation performed by the malware sample is suspicious based on one or more of the following: a vector size associated with the array operation, a structure hash on the array operation, or a cookie appended at an end of an allocated buffer during the array operation; and a memory coupled to the processor and configured to provide the processor with instructions.
3. The system recited in claim 2, wherein the processor is further configured to: determine that the array operation performed by the malware sample is suspicious based on one or more heuristics performed using the memory monitoring component for detecting an attempt to exploit a memory allocation vulnerability.
4. The system recited in claim 2, wherein the array operation is a vector operation performed by an application.
5. The system recited in claim 2, wherein the array operation is a vector operation performed by an application implemented in a scripting language that is executed in a virtual machine.
6. The system recited in claim 2, wherein the array operation is a vector operation performed by an application implemented in an ActionScript scripting language that is executed in an ActionScript virtual machine.
7. The system recited in claim 2, wherein the array operation is performed by an application implemented in a JavaScript scripting language that is executed in a JavaScript virtual machine.
8. The system recited in claim 2, wherein the malware sample is monitored for at least a predetermined period of time or until suspicious behavior is detected.
9. The system recited in claim 2, wherein the processor is further configured to: automatically generate a signature for the malware sample if the malware sample is determined to be malware.
10. The system recited in claim 2, wherein the processor is further configured to: identify the malware sample as malware based on a detection of an array operation that is associated with an attempt to exploit a memory allocation vulnerability; and automatically generate a signature for the malware sample.
11. The system recited in claim 2, wherein the processor is further configured to: block the array operation if the array operation is determined to be suspicious.
12. The system recited in claim 2, wherein the processor is further configured to: perform an action if the malware sample is determined to be malware.
13. The system recited in claim 2, wherein the processor is further configured to: perform a remedial action if the malware sample is determined to be malware, wherein the remedial action includes one or more of the following: block the malware sample from downloading, block the malware sample from installing, block the malware sample from executing, generate a signature for the malware sample, generate a warning about the malware sample, and log the malware sample.
14. The system recited in claim 2, wherein the processor is further configured to: detonate the malware sample in an instrumented virtual machine environment, wherein to monitor the array operation performed by the malware sample using the memory monitoring component is executed in the instrumented virtual machine environment.
15. The system recited in claim 2, wherein the system executes a cloud security service, and wherein the processor is further configured to: receive the malware sample at the cloud security service from a security device, wherein an instrumented virtual machine environment is monitored during execution of the malware sample using the memory monitoring component to determine whether the malware sample performs potentially malicious behavior that is associated with an attempt to exploit a memory allocation vulnerability.
16. A method for detecting an attempt to exploit a memory allocation vulnerability, comprising: receiving a malware sample; monitoring an array operation performed by the malware sample using a memory monitoring component; and determining whether the array operation performed by the malware sample is suspicious based on one or more of the following: a vector size associated with the array operation, a structure hash on the array operation, or a cookie appended at an end of an allocated buffer during the array operation.
17. The method of claim 16, wherein the malware sample is monitored for at least a predetermined period of time or until suspicious behavior is detected.
18. The method of claim 16, wherein an instrumented virtual machine environment is executed by a cloud security service, and further comprising: receiving the malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of the malware sample to determine whether the malware sample performs potentially malicious behavior that is associated with an attempt to exploit a memory allocation vulnerability.
19. A computer program product for detecting an attempt to exploit a memory allocation vulnerability, the computer program product being embodied in a non-transitory, tangible computer readable storage medium and comprising computer instructions for: receiving a malware sample; monitoring an array operation performed by the malware sample using a memory monitoring component; and determining whether the array operation performed by the malware sample is suspicious based on one or more of the following: a vector size associated with the array operation, a structure hash on the array operation, or a cookie appended at an end of an allocated buffer during the array operation.
20. The computer program product recited in claim 19, wherein the malware sample is monitored for at least a predetermined period of time or until suspicious behavior is detected.
21. The computer program product recited in claim 19, wherein an instrumented virtual machine environment is executed by a cloud security service, and further comprising computer instructions for: receiving the malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of the malware sample to determine whether the malware sample performs potentially malicious behavior that is associated with an attempt to exploit a memory allocation vulnerability.
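The three heuristics named in claims 2, 16 and 19 (vector size, structure hash, end-of-buffer cookie) as a toy memory-monitoring component. This is an added illustration, not code from the patent or its assignee; the header layout, the reading of "structure hash" as a digest of the vector header, the cookie value and the spray thresholds are all assumptions.

```python
import hashlib
from collections import Counter

COOKIE = b"\xde\xad\xbe\xef"   # assumed guard value written after each buffer
HDR = 4                         # assumed: 4-byte length field precedes the data
SPRAY_MIN_SIZE = 0x10000        # assumed threshold: vectors of 64 KiB or more
SPRAY_MIN_COUNT = 50            # assumed threshold: this many same-sized allocations


class VectorMonitor:
    """Records each vector allocation and re-checks it on later operations."""

    def __init__(self):
        self.heap = {}          # vid -> bytearray(length field | data | cookie)
        self.hashes = {}        # vid -> structure hash taken at allocation
        self.sizes = Counter()  # length -> live allocations of that length
        self.spray_sizes = set()

    def _structure_hash(self, buf):
        # Assumed meaning of "structure hash": a digest of the vector header.
        return hashlib.sha256(bytes(buf[:HDR])).hexdigest()

    def alloc(self, vid, length):
        """Allocate a vector; returns True when the allocation pattern looks like a spray."""
        buf = bytearray(length.to_bytes(HDR, "little")) + bytearray(length) + bytearray(COOKIE)
        self.heap[vid] = buf
        self.hashes[vid] = self._structure_hash(buf)
        self.sizes[length] += 1
        sprayed = length >= SPRAY_MIN_SIZE and self.sizes[length] >= SPRAY_MIN_COUNT
        if sprayed:
            self.spray_sizes.add(length)
        return sprayed

    def raw_write(self, vid, offset, data):
        """Test aid: simulates a memory-safety bug writing raw bytes into the buffer."""
        self.heap[vid][offset:offset + len(data)] = data

    def check(self, vid):
        """Re-validate one vector before an operation on it; returns the findings."""
        buf = self.heap[vid]
        findings = []
        if bytes(buf[-len(COOKIE):]) != COOKIE:
            findings.append("cookie")            # a write ran past the buffer end
        if self._structure_hash(buf) != self.hashes[vid]:
            findings.append("structure_hash")    # the length field was altered
        return findings
```

A real monitor would hook the virtual machine's vector allocation and access paths rather than model the heap in Python; the checks themselves are what the claims describe.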
Security improvement · CPC title
Electricity · mapped topic
involving event detection and direct action · CPC title
Protection against unauthorised use of memory {or access to memory} · CPC title
Test or assess a computer or a system · CPC title