Invention Grant
- Patent Title: Suspicious program detection
- Application No.: US14779620
- Application Date: 2014-03-24
- Publication No.: US09747447B2
- Publication Date: 2017-08-29
- Inventor: Fadi El-Moussa
- Applicant: BRITISH TELECOMMUNICATIONS PLC
- Applicant Address: GB London
- Assignee: BRITISH TELECOMMUNICATIONS public limited company
- Current Assignee: BRITISH TELECOMMUNICATIONS public limited company
- Current Assignee Address: GB London
- Agency: Nixon & Vanderhye P.C.
- Priority: EP13250033 20130325
- International Application: PCT/GB2014/000110 WO 20140324
- International Announcement: WO2014/155036 WO 20141002
- Main IPC: G06F21/56
- IPC: G06F21/56

Abstract:
A processing device (10) includes a processor (12), an interface (14) and a memory (100). The memory (100) is formed from system Random Access Memory (RAM) and one or more other storage devices, and can be considered as comprising working memory (110) and persistent storage (120). The working memory includes the system RAM but may also use memory from one or more other storage devices; when certain suspicious program detection modules are operating, it also stores a comparison table (112), discussed below. The persistent storage contains several executable program files, as follows:

- an Absolute Memory Address Calculator executable program (121), which causes the system (10) to inspect a copy of a persistently stored (and compiled) executable program (e.g. one of the executable programs 125, 126, 127, . . . stored in the persistent storage 120), to calculate the expected absolute memory locations of the various functions or helper programs that it calls, and to store these in a table (112) that it creates in the working memory (110) for this purpose;
- a Loaded Program Accessor executable program (122), which causes the system (10) to inspect a copy of an executable program as loaded in the working memory (110) after loading and linking of the program have been completed, to determine the actual memory locations stored in the Import Address Table (IAT) of the loaded program, and to store these actual memory locations in the comparison table (112);
- a Memory Location Comparator executable program (123), which causes the system (10), during execution of this program, to compare the calculated expected absolute memory locations with their respective actual accessed memory locations as stored in the comparison table of memory locations (112); and
- a Corroborator executable program (124), which causes the system (10), during execution of this program, to corroborate any mismatches of memory locations detected in the memory location pairs stored in the table (112) of memory locations by, in the present embodiment, inspecting the contents of any executable instructions contained at the actually accessed memory location to look for the presence of an instruction causing a new thread of execution to be instantiated.
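The four stages the abstract describes (expected address calculation, IAT read-out, comparison, corroboration), as an added Python model that is not part of the patent or of any BT implementation. Module bases, export RVAs, stub addresses and stub bytes are constructed, and the corroboration step is simplified (an assumption) to scanning the code at the actual address for a relative call whose target is CreateThread's expected address.

```python
import struct
# Constructed view of the loaded modules: mapped base per DLL, export RVA per function.
DLL_BASES = {"kernel32.dll": 0x7FF800000000, "user32.dll": 0x7FF900000000}
EXPORT_RVAS = {("kernel32.dll", "CreateFileW"): 0x21D30,
               ("kernel32.dll", "CreateThread"): 0x1A2F0,
               ("user32.dll", "MessageBoxW"): 0x73A40}
CALL_REL32 = 0xE8  # opcode of the x86/x64 near relative call

def expected_iat(imports):
    """Absolute Memory Address Calculator: module base + export RVA per import."""
    return {imp: DLL_BASES[imp[0]] + EXPORT_RVAS[imp] for imp in imports}

def build_comparison_table(imports, actual_iat):
    """Comparison table (112): one (expected, actual) address pair per import."""
    exp = expected_iat(imports)
    return {imp: (exp[imp], actual_iat[imp]) for imp in imports}

def mismatches(table):
    """Memory Location Comparator: imports whose IAT slot was redirected."""
    return [imp for imp, (exp, act) in table.items() if exp != act]

def creates_thread(memory, addr, window=32):
    """Corroborator (simplified, assumption): relative call to CreateThread in the stub?"""
    target = DLL_BASES["kernel32.dll"] + EXPORT_RVAS[("kernel32.dll", "CreateThread")]
    code = memory.get(addr, b"")[:window]
    for i in range(len(code) - 4):
        if code[i] == CALL_REL32:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            if addr + i + 5 + rel == target:  # rel32 is relative to the next instruction
                return True
    return False

def detect(imports, actual_iat, memory):
    """Report only those mismatches that the corroboration step confirms."""
    table = build_comparison_table(imports, actual_iat)
    return [imp for imp in mismatches(table) if creates_thread(memory, table[imp][1])]

def scenario():
    """Constructed state: CreateFileW -> thread-spawning stub, MessageBoxW -> inert stub."""
    imports = list(EXPORT_RVAS)
    actual = expected_iat(imports)
    stub_a, stub_b = 0x7FF800200000, 0x7FF800300000  # within rel32 reach of kernel32
    ct = actual[("kernel32.dll", "CreateThread")]
    code_a = (b"\x48\x83\xec\x28" + bytes([CALL_REL32])            # sub rsp,0x28; call ct
              + struct.pack("<i", ct - (stub_a + 9)) + b"\x48\x83\xc4\x28\xc3")
    code_b = b"\x48\x83\xec\x28\x48\x83\xc4\x28\xc3"              # no call at all
    actual[("kernel32.dll", "CreateFileW")] = stub_a
    actual[("user32.dll", "MessageBoxW")] = stub_b
    return detect(imports, actual, {stub_a: code_a, stub_b: code_b})
```

A real implementation would take the export RVAs from the on-disk image and the IAT from the live process; a mismatch alone is not proof of tampering, which is why the corroboration step exists.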
Public/Granted literature
- US20160055337A1 SUSPICIOUS PROGRAM DETECTION, Public/Granted day: 2016-02-25