US 12,169,564 B2
Early filtering of clean file using dynamic analysis
Soumyadipta Das, Bangalore (IN); SushilKumar Kuchan, Bangalore (IN); and Aleksandr Dubrovsky, San Mateo, CA (US)
Assigned to SonicWall, Inc., Milpitas, CA (US)
Filed by SonicWall, Inc., Milpitas, CA (US)
Filed on Nov. 21, 2022, as Appl. No. 17/991,749.
Application 17/991,749 is a continuation of application No. 16/783,065, filed on Feb. 5, 2020, granted, now 11,507,664.
Claims priority of provisional application 62/943,134, filed on Dec. 3, 2019.
Prior Publication US 2023/0153439 A1, May 18, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/57 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/57 (2013.01) [G06F 21/563 (2013.01); G06F 2221/033 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for analyzing received computer data, the method comprising:
scanning a set of computer data before the set of computer data is received by an intended destination, the set of computer data including instructions executable by a processor;
providing the set of computer data to a runtime exploit detection framework that includes a parent process;
generating a child process for executing the set of computer data, wherein the child process is generated based on execution of the parent process;
executing instrumentation code by the parent process concurrent with execution of the set of computer data by the child process, wherein the instrumentation code collects contextual data relating to behaviors observed by a plurality of probes during the child process, wherein the probes monitor a first set of the behaviors during a first time period and a second set of the behaviors during a second time period;
generating a mapping that identifies one or more patterns of activity associated with good program code during the first time period;
comparing the second set of behaviors with the mapping to obtain a comparison result indicating whether the second set of behaviors is consistent with the good program code;
identifying that the second set of behaviors meets a threshold level associated with the mapping; and
providing the set of computer data to the intended destination based on whether the threshold level is met.
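The control flow that claim 1 describes (parent collects probe observations over two time periods, builds a mapping of good-program patterns from the first period, scores the second period against it, and forwards the data only when a threshold is met) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not SonicWall's implementation and nothing in it is taken from the patent beyond the claim's structure. All names (`Behavior`, `build_mapping`, `compare`, `analyze`, the probe labels and the 0.8 threshold) are assumptions, the two traces are constructed sample data standing in for what real probes would report, and the treatment of first-period activity as the good-program baseline is likewise an assumption the claim itself does not spell out.

```python
"""Toy model of the claimed early-filtering decision (added example, not patent code).

Real process spawning and in-process probes are out of scope here; a constructed
list of Behavior records stands in for the contextual data the parent would
collect while the child executes the submitted data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Behavior:
    probe: str    # hypothetical probe that observed the activity, e.g. "file"
    action: str   # constructed label for the observed activity
    period: int   # 1 = first time period, 2 = second time period


Pattern = Tuple[str, str]      # (probe, action)
Mapping = Dict[Pattern, int]   # pattern -> times seen during the first period


def split_periods(trace: Iterable[Behavior]) -> Tuple[List[Behavior], List[Behavior]]:
    """Separate probe observations into the first and second sets of behaviors."""
    first = [b for b in trace if b.period == 1]
    second = [b for b in trace if b.period == 2]
    return first, second


def build_mapping(first_period: Iterable[Behavior]) -> Mapping:
    """Mapping of activity patterns treated as good program code.

    Assumption (not stated in the claim): first-period activity is the baseline.
    """
    return Counter((b.probe, b.action) for b in first_period)


def compare(second_period: List[Behavior], mapping: Mapping) -> float:
    """Fraction of second-period behaviors whose pattern appears in the mapping.

    An empty second period scores 0.0 so that "nothing observed" never passes.
    """
    if not second_period:
        return 0.0
    consistent = sum(1 for b in second_period if (b.probe, b.action) in mapping)
    return consistent / len(second_period)


@dataclass(frozen=True)
class Decision:
    consistency: float              # comparison result in [0.0, 1.0]
    threshold: float
    forward: bool                   # True: deliver to the intended destination
    unmatched: Tuple[Pattern, ...]  # second-period patterns absent from the mapping


def analyze(trace: Iterable[Behavior], threshold: float = 0.8) -> Decision:
    """Run the claimed sequence: split, map, compare, threshold, decide."""
    first, second = split_periods(list(trace))
    mapping = build_mapping(first)
    score = compare(second, mapping)
    unmatched = tuple(sorted({(b.probe, b.action) for b in second
                              if (b.probe, b.action) not in mapping}))
    return Decision(score, threshold, score >= threshold, unmatched)


# Constructed traces. The second period of CLEAN_TRACE repeats first-period
# patterns; SUSPECT_TRACE introduces patterns the mapping has never seen.
CLEAN_TRACE = [
    Behavior("file", "open_config", 1), Behavior("file", "read_config", 1),
    Behavior("network", "dns_lookup", 1),
    Behavior("file", "open_config", 2), Behavior("file", "read_config", 2),
    Behavior("network", "dns_lookup", 2), Behavior("file", "read_config", 2),
]
SUSPECT_TRACE = [
    Behavior("file", "open_config", 1), Behavior("file", "read_config", 1),
    Behavior("network", "dns_lookup", 1),
    Behavior("file", "open_config", 2), Behavior("process", "spawn_shell", 2),
    Behavior("memory", "mark_executable", 2), Behavior("network", "connect_out", 2),
]

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_TRACE), ("suspect", SUSPECT_TRACE)):
        d = analyze(trace)
        verdict = "forward to destination" if d.forward else "hold for deeper analysis"
        print(f"{name}: consistency={d.consistency:.2f} -> {verdict}; unmatched={d.unmatched}")
```

The `unmatched` field is the part an analyst would actually look at: a low consistency score alone says only that the second period diverged from the baseline, while the list of unseen patterns says how. Note also the design choice in `compare` to score an empty second period as 0.0; without it, data whose child process exits before the second period begins would trivially satisfy any threshold and be forwarded.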