CPC G06F 21/57 (2013.01) [G06F 21/563 (2013.01); G06F 2221/033 (2013.01)] | 20 Claims
1. A method for analyzing received computer data, the method comprising:
scanning a set of computer data before the set of computer data is received by an intended destination, the set of computer data including instructions executable by a processor;
providing the set of computer data to a runtime exploit detection framework that includes a parent process;
generating a child process for executing the set of computer data, wherein the child process is generated based on execution of the parent process;
executing instrumentation code by the parent process concurrent with execution of the set of computer data by the child process, wherein the instrumentation code collects contextual data relating to behaviors observed by a plurality of probes during the child process, wherein the probes monitor a first set of the behaviors during a first time period and a second set of the behaviors during a second time period;
generating a mapping that identifies one or more patterns of activity associated with good program code during the first time period;
comparing the second set of behaviors with the mapping to obtain a comparison result indicating whether the second set of behaviors is consistent with the good program code;
identifying that the second set of behaviors meets a threshold level associated with the mapping; and
providing the set of computer data to the intended destination based on whether the threshold level is met.