Title: Method and system for tracking access to application data and preventing data exploitation by malicious programs
Abstract: Provided are a method and system for tracking access to application data and preventing data exploitation by malicious programs. In one example, the method includes shimming into a running process of the system to create at least one monitoring hook to monitor a program, building an execution path of the monitored program, and monitoring a behavior of the execution path for malicious behavior using the monitoring hook.
Publication number: US9171157(B2) Publication date: 2015.10.27
Application number: US200611391017 Filing date: 2006.03.28
Applicant: Blue Coat Systems, Inc. Inventors: Flores Jose;Lu Wei;Blewer Ronnie;Kaplan Yariv
Classification: G06F21/00;G06F21/56;G06F21/55 Main classification: G06F21/00
Agent (firm): Ascenda Law Group, PC Agent: Ascenda Law Group, PC
Independent claim: 1. A method of detecting a malicious program on a computer system, the method comprising: by a processor of the computer system, activating a detection program, the detection program scanning a virtual memory of the computer system to locate an operating system message dispatcher function, replacing the operating system message dispatcher function with a detection program dispatcher function, scanning a desktop virtual memory space of the computer system to locate a function of interest, and replacing the function of interest with a detection program monitoring hook for the function of interest; building at least one execution path of at least one process executing on the computer system, said at least one execution path including sequences of calls made by the at least one process to functions and application programming interfaces (APIs) of the operating system; via the monitoring hook, monitoring behavior of the at least one execution path for atypical behavior in the sequences of calls made in the execution path; and, when atypical behavior is observed in the execution path, associating that behavior with an instance of a program of interest; when atypical behavior in the execution path is observed, monitoring the instance of the program of interest for additional operating system API calls, and, in the event of such API calls, placing the program of interest on a watch list and further monitoring the program of interest for additional activity that generates atypical behavior and interactions between the program of interest and other program modules running on the computer system; based on said further monitoring, associating and adjusting a weighting of the instance of the program of interest, the weighting being indicative of a probability that the program of interest is atypical, wherein a decrease in the weighting, as well as an increase in the weighting, both indicate a change in the probability that the program of interest is atypical; in the event that the weighting reaches a predefined threshold value, performing a module analysis to lower the weighting if the instance of the program of interest is calling a program module that is determined to be a legitimate program, and in the event the weighting crosses the predefined threshold value, triggering an alert.
Address: Sunnyvale CA US
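The scoring part of claim 1 (execution path built from API call sequences, watch list, a weighting that moves up and down, module analysis at the threshold, alert once the threshold is crossed) is easier to reason about as a small model. The following Python is an added example written for this record, not code from the patent or from Blue Coat Systems; it models only the weighting logic, not the hooking, and every API name, module name, weight and threshold in it is a constructed assumption chosen to make the flow visible.

```python
"""Toy model of the watch-list weighting described in claim 1 (added example).

It consumes a stream of (pid, api, caller_module) events, keeps a per-process
execution path (the sequence of API calls), scores atypical tails of that path,
runs a "module analysis" credit when the weight reaches the threshold, and
raises an alert once the weight crosses the threshold.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed parameters; the patent names no particular values.
THRESHOLD = 5       # weight at which module analysis runs; alert fires once weight exceeds it
LEGIT_CREDIT = 2    # amount module analysis subtracts when the caller is a known-legitimate module

# Constructed set of program modules treated as legitimate by module analysis.
LEGITIMATE_MODULES = {"explorer.exe", "devenv.exe"}

# Constructed "atypical" call sequences and the weight each adds when it forms
# the tail of a process's execution path.
ATYPICAL_SEQUENCES: Dict[Tuple[str, ...], int] = {
    ("OpenProcess", "WriteProcessMemory"): 3,
    ("WriteProcessMemory", "CreateRemoteThread"): 3,
    ("GetAsyncKeyState", "WriteFile"): 2,
}


@dataclass
class WatchEntry:
    """A process placed on the watch list, with its current weighting."""
    pid: int
    weight: int = 0
    alerted: bool = False


class ExecutionPathMonitor:
    def __init__(self, threshold: int = THRESHOLD, legit: Iterable[str] = LEGITIMATE_MODULES):
        self.threshold = threshold
        self.legit = set(legit)
        self.paths: Dict[int, List[str]] = {}        # execution path per pid
        self.watch_list: Dict[int, WatchEntry] = {}

    def _atypical_delta(self, path: List[str]) -> int:
        """Sum the weights of every atypical sequence matching the path's tail."""
        delta = 0
        for seq, weight in ATYPICAL_SEQUENCES.items():
            if len(path) >= len(seq) and tuple(path[-len(seq):]) == seq:
                delta += weight
        return delta

    def record_call(self, pid: int, api: str, caller_module: str) -> Optional[str]:
        """Feed one observed API call; returns None, "watch" or "alert"."""
        path = self.paths.setdefault(pid, [])
        path.append(api)
        delta = self._atypical_delta(path)
        if delta == 0 and pid not in self.watch_list:
            return None  # typical behaviour from a process not yet on the watch list
        entry = self.watch_list.setdefault(pid, WatchEntry(pid))
        entry.weight += delta
        # Module analysis: when the weight reaches the threshold and the call comes
        # from a module judged legitimate, lower the weighting instead of alerting.
        if entry.weight >= self.threshold and caller_module in self.legit:
            entry.weight = max(0, entry.weight - LEGIT_CREDIT)
        # Alert only once the weighting actually crosses the threshold.
        if entry.weight > self.threshold and not entry.alerted:
            entry.alerted = True
            return "alert"
        return "watch"


def simulate(events: Iterable[Tuple[int, str, str]]) -> List[Optional[str]]:
    """Run a constructed event stream through a fresh monitor; returns per-event outcomes."""
    monitor = ExecutionPathMonitor()
    return [monitor.record_call(pid, api, mod) for pid, api, mod in events]


if __name__ == "__main__":
    # Constructed sample: the same injection-like call sequence from a known
    # development tool (pid 1) and from an unknown module (pid 2).
    sample = [
        (1, "OpenProcess", "devenv.exe"),
        (1, "WriteProcessMemory", "devenv.exe"),
        (1, "CreateRemoteThread", "devenv.exe"),
        (2, "OpenProcess", "dropper.tmp"),
        (2, "WriteProcessMemory", "dropper.tmp"),
        (2, "CreateRemoteThread", "dropper.tmp"),
    ]
    for event, outcome in zip(sample, simulate(sample)):
        print(event, "->", outcome)
```

The two streams reach the same raw weight of 6, but module analysis credits the known module back below the threshold, so only the unknown module produces an alert; the credit is what lets the weighting move down as well as up, as the claim requires.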