主权项 |
1. A method for monitoring executing software, the method comprising:
prior to execution of the software, accessing data indicative of expected behavior of the software, the expected behavior determined based on analysis of the software, wherein accessing data indicative of expected behavior of the software includes generating a first binary program graph that corresponds to source code level or executable code level program flow of the software, wherein the first binary program graph includes data structures, connectors, and executable commands; and during execution of the software:
monitoring behavior of the software and comparing the monitored behavior with the data indicative of the expected behavior of the software, wherein monitoring behavior of the software includes generating a second binary program graph that corresponds to source code level or executable code level program flow of the software during execution, wherein the second binary program graph includes data structures, connectors, and executable commands;determining whether the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger, wherein determining whether the monitored behavior deviates from the expected behavior in accordance with the predetermined trigger comprises matching the second binary program graph of the software and associated data structures or values of the software with the first binary program graph of the software; andresponsive to a determination that the monitored behavior deviates from the expected behavior in accordance with the predetermined trigger, automatically initiating an action. |