Title of invention: THWARTING MAP-LOADED MODULE MASQUERADE ATTACKS
Abstract: Apparatus, computer-implemented method, and computer-readable medium for thwarting map-loaded module (8) attacks on a digital computer (1). Within the computer (1) is a registry (10) containing mappings from generic names (4) of map-loaded modules (8) to specific locations (5) of the map-loaded modules (8). Coupled to the registry (10) is a registry monitor module (20) adapted to monitor attempts to replace existing mappings (5) of map-loaded modules (8) with replacement mappings (5). Coupled to the map-loaded modules (8) is a file system monitor module (70) adapted to monitor attempts to insert new map-loaded modules (8) into the computer (1). Coupled to the registry monitor module (20) and to the file system monitor module (70) is a programmable control module (30) adapted to determine when a change in mapping constitutes a malicious code attack. Such determinations are made when one or more pre-established rules (50) are satisfied. Two categories of rules (50) can be pre-established for use by control module (30): a first set of rules (50) for which programmable control module (30) can make decisions on its own, and a second set of rules (50) for which programmable control module (30) passes control to a system administrator (40).
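Publication number: WO0152022(A3) Publication date: 2002.03.07
Application number: WO2001US01203 Filing date: 2001.01.11
Applicant: SYMANTEC CORPORATION Inventors: SOBEL, WILLIAM, E.; GRAWROCK, DAVID
Classification: G06F21/00; (IPC1-7): G06F1/00 Main classification: G06F21/00
Agency: Agent:
Main claim:
Address: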