Correlation-based detection of exploit activity
Abstract
Source file: AU2017202071A120171026.pdf

A security agent implemented on a monitored computing device is described herein. The security agent is configured to receive an event notification indicative of execution of an object and store, in a data structure on the monitored computing device, information associated with the event notification and the object. The security agent is further configured to receive an event notification indicative of an occurrence on the monitored computing device of an activity. Based at least in part on the stored information, the security agent correlates the occurrence of the activity with the execution of the object and generates an exploit detection event based on the correlating.

INVENTOR: DANIEL W. BROWN
DOCKET No: C052-0019US
TITLE: CORRELATION-BASED DETECTION OF EXPLOIT ACTIVITY

[Fig. 1a (sheet 1/5): Security agent 102 containing event collector(s) 108, filter/logic 110, policy 112, correlator(s) 114 and index 116. Object execution events 118 and activity events 124 pass through the filter/logic as events + object types 120 and 126; the correlators store info 122 and correlate objects and activities 128, producing exploit detection event 130. The agent connects over a network to remote security service 104.]
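The store-then-correlate flow in the abstract, as an added sketch that is not code from the patent or its applicant. The policy table, object type names, activity names, keying the index by process ID, and the process-exit cleanup are all assumptions made for illustration; the sample events are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical policy (assumption): object types worth tracking, and the
# activities treated as suspicious when a process running one performs them.
POLICY = {
    "document_reader": {"process_create", "executable_write"},
    "browser_plugin": {"process_create"},
}

@dataclass
class SecurityAgent:
    index: dict = field(default_factory=dict)       # pid -> stored execution info
    detections: list = field(default_factory=list)  # generated detection events

    def on_object_execution(self, pid, path, obj_type):
        """Filter by policy, then store info about the executed object."""
        if obj_type in POLICY:
            self.index[pid] = {"path": path, "obj_type": obj_type}

    def on_activity(self, pid, activity, detail):
        """Correlate an activity with a stored execution; emit a detection."""
        info = self.index.get(pid)
        if info is None or activity not in POLICY[info["obj_type"]]:
            return None
        event = {"type": "exploit_detection", "pid": pid,
                 "object": info["path"], "obj_type": info["obj_type"],
                 "activity": activity, "detail": detail}
        self.detections.append(event)
        return event

    def on_process_exit(self, pid):
        """Drop stale entries so a reused pid is not mis-correlated."""
        self.index.pop(pid, None)

def run_constructed_sample():
    """Replay constructed events; only one should correlate to a detection."""
    agent = SecurityAgent()
    agent.on_object_execution(4120, "/opt/reader/reader", "document_reader")
    agent.on_object_execution(4200, "/usr/bin/editor", "text_editor")
    agent.on_activity(4120, "file_read", "invoice.pdf")    # not in policy
    agent.on_activity(4200, "process_create", "/bin/sh")   # object not tracked
    agent.on_activity(4120, "process_create", "/bin/sh")   # correlates
    agent.on_process_exit(4120)
    agent.on_activity(4120, "process_create", "/bin/sh")   # pid no longer indexed
    return agent.detections

if __name__ == "__main__":
    for d in run_constructed_sample():
        print(d)
```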