CORRELATION-BASED DETECTION OF EXPLOIT ACTIVITY

摘要

A security agent implemented on a monitored computing device isdescribed herein. The security agent is configured to receive an eventnotification indicative of execution of an object and store, in a datastructure onthe monitored computing device, information associated with the eventnotification and the object. The security agent is further configured toreceivean event notification indicative of an occurrence on the monitored computingdevice of an activity. Based at least in part on the stored information, thesecurity agent correlates the occurrence of the activity with the execution oftheobject and generates an exploit detection event based on the correlating.