CPC G06F 21/554 (2013.01) [G06F 9/445 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2101 (2013.01)]
20 Claims
1. A system, comprising:
a memory storing a token cache and an operating system; and
at least one computing device in communication with the memory, the at least one computing device being configured to:
receive a first notification that a process has started on the at least one computing device;
in response to the first notification, record a first access token associated with the process into the token cache;
receive a second notification that the process has interacted with the operating system to perform at least one of a set of predetermined operations on the at least one computing device;
in response to the second notification, capture a second access token from the process;
perform a comparison of the second access token captured from the process against the first access token recorded into the token cache; and
determine that an escalation of privilege attack has occurred based on the comparison of the second access token captured from the process against the first access token recorded in the token cache.
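The following is an added illustrative model of the detection logic the claim describes (record a token at process start, capture a second token when the process performs a monitored operation, compare the two). It is not the patent's implementation and calls no real operating-system API: the token fields, the integrity-level ordering, the set of monitored operations and the event sequence in `run_demo` are all constructed assumptions for the example.

```python
"""Illustrative token-cache comparison for detecting privilege escalation.

Added example: not code from the patent. Token fields, the monitored-operation
set and the demo events are constructed assumptions, not a real OS interface.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessToken:
    """Minimal model of an access token (assumed fields)."""
    user_sid: str
    integrity_level: int            # assumed ordering: 1 low, 2 medium, 3 high, 4 system
    privileges: FrozenSet[str] = frozenset()


@dataclass
class Alert:
    pid: int
    operation: str
    reason: str


# The "set of predetermined operations" from the claim (constructed names).
MONITORED_OPERATIONS = {"create_service", "write_system_directory", "load_driver"}


class TokenCacheMonitor:
    def __init__(self) -> None:
        # pid -> token recorded at process start (the claim's token cache)
        self.token_cache: Dict[int, AccessToken] = {}

    def on_process_start(self, pid: int, token: AccessToken) -> None:
        """First notification: record the token the process started with."""
        self.token_cache[pid] = token

    def on_process_exit(self, pid: int) -> None:
        """Drop the cached entry so pid reuse cannot match a stale token."""
        self.token_cache.pop(pid, None)

    def on_operation(self, pid: int, operation: str,
                     current_token: AccessToken) -> Optional[Alert]:
        """Second notification: capture the process's current token and compare."""
        if operation not in MONITORED_OPERATIONS:
            return None
        recorded = self.token_cache.get(pid)
        if recorded is None:
            # A monitored operation from a process we never saw start is itself
            # suspicious: the comparison cannot be performed.
            return Alert(pid, operation, "no recorded token for process")
        return self._compare(pid, operation, recorded, current_token)

    @staticmethod
    def _compare(pid: int, operation: str, recorded: AccessToken,
                 current: AccessToken) -> Optional[Alert]:
        if current.user_sid != recorded.user_sid:
            return Alert(pid, operation,
                         f"user changed from {recorded.user_sid} to {current.user_sid}")
        if current.integrity_level > recorded.integrity_level:
            return Alert(pid, operation,
                         f"integrity level rose from {recorded.integrity_level} "
                         f"to {current.integrity_level}")
        gained = current.privileges - recorded.privileges
        if gained:
            return Alert(pid, operation, f"privileges gained: {sorted(gained)}")
        return None


def run_demo() -> List[Alert]:
    """Feed a constructed event sequence through the monitor; return alerts raised."""
    monitor = TokenCacheMonitor()
    alerts: List[Alert] = []
    user = AccessToken("S-1-5-21-1000-1001", 2, frozenset({"SeChangeNotifyPrivilege"}))
    system = AccessToken("S-1-5-18", 4, frozenset({"SeChangeNotifyPrivilege",
                                                   "SeDebugPrivilege"}))

    # Process 100: starts and acts under the same token throughout -> no alert.
    monitor.on_process_start(100, user)
    for op in ("open_file", "write_system_directory"):
        alert = monitor.on_operation(100, op, user)
        if alert:
            alerts.append(alert)

    # Process 200: started as the user but presents a different token later.
    monitor.on_process_start(200, user)
    alert = monitor.on_operation(200, "create_service", system)
    if alert:
        alerts.append(alert)

    # Process 300: never observed starting, yet performs a monitored operation.
    alert = monitor.on_operation(300, "load_driver", user)
    if alert:
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"pid {a.pid}: {a.operation}: {a.reason}")
```

The comparison order matters in practice: a changed user identity is the strongest signal, followed by a higher integrity level, then newly present privileges; a production implementation would also have to handle legitimate token changes (impersonation threads, intended elevation) to avoid false positives, which this model deliberately leaves out.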