CPC G06F 21/566 (2013.01) [G06F 3/0604 (2013.01); G06F 3/0631 (2013.01); G06F 3/0673 (2013.01); G06F 21/567 (2013.01); G06F 2221/034 (2013.01)]
20 Claims
1. A method of detecting unexpected behavior associated with a process, comprising:
receiving a memory allocation request, the memory allocation request indicating one or more memory segments to be allocated in memory of a computing system;
allocating the one or more memory segments in the memory based on the memory allocation request;
allocating one or more decoy memory segments in the memory based on the memory allocation request;
trapping an input/output (I/O) operation prior to detecting an unexpected behavior associated with the I/O operation, the I/O operation including a payload and a starting address associated with the one or more memory segments;
detecting the unexpected behavior associated with the I/O operation before the decoy memory is updated by determining, based on the starting address and a size of the payload, that the I/O operation impacts at least one of the one or more decoy memory segments; and
performing one or more actions based on the detecting.
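
The steps of claim 1 as a small C sketch, added here for illustration and not taken from the patent or its assignee: each allocation gets a decoy segment, and a write is trapped and range-checked against the decoys before any byte is copied. The fixed arena, DECOY_SIZE, the function names alloc_with_decoy and trapped_write, and the placement of the decoy directly after each allocation are all assumptions; the claim does not specify them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096
#define DECOY_SIZE 32   /* assumed decoy length; not specified by the claim */
#define MAX_SEGS   64
struct seg { size_t off, len; int decoy; };

static uint8_t arena[ARENA_SIZE];
static struct seg segs[MAX_SEGS];
static size_t nsegs, next_off;

/* Allocate the requested segment plus a decoy segment directly after it. */
uint8_t *alloc_with_decoy(size_t size)
{
    if (size == 0 || size > ARENA_SIZE - DECOY_SIZE ||
        next_off > ARENA_SIZE - DECOY_SIZE - size || nsegs + 2 > MAX_SEGS)
        return NULL;
    segs[nsegs++] = (struct seg){ next_off, size, 0 };
    segs[nsegs++] = (struct seg){ next_off + size, DECOY_SIZE, 1 };
    uint8_t *p = arena + next_off;
    next_off += size + DECOY_SIZE;
    return p;
}

/* Trap a write before it is performed. Returns 0 if the write was carried
 * out, -1 if it would touch a decoy (nothing written), -2 if out of arena. */
int trapped_write(uint8_t *start, const void *payload, size_t size)
{
    uintptr_t base = (uintptr_t)arena, s = (uintptr_t)start;
    if (s < base || s - base > ARENA_SIZE) return -2;
    size_t off = (size_t)(s - base);
    if (size > ARENA_SIZE - off) return -2;
    for (size_t i = 0; i < nsegs; i++) {
        /* Half-open overlap of [off, off+size) with the decoy's range. */
        if (segs[i].decoy && off < segs[i].off + segs[i].len &&
            segs[i].off < off + size)
            return -1;  /* detected before the decoy memory is updated */
    }
    memcpy(start, payload, size);
    return 0;
}

int main(void)
{
    uint8_t *p = alloc_with_decoy(16);
    if (!p) return 1;
    printf("%d %d\n", trapped_write(p, "AAAAAAAAAAAAAAAA", 16),
           trapped_write(p, "AAAAAAAAAAAAAAAAA", 17));
    return 0;
}
```

The -1 return is where the claim's "one or more actions" would be taken, for example logging the request or terminating the process.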