US 12,216,759 B2
Discrete processor feature behavior collection
Eric Klonowski, Broomfield, CO (US)
Assigned to OPEN TEXT INC., Menlo Park, CA (US)
Filed by OPEN TEXT INC., Menlo Park, CA (US)
Filed on Nov. 17, 2023, as Appl. No. 18/512,603.
Application 18/512,603 is a continuation of application No. 17/187,180, filed on Feb. 26, 2021, granted, now 11,868,468.
Application 17/187,180 is a continuation of application No. 15/636,521, filed on Jun. 28, 2017, granted, now 10,970,388, issued on Apr. 6, 2021.
Prior Publication US 2024/0086530 A1, Mar. 14, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/55 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 21/552 (2013.01); G06F 21/566 (2013.01); G06F 2201/865 (2013.01)]
12 Claims
 
1. A method, comprising:
monitoring, by a monitor engine including a secure execution environment, interactions between software content and a computing environment, wherein the monitor engine executes in the computing environment and maintains a secure execution environment in a secure area of the computing environment such that the secure execution environment is inaccessible to any untrusted components or operations;
detecting, by the monitor engine, storing of instructions into memory of the computing environment based on an address of a memory access;
evaluating, by the monitor engine, instructions of the software content, wherein evaluating the instructions comprises evaluating the instructions to determine performance data associated with the software content using one or more profiling tools or models to evaluate at least one aspect of the instructions to determine the performance data;
identifying, by the monitor engine using the secure execution environment, calls of interest in the instructions by classifying the calls of interest based on the performance data and evaluating the calls of interest to generate behavioral signatures;
applying, by the monitor engine, behavioral signatures to determine that software content is malicious; and
based on the determined malicious software content, taking a remedial action including isolating the software content.