US 12,411,808 B2
System and method for obtaining instrumentation data
Rajeev Thakur, Sunnyvale, CA (US); Mehran Farimani, San Francisco, CA (US); and Chien-Hung Chen, Tainan (TW)
Assigned to RapidFort, Inc., Sunnyvale, CA (US)
Filed by RapidFort, Inc., Sunnyvale, CA (US)
Filed on Aug. 15, 2024, as Appl. No. 18/806,141.
Claims priority of provisional application 63/534,397, filed on Aug. 24, 2023.
Prior Publication US 2025/0068545 A1, Feb. 27, 2025
Int. Cl. G06F 11/00 (2006.01); G06F 11/362 (2025.01); G06F 16/16 (2019.01); G06F 16/17 (2019.01); G06F 16/18 (2019.01)
CPC G06F 16/164 (2019.01) [G06F 11/3644 (2013.01); G06F 16/1734 (2019.01); G06F 16/18 (2019.01); G06F 2221/2137 (2013.01)] 30 Claims
OG exemplary drawing
1. A computer-implemented method comprising:
determining, by an initialization process, a monitor instance identifier of an instance of an application, wherein the initialization process initializes monitoring of the instance of the application;
generating, by the initialization process, a system call argument based on a pseudo-randomly generated identifier;
making, by the initialization process, a system call comprising the system call argument;
determining, by a kernel-space Berkeley packet filter (BPF), to monitor the instance of the application based on the system call;
extracting, by the kernel-space BPF, the pseudo-randomly generated identifier from the system call argument to obtain the monitor instance identifier;
storing, in a watch list, the monitor instance identifier and the pseudo-randomly generated identifier;
transforming the system call data into instrumentation data, wherein the transforming comprises filtering the system call data to include system calls associated with the monitor instance identifier and obtaining the instrumentation data using the monitor instance identifier and the pseudo-randomly generated identifier, and wherein the instrumentation data comprises at least one of file access data, network traffic data, or operating system call data; and
implementing application security enhancement by using the instrumentation data to modify system operation, wherein implementing the application security enhancement comprises programmatically blocking the application from accessing one or more specific computing resources that are not identified in the instrumentation data, the one or more specific computing resources including at least one of: a specific file, a network port, or an operating system call that the instrumentation data indicate is not accessed during typical operation of the application.
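The flow in claim 1 can be followed end to end in a small user-space simulation: an initialization process registers a monitor instance by making a system call whose argument carries a pseudo-random identifier, a filter standing in for the kernel-space BPF program extracts that identifier into a watch list, only the registered process's calls are kept and turned into file, port and syscall instrumentation data, and an enforcement check then refuses any resource absent from that data. This is an added example, not code from the patent or from RapidFort; the `REGISTER_PREFIX` marker, the `openat`-path encoding of the identifier, the event format and every sample event are constructed here, and the real filter runs as a BPF program in the kernel rather than in Python.

```python
"""Simulation of the watch-list flow in claim 1 above.
Added example, not code from the patent or from RapidFort: the registration
marker, the event format and all sample events are constructed here, and the
real implementation runs as a kernel-space BPF program, not in Python."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed convention (assumption): the initialization process embeds the
# monitor instance identifier and the pseudo-random identifier in the path
# argument of an openat() call; the kernel-side filter recognises the prefix.
REGISTER_PREFIX = "/.monitor-register/"
TOKEN_HEX_LEN = 32  # 16 random bytes, hex encoded

FILE_CALLS = {"openat", "read", "write", "stat"}
NET_CALLS = {"connect", "bind"}


@dataclass
class SyscallEvent:
    """One kernel-observed system call (constructed sample format)."""
    pid: int
    name: str
    arg: str = ""  # path for file calls, "host:port" for network calls


@dataclass
class Instrumentation:
    """File access, network port and syscall data observed for one instance."""
    files: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    syscalls: Set[str] = field(default_factory=set)


def init_process(pid: int, monitor_id: str) -> Tuple[str, SyscallEvent]:
    """User-space initialization: generate the pseudo-random identifier and
    the system call whose argument carries it to the kernel-side filter."""
    token = secrets.token_hex(TOKEN_HEX_LEN // 2)
    return token, SyscallEvent(pid, "openat", f"{REGISTER_PREFIX}{monitor_id}/{token}")


class KernelFilter:
    """Stand-in for the kernel-space BPF program: keeps a watch list of
    registered processes and passes through only their system calls."""

    def __init__(self) -> None:
        # pid -> (monitor instance identifier, pseudo-random identifier)
        self.watch_list: Dict[int, Tuple[str, str]] = {}

    def observe(self, ev: SyscallEvent) -> Optional[SyscallEvent]:
        if ev.name == "openat" and ev.arg.startswith(REGISTER_PREFIX):
            monitor_id, _, token = ev.arg[len(REGISTER_PREFIX):].partition("/")
            is_hex = len(token) == TOKEN_HEX_LEN and all(c in "0123456789abcdef" for c in token)
            if monitor_id and is_hex:  # a stray path under the prefix does not register
                self.watch_list[ev.pid] = (monitor_id, token)
            return None  # the registration call is not itself instrumentation data
        return ev if ev.pid in self.watch_list else None


def transform(events: List[SyscallEvent], kfilter: KernelFilter) -> Dict[str, Instrumentation]:
    """Turn the raw event stream into per-instance instrumentation data,
    keeping only calls from processes on the watch list."""
    out: Dict[str, Instrumentation] = {}
    for ev in events:
        kept = kfilter.observe(ev)
        if kept is None:
            continue
        monitor_id, _token = kfilter.watch_list[kept.pid]
        inst = out.setdefault(monitor_id, Instrumentation())
        inst.syscalls.add(kept.name)
        if kept.name in FILE_CALLS:
            inst.files.add(kept.arg)
        elif kept.name in NET_CALLS:
            inst.ports.add(int(kept.arg.rsplit(":", 1)[1]))
    return out


def allowed(inst: Instrumentation, kind: str, value) -> bool:
    """Enforcement step: a resource absent from the instrumentation data is
    treated as not used in typical operation and is blocked."""
    if kind == "file":
        return value in inst.files
    if kind == "port":
        return value in inst.ports
    if kind == "syscall":
        return value in inst.syscalls
    raise ValueError(f"unknown resource kind {kind!r}")


def run_demo() -> Instrumentation:
    """Constructed run: pid 1001 is the monitored instance 'web-1';
    pid 2002 is an unrelated process whose calls must be filtered out."""
    kfilter = KernelFilter()
    _token, register = init_process(1001, "web-1")
    events = [
        register,
        SyscallEvent(1001, "openat", "/etc/app.conf"),
        SyscallEvent(2002, "openat", "/etc/shadow"),  # not on the watch list
        SyscallEvent(1001, "connect", "10.0.0.5:5432"),
        SyscallEvent(2002, "mmap"),
        SyscallEvent(1001, "write", "/var/lib/app/data.db"),
    ]
    return transform(events, kfilter)["web-1"]


if __name__ == "__main__":
    inst = run_demo()
    print("files:", sorted(inst.files))
    print("ports:", sorted(inst.ports))
    print("syscalls:", sorted(inst.syscalls))
    print("/etc/shadow allowed?", allowed(inst, "file", "/etc/shadow"))
```

Two points the claim leaves implicit show up in the code: the registration call is consumed by the filter and never appears in the instrumentation data, so the marker path does not leak into the allowlist, and the watch list is keyed by the observed process, which is why calls from the unregistered pid never reach the transform step even when they touch the same kind of resource.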