US 12,455,957 B2
Methods and apparatus for control and detection of malicious content using a sandbox environment
Anup Ghosh, Centreville, VA (US); Scott Cosby, Alexandria, VA (US); Alan Keister, Oakton, VA (US); Benjamin Bryant, Alexandria, VA (US); and Stephen Taylor, Washington, DC (US)
Assigned to Invincea, Inc., Burlington, MA (US)
Filed by Invincea, Inc., Burlington, MA (US)
Filed on May 23, 2024, as Appl. No. 18/672,750.
Application 18/672,750 is a continuation of application No. 17/211,412, filed on Mar. 24, 2021, granted, now 12,019,734.
Application 17/211,412 is a continuation of application No. 16/671,664, filed on Nov. 1, 2019, granted, now 10,984,097, issued on Apr. 20, 2021.
Application 16/671,664 is a continuation of application No. 16/018,720, filed on Jun. 26, 2018, granted, now 10,467,406, issued on Nov. 5, 2019.
Application 16/018,720 is a continuation of application No. 15/359,004, filed on Nov. 22, 2016, granted, now 10,043,001, issued on Aug. 7, 2018.
Application 15/359,004 is a continuation of application No. 14/797,847, filed on Jul. 13, 2015, granted, now 9,519,779, issued on Dec. 13, 2016.
Application 14/797,847 is a continuation of application No. 13/690,452, filed on Nov. 30, 2012, granted, now 9,081,959, issued on Jul. 14, 2015.
Claims priority of provisional application 61/566,162, filed on Dec. 2, 2011.
Prior Publication US 2024/0320323 A1, Sep. 26, 2024
Int. Cl. G06F 21/53 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/53 (2013.01) [G06F 21/56 (2013.01); G06F 21/566 (2013.01); G06F 2221/034 (2013.01); G06F 2221/2101 (2013.01); G06F 2221/2141 (2013.01); G06F 2221/2149 (2013.01)]
17 Claims
1. A non-transitory processor-readable medium storing code representing instructions to be executed by one or more processors, the instructions comprising code to cause the one or more processors to:
receive a file;
open, in a sandbox environment, the file using a process associated with the file;
receive a set of indications of actual behavior associated with the file;
classify an actual behavior associated with an indication of actual behavior from the set of indications of actual behavior as an anomalous behavior for the file based on the indication of actual behavior not being in a set of indications of allowed behavior for the file, the set of indications of allowed behavior for the file being based on a trust level associated with the file; and
send an indication associated with the anomalous behavior in response to identifying the anomalous behavior.