CPC G06F 21/563 (2013.01) [G06F 21/566 (2013.01); G06F 2221/034 (2013.01)] | 19 Claims
1. A method for analyzing data for suspicious code, the method comprising:
receiving computer information associated with a set of program code, the received computer information including data associated with internal structures of the set of program code;
executing the set of program code, wherein the set of program code is executable to access memory;
identifying that the program code is executed to access an allocated region of the memory, wherein the access corresponds to one or more writes to the allocated region;
correlating at least one of the writes to one or more previous writes to the allocated region of the memory based on the data set associated with the set of program code, wherein the correlation includes identifying that at least one of the previous writes has been overwritten in an execution path of one of the writes in the allocated region; and
classifying the program code as suspicious based on one or more suspicious events that include a number of attempts to access and write to the allocated region of the memory, wherein classifying the program code includes matching one or more criteria of an access pattern with the suspicious events associated with malicious program code.
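The write-correlation and classification steps of claim 1, as an added illustration that is not the patent's or any assignee's code. It assumes a write trace of the form (region base, offset, size, writing instruction address), treats a write as an overwrite when it clobbers bytes last written by a different instruction address (a different execution path), and uses a constructed threshold of four writes and one overwrite as the "criteria of an access pattern"; all of these are assumptions, not values from the claim.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Write:
    region: int   # base address of the allocated region being written
    offset: int   # offset of the write inside that region
    size: int     # number of bytes written
    pc: int       # address of the writing instruction (stands in for execution path)

@dataclass
class RegionState:
    writes: int = 0       # attempts to write the region
    overwrites: int = 0   # writes that clobbered an earlier write from another path
    last_writer: dict = field(default_factory=dict)  # byte offset -> pc of last write

class WriteCorrelator:
    """Tracks writes per allocated region and correlates each with earlier ones."""
    def __init__(self, allocated_regions):
        self.regions = {base: RegionState() for base in allocated_regions}

    def record(self, w: Write) -> bool:
        """Record one write; return True if it overwrote data written by another path."""
        st = self.regions.get(w.region)
        if st is None:
            return False  # write outside the tracked allocations: not correlated
        st.writes += 1
        span = range(w.offset, w.offset + w.size)
        overwrote = any(b in st.last_writer and st.last_writer[b] != w.pc for b in span)
        if overwrote:
            st.overwrites += 1
        for b in span:
            st.last_writer[b] = w.pc
        return overwrote

    def classify(self, min_writes=4, min_overwrites=1):
        """Return region bases whose access pattern matches the (assumed) criteria."""
        return sorted(b for b, st in self.regions.items()
                      if st.writes >= min_writes and st.overwrites >= min_overwrites)

# Constructed trace: region 0x1000 is filled by one loop and then rewritten in place
# by a second routine; region 0x2000 is filled once by a single routine.
TRACE = ([Write(0x1000, o, 4, 0x401000) for o in range(0, 16, 4)]
         + [Write(0x1000, o, 4, 0x402000) for o in range(0, 16, 4)]
         + [Write(0x2000, o, 4, 0x403000) for o in range(0, 16, 4)])

def run(trace=TRACE):
    corr = WriteCorrelator(allocated_regions=[0x1000, 0x2000])
    for w in trace:
        corr.record(w)
    return corr.classify()

if __name__ == "__main__":
    print([hex(b) for b in run()])  # ['0x1000']
```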