US Patent 10977368 Detecting malware based on memory allocation patterns

A method for threat detection by identifying patterns of used memory blocks is described. In one embodiment, the method includes identifying a pattern of memory allocations from a known malware threat; tracking memory allocations of memory; identifying a plurality of memory allocations that match at least a portion of the pattern of memory allocations based at least in part on the tracking of the memory allocations; and performing a security action upon determining a quantity of the plurality of memory allocations satisfies a predetermined threshold. In some examples, the method includes determining that a sequence of wiped data strings satisfies a confidence threshold, and identifying the plurality of memory allocations is based at least in part on the confidence threshold. In some cases, the security action includes flagging the identified pattern of memory allocations, quarantining an associated application or process, or generating a notification.