Malicious content analysis with multi-version application support within single operating environment

US 10,025,927 B1
Filed: 04/17/2017
Issued: 07/17/2018
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious content, comprising:

installing a plurality of versions of a software application concurrently within a virtual machine, each of the plurality of versions of the software application being different from each other;

selecting, by logic being executed by a processor of a data processing system, a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine;

processing one or more software application versions of the subset of the plurality of versions of the software application to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine;

monitoring behaviors of the potentially malicious content suspect during processing by the one or more software application versions of the subset of the plurality of versions of the software application to detect behaviors associated with a malicious attack;

storing information associated with the detected behaviors that are associated with a malicious attack; and

issuing an alert with respect to the malicious attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for efficient malicious content detection in plural versions of a software application are described. According to one embodiment, the computerized method includes installing a plurality of different versions of a software application concurrently within a virtual machine and selecting a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine. Next, one or more software application versions of the subset of the plurality of versions of the software application are processed to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine. The behaviors of the potentially malicious content suspect during processing by the one or more software application versions are monitored to detect behaviors associated with a malicious attack. Thereafter, information associated with the detected behaviors pertaining to a malicious attack is stored, and an alert with respect to the malicious attack is issued.

737 Citations

47 Claims

1. A method for detecting malicious content, comprising:
- installing a plurality of versions of a software application concurrently within a virtual machine, each of the plurality of versions of the software application being different from each other;
  
  selecting, by logic being executed by a processor of a data processing system, a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine;
  
  processing one or more software application versions of the subset of the plurality of versions of the software application to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine;
  
  monitoring behaviors of the potentially malicious content suspect during processing by the one or more software application versions of the subset of the plurality of versions of the software application to detect behaviors associated with a malicious attack;
  
  storing information associated with the detected behaviors that are associated with a malicious attack; and
  
  issuing an alert with respect to the malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 22, 23, 24, 25, 26, 27, 28, 29, 30, 36, 37, 38, 39)
- - 2. The method of claim 1, wherein the installing of the plurality of versions of the software application comprises installing the plurality of versions of the software application in a plurality of virtual machines configured in a virtual machine pool, each virtual machine of the plurality of virtual machines being associated with a different version of a guest operating system.
  - 3. The method of claim 1, wherein the installing of the plurality of versions of the software application further comprises installing a first software application version of the subset of the plurality of versions of the software application in a first directory and installing a second software application version of the subset of the plurality of versions of the software application in a second separate directory different than the first directory.
  - 4. The method of claim 1, wherein the installing of the plurality of versions of the software application further comprises installing each of the plurality of versions of the software application in a single directory.
  - 5. The method of claim 1, wherein the processing of the one or more software application versions of the subset of the plurality of versions of the software application comprises processing each software application version of the subset of the plurality of versions of the software application by concurrently launching each software application version of the subset of the plurality of versions of the software application within the virtual machine in response to providing an identifier identifying the potentially malicious content suspect to allow each of the launched software application versions of the subset of the plurality of versions of the software application to process the potentially malicious content suspect.
  - 6. The method of claim 1 further comprising:
    - based on information associated with the potentially malicious content suspect, selecting by a scheduler the virtual machine from a virtual machine pool that has been configured to mimic a target operating environment associated with the malicious content suspect; and
      
      scheduling, by the scheduler, the selected virtual machine to be launched within the data processing system.
  - 7. The method of claim 1, wherein the alert comprises a pointer or other referencing information to identify one or more packets of content associated with a malicious attack.
  - 22. The method of claim 1, wherein the processing of the one or more software applications further comprises processing a plurality of software application versions concurrently within the virtual machine with the potentially malicious content suspect.
  - 23. The method of claim 22, wherein the processing of the one or more software applications further comprises concurrently monitoring behaviors of the potentially malicious content suspect during processing of the plurality of software application versions within the virtual machine.
  - 24. The method of claim 1, wherein the processing of the one or more software applications further comprises concurrently monitoring behaviors of the potentially malicious content suspect during processing of the plurality of software application versions within the virtual machine.
  - 25. The method of claim 1, wherein prior to selecting the subset of the plurality of versions of the software application, the method further comprising registering each of the plurality of versions of the software application with a different identifier within a Windows registry.
  - 26. The method of claim 1, wherein prior to selecting the subset of the plurality of versions of the software application, the method further comprising registering each of the plurality of versions of the software application with a different identifier or name within an operating system.
  - 27. The method of claim 1, wherein the virtual machine is managed by a virtual machine monitor hosted in a host operating system, the virtual machine being hosted by a guest operating system.
  - 28. The method of claim 1, wherein the selecting of the subset of the plurality of versions of the software application is performed by the logic determining one or more software profiles, including at least an operating system and at least a software application suited for testing for the potentially malicious content suspect.
  - 29. The method of claim 28, wherein the selecting of the subset of the plurality of versions of the software application comprises selecting a flight of different software application versions of the plurality of versions of the software application based on the operating system.
  - 30. The method of claim 1, wherein the selecting of the subset of the plurality of versions of the software application comprises selecting different software applications manufactured by different manufacturers.
  - 36. The method of claim 1, wherein the processing of the one or more software application versions comprises launching and executing each software application version of the subset of the plurality of versions of the software application within the virtual machine in a temporal overlapping manner in order to test the subset of the plurality of versions of the software application concurrently.
  - 37. The method of claim 36, wherein the one or more software application versions comprises a first version of the software application and a second version of the software application being a patched version of the first version of the software application to close a security vulnerability in the first version of the software application.
  - 38. The method of claim 37, wherein the monitoring of the behaviors of the potentially malicious content suspect during processing by the one or more software application versions comprises testing of multiple versions of the software application where a determination is made that the security vulnerability has been addressed when the second version of the software application is tested without the security vulnerability while the first version of the software application is concurrently tested and features the security vulnerability.
  - 39. The method of claim 36, wherein the one or more software application versions comprises a first version of the software application and a second version of the software application being a hardened version of the first version of the software application.

8. A malicious content detection system, comprising:
- a processor; and
  
  a memory coupled to the processor, the memory to store instructions, including instructions that, when executed, cause the processor toinstall a plurality of versions of a software application concurrently within a virtual machine, each of the plurality of versions of the software application being different from each other,select a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine that is executed within the malicious content detection system,process one or more software application versions of the subset of the plurality of versions of the software application to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine,monitor behaviors of the potentially malicious content suspect during processing by each software application version of the subset of the plurality of versions of the software application to detect a behavior associated with a malicious attack, andissue an alert in response to detecting the malicious attack.
- View Dependent Claims (9, 10, 11, 12, 13, 31, 32, 33, 40, 41, 42, 43)
- - 9. The malicious content detection system of claim 8, wherein the processor to install the plurality of versions of the software application in a plurality of virtual machines configured in a virtual machine pool, each virtual machine of the plurality of virtual machines being associated with a specific version of a guest operating system.
  - 10. The malicious content detection system of claim 8, wherein the installing of the plurality of versions of the software application further comprises installing a different directory path corresponding to each software application version of the subset of the plurality of versions of the software application.
  - 11. The malicious content detection system of claim 8, wherein the processor is to sequentially launch the one or more software application versions of the subset of the plurality of versions of the software application within the virtual machine.
  - 12. The malicious content detection system of claim 8, further comprising a scheduler executed in the memory by the processor tobased on information associated with the malicious content suspect, select the virtual machine from a virtual machine pool that has been configured to mimic a target operating environment of malicious content suspect;
    - andschedule the virtual machine to be launched within the malicious content detection system.
  - 13. The malicious content detection system of claim 12, wherein the potentially malicious content suspect being tested during processing of the subset of the plurality of versions of the software application within the virtual machine, without having to schedule, launch, and terminate an individual virtual machine for each software application version for the subset of the plurality of versions of the software application.
  - 31. The malicious content detection system of claim 8, wherein responsive to an identifier, identifying the potentially malicious content suspect to allow the launched version of the software application to process the malicious content suspect.
  - 32. The malicious content detection system of claim 8, wherein prior to the processor selecting the subset of the plurality of versions of the software application, the processor to register each of the plurality of versions of the software application with a different identifier within a Windows registry.
  - 33. The malicious content detection system of claim 8, wherein prior to the processor selecting the subset of the plurality of versions of the software application, the processor to register each of the plurality of versions with a different identifier or name within an operating system.
  - 40. The malicious content detection system of claim 8, wherein the processor to process each software application version of the subset of the plurality of versions of the software application, being the one or more software application versions, by at least launching and executing each software application version of the subset of the plurality of versions of the software application within the virtual machine in a temporal overlapping manner in order to test the subset of the plurality of versions of the software application concurrently.
  - 41. The malicious content detection system of claim 40, wherein the one or more software application versions comprises a first version of the software application and a second version of the software application being a patched version of the first version of the software application to close a security vulnerability in the first version of the software application.
  - 42. The malicious content detection system of claim 41, wherein the processor to monitor the behaviors of the potentially malicious content suspect by at least testing of multiple versions of the software application where a determination is made that the security vulnerability has been addressed when the second version of the software application is tested without the security vulnerability while the first version of the software application is concurrently tested and features the security vulnerability.
  - 43. The malicious content detection system of claim 40, the one or more software application versions comprises a first version of the software application and a second version of the software application being a hardened version of the first version of the software application.

14. A system, comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory to store instructions that, when executed, cause the processor to perform operations, includinginstall a plurality of versions of a software application within a virtual machine, each of the plurality of versions of the software application being different from each other,select a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine,execute one or more software application versions of the subset of the plurality of versions of the software application concurrently to process a potentially malicious content suspect within the virtual machine, without switching to another virtual machine,monitor one or more behaviors of the potentially malicious content suspect during processing by each software application version of the subset of the plurality of versions of the software application to detect a behavior associated with a malicious attack, andissue an alert in response to detecting the malicious attack.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 34, 35, 44, 45, 46, 47)
- - 15. The system of claim 14, wherein the processor to install the plurality of versions of the software application in a plurality of virtual machines configured in a virtual machine pool, each virtual machine of the plurality of virtual machines being associated with a specific version of a guest operating system.
  - 16. The system of claim 14, wherein the installing of the plurality of versions of the software application further comprises installing a unique directory path corresponding to each software application version of the subset of the plurality of versions of the software application.
  - 17. The system of claim 14, wherein the processor is to sequentially launch the one or more software application versions of the subset of the plurality of versions of the software application within the virtual machine in response to providing an identifier identifying the potentially malicious content suspect to allow the launched version of the software application to process the malicious content suspect.
  - 18. The system of claim 14, wherein the memory further comprising a scheduler, when executed by the processor, to select, based on information associated with the malicious content suspect, the virtual machine from a virtual machine pool that has been configured to mimic a target operating environment of malicious content suspect;
    - andschedule the virtual machine to be launched within the malicious content detection system.
  - 19. The system of claim 14, wherein the subset of the plurality of versions of the software application are tested in processing the potentially malicious content suspect within the virtual machine, without having to schedule, launch, and terminate the virtual machine for each software application version for the subset of the plurality of versions of the software application.
  - 20. The system of claim 14, wherein the subset of the plurality of versions of the software application is selected through an input device allowing a user to enter an operating system version and one or more software application versions.
  - 21. The system of claim 14, wherein the plurality of versions of the software application include a new release of the software application or a service pack.
  - 34. The system of claim 14, wherein prior to the processor selecting the subset of the plurality of versions of the software application, the processor to register each of the plurality of versions of the software application with a different identifier within a Windows registry.
  - 35. The system of claim 14, wherein prior to the processor selecting the subset of the plurality of versions of the software application, the processor to register each of the plurality of versions with a different identifier or name within an operating system.
  - 44. The system of claim 14, wherein the processor to execute each of the one or more software application versions within the virtual machine in a temporal overlapping manner in order to test the subset of the plurality of versions of the software application concurrently.
  - 45. The system of claim 44, wherein the one or more software application versions comprises a first version of the software application and a second version of the software application being a patched version of the first version of the software application to close a security vulnerability in the first version of the software application.
  - 46. The system of claim 44, wherein the processor to monitor the behaviors of the potentially malicious content suspect by at least testing multiple versions of the software application where a determination is made that the security vulnerability has been addressed when the second version of the software application is tested without the security vulnerability while the first version of the software application is concurrently tested and features the security vulnerability.
  - 47. The system of claim 44, wherein the one or more software application versions comprises a first version of the software application and a second version of the software application being a hardened version of the first version of the software application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Khalid, Yasir, Amin, Muhammad, Jing, Emily, Rizwan, Muhammad
Primary Examiner(s)
Leung, Robert B

Application Number

US15/489,665
Time in Patent Office

456 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/556   involving covert channels, ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45558   Hypervisor-specific managem...

Malicious content analysis with multi-version application support within single operating environment

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

737 Citations

47 Claims

Specification

Use Cases

Quick Links

Others

Malicious content analysis with multi-version application support within single operating environment

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

737 Citations

47 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others