System and method of threat detection under hypervisor control
5 Assignments
0 Petitions
Abstract
A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that, when executed by the processors, operates as (i) a virtual machine and (ii) a hypervisor. The virtual machine includes a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more virtual resources. The hypervisor configures a portion of the guest kernel to intercept a system call from the guest application and redirect information associated with the system call to the hypervisor. The hypervisor enables logic within the guest kernel to analyze information associated with the system call to determine whether the system call is associated with a malicious attack in response to the system call being initiated during a memory page execution cycle. Alternatively, the hypervisor operates to obfuscate interception of the system call in response to the system call being initiated during memory page read cycle.
512 Citations
20 Claims
1. A computing device comprising:
one or more hardware processors; and a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors, operates as (i) a virtual machine including a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more resources and (ii) a hypervisor configured to intercept a system call issued from the guest application, wherein the hypervisor is configured to signal logic within the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack in response to the intercepted system call occurring during a first operating state, wherein the hypervisor is further configured to obfuscate interception of the system call in response to the intercepted system call being issued during a second operating state, wherein the first operating state is a first guest cycle and the second operating state is a second guest cycle.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A computerized method comprising:
intercepting, using a hypervisor, a system call issued from an object being processed by a guest application operating within a virtual machine, the virtual machine including a guest kernel that facilitates communications between the guest application and one or more resources within the virtual machine; responsive to the intercepted system call occurring during a first operating state, signaling logic with the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack; and responsive to the intercepted system call occurring during a second operating state different than the first operating state, obfuscating interception of the system call, wherein the first operating state is a first guest cycle and the second operating state is a second guest cycle.
Dependent claims: 12, 13, 14, 15, 16, 17

18. A computing device comprising:
a virtual machine including a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more resources; and a hypervisor communicatively coupled to the virtual machine, the hypervisor being configured to receive an intercepted system call initiated by an object being processed within the guest application within the virtual machine, the intercepted system call being directed to a memory page in an altered state with a first instruction of the memory page being substituted with a HALT instruction to trap to the hypervisor, wherein the hypervisor (i) signals logic within the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack in response to the intercepted system call occurring during a first operating state and (ii) obfuscates interception of the system call by emulating a read access to the memory page in an unaltered state in response to the intercepted system call occurring during a second operating state different than the first operating state, wherein the first operating state is a first guest cycle and the second operating state is a second guest cycle.
Dependent claims: 19, 20
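The abstract and claim 18 describe one mechanism seen through two guest cycles: the hypervisor substitutes the first instruction of a monitored memory page with a HALT so that an execute access traps to it and the guest-kernel analysis logic is signalled, while a read access to the same page is answered by emulating a read of the page in its unaltered state, so an in-guest integrity check cannot see the hook. The following Python model is an added illustration and is not code from the patent or its assignee. It assumes the x86 HLT opcode 0xF4 stands in for the claim's HALT instruction, and the guest-physical address, the page bytes and the set of system calls the analyzer treats as suspicious are all constructed for the demonstration.

```python
# Constructed toy model (not the patent's own code) of the two-view
# system-call interception described in the abstract and in claim 18.
from dataclasses import dataclass
import hashlib

HLT = 0xF4  # x86 HLT opcode, standing in for the claim's "HALT instruction"

# Constructed policy: system calls that the guest-kernel analysis logic
# treats as indicators of a malicious attack when seen on an execute cycle.
SUSPICIOUS_SYSCALLS = {"ptrace", "process_vm_writev"}


@dataclass
class MonitoredPage:
    original: bytes      # unaltered contents, returned on read cycles
    altered: bytearray   # execute view with the first instruction replaced by HLT


def guest_kernel_analyzer(syscall):
    """Stand-in for the logic inside the guest kernel that the hypervisor signals."""
    return "suspicious" if syscall["name"] in SUSPICIOUS_SYSCALLS else "benign"


class Hypervisor:
    def __init__(self, analyzer=guest_kernel_analyzer):
        self.analyzer = analyzer
        self.pages = {}
        self.events = []   # trace of VM exits, the raw material for detection rules

    def hook_page(self, gpa, contents):
        """Put the page into its altered state: the first byte becomes HLT."""
        altered = bytearray(contents)
        altered[0] = HLT
        self.pages[gpa] = MonitoredPage(bytes(contents), altered)

    def on_access(self, gpa, cycle, syscall=None):
        page = self.pages[gpa]
        if cycle == "execute":
            # First guest cycle: fetching the HLT traps to the hypervisor,
            # which signals the guest-kernel logic to analyze the intercepted call.
            verdict = self.analyzer(syscall)
            self.events.append(("execute", gpa, syscall["name"], verdict))
            return verdict
        if cycle == "read":
            # Second guest cycle: obfuscate the hook by emulating a read of the
            # page in its unaltered state, so the guest never observes the HLT.
            self.events.append(("read", gpa))
            return page.original
        raise ValueError(f"unknown guest cycle: {cycle}")


def build_demo():
    """Constructed guest page and hypervisor used by the demonstration below."""
    # Constructed bytes for a syscall stub: mov eax, imm32; syscall; ret
    original = bytes([0xB8, 0x3B, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3])
    gpa = 0x7FFF1000   # constructed guest-physical address of the monitored page
    hv = Hypervisor()
    hv.hook_page(gpa, original)
    return hv, gpa, original


def guest_integrity_check(hv, gpa, expected):
    """A guest-side integrity scan reads the page and must see the original hash."""
    seen = hv.on_access(gpa, "read")
    return hashlib.sha256(seen).hexdigest() == hashlib.sha256(expected).hexdigest()


if __name__ == "__main__":
    hv, gpa, original = build_demo()
    print("execute cycle, ptrace :", hv.on_access(gpa, "execute", {"name": "ptrace"}))
    print("execute cycle, write  :", hv.on_access(gpa, "execute", {"name": "write"}))
    print("read cycle hides hook :", guest_integrity_check(hv, gpa, original))
    print("VM exits recorded     :", hv.events)
```

The `events` list is the part a detection engineer would keep: every execute-cycle trap records the system call and the verdict, which is what feeds alerting, while the read-cycle entries document that the hook's obfuscation was exercised.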
Specification