Device, method, and system of differentiating between virtual machine and non-virtualized device

US 10,049,209 B2
Filed: 09/26/2016
Issued: 08/14/2018
Est. Priority Date: 11/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining whether a user, who utilizes a computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM);

wherein the determining comprises;

monitoring response of the computing device to an interference that was introduced to a communication session between the computerized service and the computing device;

based on the monitored response, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device (a desktop computer, a laptop computer, a smartphone, a tablet, or the like) interacts and communicates with a server of a computerized server (a banking website, an electronic commerce website, or the like). The interactions are monitored, tracked and logged. Communication interferences are intentionally introduced to the communication session; and the server tracks the response or the reaction of the end-user device to such communication interferences. The system determines whether the user is a legitimate human user; or a cyber-attacker posing as a legitimate human user but actually utilizing a Virtual Machine.

Citations

21 Claims

1. A method comprising:
- determining whether a user, who utilizes a computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM);
  
  wherein the determining comprises;
  
  monitoring response of the computing device to an interference that was introduced to a communication session between the computerized service and the computing device;
  
  based on the monitored response, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, comprising:
    - generating said interference by duplicating a packet in said communication session between the computerized service and the computing device;
      
      wherein the determining comprises;
      
      based on the response of the computing device to said interference of a duplicated packet, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 3. The method of claim 1, comprising:
    - generating said interference by intentionally dropping a packet in said communication session between the computerized service and the computing device;
      
      wherein the determining comprises;
      
      based on the response of the computing device to said interference of a dropped packet, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 4. The method of claim 1, comprising:
    - generating said interference by inserting an error code into said communication session between the computerized service and the computing device;
      
      wherein the determining comprises;
      
      based on the response of the computing device to said interference of error code insertion, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 5. The method of claim 1, comprising:
    - generating said interference by generating network congestion in said communication session between the computerized service and the computing device;
      
      wherein the determining comprises;
      
      based on the response of the computing device to said interference of network congestion, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 6. The method of claim 1, comprising:
    - generating said interference by slowing-down network transport in said communication session between the computerized service and the computing device;
      
      wherein the determining comprises;
      
      based on the response of the computing device to said interference of slowed-down network transport, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 7. The method of claim 1, comprising:
    - generating said interference by generating latency in said communication session between the computerized service and the computing device;
      
      wherein the determining comprises;
      
      based on the response of the computing device to said interference of latency, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 8. The method of claim 1, comprising:
    - generating said interference by generating a communication error that causes a Virtual Machine Monitor (VMM) to handle the communication error without passing the communication error for handling by an underlying Virtual Machine (VM);
      
      based on the handling of said communication error, determining that the computing device is a Virtual Machine (VM) running on a Virtual Machine Monitor (VMM).
  - 9. The method of claim 1, comprising:
    - generating a communication error that causes a packet to be handled by both (i) a virtualized network card of a Virtual Machine (VM), and (ii) a hardware network card of a computer on which said Virtual Machine (VM) is running;
      
      detecting dual-handling of said packet due to said communication error;
      
      based on said dual-handling, determining that said computing device is a Virtual Machine (VM).
  - 10. The method of claim 1, comprising:
    - generating a communication error that causes a packet to be handled by both (i) a virtualized driver of a Virtual Machine (VM), and (ii) a non-virtualized driver of a computer on which said Virtual Machine (VM) is running;
      
      detecting dual-handling of said packet due to said communication error;
      
      based on said dual-handling, determining that said computing device is a Virtual Machine (VM).
  - 11. The method of claim 1, comprising:
    - determining whether said computing device is defined by utilizing Network Address Translation (NAT) or by utilizing bridged networking;
      
      based on a determination that said computing device is defined by utilizing Network Address Translation (NAT), determining that said computing device is a Virtual Machine (VM).
  - 12. The method of claim 1, comprising:
    - generating a communication error that is typically handled by an end-user device at a communication layer that is higher than data link layer (L2);
      
      monitoring the handling of said communication error by said computing device;
      
      detecting that said communication error was handled at the data link layer (L2);
      
      based on said detecting, determining that said computing device is a Virtual Machine (VM).
  - 13. The method of claim 1, comprising:
    - measuring a time-to-live (TTL) value of packets transported from said computerized service to said computing device;
      
      based on said TTL value, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 14. The method of claim 1, comprising:
    - measuring a Transmission Control Protocol (TCP) window size of said computing device;
      
      based on said TCP window size of said computing device, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
  - 15. The method of claim 1, comprising:
    - storing in a repository profiles of multiple computing stacks of Virtual Machines (VMs);
      
      during the communication session between said computerized service and said computing device, generating an ad-hoc computing stack profile of said computing device;
      
      if the ad-hoc computing stack profile of said computing device matches a previously-stored profile of computing stack of Virtual Machine (VM), then determining that said computing device is a Virtual Machine (VM).
  - 16. The method of claim 1, comprising:
    - storing in a repository profiles of multiple computing stacks of non-virtualized computing platforms;
      
      during the communication session between said computerized service and said computing device, generating an ad-hoc computing stack profile of said computing device;
      
      if the ad-hoc computing stack profile of said computing device matches a previously-stored profile of a computing stack of non-virtualized computing platform, then determining that said computing device is a non-virtualized computing platform.
  - 17. The method of claim 1, comprising:
    - estimating two or more parameters of a computing stack of said computing device;
      
      generating a weighted score based on said two or more parameters of the computing stack of said computing device;
      
      if the weighted score matches a previously-calculated score that typically characterizes a Virtual Machine (VM), then determining that said computing device is a Virtual Machine (VM).
  - 18. The method of claim 1, comprising:
    - causing said computing device to perform a processing-intensive process, and monitoring progress of said processing-intensive process;
      
      based on monitored progress of said processing-intensive process, estimating whether said computing device is a single-core computing device or a multiple-core computing device;
      
      based at least on an estimation that said computing device is a single-core computing device, determining that said computing device is a Virtual Machine (VM).
  - 19. The method of claim 1, comprising:
    - causing said computing device to perform a resource-overloading process, and monitoring progress of said resource-overloading process;
      
      based on monitored progress of said processing-intensive process, estimating whether said computing device is a high-resource computing device or a low-resource computing device;
      
      based at least on an estimation that said computing device is a low-resource computing device, determining that said computing device is a Virtual Machine (VM).
  - 20. The method of claim 1, comprising:
    - causing said computing device to invoke a process that attempts to directly access a graphics card of said computing device;
      
      monitoring whether or not said process successfully accessed directly the graphics card of said computing device;
      
      if it is detected that said process did not successfully access directly the graphics card of said computing device, then determining that said computing device is a Virtual Machine (VM).
  - 21. The method of claim 1, comprising:
    - causing said computing device to invoke a process that attempts to draw a particular on-screen graphic item that can be drawn only by direct access to a graphics card of said computing device;
      
      monitoring whether or not said process successfully drew said graphic item;
      
      if it is detected that said process did not successfully draw said graphic item, then determining that said computing device is a Virtual Machine (VM).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
Turgeman, Avi, Lehmann, Yaron
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US15/275,504
Publication Number

US 20170011217A1
Time in Patent Office

687 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/301   where the computing system ...

G06F 11/3055   Monitoring arrangements for...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

G06F 21/554   involving event detection a...

G06F 2221/2133   Verifying human interaction...

G06F 3/041   Digitisers, e.g. for touch ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Device, method, and system of differentiating between virtual machine and non-virtualized device

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Device, method, and system of differentiating between virtual machine and non-virtualized device

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links