Zero-day rotating guest image profile
First Claim
1. A threat detection platform comprising:
- a communication interface;
one or more processors coupled to the communication interface; and
a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured to capture data associated with operations for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component being different from the first software component and the activity monitors specifically configured for the first software component instead of the second software component,wherein, in response to receipt of an object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the object to determine if the object is associated with a malicious attack by at least (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors.
8 Assignments
0 Petitions
Accused Products
Abstract
According to one embodiment, a threat detection platform features a housing, a communication interface, a processor coupled to the communication interface, and a data store. The data store includes (i) an event log, (ii) a first virtual machine, and (iii) a second virtual machine. The first virtual machine is provisioned with a first guest image that is based on an instrumented software profile that includes a first software component and activity monitors configured for the first software component. The second virtual machine is provisioned with a second guest image that is based on a temporary software profile that includes a second software component that is a more recent version of the first software component and the activity monitors configured for the first software component.
702 Citations
32 Claims
-
1. A threat detection platform comprising:
-
a communication interface; one or more processors coupled to the communication interface; and a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured to capture data associated with operations for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component being different from the first software component and the activity monitors specifically configured for the first software component instead of the second software component, wherein, in response to receipt of an object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the object to determine if the object is associated with a malicious attack by at least (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A threat detection platform comprising:
-
a communication interface; one or more processors coupled to the communication interface; a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured to capture data associated with operations for the first software component, (iii) a second guest image that includes information that causes retrieval of a second software component that is different from and a more recent version of the first software component from a remote source and the activity monitors are specifically configured for the first software component instead of the second software component, wherein, in response to receipt of an object by the threat detection platform, the one or more processors are configured to provision a first virtual machine with the first guest image and a second virtual machine with the second guest image that causes subsequent loading of the second software component, and the first virtual machine and the second virtual machine concurrently analyze the object to determine if the object is associated with a malicious attack by at least (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors. - View Dependent Claims (16, 17, 18, 19, 20, 21)
-
-
22. A computerized method comprising:
-
receiving an object for analysis; provisioning a first virtual machine with a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component; provisioning a second virtual machine with a second guest image that is based on a temporary software profile including a second software component being different from the first software component and the activity monitors specifically configured to capture data associated with operations for the first software component instead of the second software component; and concurrently analyzing the object by the first virtual machine and by the second virtual machine to determine whether the object is associated with a zero-day attack in response to detecting one or more anomalous behaviors by the second virtual machine upon processing of the object without experiencing one or more anomalous behaviors by the first virtual machine upon processing of the object, wherein the concurrent analysis of the object by the first virtual machine and the second virtual machine comprises (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
-
Specification