Zero-day rotating guest image profile

US 10,075,455 B2
Filed: 06/30/2015
Issued: 09/11/2018
Est. Priority Date: 12/26/2014
Status: Active Grant

First Claim

Patent Images

1. A threat detection platform comprising:

a communication interface;

one or more processors coupled to the communication interface; and

a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured to capture data associated with operations for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component being different from the first software component and the activity monitors specifically configured for the first software component instead of the second software component,wherein, in response to receipt of an object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the object to determine if the object is associated with a malicious attack by at least (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a threat detection platform features a housing, a communication interface, a processor coupled to the communication interface, and a data store. The data store includes (i) an event log, (ii) a first virtual machine, and (iii) a second virtual machine. The first virtual machine is provisioned with a first guest image that is based on an instrumented software profile that includes a first software component and activity monitors configured for the first software component. The second virtual machine is provisioned with a second guest image that is based on a temporary software profile that includes a second software component that is a more recent version of the first software component and the activity monitors configured for the first software component.

702 Citations

32 Claims

1. A threat detection platform comprising:
- a communication interface;
  
  one or more processors coupled to the communication interface; and
  
  a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured to capture data associated with operations for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component being different from the first software component and the activity monitors specifically configured for the first software component instead of the second software component,wherein, in response to receipt of an object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the object to determine if the object is associated with a malicious attack by at least (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The threat detection platform of claim 1, wherein the first virtual machine is a different virtual machine than the second virtual machine.
  - 3. The threat detection platform of claim 1, wherein the second software component is a more recent version of the first software component.
  - 4. The threat detection platform of claim 1, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the object is associated with a zero-day attack, being a particular type of malicious attack, in response to the activity monitors detecting one or more anomalous behaviors being conducted by the second virtual machine during processing of the object while the activity monitors failing to detect any of the one or more anomalous behaviors being conducted by the first virtual machine during processing of the object.
  - 5. The threat detection platform of claim 4, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the object is associated with a known type of malicious attack in response to the activity monitors detecting one or more anomalous behaviors being conducted by both the first virtual machine and the second virtual machine during processing of the object.
  - 6. The threat detection platform of claim 4, wherein the communication interface compriseslogic that receives a flow from a remote source, decompresses or decrypts the flow, and extracts an object from the flow;
    - logic that extracts or generates metadata associated with the object that is subsequently used by the one or more processors in provisioning at least the first virtual machine and the second virtual machine; and
      
      logic that analyzes features of the object to identify the object is suspect when a likelihood of the object being associated with a malicious attack exceeds a threshold.
  - 7. The threat detection platform of claim 6, wherein the remote source is a network and the flow is network content propagating over the network.
  - 8. The threat detection platform of claim 1, wherein the activity monitors for the second guest image is lesser in number that the activity monitors for the first guest image.
  - 9. The threat detection platform of claim 1, wherein in response to receiving a third guest image that is based on a second fully-instrumented software profile including the second software component and activity monitors specifically configured for the second software component prior to receipt of the object, the one or more processors are configured to provision a virtual machine with the third guest image in lieu of provisioning the first virtual machine and the second virtual machine.
  - 10. The threat detection platform of claim 1, wherein the first virtual machine with the first guest image and the second virtual machine with the second guest image continuing to concurrently analyze the object as the activity monitors are updated.
  - 11. The threat detection platform of claim 10, wherein the activity monitors are updated until the second software component is fully instrumented.
  - 12. The threat detection platform of claim 11, wherein, in response the second software component being fully instrumented, discontinuing analysis of the object using the first virtual machine with the first guest image and analyzing the object using the second virtual machine including the fully-instrumented second software component.
  - 13. The threat detection platform of claim 1, wherein the activity monitors being separate from with the second software component.
  - 14. The threat detection platform of claim 13, wherein the second software component being a more recent version of software than the first software component.

15. A threat detection platform comprising:
- a communication interface;
  
  one or more processors coupled to the communication interface;
  
  a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured to capture data associated with operations for the first software component, (iii) a second guest image that includes information that causes retrieval of a second software component that is different from and a more recent version of the first software component from a remote source and the activity monitors are specifically configured for the first software component instead of the second software component,wherein, in response to receipt of an object by the threat detection platform,the one or more processors are configured to provision a first virtual machine with the first guest image and a second virtual machine with the second guest image that causes subsequent loading of the second software component, andthe first virtual machine and the second virtual machine concurrently analyze the object to determine if the object is associated with a malicious attack by at least (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The threat detection platform of claim 15, wherein the first virtual machine is a different virtual machine than the second virtual machine.
  - 17. The threat detection platform of claim 15, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the object is associated with a zero-day attack, being a particular type of malicious attack, in response to the activity monitors detecting one or more anomalous behaviors being conducted by the second virtual machine during processing of the object while the activity monitors failing to detect any of the one or more anomalous behaviors being conducted by the first virtual machine during processing of the object.
  - 18. The threat detection platform of claim 17, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the object is associated with a known type of malicious attack in response to the activity monitors detecting one or more anomalous behaviors being conducted by both the first virtual machine and the second virtual machine during processing of the object.
  - 19. The threat detection platform of claim 15, wherein the communication interface compriseslogic that receives a flow from a remote source, decompresses or decrypts the flow, and extracts an object from the flow;
    - logic that extracts or generates metadata associated with the object that is subsequently used by the one or more processors in provisioning at least the first virtual machine and the second virtual machine; and
      
      logic that analyzes features of the object to identify the object is suspect when a likelihood of the object being associated with a malicious attack exceeds a threshold.
  - 20. The threat detection platform of claim 19, wherein the remote source is a network and the flow is network content propagating over the network.
  - 21. The threat detection platform of claim 15, wherein in response to receiving a third guest image that is based on a second fully-instrumented software profile including the second software component and activity monitors specifically configured for the second software component prior to receipt of the object, the one or more processors are configured to provision a virtual machine with the third guest image to analyze the object in lieu of provisioning the first virtual machine and the second virtual machine for analyzing the object.

22. A computerized method comprising:
- receiving an object for analysis;
  
  provisioning a first virtual machine with a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component;
  
  provisioning a second virtual machine with a second guest image that is based on a temporary software profile including a second software component being different from the first software component and the activity monitors specifically configured to capture data associated with operations for the first software component instead of the second software component; and
  
  concurrently analyzing the object by the first virtual machine and by the second virtual machine to determine whether the object is associated with a zero-day attack in response to detecting one or more anomalous behaviors by the second virtual machine upon processing of the object without experiencing one or more anomalous behaviors by the first virtual machine upon processing of the object,wherein the concurrent analysis of the object by the first virtual machine and the second virtual machine comprises (1) processing the object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. The method of claim 22, wherein:
    - a number of the activity monitors associated with the second guest image is lesser than or equal to a number of the activity monitors associated with the first guest image, andthe second software component is a subsequent version of the first software component.
  - 24. The method of claim 22, wherein the second software component included in the second guest image is a newer version of the first software component included in the first guest image.
  - 25. The method of claim 22, wherein the analyzing of the object by the first virtual machine comprises processing the object with the first virtual machine by a provisioned software application controlled by an operating system being part of the first guest image.
  - 26. The method of claim 22, wherein the provisioning of the first virtual image is based, at least in part, on metadata associated with the object, the metadata being received with the object extracted from network traffic propagating over a network.
  - 27. The method of claim 22, wherein the first virtual machine is provisioned by a scheduler that selects the first guest image based on metadata accompanying the object.
  - 28. The method of claim 22, wherein the concurrent analysis of the object by the first virtual machine with the first guest image and the second virtual machine with the second guest image continues as the activity monitors are updated.
  - 29. The method of claim 28, wherein the activity monitors are updated until the second software component is fully instrumented.
  - 30. The method of claim 29 further comprising:
    - in response the second software component being fully instrumented, discontinuing analysis of the object using the first virtual machine with the first guest image; and
      
      analyzing the object using the second virtual machine including the fully-instrumented second software component.
  - 31. The method of claim 22, wherein the activity monitors being separate from with the first software component and the second software component.
  - 32. The method of claim 31, wherein the second software component being a more recent version of software than the first software component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Zafar, Asim, Qureshi, Eirij, Kindlund, Darien
Primary Examiner(s)
Li, Meng

Application Number

US14/788,450
Publication Number

US 20160191547A1
Time in Patent Office

1,169 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Zero-day rotating guest image profile

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

702 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Zero-day rotating guest image profile

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

702 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others