Zero-day discovery system
First Claim
1. A method for determining a zero-day attack by an electronic device, comprising:
- determining a plurality of fortified software profiles for use in instantiating a plurality of virtual machines based on information associated with an exploit;
- instantiating, by the electronic device, a first virtual machine of the plurality of virtual machines based on a first fortified software profile of the plurality of fortified software profiles and a second virtual machine of the plurality of virtual machines based on a second fortified software profile of the plurality of fortified software profiles that is different from the first fortified software profile, the first fortified software profile includes an operating system and an application and the second fortified software profile includes an update of the operating system or an update of the application;
- processing content associated with the exploit on both the first virtual machine and the second virtual machine, the processing of the content being performed concurrently in which one or more operations performed by the first virtual machine at least partially overlap in time one or more operations performed by the second virtual machine;
- determining, by the electronic device, undesired behaviors during the processing of the content associated with the exploit on both the first virtual machine and the second virtual machine;
- weighting, by the electronic device, each of the undesired behaviors, determined during the processing of the content associated with the exploit, to obtain a weighted value; and
- determining, by the electronic device, that the exploit is associated with the zero-day attack responsive to the weighted value exceeding a threshold value.
Abstract
A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is associated with a zero-day exploit when the exploit, upon execution of the content on the at least one virtual machine, performs an undesired behavior.
44 Claims
1. A method for determining a zero-day attack by an electronic device, comprising the steps set out under First Claim above. Dependent claims: 2 to 14.
15. An electronic device, comprising:
- a communication interface logic adapted to receive incoming content; and
- one or more hardware processors in communication with the communication interface logic, the one or more hardware processors to:
  (i) determine a plurality of fortified software profiles for use in instantiating one or more virtual machines based on information associated with an exploit;
  (ii) instantiate at least a first virtual machine of the one or more virtual machines based on a fortified software profile of the plurality of fortified software profiles and a second virtual machine of the one or more virtual machines based on a software profile different than the fortified software profile, wherein the software profile includes an operating system and one or more applications and the fortified software profile includes an update of the operating system or an update of the one or more applications;
  (iii) control execution of content associated with the exploit on the first virtual machine and the second virtual machine, the execution of the content associated with the exploit being performed concurrently in which one or more operations performed by the first virtual machine at least partially overlap in time one or more operations performed by the second virtual machine;
  (iv) determine undesired behaviors caused by the execution of the content associated with the exploit on both the first virtual machine and the second virtual machine;
  (v) weight each of the undesired behaviors, determined during the execution of the content associated with the exploit, to obtain a weighted value; and
  (vi) determine that the exploit is associated with a zero-day attack responsive to the weighted value exceeding a threshold value.
Dependent claims: 16 to 30.
31. A non-transitory storage medium to contain software that, when executed by one or more processors within an electronic device, performs operations comprising:
- receiving content associated with an exploit propagating over a transmission medium being part of a network;
- determining both a first software profile for a first virtual machine based on the content associated with the exploit and a second software profile for a second virtual machine based on the content associated with the exploit, the first software profile includes an operating system and at least one application and the second software profile includes an update of the operating system or an update of the at least one application;
- instantiating, by the one or more processors, the first virtual machine based on the first software profile;
- instantiating, by the one or more processors, the second virtual machine based on the second software profile;
- processing the content associated with the exploit on both the first virtual machine and the second virtual machine, the processing of the content associated with the exploit being performed concurrently in which one or more operations performed by the first virtual machine at least partially overlap in time one or more operations performed by the second virtual machine;
- determining, by the one or more processors, undesired behaviors during the processing of the content associated with the exploit on both the first virtual machine and the second virtual machine;
- weighting, by the one or more processors, each of the undesired behaviors determined during the processing of the content associated with the exploit, to obtain a weighted value; and
- determining that the exploit is associated with a zero-day attack responsive to the weighted value exceeding a threshold value.
Dependent claims: 32 to 39.
40. A method for determining a zero-day attack by an electronic device, comprising:
- determining a plurality of fortified software profiles for use in instantiating one or more virtual machines based on information associated with an exploit;
- instantiating, by the electronic device, a first virtual machine of the one or more virtual machines based on a first fortified software profile of the plurality of fortified software profiles that includes an update of an operating system and an update of at least one application, and a second virtual machine of the one or more virtual machines based on a second fortified software profile of the plurality of fortified software profiles that is different from the first fortified software profile, the second fortified software profile including an update of the updated operating system of the first fortified software profile or an update of the updated application of the first fortified software profile;
- processing content associated with the exploit on both the first virtual machine and the second virtual machine, the processing of the content associated with the exploit being performed concurrently in which one or more operations performed by the first virtual machine at least partially overlap in time one or more operations performed by the second virtual machine;
- determining, by the electronic device, undesired behaviors during the processing of the content associated with the exploit on both the first virtual machine and the second virtual machine;
- weighting, by the electronic device, each of the undesired behaviors determined during the processing of the content associated with the exploit, to obtain a weighted value; and
- determining, by the electronic device, that the exploit is associated with the zero-day attack responsive to the weighted value exceeding a threshold value.
Dependent claims: 41 to 44.