Exploit detection system
Abstract
According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines is configured to perform a dynamic analysis of an object and to monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within that virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious” or “malicious.”
28 Claims
1. A system comprising:
one or more hardware processors; and
a storage module communicatively coupled to the one or more hardware processors, the storage module comprising logic that, upon execution by the one or more hardware processors, performs operations comprising:
providing, by a first virtual machine, identifying information corresponding to an object to a security virtual machine for analysis of the object, the first virtual machine being one of a plurality of virtual machines and the first virtual machine being different than the security virtual machine;
performing, by the security virtual machine, a pre-processing based on the identifying information to determine whether the object is malicious;
responsive to the pre-processing resulting in a determination of suspicious, potentially suspicious or non-malicious, processing the object in the first virtual machine;
upon detection within the first virtual machine of a triggering event, providing, by the first virtual machine, information associated with the triggering event to the security virtual machine, wherein the detection occurs during the processing of the object in the first virtual machine; and
determining, within the security virtual machine, whether the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules, wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent commingling of data between the plurality of virtual machines, and wherein the information associated with the triggering event is different than the identifying information.
Dependent claims 2–14.
15. A non-transitory computer readable medium having stored thereon logic that, upon execution by one or more processors, performs operations comprising:
providing, by a first virtual machine, identifying information corresponding to an object to a security virtual machine for analysis of the object, wherein the first virtual machine is one of a plurality of virtual machines and the first virtual machine is different than the security virtual machine;
performing, by the security virtual machine, a pre-processing based on the identifying information to determine whether the object is malicious;
responsive to the pre-processing resulting in a determination of suspicious, potentially suspicious or non-malicious, processing the object in the first virtual machine;
upon detection, by the first virtual machine, of a triggering event, providing, by logic of the first virtual machine, information associated with the triggering event to the security virtual machine, wherein the detection of the triggering event occurs during the processing of the object in the first virtual machine; and
determining, within the security virtual machine, that the object is malicious based upon an analysis of the information associated with the triggering event and additional information associated with processing of the object after the detection of the triggering event using one or more correlation rules, wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent commingling of data between the plurality of virtual machines, and wherein the information associated with the triggering event, the additional information, and the identifying information are different from each other.
Dependent claims 16–23.
24. A computerized method comprising:
providing, by a first virtual machine, identifying information corresponding to an object to a security virtual machine for analysis of the object, wherein the first virtual machine is one of a plurality of virtual machines and the first virtual machine is different than the security virtual machine;
performing, by the security virtual machine, a pre-processing based on the identifying information to determine whether the object is malicious;
responsive to the pre-processing resulting in a determination of suspicious, potentially suspicious or non-malicious, processing the object in the first virtual machine;
upon detection, within the first virtual machine, of a triggering event, providing, by logic within the first virtual machine, information associated with the triggering event to the security virtual machine, wherein the detection occurs during the processing of the object in the first virtual machine; and
determining, within the security virtual machine, that the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules, wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent commingling of data between the plurality of virtual machines, and wherein the information associated with the triggering event is different than the identifying information.
Dependent claims 25–28.
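The flow that the abstract and the three independent claims describe (identifying information sent to the security VM, static pre-processing, execution inside the guest with triggering events forwarded over a hypervisor-brokered channel, correlation rules applied to each guest's events in isolation, and in claim 15 a verdict that also uses information gathered after the first trigger) modelled as a small Python program. This is an added illustration, not the patent's or any vendor's implementation: the class names, the use of a SHA-256 as the identifying information, the two correlation rules, the event kinds and the sample objects are all constructed for the example.

```python
"""Toy model of the virtualized detection flow in the abstract and claims.
Added illustration only: names, rules and sample objects are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

MALICIOUS, SUSPICIOUS, NON_MALICIOUS = "malicious", "suspicious", "non-malicious"


@dataclass
class Event:
    vm_id: str   # stamped by the hypervisor broker, never taken from the guest payload
    kind: str    # constructed kinds: file_write, process_create, registry_set, net_connect
    detail: str


class SecurityVM:
    """Pre-processes identifying information, then correlates triggering events per guest."""

    def __init__(self, known_bad: set[str], known_good: set[str]) -> None:
        self.known_bad, self.known_good = known_bad, known_good
        self.history: dict[str, list[Event]] = {}   # one event log per guest VM

    def pre_process(self, sha256: str) -> str:
        """Static check on the identifying information alone (here a SHA-256)."""
        if sha256 in self.known_bad:
            return MALICIOUS
        if sha256 in self.known_good:
            return NON_MALICIOUS
        return SUSPICIOUS            # unknown object: execute it in the guest and watch

    def receive_event(self, ev: Event) -> str | None:
        """Append to the sending guest's log only, then re-run the correlation rules."""
        log = self.history.setdefault(ev.vm_id, [])
        log.append(ev)
        return self.correlate(log)

    @staticmethod
    def correlate(log: list[Event]) -> str | None:
        """Two constructed rules; one event is only a trigger, a verdict needs a sequence."""
        written = {e.detail.lower() for e in log if e.kind == "file_write"}
        if any(e.kind == "process_create" and e.detail.lower() in written for e in log):
            return MALICIOUS         # rule 1: dropped a file, then executed it
        kinds = [e.kind for e in log]
        if ("registry_set" in kinds and "net_connect" in kinds
                and kinds.index("registry_set") < kinds.index("net_connect")):
            return MALICIOUS         # rule 2: persistence followed by an outbound connection
        return None                  # no verdict yet; keep watching


class Hypervisor:
    """Brokers all guest-to-security-VM traffic. The sender identity comes from the
    channel a message arrives on, so one guest cannot write into another guest's log."""

    def __init__(self, secvm: SecurityVM) -> None:
        self.secvm = secvm
        self.channels: set[str] = set()

    def attach(self, vm_id: str) -> None:
        self.channels.add(vm_id)

    def send_identifying_info(self, vm_id: str, sha256: str) -> str:
        if vm_id not in self.channels:
            raise PermissionError(f"{vm_id} has no channel to the security VM")
        return self.secvm.pre_process(sha256)

    def send_event(self, vm_id: str, kind: str, detail: str) -> str | None:
        if vm_id not in self.channels:
            raise PermissionError(f"{vm_id} has no channel to the security VM")
        return self.secvm.receive_event(Event(vm_id, kind, detail))


class GuestVM:
    def __init__(self, vm_id: str, hv: Hypervisor) -> None:
        self.vm_id, self.hv = vm_id, hv
        hv.attach(vm_id)

    def process(self, content: bytes, observed: list[tuple[str, str]]) -> tuple[str, int]:
        """Return (final verdict, events forwarded). `observed` is a constructed stand-in
        for what in-guest monitoring would see while the object executes."""
        verdict = self.hv.send_identifying_info(self.vm_id, hashlib.sha256(content).hexdigest())
        if verdict == MALICIOUS:
            return verdict, 0                     # blocked by pre-processing, never run
        sent = 0
        for kind, detail in observed:             # each observed action is a triggering event
            sent += 1
            if self.hv.send_event(self.vm_id, kind, detail) == MALICIOUS:
                return MALICIOUS, sent            # decided on correlated evidence
        return NON_MALICIOUS, sent                # ran to completion, no rule fired


def demo() -> dict[str, tuple[str, int]]:
    """Constructed scenario: a known-bad hash, a benign file, a dropper, and a
    cross-guest check showing vm-a's file write cannot taint vm-c's verdict."""
    bad = b"constructed known-bad sample"
    hv = Hypervisor(SecurityVM(known_bad={hashlib.sha256(bad).hexdigest()}, known_good=set()))
    a, b, c = GuestVM("vm-a", hv), GuestVM("vm-b", hv), GuestVM("vm-c", hv)
    results = {
        "known_bad": a.process(bad, [("file_write", r"C:\Temp\x.exe")]),
        "benign": a.process(b"benign document", [("file_write", r"C:\Users\u\report.docx")]),
        "dropper": b.process(b"unknown dropper", [
            ("file_write", r"C:\Temp\svc.exe"),
            ("process_create", r"C:\Temp\svc.exe"),
            ("net_connect", "203.0.113.7:443"),
        ]),
    }
    a.process(b"writer", [("file_write", r"C:\Temp\shared.exe")])   # vm-a drops a path
    results["cross_vm"] = c.process(b"runner", [("process_create", r"C:\Temp\shared.exe")])
    return results
```

Two design points carry the claims' security properties. The broker derives `vm_id` from the channel rather than from anything the guest sends, which is what keeps one compromised guest from injecting events into another guest's history (the "no commingling" clause); and the dropper is not condemned on its first `file_write` but on the later `process_create` that the rule correlates with it, which is the "additional information after the triggering event" of claim 15. A real deployment would revert the guest to a clean snapshot between objects rather than letting its event log accumulate as this toy does.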