Exploit detection system

US 10,148,693 B2
Filed: 06/15/2015
Issued: 12/04/2018
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more hardware processors; and

a storage module communicatively coupled to the one or more hardware processors, the storage module comprising logic that, upon execution by the one or more hardware processors, performs operations comprising;

providing, by a first virtual machine, identifying information corresponding to an object to a security virtual machine for analysis of the object, the first virtual machine being one of a plurality of virtual machines and the first virtual machine being different than the security virtual machine;

performing, by the security virtual machine, a pre-processing based on the identifying information to determine whether the object is malicious;

responsive to the pre-processing resulting in a determination of suspicious, potentially suspicious or non-malicious, processing the object in the first virtual machine;

upon detection within the first virtual machine of a triggering event, providing, by the first virtual machine, information associated with the triggering event to the security virtual machine, wherein the detection occurs during the processing of the object in the first virtual machine; and

determining, within the security virtual machine, whether the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules, wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent comingling of data between the plurality of virtual machines, and wherein the information associated with the triggering event is different than the identifying information.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines are configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious,” or “malicious.”

645 Citations

28 Claims

1. A system comprising:
- one or more hardware processors; and
  
  a storage module communicatively coupled to the one or more hardware processors, the storage module comprising logic that, upon execution by the one or more hardware processors, performs operations comprising;
  
  providing, by a first virtual machine, identifying information corresponding to an object to a security virtual machine for analysis of the object, the first virtual machine being one of a plurality of virtual machines and the first virtual machine being different than the security virtual machine;
  
  performing, by the security virtual machine, a pre-processing based on the identifying information to determine whether the object is malicious;
  
  responsive to the pre-processing resulting in a determination of suspicious, potentially suspicious or non-malicious, processing the object in the first virtual machine;
  
  upon detection within the first virtual machine of a triggering event, providing, by the first virtual machine, information associated with the triggering event to the security virtual machine, wherein the detection occurs during the processing of the object in the first virtual machine; and
  
  determining, within the security virtual machine, whether the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules, wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent comingling of data between the plurality of virtual machines, and wherein the information associated with the triggering event is different than the identifying information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the pre-processing includes a signature check of the identifying information of the object.
  - 3. The system of claim 1, wherein the information associated with the triggering event is an event that, through at least one of experiential knowledge or machine learning techniques, has been determined to have an association with a malicious attack.
  - 4. The system of claim 1, wherein the triggering event is an attempt to perform one of:
    - (i) deleting a first file or a first directory, (ii) creating a second file or second directory, (iii) establishing communication with an external server, (iv) protecting a file or directory with a password, or (v) encrypting a third file or a third directory.
  - 5. The system of claim 1, wherein the first virtual machine simulates an endpoint device through configuration of the first virtual machine using a prescribed software profile.
  - 6. The system of claim 1, wherein logic within the security virtual machine receives information associated with one or more triggering events from each of a plurality of first virtual machines included in the system.
  - 7. The system of claim 1 further comprising:
    - upon determining that the object is malicious, generating an alert within the security virtual machine to notify one or more of a user of an endpoint device, a network administrator or an expert network analyst.
  - 8. The system of claim 7, wherein the alert is provided to the one or more of a user of an endpoint device, a network administrator or an expert network analyst through a security appliance.
  - 9. The system of claim 1 further comprising:
    - upon determining that the object is malicious, adding information associated with the object to a blacklist.
  - 10. The system of claim 1 further comprising:
    - upon determining that the object is malicious, uploading information associated with the object to cloud services.
  - 11. The system of claim 1 further comprising:
    - receiving, by logic of the security virtual machine, (a) one or more updates to one or more of (i) a blacklist, (ii) a whitelist, or (iii) a correlation rule of one or more correlation rules, or (b) a set of correlation rules including updates to the one or more correlation rules from a security appliance.
  - 12. The system of claim 1, wherein the information associated with the triggering event is provided from the first virtual machine to the security virtual machine via the hypervisor communicatively coupled to the first virtual machine and the security virtual machine.
  - 13. The system of claim 1, wherein a first set of the plurality of virtual machines is configured for utilization by a first entity and a second set of the plurality of virtual machines is configured for utilization by a second entity, and wherein the first entity and the second entity are each one of an enterprise or an entrepreneur.
  - 14. The system of claim 1, wherein the plurality of virtual machines are contained within a virtual machine host.

15. A non-transitory computer readable medium having stored thereon logic that, upon execution by one or more processors, performs operations comprising:
- providing, by a first virtual machine, identifying information corresponding to an object to a security virtual machine for analysis of the object, wherein the first virtual machine being one of a plurality of virtual machines and the first virtual machine being different than the security virtual machine;
  
  performing, by the security virtual machine, a pre-processing based on the identifying information to determine whether the object is malicious;
  
  responsive to the pre-processing resulting in a determination of suspicious, potentially suspicious or non-malicious, processing the object in the first virtual machine;
  
  upon detection, by the first virtual machine, of a triggering event, providing, by logic of the first virtual machine, information associated with the triggering event to the security virtual machine, wherein the detection of the triggering event occurs during the processing of the object in the first virtual machine; and
  
  determining, within the security virtual machine, that the object is malicious based upon an analysis of information associated with the triggering event and additional information associated with processing of the object after the detection of the triggering event using one or more correlation rules, wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent comingling of data between the plurality of virtual machines, and wherein the information associated with the triggering event, the additional information, and the identifying information are different from each other.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The non-transitory computer readable medium of claim 15, wherein the logic that, upon execution by the one or more processors, performs operations further comprising:
    - determining, within the security virtual machine, that the object is suspicious based upon an analysis of the information associated with the triggering event using one or more correlation rules; and
      
      upon determination the object is suspicious based on the information associated with the triggering event, requesting, by logic within the security virtual machine, the additional information associated with processing of the object after the detection of the triggering event.
  - 17. The non-transitory computer readable medium of claim 15, wherein the pre-processing includes a signature check of the identifying information of the object.
  - 18. The non-transitory computer readable medium of claim 15, wherein the information associated with the triggering event is an event that, through at least one of experiential knowledge or machine learning techniques, has been determined to have an association with a malicious attack.
  - 19. The non-transitory computer readable medium of claim 15, wherein the triggering event is an attempt to perform one of:
    - (i) deleting a first file or a first directory, (ii) creating a second file or second directory, (iii) establishing communication with an external server, (iv) protecting a file or directory with a password, or (v) encrypting a third file or a third directory.
  - 20. The non-transitory computer readable medium of claim 15, wherein the information associated with the triggering event is provided from the first virtual machine to the security virtual machine via the hypervisor communicatively coupled to the first virtual machine and the security virtual machine.
  - 21. The non-transitory computer readable medium of claim 15, wherein a first set of the plurality of virtual machines is configured for utilization by a first entity and a second set of the plurality of virtual machines is configured for utilization by a second entity, and wherein the first entity and the second entity are each one of an enterprise or an entrepreneur.
  - 22. The non-transitory computer readable medium of claim 15, wherein the plurality of virtual machines are contained within a virtual machine host.
  - 23. The non-transitory computer readable medium of claim 15, wherein the logic that, upon execution by the one or more processors, performs operations further comprising:
    - providing, by the logic of the first virtual machine, additional information associated with processing of the object after the detection of the triggering event, to the security virtual machine; and
      
      determining, within the security virtual machine, that the object is malicious based upon an analysis of the additional information associated with processing of the object after the detection of the triggering event using one or more correlation rules, wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent comingling of data between the plurality of virtual machines.

24. A computerized method comprising:
- providing, by a first virtual machine, identifying information corresponding to an object to a security virtual machine for analysis of the object, wherein the first virtual machine being one of a plurality of virtual machines and the first virtual machine being different than the security virtual machine;
  
  performing, by the security virtual machine, a pre-processing based on the identifying information to determine whether the object is malicious;
  
  responsive to the pre-processing resulting in a determination of suspicious, potentially suspicious or non-malicious, processing the object in the first virtual machine;
  
  upon detection, within the first virtual machine, of a triggering event, providing, by logic within the first virtual machine, information associated with the triggering event to the security virtual machine, wherein the detection occurs during the processing of the object in the first virtual machine; and
  
  determining, within the security virtual machine, that the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules, and wherein a hypervisor coordinates communication between the security virtual machine and the plurality of virtual machines to prevent comingling of data between the plurality of virtual machines, wherein the information associated with the triggering event is different than the identifying information.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The computerized method of claim 24, wherein the triggering event is an attempt to perform one of:
    - (i) deleting a first file or a first directory, (ii) creating a second file or second directory, (iii) establishing communication with an external server, (iv) protecting a file or directory with a password, or (v) encrypting a third file or a third directory.
  - 26. The computerized method of claim 24, wherein the information associated with the triggering event is provided from the first virtual machine to the security virtual machine via the hypervisor communicatively coupled to the first virtual machine and the security virtual machine.
  - 27. The computerized method of claim 24, wherein a first set of the plurality of virtual machines is configured for utilization by a first entity and a second set of the plurality of virtual machines is configured for utilization by a second entity, and wherein the first entity and the second entity are each one of an enterprise or an entrepreneur.
  - 28. The computerized method of claim 24, wherein the plurality of virtual machines are contained within a virtual machine host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Singh, Japneet, Ramchetty, Harinath, Gupta, Anil
Primary Examiner(s)
Alata, Ayoub

Application Number

US14/739,921
Publication Number

US 20160285914A1
Time in Patent Office

1,268 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Exploit detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

645 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Exploit detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

645 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links