Dynamic guest image creation and rollback

US 10,242,185 B1
Filed: 03/21/2014
Issued: 03/26/2019
Est. Priority Date: 03/21/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

relating, by a system including the virtual machine having access to information within a Lightweight Directory Access Protocol (LDAP) server, a plurality of master images to a corresponding plurality of groups, each master image representing a base amount of content to be loaded into a client device for use by a member of a particular group of the plurality of groups;

automatically generating a software guest image for a targeted client device assigned to or associated with a first group of the plurality of groups in response to a change of storage volume in the targeted client device, the software guest image being based, at least in part, on an image upload message and a prior software guest image of an operating state of the targeted client device that is prior to the change of storage volume, the image upload message includes changes in the operating state of the targeted client device that have occurred after generation of the prior software guest image, the prior software guest image includes either (i) the master image of the first group or (ii) a guest image based on the master image of the first group;

dynamically configuring a virtual machine with the software guest image representing a current operating state of the targeted client device, the software guest image representing content and structure of the storage volume for the targeted client device at a time of configuring the virtual machine; and

processing an object by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit, the object being data associated with network traffic directed to the targeted client device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises three operations. First, an incoming object is analyzed to determine if the incoming object is suspicious by having characteristics that suggest the object is an exploit. Next, a virtual machine is dynamically configured with a software image representing a current operating state of a targeted client device. The software image represents content and structure of a storage volume for the targeted client device at a time of configuring the virtual machine. Lastly, the object is processed by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit.

681 Citations

26 Claims

1. A computerized method comprising:
- relating, by a system including the virtual machine having access to information within a Lightweight Directory Access Protocol (LDAP) server, a plurality of master images to a corresponding plurality of groups, each master image representing a base amount of content to be loaded into a client device for use by a member of a particular group of the plurality of groups;
  
  automatically generating a software guest image for a targeted client device assigned to or associated with a first group of the plurality of groups in response to a change of storage volume in the targeted client device, the software guest image being based, at least in part, on an image upload message and a prior software guest image of an operating state of the targeted client device that is prior to the change of storage volume, the image upload message includes changes in the operating state of the targeted client device that have occurred after generation of the prior software guest image, the prior software guest image includes either (i) the master image of the first group or (ii) a guest image based on the master image of the first group;
  
  dynamically configuring a virtual machine with the software guest image representing a current operating state of the targeted client device, the software guest image representing content and structure of the storage volume for the targeted client device at a time of configuring the virtual machine; and
  
  processing an object by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit, the object being data associated with network traffic directed to the targeted client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computerized method of claim 1, wherein the object is a plurality of related packets.
  - 3. The computerized method of claim 1, wherein the generating of the software guest image for the targeted client device that is used in configuring the virtual machine prior to processing the object occurs in response to a first polling event based on the change of the storage volume in the targeted client device exceeding a prescribed amount since a prior polling event.
  - 4. The computerized method of claim 1, wherein the generating of the software guest image is further based on the prior software guest image representing a prior operating state of the targeted client device preceding the change of the storage volume.
  - 5. The computerized method of claim 4, wherein the prior software guest image is based on the master image of the first group that includes software and corresponding metadata that is originally loaded into the targeted client device.
  - 6. The computerized method of claim 4, wherein the prior software guest image is based on the guest image that represents software and corresponding metadata stored within the targeted client device at a time preceding the change in storage volume.
  - 7. The computerized method of claim 1, wherein the targeted client device transitions from a non-infected state to an infected state upon receipt and processing of the object having the exploit.
  - 8. The computerized method of claim 7 further comprising:
    - conducting a remediation to restore an operating state of the targeted client device from the infected state to the non-infected state, the remediation includes loading a stored, software guest image associated with the targeted client device prior to targeted client device transitioning from the non-infected state to the infected state.
  - 9. The computerized method of claim 8, wherein the remediation occurs automatically without being prompted by the user.
  - 10. The computerized method of claim 7, wherein responsive to transitioning the targeted client device from the non-infected state to the infected state upon receipt and processing of the object having the exploit, the method further comprising:
    - determining a software guest image prior to the targeted client device receiving the object including the exploit; and
      
      restoring an operating state of the targeted client device by restoring the software guest image on the targeted client device so that the client device reverts to an operating state of the client device prior to activation of the exploit.
  - 11. The computerized method of claim 10, wherein the restoring of the operating state of the targeted client device prior to activation of the exploit may be conducted automatically upon transition of the targeted client device from the non-infected state to the infected state.
  - 12. The computerized method of claim 1, wherein the change of storage volume needs to exceed at least a predetermined amount of data being stored or deleted from persistent storage of the targeted client device and the particular group is determined from information within a Lightweight Directory Access Protocol (LDAP) server.
  - 13. The computerized method of claim 12, wherein the predetermined amount of data being ten kilobytes of data.
  - 14. The computerized method of claim 1, wherein the changes in the operating state of the targeted client device that have occurred after generation of the prior software guest image comprises a software application newly installed on the targeted client device or metadata changes on an operating system that support the newly installed software application.
  - 15. The computerized method of claim 1, wherein the master image provides an initial operating state corresponding to initial amount of software installed on the targeted client device for use by the member of the particular group.

16. A system comprising:
- one or more memory blades; and
  
  one or more processor blades communicatively coupled to the one or more memory blades, the one or more processor blades includes a first processor blade that includes logic toautomatically generate a software guest image for a targeted client device in response to a change of storage volume in the targeted client device, wherein the targeted client device is associated with a first group of a plurality of groups based on communications with a Lightweight Directory Access Protocol (LDAP) server and each group is assigned a master image representing a base amount of content to be loaded into client devices associated with a particular group of the plurality of groups, the software guest image being based, at least in part, on an image upload message received from the targeted client device and a prior software guest image of an operating state of the targeted client device that is prior to the change of storage volume, the image upload message includes changes in the operating state of the targeted client device that have occurred after generation of the prior software guest image, the prior software guest image includes either (i) a master image associated with the first group or (ii) a guest image based on the master image;
  
  determine that an incoming object, including data associated with network traffic directed to the targeted client device, is suspicious by having characteristics that suggest the object is an exploit,dynamically configure a virtual machine with the software guest image representing a current operating state of the targeted client device to which the object is directed, the software guest image representing content and structure of the storage volume for the targeted client device at a time of configuring the virtual machine, andprocess the object by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The system of claim 16, wherein the incoming object is an object associated with network traffic directed to the targeted client device.
  - 18. The system of claim 16, wherein prior to logic within the first processor blade dynamically configuring the virtual machine with the software guest image, a memory blade within the one or more memory blades including logic to generate the software guest image for the targeted client device based on the change of storage volume in the targeted client device.
  - 19. The system of claim 18, wherein the memory blade to generate the software guest image based on the prior software guest image representing a prior operating state of the targeted client device being the operating state of the targeted client device prior to the change of storage volume.
  - 20. The system of claim 19, wherein the prior software guest image represents software and corresponding metadata that is originally loaded into the targeted client device.
  - 21. The system of claim 20, wherein the software guest image represents software and corresponding metadata that is currently stored within the targeted client device.
  - 22. The system of claim 16, wherein the first processor blade detecting the targeted client device transitioning from a non-infected state to an infected state upon receipt and processing of the object having the exploit.
  - 23. The system of claim 22, wherein the processor blade further conducting a remediation to restore an operating state of the targeted client device from the infected state to the non-infected state, the remediation includes loading a stored, software guest image associated with the targeted client device prior to targeted client device transitioning from the non-infected state to the infected state.
  - 24. The system of claim 22, wherein the remediation occurs automatically without being prompted by the user.
  - 25. The system of claim 16 operating as a cloud service communicatively coupled to an appliance to receive the incoming object.
  - 26. The system of claim 16, wherein the master image provides an initial operating state corresponding to the base amount of content that represents an initial amount of software installed on the targeted client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Goradia, Harnish
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/222,524
Time in Patent Office

1,831 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/566 Dynamic detection, i.e. det...

Dynamic guest image creation and rollback

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

681 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Dynamic guest image creation and rollback

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

681 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others