Virtual system and method with threat protection

US 10,395,029 B1
Filed: 06/30/2016
Issued: 08/27/2019
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

one or more hardware processors; and

a memory coupled to the one or more processors, the memory comprises one or more software components that, when executed by the one or more hardware processors, provide a virtualization software architecture including (i) a virtual machine, (ii) a plurality of hyper-processes and (iii) a hypervisor, whereinthe visual machine to operate in a guest environment and includes a process that is configured to monitor behaviors of data under analysis within the virtual machine,the plurality of hyper-processes to operate in a host environment and isolated from each other within an address space of the memory, the plurality of hyper-processes include a threat protection process to classify the data under analysis as malicious or non-malicious based on the monitored behaviors and a guest monitor process configured to manage execution of the virtual machine and operate with the process to obtain and forward metadata associated with the monitored behaviors to the threat protection process, andthe hypervisor is configure to enforce temporal separation of the plurality of hyper-processes and enable inter-process communications between the plurality of hyper-processes.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that supports a software virtualization architecture, including (i) a virtual machine operating in a guest environment and including a process that is configured to monitor behaviors of data under analysis within the virtual machine and (ii) a threat protection component operating in a host environment. The threat protection component is configured to classify the data under analysis as malicious or non-malicious based on the monitored behaviors.

Citations

34 Claims

1. A computing device comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprises one or more software components that, when executed by the one or more hardware processors, provide a virtualization software architecture including (i) a virtual machine, (ii) a plurality of hyper-processes and (iii) a hypervisor, whereinthe visual machine to operate in a guest environment and includes a process that is configured to monitor behaviors of data under analysis within the virtual machine,the plurality of hyper-processes to operate in a host environment and isolated from each other within an address space of the memory, the plurality of hyper-processes include a threat protection process to classify the data under analysis as malicious or non-malicious based on the monitored behaviors and a guest monitor process configured to manage execution of the virtual machine and operate with the process to obtain and forward metadata associated with the monitored behaviors to the threat protection process, andthe hypervisor is configure to enforce temporal separation of the plurality of hyper-processes and enable inter-process communications between the plurality of hyper-processes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computing device of claim 1, wherein the process is a guest agent operating within the virtual machine and, when executed by the processor, monitors behaviors of the data under analysis that includes an object being processed by a guest application running in the guest environment.
  - 3. The computing device of claim 1, wherein the process is a guest agent operating within a guest operating system (OS) of the virtual machine and, when executed by the processor, monitors behaviors of the data under analysis that includes one or more events based on operations by the guest OS during execution of the virtual machine.
  - 4. The computing device of claim 3, wherein the one or more events are based on operations conducted by a guest OS kernel of the guest OS during processing of the data under analysis within the virtual machine.
  - 5. The computing device of claim 1, wherein the threat protection process is further configured to determine whether the data under analysis is malicious or non-malicious completely outside the guest environment.
  - 6. The computing device of claim 5, wherein the process is a guest agent operating within a guest operating system (OS) of the virtual machine and, when executed by the processor, monitors behaviors of the data under analysis that includes one or more events based on operations by the guest OS during execution of the virtual machine.
  - 7. The computing device of claim 1, wherein the process is a guest agent operating within a guest operating system (OS) of the virtual machine and, when executed by the processor, communicates with the threat protection component to provide semantic information from inside the guest OS to the threat protection component.
  - 8. The computing device of claim 7, wherein the semantic information from inside the guest OS is unavailable to the host environment, including the threat protection component, other than through the guest agent.
  - 9. The computing device of claim 1, wherein the plurality of hyper-processes further includes a master controller process, the master controller process is configured to enforce policy rules directed to operations of the virtualization software architecture.
  - 10. The computing device of claim 9, wherein a software component of the one or more software components comprises the hypervisor configured to enforce temporal separation of the plurality of hyper-processes.
  - 11. The computing device of claim 1, wherein the plurality of hyper-processes operating in the host environment are based on code located in different binaries to isolate the plurality of hyper-processes from each other.
  - 12. The computing device of claim 1, wherein the plurality of hyper-processes are isolated in which each hyper-process of the plurality of hyper-processes is running in its own separate address space.
  - 13. The computing device of claim 1, wherein host environment including a master controller process, being a hyper-process operating separately from the plurality of hyper-processes.
  - 14. The computing device of claim 1, wherein the hypervisor is configure to enforce temporal separation of all of the plurality of hyper-processes and enable inter-process communications between all of the plurality of hyper-processes.
  - 15. The computing device of claim 1, wherein the plurality of hyper-processes operating in the host environment are isolated from each other when each of the plurality of hyper-processes are assigned different memory address spaces within the address space of the memory.
  - 16. The computing device of claim 1, wherein the hypervisor enforces separation through a scheduling context, which is used for scheduling thread level activities within each of the plurality of hyper-processes.
  - 17. The computing device of claim 16, wherein the scheduling context include a priority and a quantum time for execution of a thread within a protection domain associated with a first hyper-process of the plurality of hyper-processes.

18. A computerized method comprising:
- configuring a virtualization software architecture with a guest environment and a host environment;
  
  processing an object by a virtual machine operating in the guest environment, the virtual machine includes a process that monitors behaviors of the object during the processing of the object by the virtual machine;
  
  classifying, by a plurality of hyper-processes operating in a host environment different from the guest environment, the object that undergoes processing by the virtual machine as malicious or non-malicious based at least on one or more of the monitored behaviors provided to a threat protection process being one of the plurality of hyper-processes; and
  
  supporting inter-process communications between the plurality of hyper-processes by a hypervisor communicatively coupled to the plurality of hyper-processes,wherein the plurality of hyper-processes include the threat protection process to classify the object as malicious or non-malicious based on the monitored behaviors and a guest monitor process configured to manage execution of the virtual machine and operate with the process to obtain and forward metadata associated with the monitored behaviors to the threat protection process that is isolated from the guest monitor process.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 33)
- - 19. The computerized method of claim 18, wherein the process is a guest agent operating within the virtual machine and, when executed by a processor, monitors the behaviors of the object being processed by a guest application running in the virtual machine.
  - 20. The computerized method of claim 18, wherein the process is a guest agent operating within a guest operating system (OS) of the virtual machine and, when executed by a processor, monitors behaviors of the object that includes one or more events based on operations by the guest OS during execution of the virtual machine.
  - 21. The computerized method of claim 20, wherein the one or more events are based on operations conducted by a guest OS kernel of the guest OS during processing of the object within the virtual machine.
  - 22. The computerized method of claim 18, wherein the threat protection process is further configured to determine whether the object is malicious or non-malicious completely outside the guest environment.
  - 23. The computerized method of claim 18, wherein the process is a guest agent operating within a guest operating system (OS) of the virtual machine and, when executed by the processor, communicates with the threat protection process to provide semantic information from inside the guest OS to the threat protection process.
  - 24. The computerized method of claim 23, wherein the semantic information from inside the guest OS is only made available to the threat protection process of the host environment from the guest agent.
  - 25. The computerized method of claim 18, wherein the threat protection process is isolated from the guest monitor process in which code associated with threat protection process is stored within an address space used to store code associated with the guest monitor process.
  - 33. The computerized method of claim 18, wherein the threat protection process is isolated from the guest monitor process as the threat protection process is assigned a memory address space that is separate from and different than a memory address space assigned to the guest monitor process.

26. A non-transitory storage medium including software that, when executed by a processor, configures a virtualization software architecture with a guest environment and a host environment including a hypervisor, the medium comprising:
- a virtual machine operating in the guest environment, the virtual machine to process an object and monitor behaviors of the object during processing of the object;
  
  a plurality of hyper-processes operating in a host environment different from the guest environment, the plurality of hyper-processes including a threat protection process to classify the object as malicious or non-malicious based at least on one or more of the monitored behaviors provided to the threat protection process; and
  
  supporting inter-process communications between the plurality of hyper-processes by the hypervisor communicatively coupled to the plurality of hyper-processes,wherein the plurality of hyper-processes include the threat protection process to classify the object as malicious or non-malicious based on the monitored behaviors and a guest monitor process configured to manage execution of the virtual machine and operate with the process to obtain and forward metadata associated with the monitored behaviors to the threat protection process that is isolated from the guest monitor process.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 34)
- - 27. The non-transitory storage medium of claim 26, wherein a guest agent is operating within the virtual machine to monitor the behaviors of the object being processed by a guest application running in the virtual machine.
  - 28. The non-transitory storage medium of claim 26, wherein a guest agent is operating within a guest operating system (OS) of the virtual machine and, when executed by the processor, monitors behaviors of the object that includes one or more events based on operations by the guest OS during execution of the virtual machine.
  - 29. The non-transitory storage medium of claim 28, wherein the one or more events are based on operations conducted by a guest OS kernel of the guest OS during processing of the object within the virtual machine.
  - 30. The non-transitory storage medium of claim 26, wherein the threat protection process is further configured to determine whether the object is malicious or non-malicious completely outside the guest environment.
  - 31. The non-transitory storage medium of claim 26, wherein a guest agent is operating within a guest operating system (OS) of the virtual machine and, when executed by the processor, communicates with the threat protection process to provide semantic information from inside the guest OS to the threat protection process.
  - 32. The non-transitory storage medium of claim 31, wherein the semantic information from inside the guest OS is only made available to the threat protection process of the host environment from the guest agent.
  - 34. The non-transitory storage medium of claim 26, wherein the threat protection process is isolated from the guest monitor process as the threat protection process is assigned a memory address space that is separate from and different than a memory address space assigned to the guest monitor process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Steinberg, Udo
Primary Examiner(s)
Poltorak, Piotr

Application Number

US15/199,871
Time in Patent Office

1,153 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/034   Test or assess a computer o...

G06F 9/45541   Bare-metal, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

Virtual system and method with threat protection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual system and method with threat protection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links