Automatic initiation of execution analysis

US 10,430,614 B2
Filed: 04/19/2016
Issued: 10/01/2019
Est. Priority Date: 01/31/2014
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory machine-readable storage mediums storing one or more sequences of instructions for initiating execution analysis upon a bit set, which when executed by one or more processors, causes:

monitoring execution of the bit set in a host operating system execution environment to identify whether the bit set exhibits a suspicious characteristic, wherein said suspicious characteristic corresponds to one or more of a set consisting of;

(1) creating a new executable bit set, (2) modifying an existing executable bit set in the host operating system execution environment, and (3) loading a new dynamic link library (DLL) file, wherein said monitoring execution of said bit set is performed without additional performance of execution analysis upon said bit set;

upon determining that the execution of the bit set exhibits a suspicious characteristic, then consulting metadata maintained locally upon a machine in which said one or more processors reside to determine if said execution analysis has previously been performed upon said bit set; and

upon determining that the execution of the bit set exhibits a suspicious characteristic and upon determining that said execution analysis has not yet been performed upon said bit set, then (a) ceasing the execution of the bit set in the host operating system execution environment, (b) instantiating an isolated environment configured to have the same operating attributes as said host operating system execution environment, (c) copying the bit set into the isolated environment and transferring control to the bit set within the isolated environment, and (d) initiating said execution analysis upon the bit set in the isolated environment,wherein said same operating attributes includes any versions of software executing in said host operating system execution environment and any patches applied to said host operating system execution environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for transferring control to a bit set. Execution of a bit set upon a host operating system is monitored. A determination is made that the execution of the bit set exhibits a suspicious characteristic. In response, the execution of the bit set on the host operating system is ceased. Then, the bit set is copied into an isolated environment and control to the bit set is transferred within the isolated environment. Thereafter, execution analysis upon the bit set is initiated in the isolated environment. The isolated environment may, but need not, reside on a different physical device than upon which executes the host operating system.

171 Citations

16 Claims

1. One or more non-transitory machine-readable storage mediums storing one or more sequences of instructions for initiating execution analysis upon a bit set, which when executed by one or more processors, causes:
- monitoring execution of the bit set in a host operating system execution environment to identify whether the bit set exhibits a suspicious characteristic, wherein said suspicious characteristic corresponds to one or more of a set consisting of;
  
  (1) creating a new executable bit set, (2) modifying an existing executable bit set in the host operating system execution environment, and (3) loading a new dynamic link library (DLL) file, wherein said monitoring execution of said bit set is performed without additional performance of execution analysis upon said bit set;
  
  upon determining that the execution of the bit set exhibits a suspicious characteristic, then consulting metadata maintained locally upon a machine in which said one or more processors reside to determine if said execution analysis has previously been performed upon said bit set; and
  
  upon determining that the execution of the bit set exhibits a suspicious characteristic and upon determining that said execution analysis has not yet been performed upon said bit set, then (a) ceasing the execution of the bit set in the host operating system execution environment, (b) instantiating an isolated environment configured to have the same operating attributes as said host operating system execution environment, (c) copying the bit set into the isolated environment and transferring control to the bit set within the isolated environment, and (d) initiating said execution analysis upon the bit set in the isolated environment,wherein said same operating attributes includes any versions of software executing in said host operating system execution environment and any patches applied to said host operating system execution environment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The one or more non-transitory machine-readable storage mediums of claim 1, wherein said monitoring execution of the bit set is only performed upon determining that said bit set is not in either (a) a set of universally known malicious bit sets or (b) a set of locally known virtuous bit sets.
  - 3. The one or more non-transitory machine-readable storage mediums of claim 1, wherein said isolated environment resides on a different physical machine than said host operating system execution environment.
  - 4. The one or more non-transitory machine-readable storage mediums of claim 1, wherein said host operating system execution environment executes on a device, and wherein execution of the one or more sequences of instructions further cause:
    - sending information, from said device to a remote location across a network, which describes attributes of said host operating system execution environment; and
      
      at said remote location, creating said isolated environment to possess said attributes of said host operating system execution environment.
  - 5. The one or more non-transitory machine-readable storage mediums of claim 1, after performing said execution analysis upon the bit set in the isolated environment, updating either a set of universally known malicious bit sets or a set of locally known virtuous bit sets to include said bit set.
  - 6. The one or more non-transitory machine-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - updating metadata to prevent the execution analysis to be performed upon the bit set more than once.

7. An apparatus for initiating execution analysis upon a bit set, comprising:
- one or more processors; and
  
  one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause;
  
  monitoring execution of the bit set in a host operating system execution environment to identify whether the bit set exhibits a suspicious characteristic, wherein said suspicious characteristic corresponds to one or more of a set consisting of;
  
  (1) creating a new executable bit set, (2) modifying an existing executable bit set in the host operating system execution environment, and (3) loading a new dynamic link library (DLL) file, wherein said monitoring execution of said bit set is performed without additional performance of execution analysis upon said bit set;
  
  upon determining that the execution of the bit set exhibits a suspicious characteristic, then consulting metadata maintained locally upon a machine in which said one or more processors reside to determine if said execution analysis has previously been performed upon said bit set; and
  
  upon determining that the execution of the bit set exhibits a suspicious characteristic and upon determining that said execution analysis has not yet been performed upon said bit set, then (a) ceasing the execution of the bit set in the host operating system execution environment, (b) instantiating an isolated environment configured to have the same operating attributes as said host operating system execution environment, (c) copying the bit set into the isolated environment and transferring control to the bit set within the isolated environment, and (d) initiating said execution analysis upon the bit set in the isolated environment,wherein said same operating attributes includes any versions of software executing in said host operating system execution environment and any patches applied to said host operating system execution environment.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein said monitoring execution of the bit set is only performed upon determining that said bit set is not in either (a) a set of universally known malicious bit sets or (b) a set of locally known virtuous bit sets.
  - 9. The apparatus of claim 7, wherein said isolated environment resides on a different physical machine than said host operating system execution environment.
  - 10. The apparatus of claim 7, wherein said host operating system execution environment executes on a device, and wherein execution of the one or more sequences of instructions further cause:
    - sending information, from said device to a remote location across a network, which describes attributes of said host operating system execution environment; and
      
      at said remote location, creating said isolated environment to possess said attributes of said host operating system execution environment.
  - 11. The apparatus of claim 7, after performing said execution analysis upon the bit set in the isolated environment, updating either a set of universally known malicious bit sets or a set of locally known virtuous bit sets to include said bit set.
  - 12. The apparatus of claim 7, wherein execution of the one or more sequences of instructions further cause:
    - updating metadata to prevent the execution analysis to be performed upon the bit set more than once.

13. A method for initiating execution analysis upon a bit set, comprising:
- monitoring execution of the bit set in a host operating system execution environment to identify whether the bit set exhibits a suspicious characteristic, wherein said suspicious characteristic corresponds to one or more of a set consisting of;
  
  (1) creating a new executable bit set, (2) modifying an existing executable bit set in the host operating system execution environment, and (3) loading a new dynamic link library (DLL) file, wherein said monitoring execution of said bit set is performed without additional performance of execution analysis upon said bit set;
  
  upon determining that the execution of the bit set exhibits a suspicious characteristic, then consulting metadata maintained locally upon a machine in which said one or more processors reside to determine if said execution analysis has previously been performed upon said bit set; and
  
  upon determining that the execution of the bit set exhibits a suspicious characteristic and upon determining that said execution analysis has not yet been performed upon said bit set, then (a) ceasing the execution of the bit set in the host operating system execution environment, (b) instantiating an isolated environment configured to have the same operating attributes as said host operating system execution environment, (c) copying the bit set into the isolated environment and transferring control to the bit set within the isolated environment, and (d) initiating said execution analysis upon the bit set in the isolated environment,wherein said same operating attributes includes any versions of software executing in said host operating system execution environment and any patches applied to said host operating system execution environment.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein said monitoring execution of the bit set is only performed upon determining that said bit set is not in either (a) a set of universally known malicious bit sets or (b) a set of locally known virtuous bit sets.
  - 15. The method of claim 13, wherein said isolated environment resides on a different physical machine than said host operating system execution environment.
  - 16. The method of claim 13, wherein execution of the one or more sequences of instructions further cause:
    - updating metadata to prevent the execution analysis to be performed upon the bit set more than once.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Pratt, Ian, Kashyap, Rahul C., Banga, Gaurav
Primary Examiner(s)
Wu, Benjamin C

Application Number

US15/133,077
Publication Number

US 20160232380A1
Time in Patent Office

1,260 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/71   to assure secure computing ...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Automatic initiation of execution analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic initiation of execution analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links