Optimized resource allocation for virtual machines within a malware content detection system

US 10,469,512 B1
Filed: 11/14/2016
Issued: 11/05/2019
Est. Priority Date: 05/10/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method conducted by a system, comprising:

determining software profile information of an operating environment targeted for received content;

responsive to determining that the system supports a first software profile that corresponds to the software profile information and a first virtual machine instance operating with the first software profile is currently running, instantiating a second virtual machine instance operating with the first software profile to conduct malware analysis on the received content, the second virtual machine instance being provided access to resources allocated for use by the first virtual machine instance; and

instantiating a third virtual machine instance that is based on a software profile that is different than the first software profile wherein the first software profile is associated with a first version of a particular application and the software profile is associated with a second version of the particular application that is different from the first version of the particular application, the third virtual machine instance being allocated resources that are not shared by the first virtual machine instance and the second virtual machine instance.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises operations of receiving incoming content propagating over a network and determining software profile information of an operating environment targeted for the incoming content. Responsive to determining that the system supports a first software profile that corresponds to the software profile information and a first virtual machine instance operating with the first software profile is currently running, a second virtual machine instance operating with the first software profile is instantiated for conducting a malware analysis on the incoming content. The second virtual machine instance is provided access to resources allocated for use by the first virtual machine instance.

748 Citations

42 Claims

1. A computerized method conducted by a system, comprising:
- determining software profile information of an operating environment targeted for received content;
  
  responsive to determining that the system supports a first software profile that corresponds to the software profile information and a first virtual machine instance operating with the first software profile is currently running, instantiating a second virtual machine instance operating with the first software profile to conduct malware analysis on the received content, the second virtual machine instance being provided access to resources allocated for use by the first virtual machine instance; and
  
  instantiating a third virtual machine instance that is based on a software profile that is different than the first software profile wherein the first software profile is associated with a first version of a particular application and the software profile is associated with a second version of the particular application that is different from the first version of the particular application, the third virtual machine instance being allocated resources that are not shared by the first virtual machine instance and the second virtual machine instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computerized method of claim 1, wherein prior to instantiating the second virtual machine instance, the method further comprising:
    - determining whether instantiation of the second virtual machine instance would exceed a virtual machine threshold, the virtual machine threshold representing a predetermined number of concurrently operating virtual machine instances and is computed by analyzing an amount of memory allocated for virtual machine operations within the system and determining that the instantiating of the second virtual machine instance will not exceed the virtual machine threshold; and
      
      refraining from instantiating the second virtual machine instance if the sum of the plurality of virtual machine instances exceeds the virtual machine threshold.
  - 3. The computerized method of claim 2, wherein an amount of memory allocated to support the second virtual machine instance operating with the first software profile is less than an amount of memory allocated to support a virtual machine instance operating in accordance with a second software profile different than the first software profile.
  - 4. The computerized method of claim 3, wherein the amount of memory allocated to support the second virtual machine instance operating with the first software profile is at least ten times less than the amount of memory allocated to support the virtual machine instance operating in accordance with the second software profile.
  - 5. The computerized method of claim 2, further comprising:
    - after instantiation of a plurality of virtual machine instances including the first virtual machine instance and the second virtual machine instance, determining whether instantiation of the third virtual machine instance would exceed the virtual machine threshold;
      
      instantiating the third virtual machine instance if a sum of the plurality of virtual machine instances does not exceed the virtual machine threshold; and
      
      refraining from instantiating the third virtual machine instance if the sum of the plurality of virtual machine instances exceeds the virtual machine threshold.
  - 6. The computerized method of claim 2, wherein the predetermined number of concurrently operating virtual machine instances varies based on a number of software profiles supported by the system.
  - 7. The computerized method of claim 1, wherein the determining whether the system supports the first software profile comprises determining whether any virtual machine disk files within a storage device of the system corresponds to the software profile information.
  - 8. The computerized method of claim 1 further comprising:
    - allocating additional resources exclusively accessible by the second virtual machine instance in response to conducting a Copy-On Write operation.
  - 9. The computerized method of claim 1, wherein the second virtual machine instance operating concurrently with the first virtual machine instance.
  - 10. The computerized method of claim 9, wherein the first software profile comprises at least one of (i) a type of operating system corresponding to an operating system identified in the software profile information, or (ii) a type of application corresponding to a particular application identified in the software profile information.
  - 11. The computerized method of claim 1, wherein the resources allocated for use by the first virtual machine instance include one or more memory pages within a system memory implemented within an electronic device.
  - 12. The computerized method of claim 1, wherein the first software profile identifies a first type of operating system and a first version of the first type of the operating system while the second software profile identifies the first type of operating system and a second version of the first type of the operating system, wherein the first version is different from the second version.

13. An electronic device for conducting an analysis for malware, comprising:
- a network port adapted to receive incoming content; and
  
  a controller coupled to the network port, the controller to (i) determine software profile information of an operating environment targeted for the incoming content, and (ii) responsive to a determination that the electronic device supports a first software profile that corresponds to the software profile information and a first virtual machine instance operating with the first software profile is currently running, instantiate a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content, the second virtual machine instance being provided access to resources allocated for use by the first virtual machine instance,wherein the resources include one or more memory pages within a memory implemented within the electronic device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The electronic device of claim 13, wherein prior to instantiating the second virtual machine instance, the controller to (i) determine whether instantiation of the second virtual machine instance would exceed a virtual machine threshold, the virtual machine threshold representing a predetermined number of concurrently operating virtual machine instances and being computed by (a) analyzing an amount of memory allocated for virtual machine operations within the electronic device and (b) determining that the instantiating of the second virtual machine instance will not exceed the virtual machine threshold, and (ii) refrain from instantiating the second virtual machine instance if the sum of the plurality of virtual machine instances exceeds the virtual machine threshold.
  - 15. The electronic device of claim 14, wherein an amount of memory allocated to support the second virtual machine instance operating with the first software profile is less than an amount of memory allocated to support a virtual machine instance operating in accordance with a second software profile different than the first software profile.
  - 16. The electronic device of claim 15, wherein the amount of memory allocated to support the second virtual machine instance operating with the first software profile is at least ten times less than the amount of memory allocated to support the virtual machine instance operating in accordance with the second software profile.
  - 17. The electronic device of claim 13, wherein the controller to determine whether the electronic device supports the first software profile by at least determining whether any virtual machine disk files within a storage device of the electronic device corresponds to the software profile information.
  - 18. The electronic device of claim 13, wherein the controller to allocate additional resources exclusively accessible by the second virtual machine instance in response to conducting a Copy-On Write operation.
  - 19. The electronic device of claim 13, wherein the second virtual machine instance operating concurrently with the first virtual machine instance.
  - 20. The electronic device of claim 19, wherein the first software profile comprises at least one of (i) a type of operating system corresponding to an operating system identified in the software profile information, or (ii) a type of application corresponding to a particular application identified in the software profile information.
  - 21. The electronic device of claim 19, wherein the predetermined number of concurrently operating virtual machine instances varies based on a number of software profiles supported by the electronic device.

22. An electronic device for conducting an analysis for malware, comprising:
- a network port adapted to receive incoming content; and
  
  a controller coupled to the network port, the controller to (i) determine software profile information of an operating environment targeted for the incoming content, and (ii) responsive to a determination that the electronic device supports a first software profile that corresponds to the software profile information and a first virtual machine instance operating with the first software profile is currently running, instantiate a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content,wherein the second virtual machine instance, operating concurrently with the first virtual machine instance, being provided access to resources allocated for use by the first virtual machine instance, andwherein a virtual machine threshold, representing a predetermined number of concurrently operating virtual machine instances, varies based on a number of software profiles supported by the electronic device.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The electronic device of claim 22, wherein prior to instantiating the second virtual machine instance, the controller to (i) determine whether instantiation of the second virtual machine instance would exceed the virtual machine threshold by at least (a) analyzing an amount of memory allocated for virtual machine operations within the electronic device and (b) determining that the instantiating of the second virtual machine instance will not exceed the virtual machine threshold, and (ii) refrain from instantiating the second virtual machine instance if the sum of the plurality of virtual machine instances exceeds the threshold.
  - 24. The electronic device of claim 23, wherein an amount of memory allocated to support the second virtual machine instance operating with the first software profile is less than an amount of memory allocated to support a virtual machine instance operating in accordance with a second software profile different than the first software profile.
  - 25. The electronic device of claim 24, wherein the amount of memory allocated to support the second virtual machine instance operating with the first software profile is at least ten times less than the amount of memory allocated to support the virtual machine instance operating in accordance with the second software profile.
  - 26. The electronic device of claim 22, wherein the controller to determine whether the electronic device supports the first software profile by at least determining whether any virtual machine disk files within a storage device of the electronic device corresponds to the software profile information.
  - 27. The electronic device of claim 22, wherein the controller to allocate additional resources exclusively accessible by the second virtual machine instance in response to conducting a Copy-On Write operation.
  - 28. The electronic device of claim 22, wherein the virtual machine threshold varies based on the number of software profiles supported by the electronic device given that a low number of software profiles necessitates that a greater number of virtual machine instances would share a substantial portion of the same resources.
  - 29. The electronic device of claim 22, wherein the first software profile comprises at least one of (i) a type of operating system corresponding to an operating system identified in the software profile information, or (ii) a type of application corresponding to a particular application identified in the software profile information.
  - 30. The electronic device of claim 22, wherein the resources include one or more memory pages within a memory implemented within the electronic device.

31. A non-transitory storage medium including software, deployed within and processed by an electronic device including a scheduler, that performs operations comprising:
- determining software profile information of an operating environment targeted for received content;
  
  determining that the electronic device supports a first software profile based on the software profile information;
  
  responsive to determining that the electronic device supports the first software profile and a first virtual machine instance operating with the first software profile is currently running, instantiating a second virtual machine instance operating with the first software profile to conduct malware analysis on the received content, the second virtual machine instance being provided access to resources allocated for use by the first virtual machine instance; and
  
  instantiating a third virtual machine instance that is based on a software profile that is different than the first software profile, wherein the first software profile is associated with a first version of a particular application and the software profile is associated with a second version of the particular application that is different from the first version of the particular application, the third virtual machine instance being allocated resources that are not shared by the first virtual machine instance and the second virtual machine instance.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 32. The non-transitory storage medium of claim 31, wherein prior to instantiating the second virtual machine instance, the software, deployed within and processed by the electronic device, performs operations comprising:
    - determining whether instantiation of the second virtual machine instance would exceed a virtual machine threshold, the virtual machine threshold representing a predetermined number of concurrently operating virtual machine instances and is computed by analyzing an amount of memory allocated for virtual machine operations within the system and determining that the instantiating of the second virtual machine instance will not exceed the virtual machine threshold; and
      
      refraining from instantiating the second virtual machine instance if the sum of the plurality of virtual machine instances exceeds the virtual machine threshold.
  - 33. The non-transitory storage medium of claim 32, wherein an amount of memory allocated to support the second virtual machine instance operating with the first software profile is less than an amount of memory allocated to support a virtual machine instance operating in accordance with a second software profile different than the first software profile.
  - 34. The non-transitory storage medium of claim 33, wherein the amount of memory allocated to support the second virtual machine instance operating with the first software profile is at least ten times less than the amount of memory allocated to support the virtual machine instance operating in accordance with the second software profile.
  - 35. The non-transitory storage medium of claim 32, wherein the software, deployed within and processed by the electronic device, further performs operations comprising:
    - after instantiation of a plurality of virtual machine instances including the first virtual machine instance and the second virtual machine instance, determining whether instantiation of the third virtual machine instance would exceed the virtual machine threshold;
      
      instantiating the third virtual machine instance if a sum of the plurality of virtual machine instances does not exceed the virtual machine threshold; and
      
      refraining from instantiating the third virtual machine instance if the sum of the plurality of virtual machine instances exceeds the virtual machine threshold.
  - 36. The non-transitory storage medium of claim 32, wherein the predetermined number of concurrently operating virtual machine instances varies based on a number of software profiles supported by the system.
  - 37. The non-transitory storage medium of claim 31, wherein the determining whether the system supports the first software profile comprises determining whether any virtual machine disk files within a storage device of the system corresponds to the software profile information.
  - 38. The non-transitory storage medium of claim 31 further comprising:
    - allocating additional resources exclusively accessible by the second virtual machine instance in response to conducting a Copy-On Write operation.
  - 39. The non-transitory storage medium of claim 31, wherein the second virtual machine instance operating concurrently with the first virtual machine instance.
  - 40. The non-transitory storage medium of claim 39, wherein the first software profile comprises at least one of (i) a type of operating system corresponding to an operating system identified in the software profile information, or (ii) a type of application corresponding to a particular application identified in the software profile information.
  - 41. The non-transitory storage medium of claim 31, wherein the resources allocated for use by the first virtual machine instance include one or more memory pages within a system memory implemented within an electronic device.
  - 42. The non-transitory storage medium of claim 31, wherein the first software profile identifies a first type of operating system and a first version of the first type of the operating system while the second software profile identifies the first type of operating system and a second version of the first type of the operating system, wherein the first version is different from the second version.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul
Primary Examiner(s)
Lin, Kenny S

Application Number

US15/351,112
Time in Patent Office

1,086 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 3/0604   Improving or facilitating a...

G06F 3/0631   by allocating resources to ...

G06F 3/067   Distributed or networked st...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5011   the resources being hardwar...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Optimized resource allocation for virtual machines within a malware content detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

748 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Optimized resource allocation for virtual machines within a malware content detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

748 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links