System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans

US 10,496,819 B2
Filed: 02/14/2017
Issued: 12/03/2019
Est. Priority Date: 05/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious files in a distributed network having a plurality of protected virtual machines, the method comprising:

obtaining, by a first protected virtual machine of the plurality of protected virtual machines, at least one file from a thin client installed on the first protected virtual machine, for performing an antivirus scan of the at least one file;

collecting, by the first protected virtual machine, data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;

determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;

determining an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;

determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and

based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided for detecting malicious files in a distributed network having a plurality of virtual machines. An example method includes: determining and obtaining, by a virtual machine, at least one file for performing an antivirus scan; collecting data relating to characteristics of computing resources of each virtual machine and parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources and an approximation function of the one or more parameters for determining an approximation time function of effectiveness of the antivirus scan; and beased at least on the approximation time function of effectiveness of the antivirus scan, selecting one virtual machine to perform the antivirus scan in order to determine whether the at least one file is malicious.

20 Citations

20 Claims

1. A method for detecting malicious files in a distributed network having a plurality of protected virtual machines, the method comprising:
- obtaining, by a first protected virtual machine of the plurality of protected virtual machines, at least one file from a thin client installed on the first protected virtual machine, for performing an antivirus scan of the at least one file;
  
  collecting, by the first protected virtual machine, data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;
  
  determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;
  
  determining an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;
  
  determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and
  
  based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein selecting the at least one virtual machine comprises determining the most effective start time for performing the antivirus scan by fulfilling at least on one of the following criteria:
    - the antivirus scan taking the least time;
      
      the antivirus scan taking less time than scheduled;
      
      the antivirus scan that will be completed no later than a scheduled time;
      
      a minimum number of computing resources of the virtual machine is needed to perform the antivirus scan;
      
      orfewer computing resources of the virtual machine than scheduled are needed to perform the antivirus scan.
  - 3. The method of claim 1, wherein selecting at least one virtual machine comprises:
    - detecting that the at least one virtual machine is able to at least perform the antivirus scan of the at least one file using computing resources available in a scheduled time slot;
      
      detecting the at least one virtual machine with the lowest calculated workload level among the plurality of virtual machines in the distributed network;
      
      detecting the at least one virtual machine with a calculated workload level lower than an established threshold value;
      
      ordetecting no less than two virtual machines of the plurality of virtual machines whose combined calculated workload level is less than the combined workload level of the remaining virtual machines of the plurality of virtual machines.
  - 4. The method of claim 1, wherein collecting the data relating to the characteristics of computing resources of the plurality of virtual machines comprises at least one of:
    - detecting a time period between obtaining the at least one file and determining whether the at least one file is malicious;
      
      detecting a number of files transmitted to the virtual machine for the antivirus scan; and
      
      determining a computing capacity of each of the plurality of the virtual machines.
  - 5. The method of claim 1, wherein the one or more parameters relating to the antivirus scan comprise at least one of:
    - methods for detecting malicious files used by the plurality of virtual machines, the methods comprising at least one of;
      
      a signature analysis, a heuristic analysis, an analysis of emulation results, and an analysis of black and white lists; and
      
      the characteristics of computing resources of the plurality of virtual machines used for performing the antivirus scan,wherein parameters for the methods for detecting malicious files comprise;
      
      maximum time of the antivirus scan and depth of emulation of the at least one file being scanned.
  - 6. The method of claim 5, wherein the methods for detecting malicious files are determined based at least on the maximum time during which the antivirus scan takes place, and an emulation depth of files being scanned.
  - 7. The method of claim 1, wherein the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine.
  - 8. The method of claim 1, wherein the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.
  - 9. The method of claim 1, wherein the approximation time function of effectiveness of the antivirus scan is determined based on parameters defining a type and size of the at least one file.

10. A system for detecting malicious files in a distributed network having a plurality of protected virtual machines, the system comprising:
- a hardware processor, configured to;
  
  obtain at least one file from a thin client installed on a first protected virtual machine, for performing an antivirus scan of the at least one file;
  
  collect data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;
  
  determine an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;
  
  determine an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;
  
  determine an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and
  
  based at least on the approximation time function of effectiveness of the antivirus scan, select at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the hardware processor is configured to select the at least one virtual machine from the plurality of virtual machines to perform the antivirus scan by determining the most effective start time for performing the antivirus scan by fulfilling at least on one of the following criteria:
    - the antivirus scan taking the least time;
      
      the antivirus scan taking less time than scheduled;
      
      the antivirus scan that will be completed no later than a scheduled time;
      
      a minimum number of computing resources of the virtual machine is needed to perform the antivirus scan;
      
      orfewer computing resources of the virtual machine than scheduled are needed to perform the antivirus scan.
  - 12. The system of claim 10, wherein the virtual machine hardware processor is configured to select the at least one virtual machine from the plurality of virtual machines to perform the antivirus scan by:
    - detecting that the at least one virtual machine is able to at least perform the antivirus scan of the at least one file using computing resources available in a scheduled time slot;
      
      detecting the at least one virtual machine with the lowest calculated workload level among the plurality of virtual machines in the distributed network;
      
      detecting the at least one virtual machine with a calculated workload level lower than an established threshold value;
      
      ordetecting no less than two virtual machines of the plurality of virtual machines whose combined calculated workload level is less than the combined workload level of the remaining virtual machines of the plurality of virtual machines.
  - 13. The system of claim 10, wherein the hardware processor is configured to collect the data relating to the characteristics of computing resources of the plurality of virtual machines via at least one of:
    - detecting a time period between obtaining the at least one file and determining whether the at least one file is malicious;
      
      detecting a number of files transmitted to the virtual machine for the antivirus scan; and
      
      determining a computing capacity of each of the plurality of the virtual machines.
  - 14. The system of claim 10, wherein the one or more parameters relating to the antivirus scan comprise at least one of:
    - methods for detecting malicious files used by the plurality of virtual machines, the methods comprising at least one of;
      
      a signature analysis, a heuristic analysis, an analysis of emulation results, and an analysis of black and white lists; and
      
      the characteristics of computing resources of the plurality of virtual machines used for performing the antivirus scan,.wherein parameters for the methods for detecting malicious files comprise;
      
      maximum time of the antivirus scan and depth of emulation of the at least one file being scanned.
  - 15. The system of claim 14, wherein the methods for detecting malicious files are determined based at least on the maximum time during which the antivirus scan takes place, and an emulation depth of files being scanned.
  - 16. The system of claim 10, wherein the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine.
  - 17. The system of claim 10, wherein the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.
  - 18. The system of claim 10, wherein the approximation time function of effectiveness of the antivirus scan is determined based on parameters defining a type and size of the at least one file.

19. A non-transitory computer readable medium storing thereon computer executable instructions for detecting malicious files in a distributed network having a plurality of protected virtual machines, including instructions for:
- obtaining, by a first protected virtual machine of the plurality of protected virtual machines, at least one file from a thin client installed on the first protected virtual machine, for performing an antivirus scan of the at least one file;
  
  collecting, by the first protected virtual machine, data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;
  
  determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;
  
  determining an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;
  
  determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and
  
  based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.
- View Dependent Claims (20)
- - 20. The computer readable medium of claim 19, wherein the approximation time function of the characteristics of the computing resources of the plurality of virtual machines is determined based at least on the collected data relating to the characteristics of the computing resources of each virtual machine, characteristics of computing resources of each virtual machine which are accessible at a selected time, the time of determination of characteristics of the computing resources of each virtual machine, and the time for which it is necessary to determine the characteristics of the computing resources of each virtual machine, andwherein the approximation function of the one or more parameters relating to the antivirus scan is determined based at least on data relating to presumptive parameters of the antivirus scan for the characteristics of the computing resources, and characteristics of the computing resources of each virtual machine for performing the antivirus scan.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Vlaznev, Denis O., Voitov, Nikita M., Vasilyev, Maxim A., Naumov, Maxim E., Semenov, Evgeny S., Onishchenko, Alexander Y.
Primary Examiner(s)
Lewis, Lisa C
Assistant Examiner(s)
Salman, Raied A

Application Number

US15/432,068
Publication Number

US 20170337377A1
Time in Patent Office

1,022 Days
Field of Search

726 24, 726 1, 713200
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/564   by virus signature recognition

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others