Microvisor-based malware detection appliance architecture
First Claim

1. A system comprising:
- a microvisor configured to control access to a kernel resource of the system by generating a capability violation in response to an object running in a guest operating system attempting to access the kernel resource;
- a type 0 virtual machine monitor (VMM 0) disposed over the microvisor and configured to expose the kernel resource to an operating system kernel of the system; and
- a type 1 virtual machine monitor (VMM 1) further disposed over the microvisor and configured to operate under control of the microvisor to instrument the object as the object runs in the guest operating system,
wherein the VMM 1 and VMM 0 are configured to cooperate with the microvisor to capture run-time behaviors of the object as dynamic analysis results in response to the capability violation, to detect whether the behaviors are indicative of malware.
Abstract
A threat-aware microvisor may be deployed in a malware detection appliance architecture and execute on a malware detection system (MDS) appliance to provide exploit and malware detection within a network environment. The microvisor may underlie an operating system kernel of the MDS appliance and execute in kernel space of the architecture to control access to kernel resources of the appliance for any operating system process. A type 0 virtual machine monitor may be disposed over the microvisor and execute in user space of the architecture as a pass-through module configured to expose the kernel resources of the appliance to the operating system kernel. One or more hypervisors, e.g., type 1 VMM, may be further disposed over the microvisor and execute in user space of the architecture under control of the microvisor to support execution of one or more guest operating systems inside one or more full virtual machines.
Claims (18)

1. A system comprising a microvisor, a type 0 VMM and a type 1 VMM, as set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A system comprising:
- one or more processing units;
- one or more network interfaces;
- one or more input/output (I/O) devices; and
- a memory coupled to the one or more processing units, the memory comprising a microvisor that, when executed by the one or more processing units, controls access to a kernel resource, being at least one of a collection of resources including any of the one or more processing units, the one or more network interfaces and the one or more I/O devices, by generating a capability violation in response to an object running in a guest operating system attempting to access the kernel resource;
- a type 0 virtual machine monitor (VMM 0) that, when executed by the one or more processing units, exposes the kernel resource to an operating system kernel of the system; and
- a type 1 virtual machine monitor (VMM 1) that, when executed by the one or more processing units, operates under control of the microvisor to instrument the object as the object runs in the guest operating system,
wherein the VMM 1 and VMM 0 are configured to cooperate with the microvisor to capture run-time behaviors of the object as dynamic analysis results in response to the capability violation, to detect whether the behaviors are indicative of malware. Dependent claims: 14, 15, 16, 17, 18.
Specification