Adaptive virtual machine snapshot update framework for malware behavioral analysis

US 10,552,610 B1
Filed: 06/19/2017
Issued: 02/04/2020
Est. Priority Date: 12/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computerized method for updating a virtual machine disk snapshot for use in instantiating one or more virtual guest instances for malware detection, the method comprising:

detecting a guest image update package that comprises information for updating one or more software components included in a first storage area of the virtual machine disk snapshot, the virtual machine disk snapshot includes a base virtual machine disk snapshot including a runtime state for one or more pre-launched software components and the first storage area;

determining whether the guest image update package is contained in the first storage area that is part of the virtual machine disk snapshot; and

responsive to determining that the guest image update package is more recent than content contained in the first storage area, inserting the guest image update package into the first storage area to generate a revised virtual machine disk snapshot that includes the one or more updated software components.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for updating a virtual machine disk snapshot for use in instantiating one or more virtual guest instances for malware detection is described. The method features (i) detecting a guest image update package that includes information for updating one or more software components included as part of the virtual machine disk snapshot, and (ii) determining whether the guest image update package is currently contained in a contiguous storage area that is part of the virtual machine disk snapshot. Responsive to determining that the guest image update package is more recent than content currently contained in the contiguous storage area, the guest image update package is inserted into the contiguous storage area that is part of the virtual machine disk snapshot to generate a revised virtual machine disk snapshot that includes the one or more updated software components.

747 Citations

22 Claims

1. A computerized method for updating a virtual machine disk snapshot for use in instantiating one or more virtual guest instances for malware detection, the method comprising:
- detecting a guest image update package that comprises information for updating one or more software components included in a first storage area of the virtual machine disk snapshot, the virtual machine disk snapshot includes a base virtual machine disk snapshot including a runtime state for one or more pre-launched software components and the first storage area;
  
  determining whether the guest image update package is contained in the first storage area that is part of the virtual machine disk snapshot; and
  
  responsive to determining that the guest image update package is more recent than content contained in the first storage area, inserting the guest image update package into the first storage area to generate a revised virtual machine disk snapshot that includes the one or more updated software components.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 15)
- - 2. The computerized method of claim 1, wherein the first storage area being storage included as part of the base virtual machine disk file.
  - 3. The computerized method of claim 1, wherein the detecting of the guest image update package comprises an analysis of content within a file system for any guest image update packages in response to a triggering event.
  - 4. The computerized method of claim 3, wherein the triggering event includes a first type of operational state change experienced by a network device including the virtual machine disk snapshot.
  - 5. The computerized method of claim 4, wherein the first type of operational state change experienced by the network device includes a reboot condition occurring for the network device.
  - 6. The computerized method of claim 4, wherein the first type of operational state change experienced by the network device includes installation of a virtual machine disk image including the virtual machine disk snapshot.
  - 7. The computerized method of claim 1, wherein the determining whether the guest image update package is contained in the first storage area comprises comparing content from a first portion of the guest image update package to selected information within a portion of the first storage area that is part of the virtual machine disk snap shot.
  - 8. The computerized method of claim 7, wherein the first portion of the guest image update package includes a version number assigned to the guest image update package and the selected information within the portion of the first storage area includes an area of the first storage area that is to contain a version number for any guest image update package contained with the portion of the first storage area.
  - 9. The computerized method of claim 1, wherein the determining whether the guest image update package is currently contained in the first storage area comprises comparing data representative of one of a version number or timestamp assigned to the guest image update package to data representative of information contained within a selected area of the first memory that is part of the virtual machine disk snapshot.
  - 10. The computerized first of claim 1, wherein the guest image update package comprises an image launcher and meta information that includes rules processed by the image launcher to control a loading of software components to update software components that are part of the virtual machine disk snapshot.
  - 15. The computerized method of claim 1, wherein the first storage area is a continuous storage area of the virtual machine disk snapshot.

11. A non-transitory computer readable medium including a virtual machine disk snapshot that, when processed by a hardware processor, generates an update of the virtual machine disk snapshot in real-time during a malware analysis of an object, the non-transitory computer readable medium comprising:
- an update package processor to monitor a first area of a virtual file system that is part of the virtual machine disk snapshot and is operating as a memory area for a guest image update package newly added to the virtual file system, the virtual machine disk snapshot comprises a base virtual machine disk snapshot including state information for one or more software components and the memory area; and
  
  an image launcher installed into the virtual machine disk snapshot after detection of the guest image update package by the update package processor, the image launcher to receive meta information from the guest image update package where the meta information includes rules that control installation of the one or more software components of the guest image update package as updates to the virtual machine disk snapshot to produce a revised virtual machine disk snapshot.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory computer readable medium of claim 11, wherein the update package processor to detect the guest image update package has been newly added to the virtual file system comprises a comparison of content from a first portion of the guest image update package to selected information within a portion of the first area being part of the virtual machine disk snapshot.
  - 13. The non-transitory computer readable medium of claim 12, wherein the first portion of the guest image update package includes a version number assigned to the guest image update package and the selected information within the portion of the first area includes a version number for any guest image update package contained with the portion of the first area.
  - 14. The non-transitory computer readable medium of claim 12, wherein the image launcher is part of the guest image update package includes a version number assigned to the guest image update package and the selected information within the portion of the first storage area includes a version number for any guest image update package contained with the portion of the first storage area.

16. A network device, comprising:
- a hardware processor; and
  
  a memory communicatively coupled to the hardware processor, the memory comprises a dynamic analysis engine that, when executed by the processor, performs an analysis of an object for malware, the dynamic analysis engine comprises one or more virtual machine (VM) instances each including a guest VM instance, whereinthe guest VM instance is instantiated in accordance with a virtual disk image including a VM disk snapshot, the VM disk snapshot includes a first VM disk snapshot including state information for one or more software components and a first storage area including content that can be updated by logic operating within the dynamic analysis engine prior to analysis of the object for malware, wherein the VM disk snapshot being updated by at leastdetecting a guest image update package that includes information for updating the one or more software components included as part of the first VM disk snapshot,determining whether the detected guest image update package is currently contained in the first storage area that is part of the first VM disk snapshot, andresponsive to determining that the guest image update package is more recent than content currently contained in the first storage area, inserting the guest image update package into the first storage area that is part of the first VM disk snapshot to generate a revised VM disk snapshot that includes the one or more updated software components for use in instantiating the guest VM instance with the revised VM disk snapshot.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The network device of claim 16, wherein the logic to detect the guest image update package by at least analyzing content with a file system for any guest image update packages in response to a triggering event.
  - 18. The network device of claim 17, wherein the triggering event includes a first type of operational state change experienced by the network device.
  - 19. The network device of claim 18, wherein the first type of operational state change experienced by the network device includes a reboot condition occurring for the network device.
  - 20. The network device of claim 18, wherein the first type of operational state change experienced by the network device includes installation of a VM disk image including the first VM disk snapshot.
  - 21. The network device of claim 16, wherein the determining by the logic whether the guest image update package is currently contained in the first storage area comprises comparing content from a first portion of the guest image update package to selected information within a portion of the first storage area that is part of the first VM disk snapshot.
  - 22. The network device of claim 16, wherein the first storage area is a continuous storage area of the virtual machine disk snapshot.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Vashisht, Sai Omkar, Ha, Phung-Te, Paithane, Sushant, Deshpande, Sumer
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/627,272
Time in Patent Office

960 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 3/0613   in relation to throughput

G06F 3/0619   in relation to data integri...

G06F 3/0623   in relation to content

G06F 3/0641   De-duplication techniques

G06F 3/065   Replication mechanisms

G06F 3/0665   at area level, e.g. provisi...

G06F 3/067   Distributed or networked st...

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

G06F 8/65   Updates security arrangemen...

G06F 9/45558   Hypervisor-specific managem...

Adaptive virtual machine snapshot update framework for malware behavioral analysis

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

747 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive virtual machine snapshot update framework for malware behavioral analysis

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

747 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links