Adaptive virtual machine snapshot update framework for malware behavioral analysis
Abstract
A method for updating a virtual machine disk snapshot for use in instantiating one or more virtual guest instances for malware detection is described. The method features (i) detecting a guest image update package that includes information for updating one or more software components included as part of the virtual machine disk snapshot, and (ii) determining whether the guest image update package is currently contained in a contiguous storage area that is part of the virtual machine disk snapshot. Responsive to determining that the guest image update package is more recent than content currently contained in the contiguous storage area, the guest image update package is inserted into the contiguous storage area that is part of the virtual machine disk snapshot to generate a revised virtual machine disk snapshot that includes the one or more updated software components.
22 Claims
1. A computerized method for updating a virtual machine disk snapshot for use in instantiating one or more virtual guest instances for malware detection, the method comprising:
- detecting a guest image update package that comprises information for updating one or more software components included in a first storage area of the virtual machine disk snapshot, the virtual machine disk snapshot includes a base virtual machine disk snapshot including a runtime state for one or more pre-launched software components and the first storage area;
- determining whether the guest image update package is contained in the first storage area that is part of the virtual machine disk snapshot; and
- responsive to determining that the guest image update package is more recent than content contained in the first storage area, inserting the guest image update package into the first storage area to generate a revised virtual machine disk snapshot that includes the one or more updated software components.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 15

11. A non-transitory computer readable medium including a virtual machine disk snapshot that, when processed by a hardware processor, generates an update of the virtual machine disk snapshot in real-time during a malware analysis of an object, the non-transitory computer readable medium comprising:
- an update package processor to monitor a first area of a virtual file system that is part of the virtual machine disk snapshot and is operating as a memory area for a guest image update package newly added to the virtual file system, the virtual machine disk snapshot comprises a base virtual machine disk snapshot including state information for one or more software components and the memory area; and
- an image launcher installed into the virtual machine disk snapshot after detection of the guest image update package by the update package processor, the image launcher to receive meta information from the guest image update package where the meta information includes rules that control installation of the one or more software components of the guest image update package as updates to the virtual machine disk snapshot to produce a revised virtual machine disk snapshot.

Dependent claims: 12, 13, 14

16. A network device, comprising:
- a hardware processor; and
- a memory communicatively coupled to the hardware processor, the memory comprises a dynamic analysis engine that, when executed by the processor, performs an analysis of an object for malware, the dynamic analysis engine comprises one or more virtual machine (VM) instances each including a guest VM instance, wherein the guest VM instance is instantiated in accordance with a virtual disk image including a VM disk snapshot, the VM disk snapshot includes a first VM disk snapshot including state information for one or more software components and a first storage area including content that can be updated by logic operating within the dynamic analysis engine prior to analysis of the object for malware, wherein the VM disk snapshot being updated by at least
  - detecting a guest image update package that includes information for updating the one or more software components included as part of the first VM disk snapshot,
  - determining whether the detected guest image update package is currently contained in the first storage area that is part of the first VM disk snapshot, and
  - responsive to determining that the guest image update package is more recent than content currently contained in the first storage area, inserting the guest image update package into the first storage area that is part of the first VM disk snapshot to generate a revised VM disk snapshot that includes the one or more updated software components for use in instantiating the guest VM instance with the revised VM disk snapshot.

Dependent claims: 17, 18, 19, 20, 21, 22
Specification