Methods and apparatus for application isolation

US 10,567,414 B2
Filed: 01/17/2019
Issued: 02/18/2020
Est. Priority Date: 09/12/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory; and

a hardware processor communicatively coupled to the memory, the hardware processor configured to execute a virtual machine monitor at least partially stored in the memory, the virtual machine monitor configured to provide a first level of virtualization,the hardware processor configured to execute, using the virtual machine monitor, a plurality of virtual environments to provide a second level of virtualization, the second level of virtualization operating within the first level of virtualization,each virtual environment from the plurality of virtual environments configured to execute an application from a plurality of applications, the plurality of virtual environments configured to isolate each application from the plurality of applications from the remaining applications from the plurality of applications,the hardware processor configured to monitor behavior of the application within a virtual environment from the plurality of virtual environments to detect unauthorized activity of the application within the virtual environment,the hardware processor configured to discard the virtual environment in response to detecting the unauthorized activity of the application within the virtual environment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

179 Citations

20 Claims

1. An apparatus, comprising:
- a memory; and
  
  a hardware processor communicatively coupled to the memory, the hardware processor configured to execute a virtual machine monitor at least partially stored in the memory, the virtual machine monitor configured to provide a first level of virtualization,the hardware processor configured to execute, using the virtual machine monitor, a plurality of virtual environments to provide a second level of virtualization, the second level of virtualization operating within the first level of virtualization,each virtual environment from the plurality of virtual environments configured to execute an application from a plurality of applications, the plurality of virtual environments configured to isolate each application from the plurality of applications from the remaining applications from the plurality of applications,the hardware processor configured to monitor behavior of the application within a virtual environment from the plurality of virtual environments to detect unauthorized activity of the application within the virtual environment,the hardware processor configured to discard the virtual environment in response to detecting the unauthorized activity of the application within the virtual environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the unauthorized activity includes at least one of an unauthorized change to a non-modifiable section of the virtual environment, a registry write, a start of a new process, corruption to an existing process, a web site visited, a redirected Uniform Resource Locator (URL), an infection detail, an event timeline, a network connection, a file system write, or a configuration change.
  - 3. The apparatus of claim 1, wherein, other than the virtual environment, each virtual environment from the plurality of virtual environments is not discarded in response to detecting the unauthorized activity of the application within the virtual environment.
  - 4. The apparatus of claim 1, wherein access to data associated with a host operating system by the application within the virtual environment is restricted to a shared memory configured to operate within the first level of virtualization.
  - 5. The apparatus of claim 1, wherein the first level of virtualization is hardware level virtualization and the second level of virtualization is operating system level virtualization.
  - 6. The apparatus of claim 1, wherein the virtual machine monitor is executed within a host operating system and each virtual environment from the plurality of virtual environments is executed within a guest operating system executing within the first level of virtualization,the guest operating system being a first type of operating system and the host operating system being a second type of operating system different than the first type of operating system.
  - 7. The apparatus of claim 1, wherein each virtual environment from the plurality of virtual environments is initiated based on a template specific to an application from the plurality of applications to be executed within that virtual environment.

8. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code to cause the processor to:
- execute each application from a plurality of applications within a different virtual environment from a plurality of virtual environments to isolate each application from the plurality of applications from the remaining applications from the plurality of applications, the plurality of virtual environments providing a first level of virtualization within a second level of virtualization;
  
  monitor behavior of each application from the plurality of applications to detect unauthorized activity; and
  
  discard a virtual environment from the plurality of virtual environments without discarding the remaining virtual environments from the plurality of virtual environments when unauthorized activity of an application within the virtual environment is detected and unauthorized activity of applications within the remaining virtual environments from the plurality of virtual environments is not detected.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory processor-readable medium of claim 8, wherein the first level of virtualization is operating system level virtualization and the second level of virtualization is hardware level virtualization.
  - 10. The non-transitory processor-readable medium of claim 8, wherein the second level of virtualization is controlled by a virtual machine monitor executing on a host operating system, each virtual environment from the plurality of virtual environments being executed by a guest operating system operating under control of the virtual machine monitor.
  - 11. The non-transitory processor-readable medium of claim 8, wherein the unauthorized activity includes at least one of an unauthorized change to a non-modifiable section of the virtual environment, a registry write, a start of a new process, corruption to an existing process, a web site visited, a redirected Uniform Resource Locator (URL), an infection detail, an event timeline, a network connection, a file system write, or a configuration change.
  - 12. The non-transitory processor-readable medium of claim 8, wherein access to data associated with a host operating system by the plurality of applications is restricted to a shared memory configured to operate within the second level of virtualization.
  - 13. The non-transitory processor-readable medium of claim 8, wherein each virtual environment from the plurality of virtual environments is initiated based on a template specific to an application from the plurality of applications to be executed within that virtual environment.
  - 14. The non-transitory processor-readable medium of claim 8, wherein contents of a shared memory associated with the virtual environment are not discarded when discarding the virtual environment.

15. A method, comprising:
- initiating a first virtual environment within which to execute a first application, the first virtual environment isolating the first application from a second application executing within a second virtual environment, the first virtual environment and the second virtual environment providing a first level of virtualization within a second level of virtualization;
  
  monitoring behavior of the first application within the first virtual environment; and
  
  detecting, based on the monitoring, an unauthorized activity of the first application, the unauthorized activity including at least one of an unauthorized change to a non-modifiable section of the first virtual environment, a registry write, a start of a new process, corruption to an existing process, a web site visited, a redirected Uniform Resource Locator (URL), an infection detail, an event timeline, a network connection, a file system write, or a configuration change.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - discarding the first virtual environment without discarding the second virtual environment based on the detecting the unauthorized activity of the first application and not detecting an unauthorized activity of the second application.
  - 17. The method of claim 15, wherein the first level of virtualization is operating system level virtualization and the second level of virtualization is hardware level virtualization.
  - 18. The method of claim 15, further comprising:
    - restricting access to data associated with a host operating system by the first application to a shared memory configured to operate within the second level of virtualization.
  - 19. The method of claim 15, wherein the first virtual environment is initiated based on a template specific to the first application and the second virtual environment is initiated based on a template specific to the second application.
  - 20. The method of claim 15, wherein the second level of virtualization is provided by a virtual machine monitor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Research Foundation Inc.
Original Assignee
George Mason Research Foundation Inc.
Inventors
Ghosh, Anup, Huang, Yih, Wang, Jiang, Stavrou, Angelos
Primary Examiner(s)
Shayanfar, Ali

Application Number

US16/250,006
Publication Number

US 20190158523A1
Time in Patent Office

397 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2149   Restricted operating enviro...

G06F 9/45545   Guest-host, i.e. hypervisor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Methods and apparatus for application isolation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

179 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for application isolation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links