Micro-virtual machine forensics and detection
First Claim
1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
- identifying one or more events occurring within an isolated environment in which a process executes, wherein the isolated environment is instantiated in response to receiving a request to execute the process;
- determining whether an actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process based upon a set of events associated with the process that pertain to the process accessing or attempting to access an encryption API or an API associated with sleeping;
- only upon determining that the process deviates from the expected behavior, storing behavior data that describes the actual behavior of the process during execution, the storing behavior data includes creating a snapshot of the isolated environment; and
- determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
2 Assignments
0 Petitions
Abstract
An isolated environment is instantiated in response to receiving a request to execute a process. One or more events occurring within the isolated environment in which the process executes are identified. Whether the actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process is determined. Only when it is determined that the process deviates from the expected behavior is behavior data, which describes the actual behavior of the process during execution, stored. A determination is then made as to whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
60 Citations
18 Claims
1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
- identifying one or more events occurring within an isolated environment in which a process executes, wherein the isolated environment is instantiated in response to receiving a request to execute the process;
- determining whether an actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process based upon a set of events associated with the process that pertain to the process accessing or attempting to access an encryption API or an API associated with sleeping;
- only upon determining that the process deviates from the expected behavior, storing behavior data that describes the actual behavior of the process during execution, the storing behavior data includes creating a snapshot of the isolated environment; and
- determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.

Dependent claims: 2, 3, 4, 5, 6, 7, 17, 18

8. An apparatus, comprising:
- one or more processors; and
- one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed, cause:
- identifying one or more events occurring within an isolated environment in which a process executes, wherein the isolated environment is instantiated in response to receiving a request to execute the process;
- determining whether an actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process based upon a set of events associated with the process that pertain to the process accessing or attempting to access an encryption API or an API associated with sleeping;
- only upon determining that the process deviates from the expected behavior, storing behavior data that describes the actual behavior of the process during execution, the storing behavior data includes creating a snapshot of the isolated environment; and
- determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.

Dependent claims: 9, 10, 11, 12, 13, 14

15. A method for monitoring process behavior, comprising:
- programmatically identifying one or more events occurring within an isolated environment in which a process executes, wherein the isolated environment is instantiated in response to receiving a request to execute the process;
- programmatically determining whether an actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process based upon a set of events associated with the process that pertain to the process accessing or attempting to access an encryption API or an API associated with sleeping;
- programmatically storing behavior data that describes the actual behavior of the process during execution only upon determining that the process deviates from the expected behavior, the programmatically storing behavior data includes programmatically creating a snapshot of the isolated environment; and
- programmatically determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.

Dependent claims: 16
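The four claim elements above (identify events in the isolated environment, test them against an expected-behavior profile using the encryption and sleep API families as the trigger, store behavior data with an environment snapshot only on deviation, then analyze that data for compromise) form a pipeline that is easier to see as code. The following Python is an added example written for this page; it is not the patent holder's implementation. The API names, the process profile, the event stream and the environment state are all constructed for illustration, and the compromise heuristic in `analyze_behavior` is this example's own choice, not a rule stated in the claims.

```python
"""Behavior-deviation monitor modelled on the independent claims (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# API families the claims single out as deviation triggers. The concrete names are
# illustrative Windows API names; the membership of each set is an assumption here.
ENCRYPTION_APIS = frozenset({"CryptAcquireContextW", "CryptEncrypt", "BCryptEncrypt"})
SLEEP_APIS = frozenset({"Sleep", "SleepEx", "NtDelayExecution"})
TRIGGER_APIS = ENCRYPTION_APIS | SLEEP_APIS
LONG_SLEEP_MS = 60_000  # constructed threshold for "suspiciously long" sleep


@dataclass(frozen=True)
class ExpectedBehavior:
    """What a process of this type is expected to do inside the isolated environment."""
    name: str
    allowed_apis: frozenset  # trigger-family APIs the process may legitimately call


# Constructed profiles: a document viewer has no reason to encrypt or sleep;
# a backup agent is expected to use the encryption APIs but not to sleep.
DOC_VIEWER = ExpectedBehavior("document-viewer", frozenset())
BACKUP_AGENT = ExpectedBehavior("backup-agent", ENCRYPTION_APIS)

# Constructed event stream from the isolated environment (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"seq": 1, "api": "CreateFileW", "args": {"path": "C:\\Users\\u\\Documents\\q1.docx"}},
    {"seq": 2, "api": "NtDelayExecution", "args": {"ms": 120_000}},
    {"seq": 3, "api": "CryptAcquireContextW", "args": {}},
    {"seq": 4, "api": "CryptEncrypt", "args": {"bytes": 48213}},
    {"seq": 5, "api": "WriteFile", "args": {"path": "C:\\Users\\u\\Documents\\q1.docx.locked"}},
    {"seq": 6, "api": "CryptEncrypt", "args": {"bytes": 9120}},
    {"seq": 7, "api": "WriteFile", "args": {"path": "C:\\Users\\u\\Documents\\q2.docx.locked"}},
]

# Constructed benign stream: the viewer only reads the document it was asked to open.
BENIGN_EVENTS: List[Dict] = [
    {"seq": 1, "api": "CreateFileW", "args": {"path": "C:\\Users\\u\\Documents\\q1.docx"}},
    {"seq": 2, "api": "ReadFile", "args": {"path": "C:\\Users\\u\\Documents\\q1.docx"}},
]


def deviating_events(events: List[Dict], expected: ExpectedBehavior) -> List[Dict]:
    """Claim element 2: events in the encryption/sleep families the profile does not allow."""
    return [e for e in events
            if e["api"] in TRIGGER_APIS and e["api"] not in expected.allowed_apis]


def snapshot_environment(env_state: Dict, events: List[Dict]) -> Dict:
    """Claim element 3: behavior data that includes a snapshot of the isolated environment.
    env_state stands in for the micro-VM's memory/disk state (a plain dict here)."""
    return {
        "snapshot": dict(env_state),
        "events": list(events),
        "api_counts": dict(Counter(e["api"] for e in events)),
    }


def analyze_behavior(behavior_data: Dict) -> Dict:
    """Claim element 4: decide compromise from the stored behavior data.
    Heuristic of this example: encryption calls paired with file writes, or a long
    sleep in the same trace as encryption activity."""
    counts = behavior_data["api_counts"]
    events = behavior_data["events"]
    enc_calls = sum(counts.get(api, 0) for api in ENCRYPTION_APIS)
    writes = [e for e in events if e["api"] == "WriteFile"]
    long_sleep = any(e["api"] in SLEEP_APIS and e["args"].get("ms", 0) >= LONG_SLEEP_MS
                     for e in events)
    reasons = []
    if enc_calls and writes:
        reasons.append(f"{enc_calls} encryption calls with {len(writes)} file writes")
    if long_sleep and enc_calls:
        reasons.append("long sleep in the same trace as encryption activity")
    return {"compromised": bool(reasons), "reasons": reasons}


def monitor_process(events: List[Dict], expected: ExpectedBehavior, env_state: Dict) -> Dict:
    """Runs the pipeline; behavior data is stored only when a deviation is observed."""
    deviation = deviating_events(events, expected)
    if not deviation:
        return {"deviated": False, "behavior_data": None, "verdict": None}
    data = snapshot_environment(env_state, events)
    return {"deviated": True, "behavior_data": data, "verdict": analyze_behavior(data)}


if __name__ == "__main__":
    env = {"vm_id": "uvm-0001", "files_touched": 2}  # constructed environment state
    print(monitor_process(SAMPLE_EVENTS, DOC_VIEWER, env)["verdict"])
    print(monitor_process(BENIGN_EVENTS, DOC_VIEWER, env)["deviated"])
```

The profile is what makes the "expected behavior" test meaningful: the same trace run under the `BACKUP_AGENT` profile yields only the sleep event as a deviation, so the snapshot is still taken but the analysis sees the encryption calls as within profile. The snapshot step is the expensive one in a real micro-VM, which is why the claims gate it on a deviation rather than recording every execution.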
Specification