Virtualized exploit detection system
First Claim
Patent Images
1. A virtualized malware detection system comprising:
- a controller; and
a memory communicatively coupled to the controller and including one or more virtual hosts, the one or more virtual hosts comprises a first virtual host including a plurality of virtual resources and a secondary virtual resource, the plurality of virtual resources includes a first virtual resource configured to conduct an analysis of an object to detect any of a set of events, and the secondary virtual resource, operating concurrently with the first virtual resource, to receive information associated with the detected event,wherein after processing an object by the first virtual resource and responsive to the detected event, the first virtual resource provides the object and information associated with the detected event to the secondary virtual resource while continuing to process the object and gathering post-processing information during continued processing of the object,wherein the secondary virtual resource conducts an analysis of the object and the information associated with the detected event using correlation rules, determines a first score for the object based on the analysis, compares the first score to a first threshold, and upon the first score exceeding the first threshold, the secondary virtual resource requests the post-processing information from the first virtual resource to determine a second score for the object based on the post-processing information and the information of the event, andwherein the secondary virtual resource determines that the object is malicious and generates an alert in response to the second score exceeding a second threshold.
5 Assignments
0 Petitions
Accused Products
Abstract
According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines are configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious,” or “malicious.”
797 Citations
25 Claims
-
1. A virtualized malware detection system comprising:
-
a controller; and a memory communicatively coupled to the controller and including one or more virtual hosts, the one or more virtual hosts comprises a first virtual host including a plurality of virtual resources and a secondary virtual resource, the plurality of virtual resources includes a first virtual resource configured to conduct an analysis of an object to detect any of a set of events, and the secondary virtual resource, operating concurrently with the first virtual resource, to receive information associated with the detected event, wherein after processing an object by the first virtual resource and responsive to the detected event, the first virtual resource provides the object and information associated with the detected event to the secondary virtual resource while continuing to process the object and gathering post-processing information during continued processing of the object, wherein the secondary virtual resource conducts an analysis of the object and the information associated with the detected event using correlation rules, determines a first score for the object based on the analysis, compares the first score to a first threshold, and upon the first score exceeding the first threshold, the secondary virtual resource requests the post-processing information from the first virtual resource to determine a second score for the object based on the post-processing information and the information of the event, and wherein the secondary virtual resource determines that the object is malicious and generates an alert in response to the second score exceeding a second threshold. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 24, 25)
-
-
14. A virtualized malware detection system comprising:
-
a controller; a memory communicatively coupled to the controller and including a first virtual host, the first virtual host includes a first plurality of virtual resources and a first security virtual resource communicatively coupled to each of the first plurality of virtual resources, the first plurality of virtual resources includes a first virtual resource configured to conduct an analysis of an object to detect any of a set of events, and the first security virtual resource, operating concurrently with the first virtual resource, to receive information associated with the detected event, wherein after processing an object by the first virtual resource and responsive to the detected event, the first virtual resource provides the object and information associated with the detected event to the first security virtual resource while continuing to process the object and gathering post-processing information during continued processing of the object, wherein the first security virtual resource conducts an analysis of the object and the information associated with the detected event using correlation rules, determines a first score for the object based on the analysis, compares the first score to a first threshold, and upon the first score exceeding the first threshold, the first security virtual resource requests the post-processing information from the first virtual resource to determine a second score for the object based on the post-processing information and the information of the event, and wherein the first security virtual resource determines that the object is malicious and generates an alert in response to the second score exceeding a second threshold. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
-
Specification