Virtualized exploit detection system

US 10,666,686 B1
Filed: 12/03/2018
Issued: 05/26/2020
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A virtualized malware detection system comprising:

a controller; and

a memory communicatively coupled to the controller and including one or more virtual hosts, the one or more virtual hosts comprises a first virtual host including a plurality of virtual resources and a secondary virtual resource, the plurality of virtual resources includes a first virtual resource configured to conduct an analysis of an object to detect any of a set of events, and the secondary virtual resource, operating concurrently with the first virtual resource, to receive information associated with the detected event,wherein after processing an object by the first virtual resource and responsive to the detected event, the first virtual resource provides the object and information associated with the detected event to the secondary virtual resource while continuing to process the object and gathering post-processing information during continued processing of the object,wherein the secondary virtual resource conducts an analysis of the object and the information associated with the detected event using correlation rules, determines a first score for the object based on the analysis, compares the first score to a first threshold, and upon the first score exceeding the first threshold, the secondary virtual resource requests the post-processing information from the first virtual resource to determine a second score for the object based on the post-processing information and the information of the event, andwherein the secondary virtual resource determines that the object is malicious and generates an alert in response to the second score exceeding a second threshold.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines are configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious,” or “malicious.”

797 Citations

25 Claims

1. A virtualized malware detection system comprising:
- a controller; and
  
  a memory communicatively coupled to the controller and including one or more virtual hosts, the one or more virtual hosts comprises a first virtual host including a plurality of virtual resources and a secondary virtual resource, the plurality of virtual resources includes a first virtual resource configured to conduct an analysis of an object to detect any of a set of events, and the secondary virtual resource, operating concurrently with the first virtual resource, to receive information associated with the detected event,wherein after processing an object by the first virtual resource and responsive to the detected event, the first virtual resource provides the object and information associated with the detected event to the secondary virtual resource while continuing to process the object and gathering post-processing information during continued processing of the object,wherein the secondary virtual resource conducts an analysis of the object and the information associated with the detected event using correlation rules, determines a first score for the object based on the analysis, compares the first score to a first threshold, and upon the first score exceeding the first threshold, the secondary virtual resource requests the post-processing information from the first virtual resource to determine a second score for the object based on the post-processing information and the information of the event, andwherein the secondary virtual resource determines that the object is malicious and generates an alert in response to the second score exceeding a second threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 24, 25)
- - 2. The virtualized malware detection system of claim 1, wherein each of the plurality of virtual resources corresponds to a virtual machine including the first virtual resource corresponding to a first virtual machine, the secondary virtual resource being a security virtual machine.
  - 3. The virtualized malware detection system of claim 1 further comprising a network interface communicatively coupled to the controller.
  - 4. The virtualized malware detection system of claim 2, wherein the one or more virtual hosts includes the first virtual host to be utilized by a first enterprise and a second virtual host to be utilized by a second enterprise different than the first enterprise.
  - 5. The virtualized malware detection system of claim 1, wherein the first virtual host comprises the plurality of virtual resources including a first plurality of virtual resources corresponding to a first plurality of virtual machines to be utilized by a first enterprise and a second plurality of virtual resources corresponding to a second plurality of virtual machines to be utilized by a second enterprise different than the first enterprise.
  - 6. The virtualized malware detection system of claim 5, wherein the secondary virtual resource corresponds to a security virtual machine accessible by both the first plurality of virtual machines utilized by the first enterprise and the second plurality of virtual machines utilized by the second enterprise.
  - 7. The virtualized malware detection system of claim 2, wherein prior to processing the object by the first virtual machine, the security virtual machine to perform a pre-processing based on identifying information of the object provided by the first virtual machine, wherein the pre-processing includes a comparison of the identifying information with content associated with at least one of a whitelist or a blacklist.
  - 8. The virtualized malware detection system of claim 2, wherein prior to processing the object by the first virtual machine, the security virtual machine to perform a pre-processing based on identifying information of the object provided by the first virtual machine, wherein the pre-processing includes a signature check of the identifying information of the object.
  - 9. The virtualized malware detection system of claim 2, wherein the information associated with the detected event includes information associated with an event that, through at least one of experiential knowledge or machine learning techniques, has been determined to have an association with a malicious attack.
  - 10. The virtualized malware detection system of claim 9, wherein the detected event is an attempt to perform at least one of:
    - (i) deleting a first file or a first directory, (ii) creating a second file or second directory, (iii) establishing communication with an external server, (iv) protecting a file or directory with a password, or (v) encrypting a third file or a third directory.
  - 11. The virtualized malware detection system of claim 2, wherein the security virtual machine being configured to, upon determining the object is malicious, generate the alert to notify one or more of (i) a user of an endpoint device, (ii) a network administrator or (iii) an expert network analyst.
  - 12. The virtualized malware detection system of claim 11, wherein the alert is provided to the one or more of a user of an endpoint device, a network administrator or an expert network analyst through a security appliance.
  - 13. The virtualized malware detection system of claim 2, wherein the security virtual machine of the first virtual host being configured to uploading information associated with the object to cloud services for subsequent access upon determining the object is malicious.
  - 24. The virtualized malware detection system of claim 1, wherein the first score exceeding the first threshold when the first score is greater than the first threshold.
  - 25. The virtualized malware detection system of claim 1, wherein the first virtual host comprises a first hypervisor to manage communications between the first plurality of virtual resources and the secondary virtual resource.

14. A virtualized malware detection system comprising:
- a controller;
  
  a memory communicatively coupled to the controller and including a first virtual host, the first virtual host includes a first plurality of virtual resources and a first security virtual resource communicatively coupled to each of the first plurality of virtual resources, the first plurality of virtual resources includes a first virtual resource configured to conduct an analysis of an object to detect any of a set of events, and the first security virtual resource, operating concurrently with the first virtual resource, to receive information associated with the detected event,wherein after processing an object by the first virtual resource and responsive to the detected event, the first virtual resource provides the object and information associated with the detected event to the first security virtual resource while continuing to process the object and gathering post-processing information during continued processing of the object,wherein the first security virtual resource conducts an analysis of the object and the information associated with the detected event using correlation rules, determines a first score for the object based on the analysis, compares the first score to a first threshold, and upon the first score exceeding the first threshold, the first security virtual resource requests the post-processing information from the first virtual resource to determine a second score for the object based on the post-processing information and the information of the event, andwherein the first security virtual resource determines that the object is malicious and generates an alert in response to the second score exceeding a second threshold.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The virtualized malware detection system of claim 14, whereina first virtual resource of the first plurality of virtual resources conducting an analysis of the object to detect any of the set of events being the detected event previously determined to be associated with a malicious attack;
    - andthe first security virtual resource to receive information associated with the detected event and to conduct a secondary analysis of information associated with the detected event to determine whether the object is suspicious to warrant further analysis by the first virtual resource in determining whether the object is to be labeled as malicious or non-malicious.
  - 16. The virtualized malware detection system of claim 14, wherein the memory further comprises a second virtual host communicatively coupled to the controller, the second virtual host includes a second plurality of virtual resources and a second security virtual resource,wherein the first virtual host is to be utilized by a first enterprise and the second virtual host to be utilized by a second enterprise different than the first enterprise.
  - 17. The virtualized malware detection system of claim 14, wherein a first subset of virtual resources being part of the first plurality of virtual resources are utilized by a first enterprise and a second subset of virtual resources being part of the first plurality of virtual resources are utilized by a second enterprise different than the first enterprise, the first subset of virtual resources being mutually exclusive from the second subset of virtual resources.
  - 18. The virtualized malware detection system of claim 17, wherein the first security virtual resource is utilized by both the first subset of virtual resources utilized by the first enterprise and the second subset of virtual resources utilized by the second enterprise.
  - 19. The virtualized malware detection system of claim 16, wherein the first plurality of virtual resources corresponds to a first plurality of virtual machines, the first security virtual resource corresponds to a first security virtual machine, the second plurality of virtual resources corresponds to a second plurality of virtual machines, and the second security virtual resource corresponds to a second security virtual machine.
  - 20. The virtualized malware detection system of claim 14, wherein the information associated with the detected event includes information associated with an event that, through at least one of experiential knowledge or resource learning techniques, has been determined to have an association with a malicious attack.
  - 21. The virtualized malware detection system of claim 14, wherein the first virtual host comprises a hypervisor to manage communications between the first plurality of virtual resources and the first security virtual resource.
  - 22. The virtualized malware detection system of claim 16, wherein the first virtual host comprises a first hypervisor to manage communications between the first plurality of virtual resources and the first security virtual resource and the second virtual host comprises a second hypervisor to manage communications between the second plurality of virtual resources and the second security virtual resource.
  - 23. The virtualized malware detection system of claim 14, wherein the first score exceeding the first threshold when the first score is greater than the first threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Singh, Japneet, Ramchetty, Harinath, Gupta, Anil
Primary Examiner(s)
Alata, Ayoub

Application Number

US16/208,378
Time in Patent Office

540 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Virtualized exploit detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

797 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Virtualized exploit detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

797 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links