Evaluating malware in a virtual machine using copy-on-write

US 10,678,918 B1
Filed: 02/06/2018
Issued: 06/09/2020
Est. Priority Date: 07/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

copy a respective first and second original virtual machine image to a RAM disk, wherein the respective first and second original virtual machine images correspond, respectively, to first and second base installations;

initialize, as respective first and second copy-on-write overlays, a first virtual machine instance for execution of a sample and a second virtual machine instance for execution of the sample, wherein the first and second virtual machine instances are respectively associated with the first and second original virtual machine images, wherein any changes to the first virtual machine will be captured in a first copy-on-write overlay file, and wherein any changes to the second virtual machine will be captured in a second copy-on-write overlay file;

start the respective first virtual machine instance and second virtual machine instances;

execute the sample inside the first virtual machine instance during a first evaluation period, and at a time occurring during the first evaluation period, execute the sample inside the second virtual machine instance;

determine, based at least in part on an analysis of the respective first copy-on-write overlay file and second copy-on-write overlay file, that the sample acts maliciously when executed in the first virtual machine instance, and that the sample does not act maliciously when executed in the second virtual machine instance; and

take a remedial action with respect to the sample; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Evaluating a potentially malicious sample using a copy-on-write overlay is disclosed. A first virtual machine instance is initialized as a copy-on-write overlay associated with an original virtual machine image. The first virtual machine image is started and a first sample is executed. A second virtual machine instance is initialized as a copy-on-write overlay associated with a second original virtual machine image. The second virtual machine image is started and a second sample is executed. The first and second samples are executed at an overlapping time.

229 Citations

25 Claims

1. A system, comprising:
- a processor configured to;
  
  copy a respective first and second original virtual machine image to a RAM disk, wherein the respective first and second original virtual machine images correspond, respectively, to first and second base installations;
  
  initialize, as respective first and second copy-on-write overlays, a first virtual machine instance for execution of a sample and a second virtual machine instance for execution of the sample, wherein the first and second virtual machine instances are respectively associated with the first and second original virtual machine images, wherein any changes to the first virtual machine will be captured in a first copy-on-write overlay file, and wherein any changes to the second virtual machine will be captured in a second copy-on-write overlay file;
  
  start the respective first virtual machine instance and second virtual machine instances;
  
  execute the sample inside the first virtual machine instance during a first evaluation period, and at a time occurring during the first evaluation period, execute the sample inside the second virtual machine instance;
  
  determine, based at least in part on an analysis of the respective first copy-on-write overlay file and second copy-on-write overlay file, that the sample acts maliciously when executed in the first virtual machine instance, and that the sample does not act maliciously when executed in the second virtual machine instance; and
  
  take a remedial action with respect to the sample; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1 wherein the first copy-on-write overlay file indicates changes made to the first virtual machine instance during execution of the first sample, relative to the first original virtual machine image.
  - 3. The system of claim 1 wherein the first virtual machine instance is a copy-on-write overlay of the first original virtual machine image.
  - 4. The system of claim 1 wherein the first virtual machine instance is a copy-on-write overlay of a hierarchy of virtual machine images, wherein the first original virtual machine image comprises the root of the hierarchy.
  - 5. The system of claim 4 wherein the first copy-on-write overlay file indicates changes made to the first virtual machine instance during execution of the first sample, relative to a parent of the first instance in the hierarchy.
  - 6. The system of claim 5 wherein an intermediate node between the root of the hierarchy and the first copy-on-write overlay in the hierarchy comprises a copy-on-write overlay associated with the installation of one or more applications on top of the first original virtual machine image.
  - 7. The system of claim 6 wherein the hierarchy includes a plurality of intermediate nodes, wherein at least some of the intermediate nodes are associated with the installation of different combinations of applications on top of the first original virtual machine image.
  - 8. The system of claim 6 wherein the hierarchy includes a plurality of intermediate nodes, wherein at least some of the intermediate nodes are associated with different versions of the same application.
  - 9. The system of claim 1 wherein executing the first sample includes loading the first sample in an application.
  - 10. The system of claim 1 wherein the first original virtual machine is selected from a plurality of virtual machine images collectively representing a plurality of operating system versions.
  - 11. The system of claim 1 wherein the first original virtual machine is selected from a plurality of virtual machine images collectively representing a plurality of platforms.
  - 12. The system of claim 1 wherein at least one virtual machine image included in the plurality is customized in accordance with a customer specification.

13. A method, comprising:
- copying a respective first and second original virtual machine image to a RAM disk, wherein the respective first and second original virtual machine images correspond, respectively, to first and second base installations;
  
  initializing, as respective first and second copy-on-write overlays, a first virtual machine instance for execution of a sample and a second virtual machine instance for execution of the sample, wherein the first and second virtual machine instances are respectively associated with the first and second original virtual machine images, wherein any changes to the first virtual machine will be captured in a first copy-on-write overlay file, and wherein any changes to the second virtual machine will be captured in a second copy-on-write overlay file;
  
  starting the respective first virtual machine instance and second virtual machine instances;
  
  executing the sample inside the first virtual machine instance during a first evaluation period, and at a time occurring during the first evaluation period, executing the sample inside the second virtual machine instance;
  
  determining, based at least in part on an analysis of the respective first copy-on-write overlay file and second copy-on-write overlay file, that the sample acts maliciously when executed in the first virtual machine instance, and that the sample does not act maliciously when executed in the second virtual machine instance; and
  
  taking a remedial action with respect to the sample.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13 wherein the first copy-on-write overlay file indicates changes made to the first virtual machine instance during execution of the sample, relative to the first original virtual machine image.
  - 15. The method of claim 13 wherein the first virtual machine instance is a copy-on-write overlay of the first original virtual machine image.
  - 16. The method of claim 13 wherein the first virtual machine instance is a copy-on-write overlay of a hierarchy of virtual machine images, wherein the first original virtual machine image comprises the root of the hierarchy.
  - 17. The method of claim 16 wherein the first copy-on-write overlay file indicates changes made to the first virtual machine instance during execution of the sample, relative to a parent of the first instance in the hierarchy.
  - 18. The method of claim 17 wherein an intermediate node between the root of the hierarchy and the first copy-on-write overlay in the hierarchy comprises a copy-on-write overlay associated with the installation of one or more applications on top of the first original virtual machine image.
  - 19. The method of claim 18 wherein the hierarchy includes a plurality of intermediate nodes, wherein at least some of the intermediate nodes are associated with the installation of different combinations of applications on top of the first original virtual machine image.
  - 20. The method of claim 18 wherein the hierarchy includes a plurality of intermediate nodes, wherein at least some of the intermediate nodes are associated with different versions of the same application.
  - 21. The method of claim 13 wherein executing the first sample includes loading the first sample in an application.
  - 22. The method of claim 13 wherein the first original virtual machine is selected from a plurality of virtual machine images collectively representing a plurality of operating system versions.
  - 23. The method of claim 13 wherein the first original virtual machine is selected from a plurality of virtual machine images collectively representing a plurality of platforms.
  - 24. The method of claim 13 wherein at least one virtual machine image included in the plurality is customized in accordance with a customer specification.

25. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- copying a first original virtual machine image to a RAM disk, wherein the first original virtual machine image corresponds to a base installation of a first operating system;
  
  initializing, as a first copy-on-write overlay, a first virtual machine instance for execution of a first sample, wherein the first virtual machine instance is associated with the first original virtual machine image, and wherein any changes to the first virtual machine will be captured in a first copy-on-write overlay file;
  
  starting the first virtual machine instance and execute the first sample inside the first virtual machine instance;
  
  initializing, as a second copy-on-write overlay, a second virtual machine instance for execution of a second sample, wherein the second virtual machine instance is associated with a second original virtual machine image, and wherein any changes to the second virtual machine will be captured in a second copy-on-write overlay file; and
  
  starting the second virtual machine instance and execute the second sample inside the second virtual machine instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Wang, Xinran, Xie, Huagang
Primary Examiner(s)
Gee, Jason K

Application Number

US15/890,198
Time in Patent Office

854 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

Evaluating malware in a virtual machine using copy-on-write

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

229 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating malware in a virtual machine using copy-on-write

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

229 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links