Malware Detector

US 20080320594A1
Filed: 03/19/2008
Published: 12/25/2008
Est. Priority Date: 03/19/2007
Status: Abandoned Application

First Claim

Patent Images

1. A computer readable medium, the computer readable medium including a series of computer readable instructions that when executed by one or more processors performs a method for detecting malware on a virtual machine, the virtual machine residing on a host operating system, the instructions executed from outside the virtual machine, the method comprising:

a. retrieving for inspection virtual machine internal system states from virtual resources, based on non-intrusive virtual machine introspection without perturbing their execution, the virtual resources including;

i. virtual machine memory; and

ii. at least one virtual disk; and

the virtual machine internal system states comprising;

i. virtual memory states; and

ii. virtual disk states;

b. extrapolating guest functions by interpreting the virtual memory states and the virtual disk states; and

c. transparently encapsulating and presenting the interpreted virtual memory states and the interpreted virtual disk states to anti-malware software; and

wherein the anti-malware software is configured to use the interpreted virtual memory states and the interpreted virtual disk states to detect system compromises.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The malware detection system enables out-of-the box, tamper-resistant malware detection without losing the semantic view. This system comprises at least one guest operating system and at least one virtual machine, where the guest operating system runs on the virtual machine. Having virtual resources, the virtual machine resides on a host operating system. The virtual resources include virtual memory and at least one virtual disk. A virtual machine examiner is used to examine the virtual machine. With a virtual machine inspector, a guest function extrapolator, and a transparent presenter, the virtual machine examiner resides outside the virtual machine. The virtual machine inspector is configured to retrieve virtual machine internal system states and/or events. The guest function extrapolator is configured to interpret such states and/or events. The transparent presenter is configured to present the interpreted states and/or events to anti-malware software. The anti-malware software is configured to use the interpreted states and/or events to detect any system compromise.

477 Citations

20 Claims

1. A computer readable medium, the computer readable medium including a series of computer readable instructions that when executed by one or more processors performs a method for detecting malware on a virtual machine, the virtual machine residing on a host operating system, the instructions executed from outside the virtual machine, the method comprising:
- a. retrieving for inspection virtual machine internal system states from virtual resources, based on non-intrusive virtual machine introspection without perturbing their execution, the virtual resources including;
  
  i. virtual machine memory; and
  
  ii. at least one virtual disk; and
  
  the virtual machine internal system states comprising;
  
  i. virtual memory states; and
  
  ii. virtual disk states;
  
  b. extrapolating guest functions by interpreting the virtual memory states and the virtual disk states; and
  
  c. transparently encapsulating and presenting the interpreted virtual memory states and the interpreted virtual disk states to anti-malware software; and
  
  wherein the anti-malware software is configured to use the interpreted virtual memory states and the interpreted virtual disk states to detect system compromises.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer readable medium according to claim 1, wherein at least some of the instructions are executed on the host operating system.
  - 3. The computer readable medium according to claim 1, wherein the instructions further include retrieving virtual network interface states from at least one virtual network interface.
  - 4. The computer readable medium according to claim 1, further including retrieving for inspection virtual machine internal system events from the virtual resources, based on non-intrusive virtual machine introspection without perturbing their execution, the virtual machine internal system events comprising:
    - a. virtual memory events; and
      
      b. virtual disk events.
  - 5. The computer readable medium according to claim 4, wherein the virtual machine internal system events are retrieved using instructions executed between the host operating system and the virtual machine.
  - 6. The computer readable medium according to claim 4, further including interpreting the virtual memory events.
  - 7. The computer readable medium according to claim 6, further including transparently encapsulating and presenting the interpreted virtual memory events to the anti-malware software, the anti-malware software further configured to use the virtual memory events to detect system compromises.
  - 8. The computer readable medium according to claim 4, further including interpreting the virtual disk events.
  - 9. The computer readable medium according to claim 8, further including transparently encapsulating and presenting the interpreted virtual disk events to the anti-malware software, the anti-malware software configured to use the virtual disk events to detect system compromises.

10. A malware detection system, comprising:
- a. a guest operating system running on a virtual machine, the virtual machine residing on a host operating system, the virtual machine having virtual resources, the virtual resources including;
  
  i. virtual machine memory; and
  
  ii. at least one virtual disk; and
  
  b. a virtual machine examiner residing outside the virtual machine, the virtual machine examiner including;
  
  i. a virtual machine inspector, the virtual machine inspector configured to retrieve for inspection virtual machine internal system states from the virtual resources, based on non-intrusive virtual machine introspection without perturbing their execution, the virtual machine internal system states comprising;
  
  1. virtual memory states; and
  
  virtual disk states;
  
  ii. a guest function extrapolator, the guest function extrapolator configured to extrapolate guest functions by;
  
  1. interpreting the virtual memory states; and
  
  2. interpreting the virtual disk states; and
  
  iii. a transparent presenter, the transparent presentor configured to encapsulate and present the interpreted virtual memory states and the interpreted virtual disk states to anti-malware software, the anti-malware software configured to use the interpreted virtual memory states and the interpreted disk states to detect system compromises.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The malware detection system according to claim 10, wherein the virtual machine examiner runs on the host operating system.
  - 12. The malware detection system according to claim 10, wherein the virtual resources further include at least one virtual network interface.
  - 13. The malware detection system according to claim 12, wherein the virtual machine inspector is further configured to retrieve virtual network interface states from the at least one virtual network interface.
  - 14. The malware detection system according to claim 10, wherein the virtual machine inspector is further configured to retrieve for inspection virtual machine internal system events from the virtual resources, based on non-intrusive virtual machine introspection without perturbing their execution, the virtual machine internal system events comprising:
    - i. virtual memory events; and
      
      ii. virtual disk events;
  - 15. The malware detection system according to claim 14, whereina. the virtual machine inspector retrieves the virtual memory events from a virtual machine monitor;
    - b. the virtual machine monitor runs between the host operating system and the virtual machine; and
      
      c. the virtual machine monitor is configured to intercept the virtual memory events.
  - 16. The malware detection system according to claim 15, wherein the guest function extrapolator is further configured to interpret the virtual memory events.
  - 17. The malware detection system according to claim 16, whereina. the transparent presentor is further configured to encapsulate and present the interpreted virtual memory events to anti-malware software;
    - andb. the anti-malware software is further configured to use the virtual memory events to detect system compromises.
  - 18. The malware detection system according to claim 14, wherein:
    - a. the virtual machine inspector retrieves the virtual disk events from a virtual machine monitor;
      
      b. the virtual machine monitor runs between the host operating system and the virtual machine; and
      
      c. the virtual machine monitor is configured to intercept the virtual disk events.
  - 19. The malware detection system according to claim 18, wherein the guest function extrapolator is further configured to interpret the virtual disk events.
  - 20. The malware detection system according to claim 19, whereina. the transparent presentor is further configured to encapsulate and present the interpreted virtual disk events to anti-malware software;
    - andb. the anti-malware software is configured to use the virtual disk events to detect system compromises.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Intellectual Properties, Inc.
Original Assignee
George Mason Intellectual Properties, Inc.
Inventors
Jiang, Xuxian

Application Number

US12/051,703
Publication Number

US 20080320594A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Malware Detector

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

477 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Malware Detector

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

477 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links