Distributed Sensor for Detecting Malicious Software
First Claim
1. A system for detecting malicious software comprising:
   a) an application processor comprising:
      i) a virtual machine monitor configured to operate on a hardware computing machine under control of a host operating system;
      ii) at least one network application template, each of the at least one network application template including:
         (1) a modifiable section; and
         (2) a non-modifiable section;
      iii) at least one container, at least one of the at least one container:
         (1) configured to operate in a protected memory space under control of a guest operating system virtual machine;
         (2) initialized with at least one copy of the at least one network application template; and
         (3) including:
            (a) a file system; and
            (b) a network address;
      iv) a detection module configured to operate under control of the guest operating system virtual machine, the detection module comprising:
         (1) a trigger detection module configured to monitor activity on the at least one container for a trigger event;
         (2) a logging module configured to write activity to an activity report in response to the trigger event; and
         (3) a container command module configured to conditionally issue at least one command in response to the trigger event, the at least one command being at least one of the following:
            (a) a container stop command;
            (b) a container revert command; and
            (c) a container start command;
      v) a virtual machine control console configured to:
         (1) operate under control of the host operating machine; and
         (2) start and stop the hardware virtual machine monitor;
      vi) a container control module configured to:
         (1) operate under control of the guest operating system virtual machine;
         (2) start at least one of the at least one container in response to the container start command;
         (3) stop at least one of the at least one container in response to the container stop command; and
         (4) revert at least one of the at least one container in response to the container revert command; and
      vii) a server communication module configured to transmit the activity over a network; and
   b) the central collection network appliance configured to:
      i) receive over the network at least one of the at least one activity report; and
      ii) maintain a repository of activities for infected devices.
3 Assignments
0 Petitions
Abstract
Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operating under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The commands include container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OS VM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
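The abstract describes a pipeline rather than an implementation: a container is initialised from a template, a trigger detection module watches it, a logging module produces an activity report, a container command module issues stop/revert/start, a container control module executes those commands, and the report lands in a central repository keyed by infected device. The simulation below is an added example, not code from the patent or its assignee; the trigger rule (any change to a path in the template's non-modifiable section), the class names, and the sample file paths, network address and activity lines are all assumptions made for illustration.

```python
"""Simulation of the detection pipeline in the abstract (added example).
Assumed trigger rule: a write into the template's non-modifiable section."""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NetworkApplicationTemplate:
    name: str
    modifiable: Dict[str, str]       # paths the served application may legitimately change
    non_modifiable: Dict[str, str]   # paths that must stay identical to the template


@dataclass
class Container:
    network_address: str
    template: NetworkApplicationTemplate
    running: bool = False
    file_system: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.file_system = self.template_copy()

    def template_copy(self) -> Dict[str, str]:
        """Fresh file system initialised from a copy of both template sections."""
        return {**deepcopy(self.template.modifiable), **deepcopy(self.template.non_modifiable)}


@dataclass
class ActivityReport:
    network_address: str
    trigger: str
    activity: List[str]


class TriggerDetectionModule:
    """Monitors a container for a trigger event (assumed rule: non-modifiable path altered)."""
    def check(self, container: Container) -> Optional[str]:
        for path, expected in container.template.non_modifiable.items():
            if container.file_system.get(path) != expected:
                return f"non-modifiable path altered: {path}"
        return None


class LoggingModule:
    def write(self, container: Container, trigger: str, activity: List[str]) -> ActivityReport:
        return ActivityReport(container.network_address, trigger, list(activity))


class ContainerCommandModule:
    """Conditionally issues commands; here every trigger gets stop, revert, start."""
    def commands_for(self, trigger: str) -> List[str]:
        return ["stop", "revert", "start"]


class ContainerControlModule:
    def execute(self, container: Container, command: str) -> None:
        if command == "stop":
            container.running = False
        elif command == "revert":
            container.file_system = container.template_copy()  # back to the template copy
        elif command == "start":
            container.running = True
        else:
            raise ValueError(f"unknown container command: {command}")


class CentralCollectionAppliance:
    def __init__(self) -> None:
        self.repository: Dict[str, List[ActivityReport]] = {}  # network address -> reports

    def receive(self, report: ActivityReport) -> None:
        self.repository.setdefault(report.network_address, []).append(report)


class DetectionModule:
    def __init__(self, control: ContainerControlModule, appliance: CentralCollectionAppliance):
        self.trigger_detection = TriggerDetectionModule()
        self.logging = LoggingModule()
        self.command_module = ContainerCommandModule()
        self.control = control
        self.appliance = appliance  # stands in for the server communication module's network link

    def inspect(self, container: Container, activity: List[str]) -> Optional[ActivityReport]:
        trigger = self.trigger_detection.check(container)
        if trigger is None:
            return None
        report = self.logging.write(container, trigger, activity)
        for command in self.command_module.commands_for(trigger):
            self.control.execute(container, command)
        self.appliance.receive(report)
        return report


def run_demo():
    # Constructed template, container and activity lines; not real paths or traffic.
    template = NetworkApplicationTemplate(
        "web-decoy",
        modifiable={"/var/www/uploads/.keep": ""},
        non_modifiable={"/usr/sbin/httpd": "HTTPD-BINARY-v1", "/etc/httpd.conf": "Listen 80"},
    )
    container = Container("10.0.0.5", template, running=True)
    appliance = CentralCollectionAppliance()
    detection = DetectionModule(ContainerControlModule(), appliance)
    activity: List[str] = []
    # Benign: a write into the modifiable section is not a trigger event.
    container.file_system["/var/www/uploads/report.pdf"] = "%PDF-1.4"
    activity.append("PUT /uploads/report.pdf 201")
    benign = detection.inspect(container, activity)
    # Constructed hostile activity: a non-modifiable path is overwritten, which triggers.
    container.file_system["/usr/sbin/httpd"] = "TAMPERED"
    activity.append("write /usr/sbin/httpd by pid 4242")
    report = detection.inspect(container, activity)
    return benign, report, container, appliance
```

The point worth noticing is the revert step: after the trigger, the container's file system is rebuilt from the template copy, so the benign upload disappears along with the tampered binary, and the only durable record of what happened is the activity report held by the central appliance. A real deployment would also need the trigger rule tuned so legitimate application state lives entirely in the modifiable section.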
376 Citations
20 Claims
1. A system for detecting malicious software comprising: (claim 1 is set out in full above under First Claim; dependent claims 2 to 15)
16. An appliance processor for detecting malicious software comprising:
   a) a hardware virtual machine monitor configured to operate on a hardware computing machine under control of a host operating system;
   b) at least one network application template, the at least one network application template including:
      i) a modifiable section; and
      ii) a non-modifiable section;
   c) at least one container, at least one of the at least one container:
      i) configured to operate in a protected memory space under control of a guest operating system virtual machine;
      ii) initialized with at least one copy of the at least one network application template; and
      iii) including:
         (1) a file system; and
         (2) a network address;
   d) a detection module configured to operate under control of the guest operating system virtual machine, the detection module comprising:
      i) a trigger detection module configured to monitor activity on the at least one container for a trigger event;
      ii) a logging module configured to write activity to an activity report in response to the trigger event; and
      iii) a container command module configured to conditionally issue at least one command in response to the trigger event, the at least one command being at least one of the following:
         (1) a container stop command;
         (2) a container revert command; and
         (3) a container start command;
   e) a virtual machine control console configured to:
      i) operate under control of the host operating machine; and
      ii) start and stop the hardware virtual machine monitor;
   f) a container control module configured to:
      i) operate under control of the guest operating system virtual machine;
      ii) start at least one of the at least one container in response to the container start command;
      iii) stop at least one of the at least one container in response to the container stop command; and
      iv) revert at least one of the at least one container in response to the container revert command; and
   g) a server communication module configured to send the activity report to a central collection network appliance over a network, the central collection network appliance configured to:
      i) receive at least one of the at least one activity report; and
      ii) maintain a repository of activities for infected devices.
   (dependent claims 17 to 20)
Specification