Systems and Methods for Virtualization and Emulation Assisted Malware Detection
First Claim
1. A method comprising:
- intercepting an object provided from a first digital device to a second digital device;
- instantiating a virtualization environment with the one or more resources;
- processing the object within the virtualization environment;
- tracing operations of the object while processing within the virtualization environment;
- detecting suspicious behavior associated with the object in the virtualization environment;
- instantiating an emulation environment in response to the detected suspicious behavior;
- processing the object within the emulation environment;
- recording responses to the object within the emulation environment;
- tracing operations of the object while processing within the emulation environment;
- detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment;
- re-instantiating the virtualization environment in response to the detected divergence;
- providing the recorded response from the emulation environment to the object in the re-instantiated virtualization environment;
- monitoring the operations of the object while processing within the re-instantiation of the virtualization environment;
- identifying untrusted actions from the monitored operations; and
- generating a report regarding the identified untrusted actions of the object.
Abstract
Systems and methods for virtualization and emulation malware enabled detection are described. In some embodiments, a method comprises intercepting an object, instantiating and processing the object in a virtualization environment, tracing operations of the object while processing within the virtualization environment, detecting suspicious behavior associated with the object, instantiating an emulation environment in response to the detected suspicious behavior, processing, recording responses to, and tracing operations of the object within the emulation environment, detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment, re-instantiating the virtualization environment, providing the recorded response from the emulation environment to the object in the virtualization environment, monitoring the operations of the object within the re-instantiation of the virtualization environment, identifying untrusted actions from the monitored operations, and generating a report regarding the identified untrusted actions of the object.
21 Claims
1. A method comprising:
- intercepting an object provided from a first digital device to a second digital device;
- instantiating a virtualization environment with the one or more resources;
- processing the object within the virtualization environment;
- tracing operations of the object while processing within the virtualization environment;
- detecting suspicious behavior associated with the object in the virtualization environment;
- instantiating an emulation environment in response to the detected suspicious behavior;
- processing the object within the emulation environment;
- recording responses to the object within the emulation environment;
- tracing operations of the object while processing within the emulation environment;
- detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment;
- re-instantiating the virtualization environment in response to the detected divergence;
- providing the recorded response from the emulation environment to the object in the re-instantiated virtualization environment;
- monitoring the operations of the object while processing within the re-instantiation of the virtualization environment;
- identifying untrusted actions from the monitored operations; and
- generating a report regarding the identified untrusted actions of the object.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10 (not reproduced).
11. A system comprising:
- a collection module configured to receive an object provided from a first digital device to a second digital device;
- a virtualization module configured to instantiate a virtualization environment with the one or more resources, to process the object within the virtualization environment, to trace operations of the object while processing within the virtualization environment, to detect suspicious behavior associated with the object in the virtualization environment, to monitor the operations of the object while processing within a re-instantiation of the virtualization environment, to identify untrusted actions from the monitored operations, and to generate a report regarding the identified untrusted actions of the object;
- an emulation module configured to instantiate an emulation environment in response to the detected suspicious behavior, to process the object within the emulation environment, to record responses to the object within the emulation environment and to trace operations of the object while processing within the emulation environment; and
- a control module configured to detect a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment, to re-instantiate the virtualization environment in response to the detected divergence, and to provide the recorded response from the emulation environment to the object in the virtualization environment.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20 (not reproduced).
21. A computer readable medium comprising instructions, the instructions being executable by a processor for performing a method, the method comprising:
- intercepting an object provided from a first digital device to a second digital device;
- instantiating a virtualization environment with the one or more resources;
- processing the object within the virtualization environment;
- tracing operations of the object while processing within the virtualization environment;
- detecting suspicious behavior associated with the object in the virtualization environment;
- instantiating an emulation environment in response to the detected suspicious behavior;
- processing the object within the emulation environment;
- recording responses to the object within the emulation environment;
- tracing operations of the object while processing within the emulation environment;
- detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment;
- re-instantiating the virtualization environment in response to the detected divergence;
- providing the recorded response from the emulation environment to the object in the virtualization environment;
- monitoring the operations of the object while processing within the re-instantiation of the virtualization environment;
- identifying untrusted actions from the monitored operations; and
- generating a report regarding the identified untrusted actions of the object.
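As an added illustration (not code from the patent or its assignee), the following toy Python model walks through the claimed workflow: the object is processed in a simulated virtualization environment, a suspicious environment probe triggers a run in an emulation environment whose responses are recorded, the two traces are compared for a divergence, and the emulator's recorded responses are replayed to the object in a re-instantiated virtualization environment before untrusted actions are reported. The probe names, action names and both sample objects are constructed for the example.

```python
# Probes treated as suspicious when seen in the VM trace, and actions reported as untrusted.
PROBE_QUERIES = {"cpuid_hypervisor_present", "vm_tools_installed"}
UNTRUSTED_ACTIONS = {"write_file", "connect", "spawn"}

def run_in_environment(obj, responder):
    """Process the object, tracing its operations as (kind, name, value) tuples and
    recording every response the environment gives to its queries."""
    recorded = []
    def query(key):
        answer = responder(key)
        recorded.append(answer)
        return answer
    return obj(query), recorded

def find_divergence(trace_a, trace_b):
    """Index of the first operation on which the two traces differ, or None if they agree."""
    for i, (a, b) in enumerate(zip(trace_a, trace_b)):
        if a != b:
            return i
    return None if len(trace_a) == len(trace_b) else min(len(trace_a), len(trace_b))

def analyze(obj):
    # Stage 1: the virtualization environment answers truthfully (a hypervisor is present).
    vm_trace, _ = run_in_environment(obj, lambda k: k == "cpuid_hypervisor_present")
    suspicious = any(op[0] == "query" and op[1] in PROBE_QUERIES for op in vm_trace)
    divergence = None
    if suspicious:
        # Stage 2: the emulation environment presents a bare-metal profile and records its answers.
        emu_trace, recorded = run_in_environment(obj, lambda k: False)
        divergence = find_divergence(vm_trace, emu_trace)
        if divergence is not None:
            # Stage 3: re-instantiate the VM and feed the object the emulator's recorded responses.
            replay = iter(recorded)
            vm_trace, _ = run_in_environment(obj, lambda k: next(replay, False))
    untrusted = [op for op in vm_trace if op[0] == "action" and op[1] in UNTRUSTED_ACTIONS]
    return {"suspicious": suspicious, "divergence_at": divergence, "untrusted_actions": untrusted}

# Constructed samples with hypothetical behaviour; neither is real malware.
def evasive_sample(query):
    """Probes for a hypervisor and only acts when it believes it is on bare metal."""
    trace = [("query", "cpuid_hypervisor_present", query("cpuid_hypervisor_present"))]
    if trace[0][2]:
        trace.append(("action", "sleep", 600))                  # stall inside the sandbox
    else:
        trace.append(("action", "write_file", "payload.bin"))
        trace.append(("action", "connect", "203.0.113.7:443"))  # TEST-NET-3 documentation address
    return trace
def benign_sample(query):
    return [("action", "read_file", "config.ini")]
```

In the evasive case the VM alone would only ever see the sleep; the divergence at the first operation is what justifies replaying the emulator's answer so the VM can observe the file write and the connection.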