Systems and Methods for Virtualized Malware Detection

US 20130117849A1
Filed: 11/03/2011
Published: 05/09/2013
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting an object provided from a first digital device to a second digital device;

determining one or more resources the object requires when the object is executed;

instantiating a virtual environment with the one or more resources;

processing the object within the virtual environment;

tainting operations of the object within the virtual environment;

monitoring the operations of the object while processing within the virtual environment;

identifying an additional resource of the object while processing that is not provided in the virtual environment;

re-instantiating the virtual environment with the additional resource as well as the one or more resources;

monitoring the operations of the object while processing within the re-instantiated virtual environment;

identifying untrusted actions from the monitored operations; and

generating a report identifying the operations and the untrusted actions of the object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for virtualized malware enabled detection are described. In some embodiments, a method comprises intercepting an object provided from a first digital device, determining one or more resources the object requires, instantiating a virtual environment with the one or more resources, processing the object within the virtual environment, tainting operations of the object within the virtual environment, monitoring the operations of the object, identifying an additional resource of the object while processing that is not provided in the virtual environment, re-instantiating the virtual environment with the additional resource, monitoring the operations of the object while processing within the re-instantiated virtual environment, identifying untrusted actions from the monitored operations, and generating a report identifying the operations and the untrusted actions of the object.

250 Citations

27 Claims

1. A method comprising:
- intercepting an object provided from a first digital device to a second digital device;
  
  determining one or more resources the object requires when the object is executed;
  
  instantiating a virtual environment with the one or more resources;
  
  processing the object within the virtual environment;
  
  tainting operations of the object within the virtual environment;
  
  monitoring the operations of the object while processing within the virtual environment;
  
  identifying an additional resource of the object while processing that is not provided in the virtual environment;
  
  re-instantiating the virtual environment with the additional resource as well as the one or more resources;
  
  monitoring the operations of the object while processing within the re-instantiated virtual environment;
  
  identifying untrusted actions from the monitored operations; and
  
  generating a report identifying the operations and the untrusted actions of the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the object comprises an executable file, a batch file, or a data file.
  - 3. The method of claim 1, further comprising performing a heuristic process on the object and determining the one or more resources the object requires based on the result of the heuristic process.
  - 4. The method of claim 1, wherein determining the one or more resources the object requires based on metadata associated with the object.
  - 5. The method of claim 1, wherein the one or more resources may include one or more applications.
  - 6. The method of claim 1, wherein generating the report identifying the operations and the untrusted actions of the object comprises generating a signature to be used to detect malware.
  - 7. The method of claim 1, wherein generating the report identifying the operations and the untrusted actions of the object comprises identifying a vulnerability in an application based on the operations and the untrusted actions of the object.
  - 8. The method of claim 1, wherein re-instantiating the virtual environment with the additional resource as well as the one or more resources comprises instantiating a second instance of a virtual environment with at least one resource that is different than a resource available in the prior virtual environment.
  - 9. The method of claim 8, further comprising comparing identified monitored operations of the prior virtual environment to operations monitored in the second instance of the virtual environment.
  - 10. The method of claim 9, wherein generating the report comprises generating the report based, at least in part, on the comparison.
  - 11. The method of claim 1, further comprising increasing or decreasing a clock signal within the virtual environment.
  - 12. The method of claim 1, further comprising logging a state of the virtual environment while monitoring the operations of the object.
  - 13. The method of claim 12, wherein re-instantiating the virtual environment with the additional resource as well as the one or more resources comprises halting the virtual environment and re-instantiating the virtual environment with the logged state.

14. A system comprising:
- a collection module configured to receive an object provided from a first digital device to a second digital device;
  
  a virtualization module configured to instantiate a virtual environment with the one or more resources, to process the object within the virtual environment, to identify an additional resource of the object while processing that is not provided in the virtual environment, re-instantiate the virtual environment with the additional resource as well as the one or more resources, and to taint operations of the object within the virtual environment;
  
  a control module configured to determine one or more resources the object requires when the object is processed, to monitor the operations of the object while processing within the virtual environment, to monitor the operations of the object while processing within the re-instantiated virtual environment, and to identify untrusted actions from the monitored operations; and
  
  a report module configured to generate a report identifying the operations and the untrusted actions of the object.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the object comprises an executable file, a batch file, or a data file.
  - 16. The system of claim 14, further comprising a heuristic module configured to perform a heuristic process on the object and determining the one or more resources the object requires based on the result of the heuristic process.
  - 17. The system of claim 14, wherein the control module determines the one or more resources of the object based on metadata associated with the object.
  - 18. The system of claim 14, wherein the one or more resources may include one or more applications.
  - 19. The system of claim 14, wherein the report module configured to generate the report identifying the operations and the untrusted actions of the object comprises the report module configured to generate a signature to be used to detect malware.
  - 20. The system of claim 14, wherein the report module configured to generate the report identifying the operations and the untrusted actions of the object comprises the report module configured to identify a vulnerability in an application based on the operations and the untrusted actions of the object.
  - 21. The system of claim 14, wherein the virtualization module configured to re-instantiate the virtual environment with the additional resource as well as the one or more resources comprises the virtualization module configured to instantiate a second instance of a virtual environment with at least one resource that is different than a resource available in the prior virtual environment.
  - 22. The system of claim 21, wherein the virtualization module is further configured to compare identified monitored operations of the prior virtual environment to operations monitored in the second instance of the virtual environment.
  - 23. The system of claim 22, wherein the reporting module is configured to generate the report based, at least in part, on the comparison.
  - 24. The system of claim 14, wherein the control module is further configured to increase or decrease a clock signal within the virtual environment.
  - 25. The system of claim 14, wherein the control module is further configured to log a state of the virtual environment while monitoring the operations of the object.
  - 26. The system of claim 25, wherein the virtualization module configured to re-instantiate the virtual environment with the additional resource as well as the one or more resources comprises the virtualization module configured to modify the re-instantiated virtual environment based on the logged state.

27. A computer readable medium comprising instructions, the instructions being executable by a processor for performing a method, the method comprising:
- intercepting an object provided from a first digital device to a second digital device;
  
  determining one or more resources the object requires when the object is executed;
  
  instantiating a virtual environment with the one or more resources;
  
  processing the object within the virtual environment;
  
  tainting operations of the object within the virtual environment;
  
  monitoring the operations of the object while processing within the virtual environment;
  
  identifying an additional resource of the object while processing that is not provided in the virtual environment;
  
  re-instantiating the virtual environment with the additional resource as well as the one or more resources;
  
  monitoring the operations of the object while processing within the re-instantiated virtual environment;
  
  identifying untrusted actions from the monitored operations; and
  
  generating a report identifying the operations and the untrusted actions of the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Golshan, Ali, Binder, James S.

Granted Patent

US 9,792,430 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

Systems and Methods for Virtualized Malware Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

250 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Virtualized Malware Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

250 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links