Process Evaluation for Malware Detection in Virtual Machines
Abstract
Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. An anti-malware component executes within a virtual machine (VM) exposed by a hypervisor executing on the computer system. A memory introspection engine executes outside the virtual machine, at the processor privilege level of the hypervisor, and protects a process executing within the virtual machine by write-protecting a memory page of the respective process. By combining anti-malware components executing inside and outside the respective VM, some embodiments of the present invention may use the abundance of behavioral data that inside-VM components have access to, while protecting the integrity of such components from outside the respective VM.
24 Claims
1. A host system comprising at least one processor configured to execute:
- a hypervisor configured to expose a virtual machine;
- a process evaluator executing within the virtual machine;
- a memory introspection engine executing outside the virtual machine; and
- a process-scoring module,
wherein:
- the process evaluator is configured to: determine whether an evaluated process executing within the virtual machine performs an action, and in response, when the evaluated process performs the action, transmit a first process evaluation indicator to the process-scoring module, the first process evaluation indicator determined for the evaluated process;
- the memory introspection engine is configured to: intercept a call to an operating system function, to detect a launch of a protected process executing within the virtual machine, wherein the operating system function is configured to add the protected process to a list of processes executing within the virtual machine, and in response to detecting the launch, determine whether the evaluated process attempts to modify a memory page of the protected process, and in response, when the evaluated process attempts to modify the memory page, transmit a second process evaluation indicator to the process-scoring module, the second process evaluation indicator determined for the evaluated process; and
- the process-scoring module is configured to: receive the first and second process evaluation indicators, and in response, determine whether the evaluated process is malicious according to the first and second process evaluation indicators.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A non-transitory computer-readable medium encoding instructions which, when executed on a host system comprising at least one processor, cause the host system to form:
- a hypervisor configured to expose a virtual machine;
- a process evaluator executing within the virtual machine;
- a memory introspection engine executing outside the virtual machine; and
- a process-scoring module,
wherein:
- the process evaluator is configured to: determine whether an evaluated process executing within the virtual machine performs an action, and in response, when the evaluated process performs the action, transmit a first process evaluation indicator to the process-scoring module, the first process evaluation indicator determined for the evaluated process;
- the memory introspection engine is configured to: intercept a call to an operating system function, to detect a launch of a protected process executing within the virtual machine, wherein the operating system function executes within the virtual machine and is configured to add the protected process to a list of processes executing within the virtual machine, and in response to detecting the launch, determine whether the evaluated process attempts to modify a memory page of the protected process, and in response, when the evaluated process attempts to modify the memory page, transmit a second process evaluation indicator to the process-scoring module, the second process evaluation indicator determined for the evaluated process; and
- the process-scoring module is configured to: receive the first and second process evaluation indicators, and in response, determine whether the evaluated process is malicious according to the first and second process evaluation indicators.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.
23. A method comprising:
- employing at least one processor of a host system to receive a first process evaluation indicator determined for an evaluated process, the evaluated process executing within a virtual machine exposed by a hypervisor executing on the host system;
- employing the at least one processor to receive a second process evaluation indicator determined for the evaluated process; and
- in response to receiving the first and second process evaluation indicators, employing the at least one processor to determine whether the evaluated process is malicious according to the first and second process evaluation indicators;
wherein determining the first process evaluation indicator comprises employing a process evaluator executing within the virtual machine to determine whether the evaluated process performs a first action, and wherein determining the second process evaluation indicator comprises employing a memory introspection engine executing outside the virtual machine to determine whether the evaluated process performs a second action.
24. A method comprising:
- employing at least one processor of a host system to execute a memory introspection engine, the memory introspection engine executing outside a virtual machine exposed by a hypervisor executing on the host system, wherein executing the memory introspection engine comprises detecting a launch of a process executing within the virtual machine;
- in response to the memory introspection engine detecting the launch of the process, employing the at least one processor to determine a first and a second process evaluation indicators of the process; and
- in response to determining the first and second evaluation indicators, employing the at least one processor to determine whether the process is malicious according to the first and second process evaluation indicators.
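The two-sided design of the abstract and claim 1, as an added simulation that is not part of the patent: an in-VM process evaluator and an out-of-VM introspection engine each submit indicators about the same evaluated process to a scoring module, and only their combination produces a verdict. The indicator weights, the threshold, the protected process name and the hook method names are assumptions; the hypervisor, the guest OS and page write-protection are modelled as plain Python method calls.

```python
from collections import defaultdict, namedtuple
# Constructed simulation of the claim 1 architecture (not the patent's code): hypervisor,
# guest OS and page write-protection are modelled as plain Python method calls.
Indicator = namedtuple("Indicator", "pid source kind weight")  # source: "in_vm" / "out_vm"
class ProcessScorer:
    """Process-scoring module: sums indicators received from both sides of the VM."""
    THRESHOLD = 100  # assumed verdict rule; the patent does not fix one
    def __init__(self):
        self.indicators = defaultdict(list)
    def submit(self, ind):
        self.indicators[ind.pid].append(ind)
    def score(self, pid):
        return sum(i.weight for i in self.indicators[pid])
    def is_malicious(self, pid):
        return self.score(pid) >= self.THRESHOLD

class ProcessEvaluator:
    """Inside-VM component: reports behavioural actions of the evaluated process."""
    WEIGHTS = {"inject_code": 40, "open_file": 5}  # assumed action weights
    def __init__(self, scorer):
        self.scorer = scorer
    def on_action(self, pid, action):
        if action in self.WEIGHTS:
            self.scorer.submit(Indicator(pid, "in_vm", action, self.WEIGHTS[action]))

class IntrospectionEngine:
    """Outside-VM component: hooks the guest OS function that adds a process to the process
    list, write-protects (here: records) a protected process's pages, reports foreign writes."""
    def __init__(self, scorer, protected_names):
        self.scorer = scorer
        self.protected_names = set(protected_names)
        self.page_owner = {}  # guest page -> pid of the protected process owning it
    def on_process_list_insert(self, pid, name, pages):
        if name in self.protected_names:
            self.page_owner.update({page: pid for page in pages})
    def on_write_attempt(self, writer_pid, page):
        owner = self.page_owner.get(page)
        if owner is not None and owner != writer_pid:  # a process writing itself is fine
            self.scorer.submit(Indicator(writer_pid, "out_vm", "write_protected_page", 70))

def run_scenario():
    scorer = ProcessScorer()
    engine = IntrospectionEngine(scorer, {"security_agent"})
    evaluator = ProcessEvaluator(scorer)
    engine.on_process_list_insert(pid=100, name="security_agent", pages=[0x1000, 0x2000])
    evaluator.on_action(200, "open_file")    # benign process: 5
    engine.on_write_attempt(100, 0x1000)     # agent writing its own page: no indicator
    evaluator.on_action(300, "inject_code")  # alone: 40, below threshold
    engine.on_write_attempt(300, 0x1000)     # alone: 70, below threshold; combined 110
    return scorer
```

Neither side's indicator crosses the threshold on its own; the verdict for process 300 exists only because the scoring module sees both the in-VM behaviour and the out-of-VM memory write.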