System, Apparatus and Method for Using Malware Analysis Results to Drive Adaptive Instrumentation of Virtual Machines to Improve Exploit Detection

US 20150096025A1
Filed: 09/30/2013
Published: 04/02/2015
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

determining, by a virtual machine being executed by hardware circuitry, an event during malware analysis of an object associated with content under analysis; and

dynamically altering a virtual machine instrumentation of the virtual machine by the hardware circuitry based on information associated with the event.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.

303 Citations

24 Claims

1. A computerized method comprising:
- determining, by a virtual machine being executed by hardware circuitry, an event during malware analysis of an object associated with content under analysis; and
  
  dynamically altering a virtual machine instrumentation of the virtual machine by the hardware circuitry based on information associated with the event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computerized method of claim 1, wherein the hardware circuitry comprises one or more processors.
  - 3. The computerized method of claim 1, wherein the event comprises at least one of (1) a detection of an exploit during analysis of results produced by the malware analysis;
    - (2) an occurrence of a first timeout condition;
      
      (3) a detection of an access to a particular memory address range within a memory device; and
      
      (4) detection of an exploit causing an overflow condition of a first type of buffer.
  - 4. The computerized method of claim 1, wherein the dynamic altering of the virtual machine instrumentation comprises changing an instrumentation of a virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device, where both the first instrumentation and the second instrumentation of the virtual device having a same defined operation and the second instrumentation of the virtual device having additional functionality from functionality provided by the first instrumentation of the virtual device.
  - 5. The computerized method of claim 4, wherein the second instrumentation of the virtual device being downloaded from a cloud computing service.
  - 6. The computerized method of claim 1, wherein the virtual machine instrumentation comprises logic that performs one of a plurality of virtualized operations including (i) controlling virtualized operations conducted on the object associated with the content under analysis being network traffic and (ii) monitoring the virtualized operations conducted on the object.
  - 7. The computerized method of claim 1, wherein determining of the event during malware analysis of an object associated with the content under analysis comprises (i) performing a replay operation on the object and (ii) analyzing characteristics associated with anomalous behavior if an exploit associated with the object is detected during the replay operation.
  - 8. The computerized method of claim 1, wherein the characteristics associated with anomalous behavior comprises at least one of unexpected network transmissions from an electronic device that comprises the hardware circuitry and unexpected changes in performance by the electronic device.
  - 9. The computerized method of claim 1, wherein dynamically altering of the virtual machine instrumentation comprises changing operations of the virtual machine running as part of a host virtual system for detecting exploits associated with the network traffic while preserving state so as to remain transparent to a guest virtual system of the virtual machine.
  - 10. The computerized method of claim 1, wherein dynamically altering of the virtual machine instrumentation comprises altering the virtual machine to focus further analysis on a particular exploit or a family of exploits that are more likely to be present within the network traffic based on prior malware analysis results.
  - 11. The computerized method of claim 1, wherein dynamically altering of the virtual machine instrumentation comprises interrupting a virtual machine (VM) replay to change an instrumentation for at least one virtual machine (VM) process of the virtual machine during malware analysis of the object.
  - 12. The computerized method of claim 1 further comprising conducting malware analysis on the object using the virtual machine having the changed instrumentation for the at least one VM process.
  - 13. The computerized method of claim 1, wherein dynamically altering of the virtual machine instrumentation comprises interrupting a virtual machine (VM) replay to change an instrumentation for at least one virtual machine (VM) process of the virtual machine during malware analysis of a second object different from the object, where the object and the second object are part of the same data flow.

14. An electronic device comprising:
- a memory to store information;
  
  a processor adapted to receive information associated with network traffic, the processor to process the stored information and conduct operations on the network traffic, the operations comprise (i) determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with content under analysis, and (ii) dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The electronic device of claim 14, the processor detects the occurrence of the event by detecting at least one of (1) an exploit during analysis of results produced by the malware analysis;
    - (2) an occurrence of a first timeout condition;
      
      (3) an access to a particular memory address range within a memory device; and
      
      (4) an exploit causing an overflow condition of a first type of buffer.
  - 16. The electronic device of claim 14, wherein the dynamic altering of the virtual machine instrumentation comprises changing an instrumentation of a virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device, where both the first instrumentation and the second instrumentation of the virtual device having a same defined operation and the second instrumentation of the virtual device having additional functionality from functionality provided by the first instrumentation of the virtual device.
  - 17. The electronic device of claim 16, wherein the second instrumentation of the virtual device being downloaded from a cloud computing service.
  - 18. The electronic device of claim 14, wherein the virtual machine instrumentation comprises logic that performs one of a plurality of virtualized operations including (i) controlling virtualized operations conducted on the object associated with the content received over a network and (ii) monitoring the virtualized operations conducted on the object.
  - 19. The electronic device of claim 14, wherein the processor determines the event during malware analysis of the object associated with network traffic by (i) performing a replay operation on the object and (ii) analyzing characteristics associated with anomalous behavior if an exploit associated with the object is detected during the replay operation.
  - 20. The electronic device of claim 19, wherein the characteristics associated with anomalous behavior comprises at least one of unusual network transmissions from the electronic device and unusual changes in performance by the electronic device.
  - 21. The electronic device of claim 14, wherein the processor dynamically altering of the virtual machine instrumentation by at least changing subsequent operations of the virtual machine, running as part of a host virtual system in the electronic device, for detecting exploits associated with the network traffic while preserving state so as to remain transparent to a guest virtual system of the electronic device.
  - 22. The electronic device of claim 14, wherein the processor dynamically altering the virtual machine instrumentation so that the virtual machine conducts subsequent analysis on a particular exploit or a family of exploits that are more likely to be present within the network traffic based on prior malware analysis results.
  - 23. The electronic device of claim 14, wherein the processor dynamically altering of the virtual machine instrumentation comprises interrupting a virtual machine (VM) replay to at least (i) change an instrumentation for at least one virtual machine (VM) process of the virtual machine during malware analysis of the object and (ii) change the instrumentation during malware analysis of a second object different from the object, where the object and the second object are part of the same data flow.
  - 24. The electronic device of claim 14, wherein the processor further conducting malware analysis on the object using the virtual machine having the changed instrumentation for the at least one VM process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul

Granted Patent

US 9,736,179 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

System, Apparatus and Method for Using Malware Analysis Results to Drive Adaptive Instrumentation of Virtual Machines to Improve Exploit Detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

303 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System, Apparatus and Method for Using Malware Analysis Results to Drive Adaptive Instrumentation of Virtual Machines to Improve Exploit Detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links