MICRO-VIRTUAL MACHINE FORENSICS AND DETECTION
Abstract
The execution of a process within a VM may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM.
Claims (26)
1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
    identifying an action performed by a process executing within an isolated environment, wherein identifying comprises:
        monitoring a list of processes to determine when a new process is initiated within the isolated environment,
        monitoring events associated with a guest operating system executing within said isolated environment, and
        monitoring events associated with said isolated environment, wherein said events include attempts to modify page tables and attempts to access CPU registers;
    determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process;
    upon determining that the process deviates from the expected behavior, initiating monitoring activity of the process by storing behavior data that describes the actual behavior of the process during execution; and
    determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
Claims 2 through 13 depend from claim 1.
14. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
    executing a process in an isolated environment;
    identifying an action performed by said process executing within said isolated environment, wherein identifying comprises:
        monitoring a list of processes to determine when a new process is initiated,
        monitoring events associated with a guest operating system executing within said isolated environment, and
        monitoring events associated with said isolated environment, wherein said events include attempts to modify page tables and attempts to access CPU registers;
    collecting data related to events occurring in the isolated environment, wherein the data collection is in response to a determination that a process has deviated from expected behavior; and
    generating graphical nodes in a visual display, where the nodes represent the events occurring in the isolated environment.
Claims 15 through 26 depend from claim 14.
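The two independent claims describe a single monitoring loop: watch the process list of the isolated environment for new processes, compare each process's observed guest-OS and hypervisor-level events against an expected-behavior profile, start storing behavior data at the first deviation, decide from that stored data whether the process is compromised (claim 1), and render the stored events as graph nodes (claim 14). The Python below is an added illustration of that loop written for this page; it is not the patentee's code, and the patent text here does not fix an event format, a profile, or a compromise rule. The event kinds, the per-image profile, the compromise rule (any attempt to touch page tables or a control register, or two distinct unexpected event kinds), and the event stream are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One observation from the isolated environment (format is an assumption)."""
    seq: int          # monotonically increasing sequence number
    source: str       # "proclist", "guest_os" or "hypervisor"
    pid: int          # guest process the event is attributed to
    kind: str         # event type, e.g. "file_open" or "page_table_write"
    detail: str = ""  # free-form argument: image name, path, register, ...


# Expected-behavior profile keyed by process image. Assumed values: the claims
# only require that an expected behavior exist, not what it contains. An image
# with no profile deviates on its first non-start event.
EXPECTED: Dict[str, Set[str]] = {
    "winword.exe": {"file_open", "registry_read", "net_connect"},
}
# Isolated-environment events the claims name explicitly
HYPERVISOR_EVENTS: Set[str] = {"page_table_write", "cr_access"}


@dataclass
class ProcessState:
    image: str
    triggered: bool = False                  # deviation seen, recording active
    behavior_data: List[Event] = field(default_factory=list)


class MicroVmMonitor:
    def __init__(self, expected: Dict[str, Set[str]] = EXPECTED) -> None:
        self.expected = expected
        self.processes: Dict[int, ProcessState] = {}

    def observe(self, ev: Event) -> None:
        """Claim 1 steps: track new processes, compare to profile, record on deviation."""
        if ev.kind == "process_start":       # new entry in the process list
            self.processes.setdefault(ev.pid, ProcessState(image=ev.detail))
            return
        st = self.processes.get(ev.pid)
        if st is None:
            return                           # event for a pid we never saw start
        if not st.triggered and ev.kind not in self.expected.get(st.image, set()):
            st.triggered = True              # actual behavior deviates: start monitoring
        if st.triggered:
            st.behavior_data.append(ev)      # store behavior data from the trigger onward

    def is_compromised(self, pid: int) -> bool:
        """Analyze stored behavior data. Assumed rule: any attempt on page tables
        or CPU control registers, or two or more distinct unexpected kinds."""
        st = self.processes.get(pid)
        if st is None or not st.triggered:
            return False
        kinds = {e.kind for e in st.behavior_data}
        if kinds & HYPERVISOR_EVENTS:
            return True
        return len(kinds - self.expected.get(st.image, set())) >= 2

    def event_graph(self, pid: int) -> Tuple[List[Tuple[int, str]], List[Tuple[int, int]]]:
        """Claim 14: one node per stored event, edges chaining them in observed order."""
        st = self.processes.get(pid)
        if st is None:
            return [], []
        nodes = [(e.seq, f"{e.source}:{e.kind}({e.detail})") for e in st.behavior_data]
        edges = [(a.seq, b.seq) for a, b in zip(st.behavior_data, st.behavior_data[1:])]
        return nodes, edges


# Constructed event stream: a benign Word session (pid 100) and one that is
# exploited and then tampers with page tables and CR4 (pid 200).
SAMPLE_EVENTS: List[Event] = [
    Event(1, "proclist", 100, "process_start", "winword.exe"),
    Event(2, "guest_os", 100, "file_open", r"C:\Users\a\report.docx"),
    Event(3, "guest_os", 100, "registry_read", r"HKCU\Software\Microsoft\Office"),
    Event(4, "proclist", 200, "process_start", "winword.exe"),
    Event(5, "guest_os", 200, "file_open", r"C:\Users\a\invoice.docx"),
    Event(6, "guest_os", 200, "thread_inject", "target=lsass.exe"),   # first deviation
    Event(7, "hypervisor", 200, "page_table_write", "pml4[0x1ff]"),
    Event(8, "hypervisor", 200, "cr_access", "CR4.SMEP cleared"),
    Event(9, "guest_os", 100, "net_connect", "update.office.com:443"),
]


def run_sample() -> MicroVmMonitor:
    mon = MicroVmMonitor()
    for ev in SAMPLE_EVENTS:
        mon.observe(ev)
    return mon


if __name__ == "__main__":
    m = run_sample()
    for pid in (100, 200):
        state = "triggered" if m.processes[pid].triggered else "clean"
        verdict = "compromised" if m.is_compromised(pid) else "not compromised"
        print(pid, state, verdict)
    nodes, edges = m.event_graph(200)
    for n in nodes:
        print("node", n)
    for e in edges:
        print("edge", e)
```

In the sample, pid 100 never leaves its profile, so nothing is stored for it and it is not analyzed; pid 200 trips on the thread injection, and from that point the page-table write and the CR4 access are captured as behavior data, which is what the compromise rule then keys on. The graph for pid 200 has three nodes chained in observed order. A real deployment would feed the hypervisor-source events from the VMM's page-table and control-register exit handlers and the guest-OS events from an in-guest driver; the model above only abstracts the decision logic that sits behind them.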