MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE

US 20160191550A1
Filed: 11/02/2015
Published: 06/30/2016
Est. Priority Date: 12/29/2014
Status: Abandoned Application

First Claim

Patent Images

1. A system comprising:

a memory of an endpoint coupled to a network, the memory configured to store an operating system process, a plurality of user mode processes, and a microvisor deployed in a malware detection endpoint architecture of the endpoint; and

a central processing unit (CPU) coupled to the memory and adapted to execute the operating system process, the user mode processes, and the microvisor, wherein the user mode processes and the microvisor when executed are operable to;

perform static analysis of an object of the operating system process to detect anomalous characteristics of the object as static analysis results;

perform dynamic analysis of the object to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results;

correlate the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and

render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat-aware microvisor may be deployed in a malware detection endpoint architecture and execute on an endpoint to provide exploit and malware detection within a network environment. Exploit and malware detection on the endpoint may be performed in accordance with one or more processes embodied as software modules or engines configured to detect suspicious and/or malicious behaviors of an operating system process (object), and to correlate and classify the detected behaviors as indicative of malware. Detection of suspicious and/or malicious behaviors may be performed by static and dynamic analysis of the object. Static analysis may perform examination of the object to determine whether it is suspicious, while dynamic analysis may instrument the behavior of the object as the operating system process runs via capability violations of, e.g. operating system events. A behavioral analysis logic engine and a classifier may thereafter cooperate to perform correlation and classification of the detected behaviors.

148 Citations

25 Claims

1. A system comprising:
- a memory of an endpoint coupled to a network, the memory configured to store an operating system process, a plurality of user mode processes, and a microvisor deployed in a malware detection endpoint architecture of the endpoint; and
  
  a central processing unit (CPU) coupled to the memory and adapted to execute the operating system process, the user mode processes, and the microvisor, wherein the user mode processes and the microvisor when executed are operable to;
  
  perform static analysis of an object of the operating system process to detect anomalous characteristics of the object as static analysis results;
  
  perform dynamic analysis of the object to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results;
  
  correlate the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
  
  render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1 wherein the microvisor is organized as a main protection domain representative of the operating system process and including one or more execution contexts and capabilities defining permissions for the operating system process to access kernel resources of the endpoint.
  - 3. The system of claim 2 further comprising a virtual machine monitor (VMM) stored in the memory and executable by the CPU, the VMM when executed operable to:
    - spawn a micro-virtual machine as a container configured to encapsulate the operating system process;
      
      clone the main protection domain by copying the execution contexts and capabilities to create a cloned protection domain representative of the operating system process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources; and
      
      cooperate with the micro-virtual machine to monitor operation of the operating system process encapsulated in the micro-virtual machine as the operating system process attempts to access one or more of the kernel resources.
  - 4. The system of claim 3 wherein the microvisor when executed is further operable to generate the one or more capability violations at the cloned protection domain in response to the operating system process attempting to access one or more of the kernel resources.
  - 5. The system of claim 4 wherein the dynamic analysis comprises exploit detection to observe the behaviors of the object by instrumenting the object as the operating system process executes at the micro-virtual machine.
  - 6. The system of claim 5 wherein the dynamic analysis further comprises monitors configured to monitor run-time behaviors of the object, the monitors embodied as the one or more capability violations configured to trace one or more operating system events.
  - 7. The system of claim 6 wherein the monitors comprise breakpoints inserted within code of the operating system process, wherein the breakpoints are configured to trigger the one or more capability violations in response to the operating system process accessing the object to monitor the run-time behaviors.
  - 8. The system of claim 4 wherein the user mode processes comprise an indicator generator stored in the memory and executable by the CPU, the indicator generator when executed operable to create behavioral indicators of observed behaviors of the object as indicative of malware.
  - 9. The system of claim 8 wherein the behavioral indicators are embodied as signatures of behaviors of malware observed during the dynamic analysis of the object.
  - 10. The system of claim 9 wherein the indicator generator is configured to generate the behavioral indicators and anti-virus signatures to provide a robust set of indicators for use by the endpoint.
  - 11. The system of claim 10 wherein the indicator generator is further configured to organize the behavioral indicators as indicator reports for distribution to an intermediate node of the network and for distribution to appliances within other networks.
  - 12. The system of claim 11 wherein the user mode processes comprise an indicator scanner stored in the memory and executable by the CPU, the indicator scanner when executed operable to prevent processing of the object based on the robust set of indicators in the report.
  - 13. The system of claim 12 wherein the indicator scanner is configured to:
    - perform indicator comparison and matching as the object is instrumented by the micro-virtual machine; and
      
      in response to a match, cooperate with the microvisor to terminate execution of the operating system process.
  - 14. The system of claim 1 wherein the user mode processes comprise a static inspection engine stored in the memory and executable by the CPU, the static inspection engine when executed operable to match bit patterns of indicators with bit patterns of the object, wherein the indicators are exploit indicators used to gather information indicative of suspiciousness.
  - 15. The system of claim 14 wherein the indicators are vulnerability indicators and wherein the static inspection engine is further configured to compare the bit patterns of the object with bit patterns of the vulnerability indicators, wherein the vulnerability indicators are indicative of types of objects prohibited from running on the endpoint.
  - 16. The system of claim 1 wherein the user mode processes comprise a heuristics engine stored in the memory and executable by the CPU, the heuristics engine when executed operable to apply policies to detect anomalous characteristics of the object in order to identify whether the object is suspect and deserving of further analysis or whether it is non-suspect and not in need of further analysis.
  - 17. The system of claim 1 wherein the user mode processes comprise a behavioral analysis logic engine (BALE) stored in the memory and executable by the CPU, the BALE when executed operable to correlate the static analysis results and the dynamic analysis results by operating on correlation rules that define sequences of known malicious events, the BALE embodied as a rules-based correlation engine executing as an isolated process disposed over the microvisor within the malware detection endpoint architecture of the endpoint.
  - 18. The system of claim 17 wherein the user mode processes comprise a classifier stored in the memory and executable by the CPU, the classifier when executed operable to render the decision of whether the object is malicious based on the risk level exceeding a probability threshold.

19. A method comprising:
- performing static analysis of an object of an operating system process stored in a memory of an endpoint, the static analysis performed to detect anomalous characteristics of the object as static analysis results;
  
  performing dynamic analysis of the object at the endpoint to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results;
  
  correlating the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used arrive at a decision of maliciousness; and
  
  rendering a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19 further comprising:
    - spawning a micro-virtual machine as a container configured to encapsulate the operating system process;
      
      cloning a main protection domain of a microvisor stored in the memory by copying execution contexts and capabilities of the main protection domain to create a cloned protection domain representative of the operating system process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to kernel resources of the endpoint; and
      
      monitoring operation of the operating system process encapsulated in the micro-virtual machine as the operating system process attempts to access one or more of the kernel resources.
  - 21. The method of claim 20 whereingenerating the one or more capability violations at the cloned protection domain in response to the operating system process attempting to access one or more of the kernel resources.
  - 22. The method of claim 21 whereinobserving the behaviors of the object by instrumenting the object as the operating system process executes at the micro-virtual machine.

23. A method comprising:
- deploying a microvisor in a malware detection endpoint architecture of an endpoint, the microvisor having a main protection domain representative of a process executing in an operating system of the architecture, the main protection domain including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the endpoint;
  
  spawning a micro-virtual machine as a container configured to encapsulate the process, the micro-virtual machine bound to a clone of the main protection domain representative of the operating system process;
  
  performing dynamic analysis of the process to observe behaviors of the process via one or more capability violations as the process executes in the micro-virtual machine, the one or more capability violations generated by the microvisor at the cloned of the main protection domain, wherein the behaviors are captured as dynamic analysis results;
  
  correlating the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
  
  rendering a decision of whether the process is malicious by classifying the correlation information of the process relative to known malware and benign content.

24. A non-transitory computer readable medium including program instructions for execution on one or more processors, the program instructions when executed operable to:
- perform static analysis of an object of an operating system process stored in a memory of an endpoint, the static analysis performed to detect anomalous characteristics of the object as static analysis results;
  
  perform dynamic analysis of the object at the endpoint to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results;
  
  correlate the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
  
  render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.

25. A system comprising:
- a microvisor disposed beneath an operating system kernel of an endpoint and executing in kernel space of an architecture to control access to kernel resources of the endpoint for an operating system process;
  
  a root task disposed over the microvisor and executing in user space of the architecture, the root task configured to communicate with the microvisor to allocate the kernel resources to user space modules loaded onto the endpoint; and
  
  a behavioral analysis logic engine (BALE) disposed over the microvisor and executing in the user space of the architecture, the BALE embodied as a rules-based correlation engine to correlate results of static and dynamic analysis of an object executing on the endpoint against correlation rules to generate correlation information used to arrive at a decision of maliciousness;
  
  wherein the microvisor, root task and BALE are organized as a trusted computing base (TCB), wherein the microvisor is configured to enforce a security property that is prevents alteration of a state related to the security property of the microvisor, wherein the microvisor is further configured to implement the security property such that no module of the TCB modifies the state related to security of the microvisor without authorization, and wherein trustedness of the microvisor provides a predetermined level of confidence that the security property is implemented by the microvisor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FireEye, Inc.
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Aziz, Ashar

Application Number

US14/929,821
Publication Number

US 20160191550A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

148 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others