MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE
Abstract
A threat-aware microvisor may be deployed in a malware detection endpoint architecture and execute on an endpoint to provide exploit and malware detection within a network environment. Exploit and malware detection on the endpoint may be performed in accordance with one or more processes embodied as software modules or engines configured to detect suspicious and/or malicious behaviors of an operating system process (object), and to correlate and classify the detected behaviors as indicative of malware. Detection of suspicious and/or malicious behaviors may be performed by static and dynamic analysis of the object. Static analysis may examine the object to determine whether it is suspicious, while dynamic analysis may instrument the behavior of the object as the operating system process runs via capability violations of, e.g., operating system events. A behavioral analysis logic engine and a classifier may thereafter cooperate to perform correlation and classification of the detected behaviors.
148 Citations
Claims (25 total; the independent claims are reproduced below, dependent claims 2-18 and 20-22 are not shown)

1. A system comprising:
a memory of an endpoint coupled to a network, the memory configured to store an operating system process, a plurality of user mode processes, and a microvisor deployed in a malware detection endpoint architecture of the endpoint; and
a central processing unit (CPU) coupled to the memory and adapted to execute the operating system process, the user mode processes, and the microvisor, wherein the user mode processes and the microvisor when executed are operable to:
perform static analysis of an object of the operating system process to detect anomalous characteristics of the object as static analysis results;
perform dynamic analysis of the object to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results;
correlate the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
(Dependent claims 2-18 depend from claim 1.)
19. A method comprising:
performing static analysis of an object of an operating system process stored in a memory of an endpoint, the static analysis performed to detect anomalous characteristics of the object as static analysis results;
performing dynamic analysis of the object at the endpoint to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results;
correlating the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
rendering a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
(Dependent claims 20-22 depend from claim 19.)
23. A method comprising:
deploying a microvisor in a malware detection endpoint architecture of an endpoint, the microvisor having a main protection domain representative of a process executing in an operating system of the architecture, the main protection domain including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the endpoint;
spawning a micro-virtual machine as a container configured to encapsulate the process, the micro-virtual machine bound to a clone of the main protection domain representative of the operating system process;
performing dynamic analysis of the process to observe behaviors of the process via one or more capability violations as the process executes in the micro-virtual machine, the one or more capability violations generated by the microvisor at the clone of the main protection domain, wherein the behaviors are captured as dynamic analysis results;
correlating the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
rendering a decision of whether the process is malicious by classifying the correlation information of the process relative to known malware and benign content.
24. A non-transitory computer readable medium including program instructions for execution on one or more processors, the program instructions when executed operable to:
perform static analysis of an object of an operating system process stored in a memory of an endpoint, the static analysis performed to detect anomalous characteristics of the object as static analysis results;
perform dynamic analysis of the object at the endpoint to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results;
correlate the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
25. A system comprising:
a microvisor disposed beneath an operating system kernel of an endpoint and executing in kernel space of an architecture to control access to kernel resources of the endpoint for an operating system process;
a root task disposed over the microvisor and executing in user space of the architecture, the root task configured to communicate with the microvisor to allocate the kernel resources to user space modules loaded onto the endpoint; and
a behavioral analysis logic engine (BALE) disposed over the microvisor and executing in the user space of the architecture, the BALE embodied as a rules-based correlation engine to correlate results of static and dynamic analysis of an object executing on the endpoint against correlation rules to generate correlation information used to arrive at a decision of maliciousness;
wherein the microvisor, root task and BALE are organized as a trusted computing base (TCB), wherein the microvisor is configured to enforce a security property that prevents alteration of a state related to the security property of the microvisor, wherein the microvisor is further configured to implement the security property such that no module of the TCB modifies the state related to security of the microvisor without authorization, and wherein trustedness of the microvisor provides a predetermined level of confidence that the security property is implemented by the microvisor.
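The pipeline the independent claims describe, modelled end to end as an added Python example: a main protection domain whose capabilities list the kernel resources a process may touch, cloned and bound to a micro-VM that records every denied request as a capability violation (claim 23); static findings and those violations correlated against weighted rules into a risk level (claims 1, 19 and 24); and the resulting correlation information classified by nearest-neighbour similarity to reference profiles of known malware and benign content. This is an illustration written for this page, not code from the patent or its assignee, and every name (ProtectionDomain, MicroVM, RULES, REFERENCE, analyze), rule, weight, reference profile and sample finding is a constructed assumption rather than something the patent specifies.

```python
"""Toy model of the claimed detection pipeline (added example, not the patent's code).

All class, rule and profile names, the rule weights, the risk thresholds and the
sample findings below are constructed assumptions used only for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


# ---- Claim 23: main protection domain, cloned and bound to a micro-VM ----

@dataclass
class ProtectionDomain:
    """Capabilities name the kernel resources the process is permitted to access."""
    name: str
    capabilities: Set[str]

    def clone(self) -> "ProtectionDomain":
        # The micro-VM is bound to a copy, so observing the process never
        # alters the main protection domain.
        return ProtectionDomain(self.name + "-clone", set(self.capabilities))


@dataclass
class MicroVM:
    """Container for the process; every denied request is a capability violation."""
    domain: ProtectionDomain
    violations: List[str] = field(default_factory=list)

    def request(self, resource: str) -> bool:
        if resource in self.domain.capabilities:
            return True
        self.violations.append(resource)  # violation generated at the cloned domain
        return False


def run_dynamic_analysis(main: ProtectionDomain, trace: List[str]) -> List[str]:
    """Replay a constructed sequence of resource requests inside a micro-VM."""
    vm = MicroVM(main.clone())
    for resource in trace:
        vm.request(resource)
    return vm.violations


# ---- Claims 1/19/24: correlation rules over static + dynamic results ----

Rule = Tuple[str, int, Callable[[Set[str], List[str]], bool]]
RULES: List[Rule] = [
    ("static_packed",         2, lambda s, d: "packed_section" in s),
    ("static_high_entropy",   1, lambda s, d: "high_entropy" in s),
    ("dyn_kernel_write",      4, lambda s, d: "kernel_memory_write" in d),
    ("dyn_process_inject",    3, lambda s, d: "remote_process_write" in d),
    # A cross-source rule: packing observed statically *and* injection observed
    # dynamically together weigh more than either finding alone.
    ("packed_plus_injection", 3,
     lambda s, d: "packed_section" in s and "remote_process_write" in d),
]


def correlate(static: Set[str], dynamic: List[str]) -> Tuple[int, Set[str]]:
    """Return (risk score, names of the rules that fired)."""
    fired = {name for name, _, pred in RULES if pred(static, dynamic)}
    score = sum(weight for name, weight, _ in RULES if name in fired)
    return score, fired


def risk_level(score: int) -> str:
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


# ---- Classification relative to known malware and benign content ----
# Constructed reference profiles, expressed as sets of fired rule names.
REFERENCE: Dict[str, List[Set[str]]] = {
    "malware": [
        {"static_packed", "dyn_kernel_write", "dyn_process_inject", "packed_plus_injection"},
        {"dyn_kernel_write"},
    ],
    # A packed-but-clean program is a benign profile, so packing alone does not condemn.
    "benign": [set(), {"static_high_entropy"}, {"static_packed"}],
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def classify(fired: Set[str]) -> Tuple[str, float]:
    """Nearest reference profile by Jaccard similarity decides the verdict."""
    best_label, best_sim = "benign", -1.0
    for label, profiles in REFERENCE.items():
        for profile in profiles:
            sim = jaccard(fired, profile)
            if sim > best_sim:
                best_label, best_sim = label, sim
    return best_label, best_sim


def analyze(static: Set[str], trace: List[str], main: ProtectionDomain) -> dict:
    """Full pipeline: dynamic analysis -> correlation -> risk level -> classification."""
    violations = run_dynamic_analysis(main, trace)
    score, fired = correlate(static, violations)
    label, sim = classify(fired)
    return {"violations": violations, "fired": fired, "score": score,
            "risk": risk_level(score), "verdict": label, "similarity": sim}


# Constructed main protection domain: the process may read/write files and send on the network.
MAIN = ProtectionDomain("main", {"file_read", "file_write", "network_send"})

if __name__ == "__main__":
    # Constructed sample: packed object that writes kernel memory and another process.
    print(analyze({"packed_section", "high_entropy"},
                  ["file_read", "kernel_memory_write", "remote_process_write"], MAIN))
    # Constructed sample: packed object that stays within its capabilities.
    print(analyze({"packed_section"}, ["file_read", "network_send"], MAIN))
```

The design choice worth noting is that a static finding on its own (the packed object in the second sample) scores low and classifies as benign, because the correlation rules only escalate when the dynamic capability violations corroborate it; that is the point of correlating the two result sets rather than acting on either alone.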