EXPLOIT DETECTION SYSTEM

US 20160285914A1
Filed: 06/15/2015
Published: 09/29/2016
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising;

processing an object in a first virtual machine;

upon detection of a triggering event within the first virtual machine, providing information associated with the triggering event to a security virtual machine, the security virtual machine is different from the first virtual machine; and

determining, within the security virtual machine, whether the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines are configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious,” or “malicious.”

Citations

21 Claims

1. A system comprising:
- one or more processors; and
  
  a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising;
  
  processing an object in a first virtual machine;
  
  upon detection of a triggering event within the first virtual machine, providing information associated with the triggering event to a security virtual machine, the security virtual machine is different from the first virtual machine; and
  
  determining, within the security virtual machine, whether the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1 further comprising:
    - prior to processing the object, performing a pre-processing within the security virtual machine based on identifying information of the object provided by logic of the first virtual machine, wherein the pre-processing includes a comparison of the identifying information with at least one of a whitelist or a blacklist.
  - 3. The system of claim 1 further comprising:
    - prior to processing the object, performing a pre-processing within the security virtual machine based on identifying information of the object provided by logic of the first virtual machine, wherein the pre-processing includes a signature check of the identifying information of the object.
  - 4. The system of claim 1, wherein the information associated with the triggering event is an event that, through at least one of experiential knowledge or machine learning techniques, has been determined to have an association with a malicious attack.
  - 5. The system of claim 1, wherein the triggering event is an attempt to perform one of:
    - (i) deleting a first file or a first directory, (ii) creating a second file or second directory, (iii) establishing communication with an external server, (iv) protecting a file or directory with a password, or (v) encrypting a third file or a third directory.
  - 6. The system of claim 1, wherein the first virtual machine simulates an endpoint device through configuration of the first virtual machine using a prescribed software profile.
  - 7. The system of claim 1, wherein logic within the security virtual machine receives information associated with one or more triggering events from each of a plurality of first virtual machines included in the system.
  - 8. The system of claim 1 further comprising:
    - upon determining the object is malicious, generating an alert within the security virtual machine to notify one or more of a user of an endpoint device, a network administrator or an expert network analyst.
  - 9. The system of claim 8, wherein the alert is provided to the one or more of a user of an endpoint device, a network administrator or an expert network analyst through a security appliance.
  - 10. The system of claim 1 further comprising:
    - upon determining the object is malicious, adding information associated with the object to a blacklist.
  - 11. The system of claim 1 further comprising:
    - upon determining the object is malicious, uploading information associated with the object to cloud services.
  - 12. The system of claim 1 further comprising:
    - receiving, by logic of the security virtual machine, (a) one or more updates to one or more of (i) a blacklist, (ii) a whitelist, or (iii) a correlation rule of one or more correlation rules, or (b) a set of correlation rules including updates to the one or more correlation rules from a security appliance.

13. A non-transitory computer readable medium having stored thereon logic that, upon execution by one or more processors, performs operations comprising:
- processing an object in one of a plurality of first virtual machines, wherein the plurality of first virtual machines are contained within a virtual machine host, the virtual machine host also including a security virtual machine that is different from the first virtual machine;
  
  upon detection of a triggering event within the one of the plurality of first virtual machines, providing, by logic of the one of the plurality of first virtual machines, information associated with the triggering event to the security virtual machine;
  
  determining, within the security virtual machine, the object is suspicious based upon an analysis of the information associated with the triggering event using one or more correlation rules;
  
  providing, by the logic of the one of the plurality of first virtual machines, additional information associated with processing of the object after the detection of the triggering event, to the security virtual machine; and
  
  determining, within the security virtual machine, the object is malicious based upon an analysis of the additional information associated with processing of the object after the detection of the triggering event using one or more correlation rules.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable medium of claim 13 further comprising:
    - upon determination the object is suspicious, requesting, by logic within the security virtual machine, the additional information associated with processing of the object after the detection of the triggering event.
  - 15. The non-transitory computer readable medium of claim 13 further comprising:
    - prior to processing the object, performing a pre-processing in the security virtual machine based on identifying information of the object provided by logic of the one of the plurality of first virtual machines, wherein the pre-processing includes a comparison of the identifying information with at least one of a whitelist or a blacklist.
  - 16. The non-transitory computer readable medium of claim 13 further comprising:
    - prior to processing the object, performing a pre-processing in the security virtual machine based on identifying information of the object provided by logic of the one of the plurality of first virtual machines, wherein the pre-processing includes a signature check of the identifying information of the object.
  - 17. The non-transitory computer readable medium of claim 13, wherein the information associated with the triggering event is an event that, through at least one of experiential knowledge or machine learning techniques, has been determined to have an association with a malicious attack.
  - 18. The non-transitory computer readable medium of claim 13, wherein the triggering event is an attempt to perform one of:
    - (i) deleting a first file or a first directory, (ii) creating a second file or second directory, (iii) establishing communication with an external server, (iv) protecting a file or directory with a password, or (v) encrypting a third file or a third directory.

19. A computerized method comprising:
- processing an object in a first virtual machine;
  
  upon detection of a triggering event within the first virtual machine, providing, by logic within the first virtual machine, information associated with the triggering event to a security virtual machine; and
  
  determining, within the security virtual machine, the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules.
- View Dependent Claims (20, 21)
- - 20. The computerized method of claim 19 further comprising:
    - prior to processing the object, performing a pre-processing in the security virtual machine based on identifying information of the object provided by the first virtual machine.
  - 21. The computerized method of claim 19, wherein the triggering event is an attempt to perform one of:
    - (i) deleting a first file or a first directory, (ii) creating a second file or second directory, (iii) establishing communication with an external server, (iv) protecting a file or directory with a password, or (v) encrypting a third file or a third directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Singh, Japneet, Ramchetty, Harinath, Gupta, Anil

Granted Patent

US 10,148,693 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

EXPLOIT DETECTION SYSTEM

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

EXPLOIT DETECTION SYSTEM

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links