EXPLOIT DETECTION SYSTEM
Abstract
According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines is configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious” or “malicious.”
21 Claims
1. A system comprising:
one or more processors; and
a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising:
processing an object in a first virtual machine;
upon detection of a triggering event within the first virtual machine, providing information associated with the triggering event to a security virtual machine, the security virtual machine being different from the first virtual machine; and
determining, within the security virtual machine, whether the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules.
Dependent claims 2 to 12 are not reproduced on this page.
13. A non-transitory computer readable medium having stored thereon logic that, upon execution by one or more processors, performs operations comprising:
processing an object in one of a plurality of first virtual machines, wherein the plurality of first virtual machines are contained within a virtual machine host, the virtual machine host also including a security virtual machine that is different from the first virtual machine;
upon detection of a triggering event within the one of the plurality of first virtual machines, providing, by logic of the one of the plurality of first virtual machines, information associated with the triggering event to the security virtual machine;
determining, within the security virtual machine, the object is suspicious based upon an analysis of the information associated with the triggering event using one or more correlation rules;
providing, by the logic of the one of the plurality of first virtual machines, additional information associated with processing of the object after the detection of the triggering event, to the security virtual machine; and
determining, within the security virtual machine, the object is malicious based upon an analysis of the additional information associated with processing of the object after the detection of the triggering event using one or more correlation rules.
Dependent claims 14 to 18 are not reproduced on this page.
19. A computerized method comprising:
processing an object in a first virtual machine;
upon detection of a triggering event within the first virtual machine, providing, by logic within the first virtual machine, information associated with the triggering event to a security virtual machine; and
determining, within the security virtual machine, the object is malicious based upon an analysis of the information associated with the triggering event using one or more correlation rules.
Dependent claims 20 and 21 are not reproduced on this page.
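The message flow that the abstract and claims 1 and 13 describe, modelled as an added example that is not code from the patent or from any product: a guest VM reports a triggering event to a separate security VM, which applies correlation rules and, when the object is only "suspicious", receives the guest's additional post-event information before reaching a "malicious" verdict. The event names, the rule contents and the three verdict strings are constructed assumptions; the patent does not specify them.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    """Information a guest VM sends to the security VM (constructed fields)."""
    vm: str                  # guest VM that observed the event
    kind: str                # triggering-event type, e.g. "process_spawn"
    details: dict = field(default_factory=dict)

# Constructed correlation rules: each is a predicate over every event
# reported so far for one object. The patent does not specify rule contents.
SUSPICIOUS_RULES = [
    lambda evs: any(e.kind == "process_spawn" and e.details.get("unsigned")
                    for e in evs),
]
MALICIOUS_RULES = [
    # unsigned spawn later joined by network activity and an autorun entry
    lambda evs: {e.kind for e in evs} >= {"process_spawn", "net_connect",
                                          "registry_autorun"},
]

class SecurityVM:
    """Correlates reports per object; verdict state lives outside the guests."""
    def __init__(self):
        self.history = {}    # object id -> list of Event reported so far

    def receive(self, obj_id, event):
        """Return 'benign', 'suspicious' (more information wanted) or 'malicious'."""
        evs = self.history.setdefault(obj_id, [])
        evs.append(event)
        if any(rule(evs) for rule in MALICIOUS_RULES):
            return "malicious"
        if any(rule(evs) for rule in SUSPICIOUS_RULES):
            return "suspicious"
        return "benign"

def analyze_object(secvm, obj_id, trigger, followups):
    """Claim 13 flow: report the triggering event; while the security VM answers
    'suspicious', forward the additional post-event information the guest
    collected. Returns (final verdict, number of follow-up reports sent)."""
    verdict = secvm.receive(obj_id, trigger)
    sent = 0
    for extra in followups:
        if verdict != "suspicious":
            break
        verdict = secvm.receive(obj_id, extra)
        sent += 1
    return verdict, sent
```

If the guest runs out of additional information while the verdict is still "suspicious", the object stays in that state rather than being promoted to "malicious".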