SELECTIVE VIRTUALIZATION FOR SECURITY THREAT DETECTION

US 20160335110A1
Filed: 03/25/2016
Published: 11/17/2016
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

configuring a virtual machine running within a platform with a first virtualization logic;

monitoring, by the first virtualization logic, for a first plurality of requests that are initiated during processing of an object within the virtual machine, each of the first plurality of requests is associated with an activity to be performed in connection with one or more resources;

selectively virtualizing, by the first virtualization logic, resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for a first plurality of requests that are initiated during processing of an object within the virtual machine. Each of the first plurality of requests, such as system calls for example, is associated with an activity to be performed in connection with one or more resources. The virtualization logic selectively virtualizes resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.

Citations

27 Claims

1. A computerized method comprising:
- configuring a virtual machine running within a platform with a first virtualization logic;
  
  monitoring, by the first virtualization logic, for a first plurality of requests that are initiated during processing of an object within the virtual machine, each of the first plurality of requests is associated with an activity to be performed in connection with one or more resources;
  
  selectively virtualizing, by the first virtualization logic, resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computerized method of claim 1, wherein the configuring of the virtual machine further comprises providing the first virtualization logic with access to configuration data, the configuration data comprises one or more interception points that are used for intercepting at least the second plurality of requests.
  - 3. The computerized method of claim 2, wherein the one or more interception points comprise an Application Programming Interface (API) hook.
  - 4. The computerized method of claim 2, wherein the configuration data further comprises at least one usage pattern that specifies a particular resource for virtualization and activities for conducting the virtualization, the particular resource corresponding to a request that is part of the second plurality of requests.
  - 5. The computerized method of claim 1, wherein the selectively virtualizing of the resources associated with the second plurality of requests comprisesintercepting the second plurality of requests;
    - servicing, by the first virtualization logic, a virtualized resource associated with a first request of the second plurality of requests by returning virtualized data to a process or a thread operating within the virtual machine that initiated the first request; and
      
      redirecting, by the first virtualization logic, a second request of the second plurality of requests, the redirecting of the second request comprises generating a modified second request by changing a resource associated with the second request and subsequently passing the modified second request to system code for processing.
  - 6. The computerized method of claim 5, wherein the virtualized resource associated with the first request comprises a handle.
  - 7. The computerized method of claim 5, wherein the resource associated with the second request comprises a path to a first address in a virtual memory of the platform and a resource associated with the modified second request comprises an alternative path to a second address in the virtual memory of the platform, the second address in the virtual memory being different from the first address in the virtual memory.
  - 8. The computerized method of claim 2, wherein the first virtualization logic is implemented in a user mode of the virtual machine.
  - 9. The computerized method of claim 8 further comprising:
    - configuring the virtual machine running within the platform with a second virtualization logic that is implemented within a kernel mode of the virtual machine;
      
      selectively virtualizing, by the second virtualization logic, resources associated with a third plurality of requests that are initiated during the processing of the object within the virtual machine, where the third plurality of requests is lesser in number than the first plurality of requests and differ from the second plurality of requests.
  - 10. The computerized method of claim 9, wherein the second virtualization logic is responsible for selectively conducting virtualization to the resources associated with the third plurality of requests that are handled in the kernel mode of the virtual machine.
  - 11. The computerized method of claim 10, wherein the third plurality of requests includes one or more requests directed to file management, including opening a file and closing a file.
  - 12. The computerized method of claim 10, wherein the third plurality of requests includes one or more requests directed to registry key management, including obtaining a registry key value.
  - 13. The computerized method of claim 10, wherein the third plurality of requests includes one or more requests directed to network management, including establishing a network connection.
  - 14. The computerized method of claim 1 further comprising:
    - obfuscating, by the first virtualization logic, virtualized resources associated with a first request of the second plurality of requests by removing a portion of virtualized data prior to returning the virtualized data to a process or a thread operating within the virtual machine that initiated the first request.
  - 15. The computerized method of claim 1, wherein the selectively virtualizing of the second plurality of requests comprisesintercepting the second plurality of requests;
    - redirecting a first request of the second plurality of requests, the redirecting of the first request comprises generating a modified first request by changing a resource associated with the first request and subsequently passing the modified first request to system code for processing;
      
      receiving virtualized data in response to passing the modified first request to the system code; and
      
      obfuscating at least a portion of the virtualized data prior to returning the virtualized data to a process or thread operating within the virtual machine that initiated the first request.
  - 16. The computerized method of claim 1, wherein the selectively virtualizing of the resources associated with the second plurality of requests comprisesintercepting the second plurality of requests;
    - redirecting a first request of the second plurality of requests by subsequently passing the first request to system code for processing;
      
      receiving data in response to passing the first request to the system code; and
      
      servicing, by the first virtualization logic, a virtualized resource associated with the first request of the second plurality of requests by returning virtualized data in lieu of the received data to a process or a thread operating within the virtual machine that initiated the first request.

17. A computerized method for configuring a virtual machine to selectively conduct virtualization of one or more resources during analysis of an object for malware, the computerized method comprising:
- configuring the virtual machine running within a platform with a first virtualization logic that is configured with access to a first configuration data, the first configuration data comprises (i) information that is used by the first virtualization logic to intercept at least a first request that, when processed, performs an activity on a first resource, (ii) information to determine whether to perform virtualization of the first resource associated with the first request, and (iii) information associated with one or more activities that are to be performed in connection with the first resource during the virtualization operation; and
  
  responsive to detecting an update to the first configuration data, modifying the first configuration data to alter at least one of (i) the information that is used by the first virtualization logic to intercept at least the first request, (ii) the information to determine whether to perform the virtualization of the first resource, and (iii) the information associated with the one or more activities that are to be performed in connection with the first resource associated with the first request during the virtualization operation.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computerized method of claim 17 further comprising.providing a second virtualization logic configured with access to a second configuration data, the second configuration data comprises (i) information that is used by the second virtualization logic to intercept at least a second request that, when processed, performs an activity on a second resource, (ii) information to determine whether to perform virtualization of the second resource associated with the second request, and (iii) information associated with one or more activities that are to be performed in connection with the second resource during the virtualization operation;
    - andresponsive to detecting an update to the second configuration data, modifying the second configuration data to alter at least one of (i) the information that is used by the second virtualization logic to intercept at least the second request, (ii) the information to determine whether to perform the virtualization operation, and (iii) the information associated with one or more activities that are to be performed in connection with the second resource.
  - 19. The computerized method of claim 18, wherein the first virtualization logic is deployed within a user mode of the virtual machine.
  - 20. The computerized method of claim 19, wherein the second virtualization logic is deployed within a kernel mode of the virtual machine.
  - 21. The computerized method of claim 20, wherein the information associated with the one or more activities that are performed in connection with the second resource includes altering a file path.
  - 22. The computerized method of claim 21, wherein the information associated with the one or more activities that are performed in connection with the first resource includes altering a handle for the first resource.

23. A non-transitory computer readable medium that stores virtualization logic operating within a virtual machine that, when executed by one or more processors, performs operations comprising:
- receiving, by the virtualization logic, a request from a process running on the virtual machine, the request is associated with a first resource;
  
  analyzing, by the virtualization logic, contents of the request to determine whether the first resource identified in the request is to be virtualized; and
  
  in response to determining by the virtualization logic that the first resource is to be virtualized, selecting at least one of a plurality of virtualization schemes conducted to the first resource, the plurality of virtualization schemes comprises (1) servicing the request by returning virtualized data to a portion of the process that initiated the request and (2) redirecting the request to a second resource that is different from the first resource.

24. A platform comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprises one or more virtual machines that are configured to process an object under analysis, a first virtual machine of the one or more virtual machines comprisesa first virtualization logic that intercepts a first request associated with a first plurality of activities that are handled by the first virtual machine, performs virtualization of a resource associated with the first request that produces virtualized data, and returns at least a portion of the virtualized data to a source that initiated the first request, anda second virtualization logic that intercepts a second request associated with a second plurality of activities that are handled by the first virtual machine and differ from the first plurality of activities, performs virtualization of a resource associated with the second request that produces virtualized data, and returns at least a portion of the virtualized data associated with the second request to a source that initiated the second request.
- View Dependent Claims (25, 26)
- - 25. The platform of claim 24, wherein the second virtualization logic, in response to detecting the second request associated with the second plurality of activities that are handled by the first virtual machine in kernel mode, the second virtualization logic determines whether to conduct virtualization of the resource associated with the second request.
  - 26. The platform of claim 24 further comprising a first logic that, when executed by the one or more hardware processors, detects whether an update to the configuration data is available to the platform.

27. A platform comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprises one or more virtual machines that are configured to process of an object under analysis;
  
  a virtual machine monitor that manages operability of the one or more virtual machines and is configured to detect and control handling of requests initiated by the one or more virtual machines, the virtual machine monitor comprisesa first logic configured to (i) temporarily halt execution of a first virtual machine of the one or more virtual machines in response to detecting a request from the first virtual machine and (ii) maintain an instruction pointer at a first virtual memory address associated with the request,a second logic configured to (i) determine whether the request is associated with a virtualized resource and (ii) select a virtualization scheme for producing virtualized data, anda third logic in communication with the second logic, the third logic to determine a memory location within the virtual memory for placement of the virtualized data and to subsequently modify the instruction pointer to a second virtual memory reference so that, when the virtual machine resumes execution, the request has been serviced.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vincent, Michael

Granted Patent

US 10,417,031 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/145   the attack involving the pr...

SELECTIVE VIRTUALIZATION FOR SECURITY THREAT DETECTION

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SELECTIVE VIRTUALIZATION FOR SECURITY THREAT DETECTION

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links