SELECTIVE VIRTUALIZATION FOR SECURITY THREAT DETECTION
Abstract
Selective virtualization of resources is provided, where the resources may be intercepted and serviced, or intercepted and redirected. Virtualization logic monitors for a first plurality of requests that are initiated during processing of an object within the virtual machine. Each of the first plurality of requests, such as system calls for example, is associated with an activity to be performed in connection with one or more resources. The virtualization logic selectively virtualizes resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.
27 Claims
1. A computerized method comprising:
configuring a virtual machine running within a platform with a first virtualization logic;
monitoring, by the first virtualization logic, for a first plurality of requests that are initiated during processing of an object within the virtual machine, each of the first plurality of requests is associated with an activity to be performed in connection with one or more resources;
selectively virtualizing, by the first virtualization logic, resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.
Dependent claims: 2 through 16.
17. A computerized method for configuring a virtual machine to selectively conduct virtualization of one or more resources during analysis of an object for malware, the computerized method comprising:
configuring the virtual machine running within a platform with a first virtualization logic that is configured with access to a first configuration data, the first configuration data comprises (i) information that is used by the first virtualization logic to intercept at least a first request that, when processed, performs an activity on a first resource, (ii) information to determine whether to perform virtualization of the first resource associated with the first request, and (iii) information associated with one or more activities that are to be performed in connection with the first resource during the virtualization operation; and
responsive to detecting an update to the first configuration data, modifying the first configuration data to alter at least one of (i) the information that is used by the first virtualization logic to intercept at least the first request, (ii) the information to determine whether to perform the virtualization of the first resource, and (iii) the information associated with the one or more activities that are to be performed in connection with the first resource associated with the first request during the virtualization operation.
Dependent claims: 18 through 22.
23. A non-transitory computer readable medium that stores virtualization logic operating within a virtual machine that, when executed by one or more processors, performs operations comprising:
receiving, by the virtualization logic, a request from a process running on the virtual machine, the request is associated with a first resource;
analyzing, by the virtualization logic, contents of the request to determine whether the first resource identified in the request is to be virtualized; and
in response to determining by the virtualization logic that the first resource is to be virtualized, selecting at least one of a plurality of virtualization schemes conducted to the first resource, the plurality of virtualization schemes comprises (1) servicing the request by returning virtualized data to a portion of the process that initiated the request and (2) redirecting the request to a second resource that is different from the first resource.
24. A platform comprising:
one or more hardware processors; and
a memory coupled to the one or more processors, the memory comprises one or more virtual machines that are configured to process an object under analysis, a first virtual machine of the one or more virtual machines comprises a first virtualization logic that intercepts a first request associated with a first plurality of activities that are handled by the first virtual machine, performs virtualization of a resource associated with the first request that produces virtualized data, and returns at least a portion of the virtualized data to a source that initiated the first request, and a second virtualization logic that intercepts a second request associated with a second plurality of activities that are handled by the first virtual machine and differ from the first plurality of activities, performs virtualization of a resource associated with the second request that produces virtualized data, and returns at least a portion of the virtualized data associated with the second request to a source that initiated the second request.
Dependent claims: 25 and 26.
27. A platform comprising:
one or more hardware processors; and
a memory coupled to the one or more processors, the memory comprises one or more virtual machines that are configured to process an object under analysis;
a virtual machine monitor that manages operability of the one or more virtual machines and is configured to detect and control handling of requests initiated by the one or more virtual machines, the virtual machine monitor comprises a first logic configured to (i) temporarily halt execution of a first virtual machine of the one or more virtual machines in response to detecting a request from the first virtual machine and (ii) maintain an instruction pointer at a first virtual memory address associated with the request, a second logic configured to (i) determine whether the request is associated with a virtualized resource and (ii) select a virtualization scheme for producing virtualized data, and a third logic in communication with the second logic, the third logic to determine a memory location within the virtual memory for placement of the virtualized data and to subsequently modify the instruction pointer to a second virtual memory reference so that, when the virtual machine resumes execution, the request has been serviced.
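As an added illustration (not code from the patent or from any product) the toy model below shows the structure claims 1, 17 and 23 describe: configuration data that names which requests to intercept and how each matched resource is handled, and virtualization logic that intercepts a first set of requests but virtualizes only the smaller subset whose resource matches a rule, either by serving canned data or by redirecting the request to a decoy resource. All class names, syscall names and the sample request trace are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    syscall: str    # constructed: e.g. "open", "reg_query", "connect"
    resource: str   # the file, registry key or host the activity targets

@dataclass
class VirtConfig:
    """Configuration data: (i) which syscalls to intercept, (ii)/(iii) which
    resource prefixes to virtualize and the scheme applied to each."""
    intercepted_syscalls: set = field(default_factory=set)
    rules: dict = field(default_factory=dict)  # prefix -> (scheme, payload)

    def update(self, prefix, scheme, payload):
        # Claim 17: the configuration may be altered while the VM is analyzing.
        self.rules[prefix] = (scheme, payload)

class VirtualizationLogic:
    def __init__(self, cfg):
        self.cfg = cfg
        self.seen = []         # first plurality: every intercepted request
        self.virtualized = []  # second plurality: the subset actually virtualized

    def handle(self, req):
        if req.syscall not in self.cfg.intercepted_syscalls:
            return ("passthrough", req.resource)   # not monitored at all
        self.seen.append(req)
        for prefix, (scheme, payload) in self.cfg.rules.items():
            if req.resource.startswith(prefix):
                self.virtualized.append(req)
                if scheme == "serve":              # scheme (1): return canned data
                    return ("served", payload)
                # scheme (2): redirect to a different resource under a decoy prefix
                return ("redirected", payload + req.resource[len(prefix):])
        return ("passthrough", req.resource)       # intercepted but not virtualized

def run_sample():
    """Constructed trace: four intercepted requests, two of them virtualized."""
    cfg = VirtConfig(intercepted_syscalls={"open", "reg_query"})
    cfg.update("C:\\Windows\\System32\\", "redirect", "C:\\Sandbox\\System32\\")
    cfg.update("HKLM\\SOFTWARE\\Sample\\", "serve", b"\x00" * 16)
    logic = VirtualizationLogic(cfg)
    trace = [Request("open", "C:\\Users\\victim\\doc.txt"),
             Request("open", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
             Request("reg_query", "HKLM\\SOFTWARE\\Sample\\Key"),
             Request("connect", "10.0.0.1:443"),
             Request("reg_query", "HKCU\\Environment")]
    return logic, [logic.handle(r) for r in trace]
```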