Detecting Malicious Instructions in a Virtual Machine Memory

US 20170149801A1
Filed: 05/31/2016
Published: 05/25/2017
Est. Priority Date: 11/23/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a hypervisor associated with a guest virtual machine;

the guest virtual machine in communication with the hypervisor, and comprising;

virtual machine measurement points implemented by a processor; and

a hypervisor control point implemented by the processor, and configured to;

collect virtual machine memory metadata from the guest virtual machine using a first virtual machine measurement point;

collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from the hypervisor using a second virtual machine measurement point;

compare the virtual machine memory metadata to the hypervisor memory metadata;

determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and

communicate the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata; and

the virtual vault machine in communication with the hypervisor, and configured to classify the state of the guest virtual based on the virtual machine memory metadata.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that includes a guest virtual machine is in communication with a hypervisor. The guest virtual machine comprises virtual machine measurement points and a hypervisor control point. The hypervisor control point is configured to collect virtual machine memory metadata from the guest virtual machine and from the hypervisor, and to compare the virtual machine memory metadata to the hypervisor memory metadata. The hypervisor control point is further configured to determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata and to communicate the virtual machine memory metadata to the virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata. The virtual vault machine is in communication with the hypervisor and configured to classify the state of the guest virtual based on the virtual machine memory metadata.

8 Citations

20 Claims

1. A system comprising:
- a hypervisor associated with a guest virtual machine;
  
  the guest virtual machine in communication with the hypervisor, and comprising;
  
  virtual machine measurement points implemented by a processor; and
  
  a hypervisor control point implemented by the processor, and configured to;
  
  collect virtual machine memory metadata from the guest virtual machine using a first virtual machine measurement point;
  
  collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from the hypervisor using a second virtual machine measurement point;
  
  compare the virtual machine memory metadata to the hypervisor memory metadata;
  
  determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and
  
  communicate the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata; and
  
  the virtual vault machine in communication with the hypervisor, and configured to classify the state of the guest virtual based on the virtual machine memory metadata.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the virtual machine memory metadata comprises a page table.
  - 3. The system of claim 2, wherein the page table maps virtual memory of the guest virtual machine to physical memory of the guest virtual machine.
  - 4. The system of claim 1, wherein the virtual machine memory metadata comprises a memory page from a guest page table executing on the guest virtual machine.
  - 5. The system of claim 1, wherein the virtual machine memory metadata comprises information about currently executing memory pages on the guest virtual machine.
  - 6. The system of claim 1, wherein:
    - the virtual machine memory metadata is collected from a random access memory of the guest virtual machine; and
      
      the hypervisor memory metadata is collected from a random access memory of the hypervisor.
  - 7. The system of claim 1, wherein the hypervisor control point is configured to trigger an alarm in response to determining that the virtual machine memory metadata and the hypervisor memory metadata are different.

8. A virtual machine intrusion detection method comprising:
- collecting, by a hypervisor control point implemented by a processor, virtual machine memory metadata from a guest virtual machine using a first virtual machine measurement point from a plurality of virtual machine measurement points implemented by the processor;
  
  collecting, by the hypervisor control point, hypervisor memory metadata that corresponds with the virtual machine memory metadata from a hypervisor associated with the guest virtual machine using a second virtual machine measurement point from the plurality of virtual machine measurement points;
  
  comparing, by the hypervisor control point, the virtual machine memory metadata to the hypervisor memory metadata;
  
  determining, by the hypervisor control point, whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and
  
  communicating, by the hypervisor control point, the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the virtual machine memory metadata comprises a page table.
  - 10. The method of claim 9, wherein the page table maps virtual memory of the guest virtual machine to physical memory of the guest virtual machine.
  - 11. The method of claim 8, wherein the virtual machine memory metadata comprises a memory page from a guest page table executing on the guest virtual machine.
  - 12. The method of claim 8, wherein the virtual machine memory metadata comprises information about currently executing memory pages on the guest virtual machine.
  - 13. The method of claim 8, wherein:
    - the virtual machine memory metadata is collected from a random access memory of the guest virtual machine; and
      
      the hypervisor memory metadata is collected from a random access memory of the hypervisor.
  - 14. The method of claim 8, wherein the hypervisor control point is configured to trigger an alarm in response to determining that the virtual machine memory metadata and the hypervisor memory metadata are different.

15. An apparatus comprising:
- virtual machine measurement points implemented by a processor; and
  
  a hypervisor control point implemented by the processor, and configured;
  
  collect virtual machine memory metadata from a guest virtual machine using a first virtual machine measurement point;
  
  collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from a hypervisor associated with the guest virtual machine using a second virtual machine measurement point;
  
  compare the virtual machine memory metadata to the hypervisor memory metadata;
  
  determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and
  
  communicate the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the virtual memory metadata comprises a page table that maps virtual memory of the guest virtual machine to physical memory of the guest virtual machine.
  - 17. The apparatus of claim 15, wherein the virtual machine memory metadata comprises a memory page from a guest page table executing on the guest virtual machine.
  - 18. The apparatus of claim 15, wherein the virtual machine memory metadata comprises information about currently executing memory pages on the guest virtual machine.
  - 19. The apparatus of claim 15, wherein:
    - the virtual machine memory metadata is collected from a random access memory of the guest virtual machine; and
      
      the hypervisor memory metadata is collected from a random access memory of the hypervisor.
  - 20. The apparatus of claim 15, wherein the hypervisor control point is configured to trigger an alarm in response to determining that the virtual machine memory metadata and the hypervisor memory metadata are different.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Armor Defense Inc.
Original Assignee
Armor Defense Lnc.
Inventors
Schilling, Jeffery Ray, Cunningham, Chase Cooper, Shah, Tawfiq Mohan, Kotikela, Srujan Das

Granted Patent

US 10,409,983 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1009   using page tables, e.g. pag...

G06F 16/245   Query processing

G06F 16/285   Clustering or classification

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/561   Virus type analysis

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2212/1052   Security improvement

G06F 2212/152   Virtualized environment, e....

G06F 2212/154   Networked environment

G06F 2221/034   Test or assess a computer o...

G06F 2221/2149 : Restricted operating enviro...

G06F 9/45545 : Guest-host, i.e. hypervisor...

G06F 9/45558 : Hypervisor-specific managem...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

View All

Detecting Malicious Instructions in a Virtual Machine Memory

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Malicious Instructions in a Virtual Machine Memory

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links