METHODS AND APPARATUS FOR APPLICATION ISOLATION

US 20170302692A1
Filed: 03/15/2017
Published: 10/19/2017
Est. Priority Date: 09/12/2008
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious software comprising:

a) an application processor comprising;

i) a virtual machine monitor configured to operate on a hardware computing machine under control of a host operating system;

ii) at least one network application template, each of the “

at least one network application template”

including;

(1) a modifiable section; and

(2) a non-modifiable section;

iii) at least one container, at least one of the at least one container;

(1) configured to operate in a protected memory space under control of a guest operating system virtual machine;

(2) initialized with at least one copy of the “

at least one network application template; and

(3) including;

(a) a file system; and

(b) a network address;

iv) a detection module configured to operate under control of the “

guest operating system virtual machine, the detection module comprising;

(1) a trigger detection module configured to monitor activity on the “

at least one container”

for a trigger event;

(2) a logging module configured to write activity to an activity report in response to the trigger event; and

(3) a container command module configured to conditionally issue at least one command in response to the trigger event, the “

at least one command being at least one of the following;

(a) a container stop command;

(b) a container revert command; and

(c) a container start command;

v) a virtual machine control console configured to;

(1) operate under control of the “

host operating machine;

” and

(2) start and stop the “

hardware virtual machine monitor;

”

vi) a container control module configured to;

(1) operate under control of the “

guest operating system virtual machine;

”

(2) to start at least one of the “

at least one container”

in response to the container start command;

”

(3) to stop at least one of the “

at least one container”

in response to the container stop command;

” and

(4) to revert at least one of the “

at least one container”

in response to the container revert command;

” and

vii) a server communication module configured to transmit the activity over a network; and

b) the central collection network appliance configured to;

i) receive over the “

network”

at least one of the “

at least one activity report;

” and

ii) maintain a repository of activities for infected devices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

20 Citations

View as Search Results

20 Claims

1. A system for detecting malicious software comprising:
- a) an application processor comprising;
  
  i) a virtual machine monitor configured to operate on a hardware computing machine under control of a host operating system;
  
  ii) at least one network application template, each of the “
  
  at least one network application template”
  
  including;
  
  (1) a modifiable section; and
  
  (2) a non-modifiable section;
  
  iii) at least one container, at least one of the at least one container;
  
  (1) configured to operate in a protected memory space under control of a guest operating system virtual machine;
  
  (2) initialized with at least one copy of the “
  
  at least one network application template; and
  
  (3) including;
  
  (a) a file system; and
  
  (b) a network address;
  
  iv) a detection module configured to operate under control of the “
  
  guest operating system virtual machine, the detection module comprising;
  
  (1) a trigger detection module configured to monitor activity on the “
  
  at least one container”
  
  for a trigger event;
  
  (2) a logging module configured to write activity to an activity report in response to the trigger event; and
  
  (3) a container command module configured to conditionally issue at least one command in response to the trigger event, the “
  
  at least one command being at least one of the following;
  
  (a) a container stop command;
  
  (b) a container revert command; and
  
  (c) a container start command;
  
  v) a virtual machine control console configured to;
  
  (1) operate under control of the “
  
  host operating machine;
  
  ” and
  
  (2) start and stop the “
  
  hardware virtual machine monitor;
  
  ”
  
  vi) a container control module configured to;
  
  (1) operate under control of the “
  
  guest operating system virtual machine;
  
  ”
  
  (2) to start at least one of the “
  
  at least one container”
  
  in response to the container start command;
  
  ”
  
  (3) to stop at least one of the “
  
  at least one container”
  
  in response to the container stop command;
  
  ” and
  
  (4) to revert at least one of the “
  
  at least one container”
  
  in response to the container revert command;
  
  ” and
  
  vii) a server communication module configured to transmit the activity over a network; and
  
  b) the central collection network appliance configured to;
  
  i) receive over the “
  
  network”
  
  at least one of the “
  
  at least one activity report;
  
  ” and
  
  ii) maintain a repository of activities for infected devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A system according to claim 1, further including a shared persistent directory configured to operate under control of the “
    - host operating machine,”
      
      the shared directory accessible by at least one of the at least one container.
  - 3. A system according to claim 2, wherein access to the shared directory is limited.
  - 4. A system according to claim 1, wherein the central collection network appliance further analyzes the “
    - at least one activity report”
      
      to determine new trigger events.
  - 5. A system according to claim 1, wherein the central collection network appliance further transmits at least one of the new trigger events to at least one network traffic appliance.
  - 6. A system according to claim 1, wherein the container start command is initiated by the host operating system.
  - 7. A system according to claim 1, wherein at least one of the at least one container is a private container, the private container configured to have private semi-persistent storage.
  - 8. A system according to claim 1, wherein at least one of the at least one container is a public container, the public container configured to access persistent storage.
  - 9. A system according to claim 1, wherein the trigger detection module monitors at least one of the following:
    - a) unauthorized changes to the a non-modifiable section;
      
      b) registry writes;
      
      c) the start of new processes;
      
      d) web sites visited;
      
      e) redirected URL'"'"'s;
      
      f) infection details;
      
      g) event timelines;
      
      h) network connections;
      
      i) file system writes; and
      
      j) configuration changes.
  - 10. A system according to claim 1, wherein at activity report includes at least one of the following:
    - a) unauthorized changes to the a non-modifiable section;
      
      b) registry writes;
      
      c) the start of new processes;
      
      d) web sites visited;
      
      e) redirected URL'"'"'s;
      
      f) Infection details;
      
      g) event timelines;
      
      h) network connections;
      
      i) file system writes; and
      
      j) configuration changes.
  - 11. A system according to claim 1, wherein the display of at least one of the at least one container is displayed by the host operating system.
  - 12. A system according to claim 1, wherein at least one virtual machine window is hidden.
  - 13. A system according to claim 1, wherein the guest operating system and host operating system are different.
  - 14. A system according to claim 1, wherein the activity report is searchable by at least one of the following:
    - a) an MD5 hash;
      
      b) a time interval;
      
      c) a web site;
      
      d) a host;
      
      e) a process name; and
      
      f) a remote connection.
  - 15. A system according to claim 1, wherein at least one of the at least one container resides on a rewritable external storage medium.

16. An appliance processor for detecting malicious software comprising:
- a) a hardware virtual machine monitor configured to operate on a hardware computing machine under control of a host operating system;
  
  b) at least one network application template, the “
  
  at least one network application template”
  
  including;
  
  i) a modifiable section; and
  
  ii) a non-modifiable section;
  
  c) at least one container, at least one of the at least one container;
  
  i) configured to operate in a protected memory space under control of a guest operating system virtual machine;
  
  ii) initialized with at least one copy of the “
  
  at least one network application template; and
  
  iii) including;
  
  (1) a file system; and
  
  (2) a network address;
  
  d) a detection module configured to operate under control of the “
  
  guest operating system virtual machine, the detection module comprising;
  
  i) a trigger detection module configured to monitor activity on the “
  
  at least one container”
  
  for a trigger event;
  
  ii) a logging module configured to write activity to an activity report in response to the trigger event; and
  
  iii) a container command module configured to conditionally issue at least one command in response to the trigger event, the “
  
  at least one command being at least one of the following;
  
  (1) a container stop command;
  
  (2) a container revert command; and
  
  (3) a container start command;
  
  e) a virtual machine control console configured to;
  
  i) operate under control of the “
  
  host operating machine;
  
  ” and
  
  ii) start and stop the “
  
  hardware virtual machine monitor;
  
  ”
  
  f) a container control module configured to;
  
  i) operate under control of the “
  
  guest operating system virtual machine;
  
  ”
  
  ii) to start at least one of the “
  
  at least one container”
  
  in response to the container start command;
  
  ”
  
  iii) to stop at least one of the “
  
  at least one container”
  
  in response to the container stop command;
  
  ” and
  
  iv) to revert at least one of the “
  
  at least one container”
  
  in response to the container revert command;
  
  ” and
  
  g) a server communication module configured to send the activity report to a central collection network appliance over a network, the central collection network appliance configured to;
  
  i) receive at least one of the “
  
  at least one activity report;
  
  ” and
  
  ii) maintain a repository of activities for infected devices.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A system according to claim 16, further including a shared persistent directory configured to operate under control of the “
    - host operating machine,”
      
      the shared directory accessible by at least one of the at least one container.
  - 18. A system according to claim 16, wherein the container start command is initiated by the host operating system.
  - 19. A system according to claim 16, wherein at least one of the at least one container is a private container, the private container configured to have private semi-persistent storage.
  - 20. A system according to claim 16, wherein the trigger detection module monitors at least one of the following:
    - a) unauthorized changes to the a non-modifiable section;
      
      b) registry writes;
      
      c) the start of new processes;
      
      d) web sites visited;
      
      e) redirected URL'"'"'s;
      
      f) infection details;
      
      g) event timelines;
      
      h) network connections;
      
      i) file system writes; and
      
      j) configuration changes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Research Foundation Inc.
Original Assignee
George Mason Research Foundation Inc.
Inventors
GHOSH, Anup, HUANG, Yih, WANG, Jiang, STAVROU, Angelos

Granted Patent

US 9,871,812 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2149   Restricted operating enviro...

G06F 9/45545   Guest-host, i.e. hypervisor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

METHODS AND APPARATUS FOR APPLICATION ISOLATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR APPLICATION ISOLATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links