System, Apparatus And Method For Using Malware Analysis Results To Drive Adaptive Instrumentation Of Virtual Machines To Improve Exploit Detection

US 20180013770A1
Filed: 08/14/2017
Published: 01/11/2018
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1-26. -26. (canceled)

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method operates by configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object. In response to detecting a type of event during processing of the suspicious object within the virtual machine, the virtual machine is automatically reconfigured with a second instrumentation that is different from the first instrumentation in efforts to achieve reduced configuration time and/or increased effectiveness in exploit detection.

131 Citations

52 Claims

1-26. -26. (canceled)

27. A computerized method comprising:
- configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object; and
  
  in response to detecting a type of event during processing of the suspicious object within the virtual machine, automatically reconfiguring the virtual machine with a second instrumentation different than the first instrumentation.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 28. The computerized method of claim 27, wherein the reconfiguring of the virtual machine comprises dynamically changing the first instrumentation of the virtual machine to the second instrumentation while a Guest application operating within the virtual machine continues to run.
  - 29. The computerized method of claim 27, wherein the reconfiguring of the virtual machine comprises dynamically changing an operating state of the virtual machine from a first operating state to a second operating state.
  - 30. The computerized method of claim 29, wherein the second operating state is an operating state immediately subsequent to the first operating state.
  - 31. The computerized method of claim 27, wherein the event includes a timeout where no exploit has been detected during processing of the suspicious object for at least a predetermined amount of time.
  - 32. The computerized method of claim 27, wherein the event comprises a detection of an exploit associated with the suspicious object based on an analysis of results in the processing of the suspicious object within the virtual machine.
  - 33. The computerized method of claim 27, wherein the event comprises a detection of an access to a particular memory address range within a memory device.
  - 34. The computerized method of claim 27, wherein the reconfiguring of the virtual machine is conducted to re-focus operability of the virtual machine on a particular exploit or family of exploits more likely present in network traffic.
  - 35. The computerized method of claim 34, wherein the reconfiguring of the virtual machine is conducted so that changes to the virtual machine are transparent to a guest virtual system of the virtual machine, the guest virtual system including a guest operating system.
  - 36. The computerized method of claim 34, wherein the second instrumentation being coded with at least one virtual device that is different from a corresponding virtual device associated with the first instrumentation of the virtual machine.
  - 37. The computerized method of claim 34, wherein the configuring of the virtual machine with the first instrumentation further comprisesuploading initial virtual machine configuration data to an instrumentation control logic, the initial virtual machine configuration data representing the first instrumentation and including a starting state for the virtual machine.
  - 38. The computerized method of claim 37, wherein prior to automatically reconfiguring the virtual machine with the second instrumentation, the method further comprising:
    - detecting, by the instrumentation control logic, the type of event during processing of the suspicious object within the virtual machine; and
      
      generating a virtual machine instrumentation change message for return to the virtual machine, the virtual machine instrumentation change message includes a command that prompts the virtual machine to request the second instrumentation to be substituted for the first instrumentation.
  - 39. The computerized method of claim 27, wherein the second instrumentation of the virtual machine being downloaded from a cloud computing service.
  - 40. The computerized method of claim 27, wherein the automatically reconfiguring of the virtual machine comprises changing operations of the virtual machine running as part of a host virtual system for detecting exploits associated with network traffic including the suspicious object while preserving state information associated with a virtual machine process while a Guest application continues to run within the virtual machine.
  - 41. The computerized method of claim 27, wherein the automatically reconfiguring of the virtual machine comprises interrupting operations of the virtual machine to change an instrumentation of the virtual machine for at least one virtual machine process of the virtual machine during malware analysis of the suspicious object by the virtual machine.
  - 42. The computerized method of claim 27, wherein the automatically reconfiguring of the virtual machine comprises interrupting operations of the virtual machine to change an instrumentation for at least one virtual machine process of the virtual machine for malware analysis of a second object being part of a data flow including the suspicious object and subsequent in transit within the data flow from the suspicious object.

43. A system for detecting malware, comprising:
- a processor; and
  
  a persistent storage communicatively coupled to the processor, the persistent storage comprisesa virtual machine operating in accordance with a first instrumentation for processing of a suspicious object, andinstrumentation control logic executed by the processor, the instrumentation control logic to automatically reconfigure the virtual machine with a second instrumentation different than the first instrumentation in response to detecting a type of event during processing of the suspicious object within the virtual machine.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 44. The system of claim 43, wherein the instrumentation control logic to reconfigure the virtual machine by at least changing the first instrumentation of the virtual machine to the second instrumentation while a Guest application operating within the virtual machine continues to run.
  - 45. The system of claim 43, wherein the instrumentation control logic to reconfigure the virtual machine by at least dynamically changing an operating state of the virtual machine from a first operating state to a second operating state while preserving a state of operation as perceived by the guest operating system.
  - 46. The system of claim 45, wherein the second operating state is an operating state immediately subsequent to the first operating state.
  - 47. The system of claim 43, wherein the event includes either (i) a timeout where no exploit has been detected during processing of the suspicious object for at least a predetermined amount of time, or (ii) a detection of an exploit associated with the suspicious object based on an analysis of results in the processing of the suspicious object within the virtual machine, or (iii) a detection of an access to a particular memory address range within a memory device.
  - 48. The system of claim 43, wherein the instrumentation control logic to reconfigure the virtual machine in order to re-focus operability of the virtual machine on a particular exploit or family of exploits more likely present in network traffic including the suspicious object.
  - 49. The system of claim 43, wherein the instrumentation control logic, in response to detection of an event, generating a first message including a command that, upon receipt, causes the virtual machine to generate a second message to cause retrieval of the second instrumentation.
  - 50. The system of claim 43 further comprising:
    - a scheduler, executable by the processor, to receive the second message, and in response, to retrieve and load the second instrumentation to the virtual machine.
  - 51. The system of claim 43, wherein the instrumentation control logic configured to (i) detect the type of event during processing of the suspicious object within the virtual machine prior to automatically reconfiguring the virtual machine with the second instrumentation, and (ii) generate a virtual machine instrumentation change message for return to the virtual machine, the virtual machine instrumentation change message includes a command that prompts the virtual machine to request the second instrumentation to be substituted for the first instrumentation.
  - 52. The system of claim 43, wherein the second instrumentation of the virtual machine being downloaded from a cloud computing service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul

Granted Patent

US 11,075,945 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

System, Apparatus And Method For Using Malware Analysis Results To Drive Adaptive Instrumentation Of Virtual Machines To Improve Exploit Detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

System, Apparatus And Method For Using Malware Analysis Results To Drive Adaptive Instrumentation Of Virtual Machines To Improve Exploit Detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links