Malware detection using risk analysis based on file system and network activity
Abstract
A virtual machine computing platform uses a security virtual machine (SVM) in operational communications with a risk engine which has access to a database including stored patterns corresponding to patterns of filtered operational data that are expected to be generated during operation of the monitored virtual machine when malware is executing. The stored patterns may have been generated during preceding design and training phases. The SVM is operated to (1) receive raw operational data from a virtual machine monitor, the raw operational data obtained from file system operations and network operations of the monitored virtual machine; (2) apply rule-based filtering to the raw operational data to generate filtered operational data; and (3) in conjunction with the risk engine, perform a mathematical (e.g., Bayesian) analysis based on the filtered operational data and the stored patterns in the database to calculate a likelihood that the malware is executing in the monitored virtual machine. A control action is taken if the likelihood is sufficiently high.
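As an added illustration (not code from the patent or its assignee), the claimed pipeline in Python: raw file-system and network events as a VMM-side collector might surface them, a rule-based filter that reduces them to features, a naive-Bayes likelihood computed against stored training-phase patterns, and a threshold that emits the control signal. The pattern database, feature rules, probabilities, threshold and sample events are all constructed assumptions.

```python
import math

# Stored patterns from a hypothetical training phase: (P(f | malware), P(f | benign)) per feature, plus prior.
PATTERN_DB = {
    "prior_malware": 0.05,
    "features": {
        "writes_persistence_path": (0.80, 0.02),
        "writes_tmp_executable": (0.70, 0.05),
        "outbound_uncommon_port": (0.60, 0.10),
        "dns_burst": (0.50, 0.08),
    },
}

def rule_filter(raw_events):
    """Rule-based filtering: reduce raw file/network events seen by the VMM to the features the DB knows."""
    feats = {name: False for name in PATTERN_DB["features"]}
    dns_queries = 0
    for ev in raw_events:
        if ev["kind"] == "file" and ev["op"] == "write":
            if ev["path"].startswith(("/etc/cron", "/etc/init.d/", "/etc/rc")):
                feats["writes_persistence_path"] = True
            if ev["path"].startswith(("/tmp/", "/dev/shm/")) and ev.get("exec"):
                feats["writes_tmp_executable"] = True
        elif ev["kind"] == "net":
            if ev["proto"] == "tcp" and ev["dport"] not in (22, 80, 443):
                feats["outbound_uncommon_port"] = True
            elif ev["proto"] == "udp" and ev["dport"] == 53:
                dns_queries += 1
    feats["dns_burst"] = dns_queries >= 5   # many lookups within one observation window
    return feats

def malware_likelihood(feats):
    """Naive-Bayes posterior P(malware | filtered features), computed in log space."""
    prior = PATTERN_DB["prior_malware"]
    log_m, log_b = math.log(prior), math.log(1 - prior)
    for name, (p_m, p_b) in PATTERN_DB["features"].items():
        present = feats[name]
        log_m += math.log(p_m if present else 1 - p_m)
        log_b += math.log(p_b if present else 1 - p_b)
    return 1.0 / (1.0 + math.exp(log_b - log_m))

def control_signal(raw_events, threshold=0.9):
    """Return (action, likelihood); the action is the claimed control signal."""
    likelihood = malware_likelihood(rule_filter(raw_events))
    return ("suspend_vm" if likelihood > threshold else "none"), likelihood

# Constructed sample events (assumed collector format), one suspicious set and one benign set.
MALICIOUS = [{"kind": "file", "op": "write", "path": "/tmp/.c/upd", "exec": True},
             {"kind": "file", "op": "write", "path": "/etc/cron.d/upd"},
             {"kind": "net", "proto": "tcp", "dport": 4444}] + [{"kind": "net", "proto": "udp", "dport": 53}] * 6
BENIGN = [{"kind": "file", "op": "write", "path": "/home/u/notes.txt"},
          {"kind": "net", "proto": "tcp", "dport": 443}]
```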
32 Claims
1. A method of detecting and responding to presence of malware persistently executing in a monitored virtual machine of a virtual computing platform, comprising:
establishing operational communications between a security virtual machine, which is separate from said monitored virtual machine, of the virtual computing platform and a risk engine, the risk engine having access to a database which includes stored patterns corresponding to patterns of filtered operational data expected to be generated during operation of the monitored virtual machine when the malware is executing;
operating the security virtual machine to (1) receive raw operational data from a virtual machine monitor, which can be insulated from anti-detection activity of said executing malware, of the virtual computing platform, the raw operational data obtained from both of file system operations and network operations of the monitored virtual machine which are visible to the virtual machine monitor;
(2) apply rule-based filtering to the raw operational data to generate filtered operational data; and
(3) in conjunction with the risk engine, perform a mathematical analysis based on the filtered operational data and the stored patterns in the database to calculate a likelihood that the malware is executing in the monitored virtual machine; and
in response to the likelihood exceeding a predetermined threshold, generating a control signal to initiate a control action.
Dependent claims: 2-16.
17. A virtual computing platform, comprising:
a physical machine including physical computing resources, the physical computing resources including memory, one or more processors, and input/output circuitry; and
software executing on the physical machine, the software including a virtual machine monitor, a monitored virtual machine, and a security virtual machine, the security virtual machine being operative, separate from said monitored virtual machine, to establish operational communications with a risk engine, the risk engine having access to a database which includes stored patterns corresponding to patterns of filtered operational data expected to be generated during operation of the monitored virtual machine when the malware is executing, wherein the security virtual machine is further operative to:
receive raw operational data from the virtual machine monitor, which can be insulated from anti-detection activity of said executing malware, the raw operational data obtained from both of file system operations and network operations of the monitored virtual machine which are visible to the virtual machine monitor;
apply rule-based filtering to the raw operational data to generate filtered operational data; and
in conjunction with the risk engine, perform a mathematical analysis based on the filtered operational data and the stored patterns in the database to calculate a likelihood that the malware is executing in the monitored virtual machine; and
in conjunction with the virtual machine monitor, in response to the likelihood exceeding a predetermined threshold, generating a control signal to initiate a control action.
Dependent claims: 18-32.