Malware detection using risk analysis based on file system and network activity

  • US 8,479,276 B1
  • Filed: 12/29/2010
  • Issued: 07/02/2013
  • Est. Priority Date: 12/29/2010
  • Status: Active Grant
First Claim

1. A method of detecting and responding to presence of malware persistently executing in a monitored virtual machine of a virtual computing platform, comprising:

  • establishing operational communications between a security virtual machine, which is separate from said monitored virtual machine, of the virtual computing platform and a risk engine, the risk engine having access to a database which includes stored patterns corresponding to patterns of filtered operational data expected to be generated during operation of the monitored virtual machine when the malware is executing;

  • operating the security virtual machine to (1) receive raw operational data from a virtual machine monitor, which can be insulated from anti-detection activity of said executing malware, of the virtual computing platform, the raw operational data obtained from both of file system operations and network operations of the monitored virtual machine which are visible to the virtual machine monitor; (2) apply rule-based filtering to the raw operational data to generate filtered operational data; and (3) in conjunction with the risk engine, perform a mathematical analysis based on the filtered operational data and the stored patterns in the database to calculate a likelihood that the malware is executing in the monitored virtual machine; and

  • in response to the likelihood exceeding a predetermined threshold, generating a control signal to initiate a control action.
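The claim describes a four-stage pipeline: raw file-system and network events as seen by the virtual machine monitor, a rule-based filter that reduces them to features, a likelihood computed against stored patterns, and a threshold that triggers a control action. The following is an added illustration of that pipeline written for this page; it is not the patentee's code and the patent does not specify the event format, the filter rules, the pattern database or the scoring function. The event record, the four rules, the per-feature probabilities, the naive-Bayes style log-odds scoring, the 0.8 threshold and the sample events are all constructed assumptions.

```python
"""Illustration of the claim-1 pipeline (added example, not the patent's implementation).

Stages: VMM-visible raw events -> rule-based filter -> likelihood from stored
patterns -> threshold -> control action. Every concrete value below is assumed.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RawEvent:
    """One operation of the monitored VM as a VMM-side tap might report it (assumed format)."""
    source: str   # "fs" (file system) or "net" (network), the two sources the claim names
    op: str       # "write", "connect", "dns", ...
    target: str   # path, "host:port", or domain name
    pid: int      # guest process id as recovered by the monitor


# ---- Stage 2: rule-based filtering. Each rule maps a raw event to a feature name or None.
FilterRule = Callable[[RawEvent], Optional[str]]


def rule_persistence_write(e: RawEvent) -> Optional[str]:
    """Writes into locations that survive reboot (assumed persistence locations)."""
    if e.source == "fs" and e.op == "write" and (
        e.target.startswith("/etc/cron.d/") or "/.config/autostart/" in e.target
    ):
        return "persistence_write"
    return None


def rule_hidden_tmp_write(e: RawEvent) -> Optional[str]:
    """Writes to a dot-prefixed (hidden) path under /tmp, a common dropper habit."""
    if e.source == "fs" and e.op == "write" and e.target.startswith("/tmp/"):
        if any(part.startswith(".") for part in e.target[len("/tmp/"):].split("/")):
            return "hidden_tmp_write"
    return None


EXPECTED_PORTS = {22, 53, 80, 443}  # assumed allowlist for this workload


def rule_rare_port(e: RawEvent) -> Optional[str]:
    """Outbound connection to a port outside the workload's expected set."""
    if e.source == "net" and e.op == "connect":
        port = int(e.target.rsplit(":", 1)[1])
        if port not in EXPECTED_PORTS:
            return "outbound_to_rare_port"
    return None


def rule_dns_long_label(e: RawEvent) -> Optional[str]:
    """DNS query with an unusually long label (tunnelling / DGA heuristic)."""
    if e.source == "net" and e.op == "dns" and any(len(l) > 40 for l in e.target.split(".")):
        return "dns_long_label"
    return None


RULES: List[FilterRule] = [rule_persistence_write, rule_hidden_tmp_write,
                           rule_rare_port, rule_dns_long_label]


def filter_events(events: Iterable[RawEvent]) -> Set[str]:
    """Filtered operational data: the set of features the rules fired on."""
    return {feat for e in events for r in RULES if (feat := r(e)) is not None}


# ---- Stage 3: stored patterns. For each feature, P(feature | malware) and P(feature | benign).
# Constructed numbers; a real database would be estimated from labelled runs.
PATTERN_DB: Dict[str, Tuple[float, float]] = {
    "persistence_write":     (0.80, 0.02),
    "hidden_tmp_write":      (0.70, 0.01),
    "outbound_to_rare_port": (0.75, 0.05),
    "dns_long_label":        (0.60, 0.03),
}
PRIOR_MALWARE = 0.01  # assumed base rate of an infected VM


def likelihood(features: Set[str]) -> float:
    """Posterior P(malware | features) under conditional independence (naive Bayes)."""
    log_odds = math.log(PRIOR_MALWARE / (1.0 - PRIOR_MALWARE))
    for feat, (p_mal, p_ben) in PATTERN_DB.items():
        if feat in features:
            log_odds += math.log(p_mal / p_ben)
        else:  # absence of an expected feature is evidence too
            log_odds += math.log((1.0 - p_mal) / (1.0 - p_ben))
    return 1.0 / (1.0 + math.exp(-log_odds))


# ---- Stage 4: threshold and control action.
def analyze(events: Iterable[RawEvent], threshold: float = 0.8) -> dict:
    feats = filter_events(events)
    p = likelihood(feats)
    action = "suspend_vm" if p > threshold else None  # assumed control action
    return {"features": sorted(feats), "likelihood": p, "action": action}


# Constructed sample streams (TEST-NET addresses, fictitious paths).
MALICIOUS_EVENTS = [
    RawEvent("fs", "write", "/tmp/.x/payload", 1337),
    RawEvent("fs", "write", "/etc/cron.d/update", 1337),
    RawEvent("net", "connect", "203.0.113.7:8443", 1337),
    RawEvent("net", "dns", "example.com", 200),
    RawEvent("fs", "write", "/var/log/syslog", 400),
]
BENIGN_EVENTS = [
    RawEvent("fs", "write", "/home/alice/notes.txt", 500),
    RawEvent("net", "connect", "198.51.100.10:443", 500),
    RawEvent("net", "dns", "www.example.org", 500),
]

if __name__ == "__main__":
    for name, ev in (("malicious", MALICIOUS_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, analyze(ev))
```

Two points a practitioner would keep in mind. First, the value of the architecture is the vantage point: the events are taken at the monitor, so a guest-kernel rootkit that hides files and sockets from in-guest tools does not hide them here, which is what the claim's "insulated from anti-detection activity" refers to; the filter and scoring are ordinary detection engineering on top of that. Second, the scoring above treats features as conditionally independent and counts absent features as evidence, so the pattern database has to be re-estimated whenever the workload changes, or benign-but-unusual VMs will drift toward the threshold.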

  • 9 Assignments