Techniques for securely performing reputation based analysis using virtualization

US 8,484,739 B1
Filed: 12/15/2008
Issued: 07/09/2013
Est. Priority Date: 12/15/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for performing reputation based analysis comprising:

detecting a specified activity associated with a virtual client, wherein the activity includes at least one of;

spawning a process, analysis of a file, and file system activity, wherein detecting a specified activity comprises utilizing a network proxy of a virtualization platform to monitor one or more activities of a virtual client of the virtualization platform;

determining, using at least one computer processor, a reputation associated with the specified activity; and

performing an action associated with the determined reputation, wherein performing an action associated with the determined reputation comprises;

determining a score based on the determined reputation;

identifying a location of the determined score in at least one range; and

performing an action associated with the at least one range.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securely performing reputation based analysis using virtualization are disclosed. In one particular exemplary embodiment, the techniques may be realized as a computer implemented method for performing reputation based analysis comprising detecting a specified activity associated with a virtual client, determining a reputation associated with the specified activity, and performing an action associated with the determined reputation.

103 Citations

View as Search Results

18 Claims

1. A computer implemented method for performing reputation based analysis comprising:
- detecting a specified activity associated with a virtual client, wherein the activity includes at least one of;
  
  spawning a process, analysis of a file, and file system activity, wherein detecting a specified activity comprises utilizing a network proxy of a virtualization platform to monitor one or more activities of a virtual client of the virtualization platform;
  
  determining, using at least one computer processor, a reputation associated with the specified activity; and
  
  performing an action associated with the determined reputation, wherein performing an action associated with the determined reputation comprises;
  
  determining a score based on the determined reputation;
  
  identifying a location of the determined score in at least one range; and
  
  performing an action associated with the at least one range.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer implemented method of claim 1, further comprising:
    - performing one or more portions of the reputation based analysis using a process running in a portion secure from access of the virtual client.
  - 3. The computer implemented method of claim 2, wherein the secure portion comprises at least one of:
    - a secure partition, a flash drive, and secure persistent storage.
  - 4. The computer implemented method of claim 1, wherein the specified activity comprises at least one of:
    - downloading a portable executable file, downloading a specified file type, and accessing a specified network resource.
  - 5. The computer implemented method of claim 1, wherein determining a reputation associated with an activity further comprises:
    - generating a indicator uniquely associated with the specified activity; and
      
      comparing the indicator with stored reputation data.
  - 6. The computer implemented method of claim 5, wherein the stored reputation data comprises a network accessible data store.
  - 7. The computer implemented method of claim 5, wherein the comparison generates a reputation score.
  - 8. The computer implemented method of claim 5, wherein generating an indicator comprises running a hash function on data associated with the specified activity.
  - 9. The computer implemented method of claim 8, wherein the data associated with the specified activity comprises at least one of:
    - a file, a Uniform Resource Locator (URL), and a network address.
  - 10. The computer implemented method of claim 1, wherein performing an action associated with the determined reputation comprises at least one of:
    - prompting a user, blocking a file, quarantining a file, denying network access, preventing a virtual client process activity, suspending a virtual client process, terminating a virtual client process, and allowing the specified activity.
  - 11. The computer implemented method of claim 1, wherein detecting a specified activity associated with a virtual client comprises monitoring a file system driver of the virtualization platform.
  - 12. At least one non-transitory processor readable storage medium for storing a computer program of instructions configured to be readable by at least one processor for instructing the at least one processor to execute a computer process for performing the method as recited in claim 1.

13. An article of manufacture for performing reputation based analysis, the article of manufacture comprising:
- at least one non-transitory processor readable storage medium; and
  
  instructions carried on the at least one medium;
  
  wherein the instructions are configured to be readable from the at least one medium by at least one processor and thereby cause the at least one processor to operate so as to;
  
  detect a specified activity associated with a virtual client, wherein the activity includes at least one of;
  
  spawning a process, analysis of a file, and file system activity, wherein detecting a specified activity comprises utilizing a network proxy of a virtualization platform to monitor one or more activities of a virtual client of the virtualization platform;
  
  determine a reputation associated with the specified activity; and
  
  perform an action associated with the determined reputation, wherein performing an action associated with the determined reputation comprises;
  
  determining a score based on the determined reputation;
  
  identifying a location of the determined score in at least one range; and
  
  performing an action associated with the at least one range.

14. A system providing reputation based analysis comprising:
- one or more processors configured to;
  
  detect a specified activity associated with a virtual client, wherein the activity includes at least one of;
  
  spawning a process, analysis of a file, and file system activity, wherein the one or more processors are configured to detect the specified activity by utilizing a network proxy of a virtualization platform to monitor one or more activities of a virtual client of the virtualization platform;
  
  determine a reputation associated with the specified activity; and
  
  perform an action associated with the determined reputation, wherein performing an action associated with the determined reputation comprises;
  
  determining a score based on the determined reputation;
  
  identifying a location of the determined score in at least one range; and
  
  performing an action associated with the at least one range.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the one or more processors are further configured to:
    - perform one or more portions of the reputation based analysis using a process running in a secure portion of the virtualization platform.
  - 16. The system of claim 14, wherein the specified activity comprises at least one of:
    - downloading a portable executable file, downloading a specified file type, and accessing a specified network resource.
  - 17. The system of claim 14, wherein determining a reputation associated with an activity further comprises:
    - generating a indicator uniquely associated with the specified activity; and
      
      comparing the indicator with stored reputation data.
  - 18. The system of claim 14, wherein the one or more processors are configured to perform a specified action associated with the determined reputation by at least one of:
    - prompting a user, blocking a file, quarantining a file, denying network access, preventing a virtual client process activity, suspending a virtual client process, terminating a virtual client process, and allowing the specified activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Seshadri, Vijay Anand
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US12/334,844
Time in Patent Office

1,667 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3093   Configuration details there...

G06F 12/1416   by checking the object acce...

G06F 21/51   at application loading time...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

Techniques for securely performing reputation based analysis using virtualization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for securely performing reputation based analysis using virtualization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links