System and method for providing a virtualized secure data containment service with a networked environment
First Claim

1. A method of testing, in a computer network, potential malware, the method comprising the steps of:

establishing at least one Virtual Machine on a first computer coupled to the computer network and operating suspected malware on the at least one Virtual Machine;

coupling at least one second computer to the computer network and the first computer such that image display data from the at least one Virtual Machine on the first computer is transmitted from the first computer to the at least one second computer for image display on the second computer;

observing in the image display data from the at least one Virtual Machine on the first computer, from at least one second computer coupled to the computer network and the first computer, source code variables identifying attempts by the suspected malware operating on the at least one Virtual Machine to change Memory and Bridge configuration settings of the at least one Virtual Machine on the first computer to observe how the suspected malware hops memory to attempt access to a hard drive of a host operating system; and

locking down flexible memory and partition space of RAM of the at least one Virtual Machine to ensure that no shared memory or hard drive is accessed by the suspected malware running on the at least one Virtual Machine;

wherein the step of locking down flexible memory and partition space of RAM of the at least one Virtual Machine comprises the steps of:

modifying how the host operating system handles memory by lowering a sys control config file to 'zero' by setting the variable "vm.swappiness=zero" to instruct the host operating system not to swap processes out of RAM to hard disk; and

setting a variable Vm.overcommit_memory=1 to disallow the host operating system from overcommitting memory that it currently has installed, as a backup to the process swap to keep the host operating system from swapping from RAM to disk and therefore potentially writing viruses to disk.
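The lockdown step of claim 1 is, on a Linux host, a pair of sysctl settings. The script below is an added example written for this page, not code from the patent or from Cyberlock, and it assumes a Linux host with sysctl; the fragment path, the use of a sysctl.d file and the overcommit ratio are this example's own choices. Two caveats a practitioner should know: in the kernel's documented semantics vm.overcommit_memory=1 means "always overcommit", and the strict "never overcommit" mode the claim describes is 2, so the example renders mode 2; and vm.swappiness=0 only discourages swapping, it does not forbid it, so the script also reports whether any swap area is still active.

```shell
#!/bin/sh
# Added example (not part of the patent or of Cyberlock): render, load and verify the
# host-side sysctl lockdown that claim 1 describes. Assumes a Linux host; the fragment
# path and the overcommit ratio are this example's own choices.

SYSCTL_FRAGMENT="${SYSCTL_FRAGMENT:-/etc/sysctl.d/90-malware-sandbox.conf}"

# Render the fragment. Kernel semantics, from Documentation/admin-guide/sysctl/vm.rst:
#   vm.swappiness=0        discourages swapping anonymous pages; it does not forbid it.
#   vm.overcommit_memory   0 = heuristic, 1 = always overcommit, 2 = strict accounting.
# The claim pairs "=1" with "disallow overcommitting"; on Linux the strict mode is 2,
# so that is what this example renders. Under mode 2 the commit limit is
# swap + overcommit_ratio% of RAM, so with no swap the ratio is raised from the default 50.
render_sandbox_sysctl() {
    printf '%s\n' \
        '# malware-analysis host: keep guest memory in RAM, never on disk' \
        'vm.swappiness = 0' \
        'vm.overcommit_memory = 2' \
        'vm.overcommit_ratio = 100'
}

# Parse "key = value" for key $2 from a sysctl.conf-style file $1, ignoring comments;
# the last match wins, as sysctl -p itself behaves.
sysctl_value_from_conf() {
    awk -v k="$2" -F'=' '
        /^[[:space:]]*[#;]/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val); found = val }
        END { if (found != "") print found }
    ' "$1"
}

# Map a dotted sysctl key to its /proc/sys path (vm.swappiness -> /proc/sys/vm/swappiness).
sysctl_key_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Compare the live kernel value of key $1 with the expected value $2.
# Returns 0 on match, 1 on mismatch, 2 if the key does not exist on this host.
verify_running() {
    path=$(sysctl_key_to_path "$1")
    [ -r "$path" ] || { echo "no such sysctl: $1" >&2; return 2; }
    actual=$(cat "$path")
    [ "$actual" = "$2" ] && return 0
    echo "$1: want $2, have $actual" >&2
    return 1
}

# Number of active swap areas. Only 0 gives a hard guarantee that nothing is paged out;
# swappiness=0 alone still lets the kernel swap under memory pressure.
swap_areas_active() {
    [ -r /proc/swaps ] || { echo 0; return 0; }
    awk 'NR > 1 { n++ } END { print n + 0 }' /proc/swaps
}

# `sh lockdown.sh apply` (as root) writes the fragment, loads it and checks the result.
case "${1:-}" in
    apply)
        render_sandbox_sysctl > "$SYSCTL_FRAGMENT"
        sysctl -p "$SYSCTL_FRAGMENT"
        verify_running vm.swappiness 0
        verify_running vm.overcommit_memory 2
        [ "$(swap_areas_active)" = 0 ] || echo "warning: swap still active; run swapoff -a" >&2
        ;;
esac
```

Run it with `apply` as root on the analysis host; without an argument it only defines the functions, so it can be sourced by other tooling. If the goal really is that no guest page ever reaches the host disk, `swapoff -a` (and no swap entries in fstab) is the setting that guarantees it; the sysctl values only reduce the likelihood.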
Abstract
The present invention relates to a technique for debugging and testing potential viruses, trojans, and other malware programs. The present invention, named Cyberlock™, provides a technique to analyze malware programs on a network in a secure manner, which allows multiple users to access or monitor the analysis. In the present invention, a virtual machine (VM) may be run on a network, emulating the operation of a Windows, LINUX, or Apple operating system (or other O/S), and the malware or suspected malware may be executed on that virtual machine. The virtual machine is isolated on the network, but accessible to one or more users, in such a manner that the malware or suspected malware may be analyzed.
Claims (30 in total; the two independent claims are shown)

1. Set out in full above under First Claim. Dependent claims: 4 through 16 and 30.
2. A method of testing, in a computer network, potential malware, the method comprising the steps of:

establishing at least one Virtual Machine on a first computer coupled to the computer network and operating suspected malware on the at least one Virtual Machine;

coupling at least one second computer to the computer network and the first computer such that image display data from the at least one Virtual Machine on the first computer is transmitted from the first computer to the at least one second computer for image display on the second computer;

observing in the image display data from the at least one Virtual Machine on the first computer, from at least one second computer coupled to the computer network and the first computer, source code variables identifying attempts by the suspected malware operating on the at least one Virtual Machine to change Memory and Bridge configuration settings of the at least one Virtual Machine on the first computer to observe how the suspected malware hops memory to attempt access to a hard drive of a host operating system;

enabling an accurate aspect ratio and resolution of the image display on the at least one second computer, of the image display data from the at least one Virtual Machine, using a Virtual Network Computing (VNC) protocol within the at least one Virtual Machine; and

using a proxy to handle a secure socket layer (SSL) connection between the at least one Virtual Machine and the at least one second computer to run Perl scripts that call the at least one Virtual Machine.

Dependent claims: 3 and 17 through 29.
Specification