Micro-virtual machine forensics and detection
First Claim
1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring task behavior in a virtual machine, which when executed by one or more processors, causes:
executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
analyzing the action in relation to a set of heuristics;
based on the analysis, initiating a data collection process, wherein the data comprises information about events occurring in the first virtual machine, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
identifying a suspected file;
determining all files modified after the introduction of the suspected file;
determining what portion of the modified files comprise files of a first file type; and
if the portion of the modified files exceeds a predetermined threshold, then classifying the suspected file as malware.
Abstract
The execution of a process within a VM may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM. The trigger event may be analyzed in relation to a set of heuristics, and based on the analysis, a data collection process may be initiated wherein the data comprises information about events occurring in the first virtual machine.
90 Citations
24 Claims
Claims 2 through 23 depend on claim 1.
24. An apparatus, comprising:
one or more hardware processors; and
one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed by the one or more hardware processors, cause:
executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
analyzing the action in relation to a set of heuristics;
based on the analysis, initiating a data collection process, wherein the data comprises information about events occurring in the first virtual machine, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
identifying a suspected file;
determining all files modified after the introduction of the suspected file;
determining what portion of the modified files comprise files of a first file type; and
if the portion of the modified files exceeds a predetermined threshold, then classifying the suspected file as malware.
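The file-type-ratio heuristic recited in claims 1 and 24 (files modified after the suspected file appeared, the portion of them of one file type, a threshold) carried through in code, as an added illustration that is not the patent's or any product's implementation; the FileEvent record layout, the type labels, the sample events, the strict "greater than" reading of "exceeds" and the 1/2 default threshold are all assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable, Optional

@dataclass(frozen=True)
class FileEvent:
    """One file-modification record as an in-VM collector might report it (constructed schema)."""
    path: str
    mtime: float       # modification time, seconds since epoch
    file_type: str     # hypothetical type label, e.g. "document", "pe", "log"

def files_modified_after(events: Iterable[FileEvent], introduced_at: float) -> list:
    """Claim step: determine all files modified after the suspected file was introduced."""
    return [e for e in events if e.mtime > introduced_at]

def portion_of_type(modified: list, file_type: str) -> Optional[Fraction]:
    """Claim step: what portion of the modified files are of the first file type.
    Returns None when nothing was modified, so callers never divide by zero."""
    if not modified:
        return None
    hits = sum(1 for e in modified if e.file_type == file_type)
    return Fraction(hits, len(modified))

def classify(events, introduced_at: float, file_type: str, threshold=Fraction(1, 2)) -> str:
    """Claim step: 'exceeds a predetermined threshold' is read here as strictly greater."""
    portion = portion_of_type(files_modified_after(events, introduced_at), file_type)
    if portion is None:
        return "undetermined"   # no post-introduction writes yet; keep collecting
    return "malware" if portion > threshold else "not-flagged"

# Constructed sample: the suspect is dropped at t=100 inside the task's own VM.
SAMPLE_EVENTS = [
    FileEvent("C:/Users/a/Downloads/invoice.exe", 100.0, "pe"),      # the suspected file itself
    FileEvent("C:/Users/a/Documents/q1.docx", 101.5, "document"),
    FileEvent("C:/Users/a/Documents/q2.xlsx", 101.7, "document"),
    FileEvent("C:/Users/a/Documents/notes.pdf", 102.0, "document"),
    FileEvent("C:/Windows/Temp/installer.log", 102.3, "log"),
    FileEvent("C:/Users/a/Documents/old.txt", 95.0, "document"),     # before introduction; ignored
]

def demo() -> dict:
    after = files_modified_after(SAMPLE_EVENTS, 100.0)
    return {
        "modified_count": len(after),
        "portion": portion_of_type(after, "document"),
        "verdict": classify(SAMPLE_EVENTS, 100.0, "document"),
        "no_writes": classify(SAMPLE_EVENTS, 200.0, "document"),
    }

if __name__ == "__main__":
    print(demo())
```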