Process evaluation for malware detection in virtual machines
Abstract
Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. An anti-malware component executes within a virtual machine (VM) exposed by a hypervisor executing on the computer system. A memory introspection engine executes outside the virtual machine, at the processor privilege level of the hypervisor, and protects a process executing within the virtual machine by write-protecting a memory page of the respective process. By combining anti-malware components executing inside and outside the respective VM, some embodiments of the present invention may use the abundance of behavioral data that inside-VM components have access to, while protecting the integrity of such components from outside the respective VM.
20 Claims
1. A host system comprising at least one hardware processor configured to execute:
a hypervisor configured to expose a virtual machine;
a process evaluator executing within the virtual machine;
a memory introspection engine executing outside the virtual machine; and
a process-scoring module, wherein:
the process evaluator is configured to:
determine whether an evaluated process executing within the virtual machine performs an action and in response, when the evaluated process performs the action, transmit a first process evaluation indicator to the process-scoring module, the first process evaluation indicator determined for the evaluated process;
the memory introspection engine is configured to:
intercept a call to an operating system function, to detect a launch of a protected process executing within the virtual machine, wherein the operating system function is configured to add the protected process to a list of processes executing within the virtual machine, and in response to detecting the launch, determine whether the evaluated process attempts to modify a memory page of the protected process, and in response, when the evaluated process attempts to modify the memory page, transmit a second process evaluation indicator to the process-scoring module, the second process evaluation indicator determined for the evaluated process; and
the process-scoring module is configured to:
receive a first weight and a second weight from a security server configured to perform anti-malware transactions with a plurality of computer systems including the host system, receive the first and second process evaluation indicators, and in response, determine whether the evaluated process is malicious according to the first and second process evaluation indicators, wherein determining whether the evaluated process is malicious comprises determining a weighted sum of a first score and a second score, the first weight multiplying the first score in the weighted sum, and the second weight multiplying the second score in the weighted sum, wherein the first and second scores are determined according to the first and second process evaluation indicators, respectively.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory computer-readable medium encoding instructions which, when executed on a host system comprising at least one processor, cause the host system to form:
a hypervisor configured to expose a virtual machine;
a process evaluator executing within the virtual machine;
a memory introspection engine executing outside the virtual machine; and
a process-scoring module, wherein:
the process evaluator is configured to:
determine whether an evaluated process executing within the virtual machine performs an action, and in response, when the evaluated process performs the action, transmit a first process evaluation indicator to the process-scoring module, the first process evaluation indicator determined for the evaluated process;
the memory introspection engine is configured to:
intercept a call to an operating system function, to detect a launch of a protected process executing within the virtual machine, wherein the operating system function executes within the virtual machine and is configured to add the protected process to a list of processes executing within the virtual machine, and in response to detecting the launch, determine whether the evaluated process attempts to modify a memory page of the protected process, and in response, when the evaluated process attempts to modify the memory page, transmit a second process evaluation indicator to the process-scoring module, the second process evaluation indicator determined for the evaluated process; and
the process-scoring module is configured to:
receive a first weight and a second weight from a security server configured to perform anti-malware transactions with a plurality of computer systems including the host system, receive the first and second process evaluation indicators, and in response, determine whether the evaluated process is malicious according to the first and second process evaluation indicators, wherein determining whether the evaluated process is malicious comprises determining a weighted sum of a first score and a second score, the first weight multiplying the first score in the weighted sum, and the second weight multiplying the second score in the weighted sum, wherein the first and second scores are determined according to the first and second process evaluation indicators, respectively.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A method comprising:
employing at least one hardware processor of a host system to receive a first weight and a second weight from a security server configured to perform anti-malware transactions with a plurality of computer systems including the host system;
employing the at least one hardware processor to receive a first process evaluation indicator determined for an evaluated process, the evaluated process executing within a virtual machine exposed by a hypervisor executing on the host system, wherein determining the first process evaluation indicator comprises employing a process evaluator executing within the virtual machine to determine whether the evaluated process performs a first action;
employing the at least one hardware processor to receive a second process evaluation indicator determined for the evaluated process, wherein determining the second process evaluation indicator comprises employing a memory introspection engine executing outside the virtual machine to determine whether the evaluated process performs a second action; and
in response to receiving the first and second process evaluation indicators, employing the at least one hardware processor to determine whether the evaluated process is malicious according to the first and second process evaluation indicators, wherein determining whether the evaluated process is malicious comprises determining a weighted sum of a first score and a second score, the first weight multiplying the first score in the weighted sum, and the second weight multiplying the second score in the weighted sum, wherein the first and second scores are determined according to the first and second process evaluation indicators, respectively.
20. A method comprising:
employing at least one hardware processor of a host system to receive a first weight and a second weight from a security server configured to perform anti-malware transactions with a plurality of computer systems including the host system;
employing the at least one hardware processor to execute a memory introspection engine, the memory introspection engine executing outside a virtual machine exposed by a hypervisor executing on the host system, wherein executing the memory introspection engine comprises detecting a launch of a process executing within the virtual machine;
in response to the memory introspection engine detecting the launch of the process, employing the at least one hardware processor to determine a first and a second process evaluation indicators of the process; and
in response to determining the first and second evaluation indicators, employing the at least one hardware processor to determine whether the process is malicious according to the first and second process evaluation indicators, wherein determining whether the evaluated process is malicious comprises determining a weighted sum of a first score and a second score, the first weight multiplying the first score in the weighted sum, and the second weight multiplying the second score in the weighted sum, wherein the first and second scores are determined according to the first and second process evaluation indicators, respectively.
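The scoring arrangement recited in claims 1, 10, 19 and 20, as an added Python model that is not code from the patent or its assignee: an out-of-VM introspection engine that records a protected process's pages when its launch is intercepted and reports a write to one of those pages by a different process, and a scoring module that receives the in-VM and out-of-VM indicators, applies the two server-supplied weights, and compares the weighted sum to a threshold. Class and method names, the 0/1 per-indicator scores, the weight values, the threshold and the page addresses are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    source: str  # "process_evaluator" (in-VM) or "introspection_engine" (out-of-VM)
    kind: str    # what was observed
    pid: int     # the evaluated process the indicator was determined for

class IntrospectionEngine:
    """Out-of-VM component (hypothetical model): learns a protected process's pages."""
    def __init__(self):
        self.protected = {}  # page address -> pid owning the write-protected page
    def on_process_launch(self, pid, pages, protect):
        # Called when the OS function that adds the process to the process list is intercepted.
        if protect:
            for page in pages:
                self.protected[page] = pid
    def on_write(self, writer_pid, page):
        # A write to a protected page traps below the VM; only a write by a
        # process other than the page's owner yields the second indicator.
        owner = self.protected.get(page)
        if owner is None or owner == writer_pid:
            return None
        return Indicator("introspection_engine", "protected_page_write", writer_pid)

class ProcessScorer:
    """Process-scoring module; the weights are those received from the security server."""
    def __init__(self, first_weight, second_weight, threshold):
        self.w1, self.w2, self.threshold = first_weight, second_weight, threshold
        self.indicators = {}  # pid -> list of Indicator
    def receive(self, ind):
        if ind is not None:
            self.indicators.setdefault(ind.pid, []).append(ind)
    def scores(self, pid):
        inds = self.indicators.get(pid, [])
        first = 1.0 if any(i.source == "process_evaluator" for i in inds) else 0.0
        second = 1.0 if any(i.source == "introspection_engine" for i in inds) else 0.0
        return first, second
    def weighted_sum(self, pid):
        s1, s2 = self.scores(pid)
        return self.w1 * s1 + self.w2 * s2
    def is_malicious(self, pid):
        return self.weighted_sum(pid) >= self.threshold

def demo():
    # Constructed scenario: weights 0.4 and 0.7 stand in for values from the security server.
    engine, scorer = IntrospectionEngine(), ProcessScorer(0.4, 0.7, 1.0)
    engine.on_process_launch(100, [0x7F000, 0x7F001], protect=True)  # launch of protected pid 100
    scorer.receive(Indicator("process_evaluator", "suspicious_action", 200))  # in-VM evaluator
    scorer.receive(engine.on_write(200, 0x7F000))  # pid 200 writes a protected page: indicator
    scorer.receive(engine.on_write(100, 0x7F001))  # owner writing its own page: no indicator
    return scorer.is_malicious(200), scorer.is_malicious(100)
```

With either indicator alone the weighted sum stays below the threshold in this scenario, so the verdict needs both the in-VM observation and the out-of-VM page-write detection.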
Specification