Optimized resource allocation for virtual machines within a malware content detection system
Abstract
According to one embodiment, a computerized method comprises operations of instantiating a first virtual machine instance and a second virtual machine instance to run concurrently with the first virtual machine instance. The first virtual machine instance provides a first virtual operating environment while the second virtual machine instance is adapted to share the resources allocated to the first virtual machine instance. The second virtual machine instance is further adapted to allocate additional resources upon conducting a Copy-On Write operation.
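An added illustration of the sharing scheme the abstract describes, not code from the patent or its assignee: a toy controller reuses the resources of a running instance with the same software profile and allocates a private page only when a clone writes. The class names, the profile string and the page contents are assumptions constructed for this example.

```python
class VMInstance:
    """A clone that reads shared pages and copies a page on its first write."""

    def __init__(self, profile, shared_pages):
        self.profile = profile
        self.shared = shared_pages   # tuple of bytes: first resources, never altered
        self.private = {}            # page index -> bytearray owned by this clone only

    def read(self, page):
        return bytes(self.private.get(page, self.shared[page]))

    def write(self, page, offset, data):
        # Copy-on-write: the first write to a page allocates a private copy.
        if page not in self.private:
            self.private[page] = bytearray(self.shared[page])
        self.private[page][offset:offset + len(data)] = data


class Controller:
    """Tracks which software profiles already have a running instance."""

    def __init__(self, images):
        self.images = images         # profile name -> list of clean page contents
        self.running = {}            # profile name -> shared pages of live instance
        self.instances = []

    def instantiate(self, profile):
        shared = self.running.get(profile)
        if shared is None:           # nothing running with this profile: allocate
            shared = tuple(bytes(p) for p in self.images[profile])
            self.running[profile] = shared
        vm = VMInstance(profile, shared)
        self.instances.append(vm)
        return vm

    def pages_allocated(self):
        shared = sum(len(pages) for pages in self.running.values())
        return shared + sum(len(vm.private) for vm in self.instances)


def demo():
    # Constructed profile name and page contents.
    ctl = Controller({"win7-sp1/office2010": [b"KERNEL__", b"REGISTRY", b"DOCS____"]})
    vm1 = ctl.instantiate("win7-sp1/office2010")
    vm2 = ctl.instantiate("win7-sp1/office2010")
    vm2.write(1, 0, b"TAMPERED")     # the sample in vm2 modifies guest state
    return ctl, vm1, vm2
```

Two instances of the same profile cost four pages here instead of six, and the write made inside one analysis is invisible to the other.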
35 Claims
1. A computerized method for determining whether incoming content includes malware, comprising:
- determining software profile information associated with the incoming content;
- determining a first virtual machine instance operating with a first software profile that corresponds to the software profile information is currently running; and
- instantiating a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content, wherein responsive to determining the first virtual machine instance is currently running and operating with the first software profile, the second virtual machine instance being provided access to first resources allocated for use by the first virtual machine instance; and
- responsive to an attempt by the second virtual machine instance to perform an operation that would alter the first resources, allocating second resources exclusively accessible by the second virtual machine instance.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A computerized method for determining whether incoming content includes malware, comprising:
- determining software profile information associated with the incoming content;
- instantiating a first set of virtual machine instances to conduct malware analysis on the incoming content, each virtual machine instance of the first set of virtual machine instances being placed into a first virtual operating state with shared access to a first resource;
- instantiating a second set of virtual machine instances to conduct malware analysis on the incoming content, each virtual machine instance of the second set of virtual machine instances being placed into a second virtual operating state with access to a second resource different from the first resource; and
- responsive to an attempt by a first virtual machine instance of the second set of virtual machine instances to perform an operation that would alter the second resource, allocating a third resource exclusively accessible by the first virtual machine instance of the second set of virtual machine instances, the third resource different from the first resource and the second resource.
Dependent claims: 16, 17, 18, 19, 20, 21, 22

23. An electronic device for conducting an analysis for malware, comprising:
- a network port adapted to receive incoming content; and
- a controller coupled to the network port, the controller to;
  (i) determine software profile information associated with the incoming content,
  (ii) determine whether a first virtual machine instance operating with a first software profile that corresponds to the software profile information is currently running, the first virtual machine instance being allocated first resources to provide a first virtual execution environment at a prescribed virtual operating state,
  (iii) instantiate a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content, wherein responsive to determining the first virtual machine instance is currently running and operating with the first software profile, the second virtual machine instance being provided access to the first resources, and
  (iv) responsive to an attempt by the second virtual machine instance to perform an operation that would alter the first resources, allocating second resources exclusively accessible by the second virtual machine instance.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32

33. A malware content detection system for conducting an analysis for malware, comprising:
- a network port adapted to receive incoming content; and
- a controller coupled to the network port, the controller to
  (i) determine software profile information associated with the incoming content,
  (ii) instantiate a first virtual machine instance that is based on a first software profile corresponding to the software profile information being placed into an initial virtual operating state with access to a first resource allocated to be shared with other virtual machine instances that are based on the first software profile in order to conduct malware analysis on incoming content, and
  (iii) responsive to an attempt by the first virtual machine instance to perform an operation that would alter the first resource, allocate access to a second resource different from the first resource and exclusively accessible by the first virtual machine instance.
Dependent claims: 34, 35

Specification