Optimized resource allocation for virtual machines within a malware content detection system

US 9,495,180 B2
Filed: 05/10/2013
Issued: 11/15/2016
Est. Priority Date: 05/10/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method for determining whether incoming content includes malware, comprising:

determining software profile information associated with the incoming content;

determining a first virtual machine instance operating with a first software profile that corresponds to the software profile information is currently running; and

instantiating a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content, wherein responsive to determining the first virtual machine instance is currently running and operating with the first software profile, the second virtual machine instance being provided access to first resources allocated for use by the first virtual machine instance; and

responsive to an attempt by the second virtual machine instance to perform an operation that would alter the first resources, allocating second resources exclusively accessible by the second virtual machine instance.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises operations of instantiating a first virtual machine instance and a second virtual machine instance to run concurrently with the first virtual machine instance. The first virtual machine instance provides a first virtual operating environment while the second virtual machine instance is adapted to share the resources allocated to the first virtual machine instance. The second virtual machine instance is further adapted to allocate additional resources upon conducting a Copy-On Write operation.

660 Citations

35 Claims

1. A computerized method for determining whether incoming content includes malware, comprising:
- determining software profile information associated with the incoming content;
  
  determining a first virtual machine instance operating with a first software profile that corresponds to the software profile information is currently running; and
  
  instantiating a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content, wherein responsive to determining the first virtual machine instance is currently running and operating with the first software profile, the second virtual machine instance being provided access to first resources allocated for use by the first virtual machine instance; and
  
  responsive to an attempt by the second virtual machine instance to perform an operation that would alter the first resources, allocating second resources exclusively accessible by the second virtual machine instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computerized method of claim 1, wherein the attempt to perform an operation that would alter the first resources includes conducting a Copy-On Write operation.
  - 3. The computerized method of claim 1, wherein the second virtual machine instance operating concurrently with the first virtual machine instance.
  - 4. The computerized method of claim 1, wherein the first software profile comprises a type of operating system corresponding to an operating system identified in the software profile information.
  - 5. The computerized method of claim 4, wherein the first software profile further comprises one or more applications being executed by the first virtual machine instance that are identified in the software profile information.
  - 6. The computerized method of claim 1 further comprising:
    - instantiating a third virtual machine instance that is based on a second software profile different from the first software profile, the third virtual machine instance being allocated resources that are not shared by the first virtual machine instance and the second virtual machine instance.
  - 7. The computerized method of claim 1, further comprising:
    - after instantiation of a plurality of virtual machine instances including the first virtual machine instance and the second virtual machine instances, determining whether instantiation of a third virtual machine instance would exceed a threshold, the threshold representing a predetermined number of concurrently operating virtual machine instances; and
      
      instantiating the third virtual machine instance if a sum of the plurality of virtual machine instances does not exceed the threshold; and
      
      refraining from instantiating the third virtual machine instance if the sum of the plurality of virtual machine instances exceeds the threshold.
  - 8. The computerized method of claim 7, wherein the threshold is equal to a first value when a first prescribed number of the plurality of virtual machine instances are virtual machine clones being virtual machine instances operating in an initial operating state upon creation.
  - 9. The computerized method of claim 8, wherein the threshold is equal to a second value that is less than the first value when a second prescribed number of the plurality of virtual machine instances are virtual machine clones, the second prescribed number being less than the first prescribed number.
  - 10. The computerized method of claim 8, wherein the resources include one or more memory pages within a system memory implemented within an electronic device.
  - 11. The computerized method of claim 8, wherein the first software profile identifying the same version of an operating system and a different version of a particular application as the second software profile.
  - 12. The computerized method of claim 8, wherein the first software profile identifies a first type of operating system and a first version of the first type of the operating system while the second software profile identifies the first type of operating system and a second version of the first type of the operating system, wherein the first version is different from the second version.
  - 13. The computerized method of claim 1, wherein altering the resources allocated for use by the first virtual machine instance includes changing data within one or more memory pages of the first resources.
  - 14. The computerized method of claim 1, wherein the first resources include one or more of system memory or virtual disk space.

15. A computerized method for determining whether incoming content includes malware, comprising:
- determining software profile information associated with the incoming content;
  
  instantiating a first set of virtual machine instances to conduct malware analysis on the incoming content, each virtual machine instance of the first set of virtual machine instances being placed into a first virtual operating state with shared access to a first resource;
  
  instantiating a second set of virtual machine instances to conduct malware analysis on the incoming content, each virtual machine instance of the second set of virtual machine instances being placed into a second virtual operating state with access to a second resource different from the first resource; and
  
  responsive to an attempt by a first virtual machine instance of the second set of virtual machine instances to perform an operation that would alter the second resource, allocating a third resource exclusively accessible by the first virtual machine instance of the second set of virtual machine instances, the third resource different from the first resource and the second resource.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The computerized method of claim 15, wherein the first set of virtual machine instances comprises two or more virtual machine instances each based on a first software profile.
  - 17. The computerized method of claim 16, wherein the first software profile comprises a particular type of operating system.
  - 18. The computerized method of claim 17, wherein the second set of virtual machine instances comprises one or more virtual machine instances based on a second software profile.
  - 19. The computerized method of claim 17, wherein the attempt to perform an operation that would alter the second includes conducting a Copy-On Write operation.
  - 20. The computerized method of claim 19, wherein the third resource comprises one or more areas of data storage different from the first resource and the second resource.
  - 21. The computerized method of claim 15, wherein altering the first resource includes changing data within one or more memory pages of the first resource.
  - 22. The computerized method of claim 15, wherein the first resource includes one or more of system memory or virtual disk space.

23. An electronic device for conducting an analysis for malware, comprising:
- a network port adapted to receive incoming content; and
  
  a controller coupled to the network port, the controller to;
  
  (i) determine software profile information associated with the incoming content,(ii) determine whether a first virtual machine instance operating with a first software profile that corresponds to the software profile information is currently running, the first virtual machine instance being allocated first resources to provide a first virtual execution environment at a prescribed virtual operating state,(iii) instantiate a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content, wherein responsive to determining the first virtual machine instance is currently running and operating with the first software profile, the second virtual machine instance being provided access to the first resources, and(iv) responsive to an attempt by the second virtual machine instance to perform an operation that would alter the first resources, allocating second resources exclusively accessible by the second virtual machine instance.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The electronic device of claim 23, wherein the controller is configured to allocate the second resources exclusively accessible by the second virtual machine instance in response to the second virtual machine instance conducting a Copy-On Write operation.
  - 25. The electronic device of claim 23, wherein the second virtual machine instance operating concurrently with the first virtual machine instance.
  - 26. The electronic device of claim 23, wherein the first software profile comprises a type of operating system corresponding to an operating system identified in the software profile information and one or more applications being executed by the second virtual machine instance that are identified in the software profile information.
  - 27. The electronic device of claim 23, wherein the controller is further configured to instantiate a third virtual machine instance that is based on a second software profile different from the first software profile, the third virtual machine instance being allocated resources that are not shared by the first virtual machine instance and the second virtual machine instance.
  - 28. The electronic device of claim 23, wherein the controller is further configured, after instantiation of a plurality of virtual machine instances including the first virtual machine instance and the second virtual machine instances, to (i) determine whether instantiation of a third virtual machine instance would exceed a threshold, the threshold representing a predetermined number of concurrently operating virtual machine instances, and (ii) instantiating the third virtual machine instance if a sum of the plurality of virtual machine instances does not exceed the threshold or refraining from instantiating the third virtual machine instance if the sum of the plurality of virtual machine instances exceeds the threshold.
  - 29. The electronic device of claim 28, wherein the threshold is equal to a first value when a first prescribed number of the plurality of virtual machine instances are virtual machine clones being virtual machine instances operating in an initial operating state upon creation.
  - 30. The electronic device of claim 29, wherein the threshold is equal to a second value that is less than the first value when a second prescribed number of the plurality of virtual machine instances are virtual machine clones, the second prescribed number being less than the first prescribed number.
  - 31. The electronic device of claim 23, wherein altering the first resources includes changing data within one or more memory pages of the first resource.
  - 32. The electronic device of claim 23, wherein the first resources include one or more of system memory or virtual disk space.

33. A malware content detection system for conducting an analysis for malware, comprising:
- a network port adapted to receive incoming content; and
  
  a controller coupled to the network port, the controller to (i) determine software profile information associated with the incoming content, (ii) instantiate a first virtual machine instance that is based on a first software profile corresponding to the software profile information being placed into an initial virtual operating state with access to a first resource allocated to be shared with other virtual machine instances that are based on the first software profile in order to conduct malware analysis on incoming content, and (iii) responsive to an attempt by the first virtual machine instance to perform an operation that would alter the first resource, allocate access to a second resource different from the first resource and exclusively accessible by the first virtual machine instance.
- View Dependent Claims (34, 35)
- - 34. The malware detection system of claim 33, wherein altering the first resources includes changing data within one or more memory pages of the first resource.
  - 35. The malware detection system of claim 33, wherein the first resources include one or more of system memory or virtual disk space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul
Primary Examiner(s)
LIN, KENNY S

Application Number

US13/892,193
Publication Number

US 20140337836A1
Time in Patent Office

1,285 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 3/0604   Improving or facilitating a...

G06F 3/0631   by allocating resources to ...

G06F 3/067   Distributed or networked st...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5011   the resources being hardwar...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Optimized resource allocation for virtual machines within a malware content detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

660 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Optimized resource allocation for virtual machines within a malware content detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

660 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links