Micro-virtual machine forensics and detection

US 9,501,310 B2
Filed: 12/28/2015
Issued: 11/22/2016
Est. Priority Date: 07/03/2012
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:

identifying an action performed by a process executing within an isolated environment, wherein identifying comprises;

monitoring a list of processes to determine when a new process is initiated within the isolated environment,monitoring events associated with a guest operating system executing within said isolated environment, andmonitoring events associated with said isolated environment, wherein said events includes attempts to modify page tables and attempts to access CPU registers;

determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process;

upon determining that that the process deviates from the expected behavior, initiating monitoring activity of the process by storing behavior data that describes the actual behavior of the process during execution; and

determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The execution of a process within a VM may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM.

49 Citations

26 Claims

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
- identifying an action performed by a process executing within an isolated environment, wherein identifying comprises;
  
  monitoring a list of processes to determine when a new process is initiated within the isolated environment,monitoring events associated with a guest operating system executing within said isolated environment, andmonitoring events associated with said isolated environment, wherein said events includes attempts to modify page tables and attempts to access CPU registers;
  
  determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process;
  
  upon determining that that the process deviates from the expected behavior, initiating monitoring activity of the process by storing behavior data that describes the actual behavior of the process during execution; and
  
  determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory one or more computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - identifying the isolated environment in which the compromised process is executing as compromised.
  - 3. The non-transitory one or more computer-readable storage mediums of claim 1, wherein storing data related to the process comprises creating a snapshot of the isolated environment in which the compromised process is executing.
  - 4. The non-transitory one or more computer-readable storage mediums of claim 3, wherein the snapshot comprises code, which when executed, caused the process to become compromised.
  - 5. The non-transitory one or more computer-readable storage mediums of claim 1, wherein the process comprises a web browsing session.
  - 6. The non-transitory one or more computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - in response to determining whether the process has been compromised, isolating a portion of the isolated environment in which said process is executing; and
      
      persisting and moving said isolated portion of the isolated environment to a different location.
  - 7. The non-transitory one or more computer-readable storage mediums of claim 1, wherein said behavior data comprises memory contents of said isolated environment and a copy of executable code corresponding to said process.
  - 8. The non-transitory one or more computer-readable storage mediums of claim 1, wherein said behavior data identifies a version number of software residing in said isolated environment.
  - 9. The non-transitory one or more computer-readable storage mediums of claim 1, wherein said behavior data comprises any dll files loaded by said process.
  - 10. The non-transitory one or more computer-readable storage mediums of claim 1, wherein the deviation from expected behavior comprises writing to the master boot record of the isolated environment.
  - 11. The non-transitory one or more computer-readable storage mediums of claim 1, wherein analyzing the data to determine whether the process has been compromised comprises:
    - storing data comprising known behavior of a plurality of processes;
      
      comparing the data related to the process to the data comprising known behavior of a plurality of processes; and
      
      based on the comparison, identifying whether the data related to the process matches a portion of the data comprising known behavior of a plurality of processes.
  - 12. The non-transitory one or more computer-readable storage mediums of claim 1, wherein storing data related to the process comprises storing data identifying the differences between at least one state of the isolated environment at particular points of time.
  - 13. The non-transitory one or more computer-readable storage mediums of claim 12, wherein the data identifying the differences between the state of isolated environment at particular points of time includes all changes that have occurred within the isolated environment over a particular duration.

14. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
- executing a process in an isolated environment;
  
  identifying an action performed by said process executing within said isolated environment, wherein identifying comprises;
  
  monitoring a list of processes to determine when a new process is initiated,monitoring events associated with a guest operating system executing within said isolated environment, andmonitoring events associated with said isolated environment, wherein said events includes attempts to modify page tables and attempts to access CPU registers;
  
  collecting data related to events occurring in the isolated environment, wherein the data collection is in response to a determination that a process has deviated from expected behavior; and
  
  generating graphical nodes in a visual display, where the nodes represent the events occurring in the isolated environment.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The non-transitory one or more computer-readable storage mediums of claim 14, wherein the data comprises volatile and non-volatile information about the isolated environment.
  - 16. The non-transitory one or more computer-readable storage mediums of claim 14, wherein the data comprises the time at which a particular event occurred.
  - 17. The non-transitory one or more computer-readable storage mediums of claim 14, wherein the graphical nodes are correlated by time.
  - 18. The non-transitory one or more computer-readable storage mediums of claim 14, wherein the generation of the graphical nodes occurs in real-time.
  - 19. The non-transitory one or more computer-readable storage mediums of claim 14, wherein the generation of the graphical nodes occurs subsequent to, and asynchronously from, the events represents the graphical nodes.
  - 20. The non-transitory one or more computer-readable storage mediums of claim 14, wherein the graphical nodes display information about the event represented by the node.
  - 21. The non-transitory one or more computer-readable storage mediums of claim 14, wherein execution of the one or more sequences of instructions further cause:
    - classifying a particular event with a level of severity by comparing the particular event to a database of known events.
  - 22. The non-transitory one or more computer-readable storage mediums of claim 14, wherein the graphical nodes are visually differentiated based on a level of severity.
  - 23. The non-transitory one or more computer-readable storage mediums of claim 14, wherein execution of the one or more sequences of instructions further cause:
    - creating an association between a plurality of the graphical nodes, wherein the association is determined by comparing the sequence of events represented by the plurality of graphical nodes to a database of known events.
  - 24. The non-transitory one or more computer-readable storage mediums of claim 23, wherein the association between a plurality of the graphical nodes is visually indicated.
  - 25. The non-transitory one or more computer-readable storage mediums of claim 24, wherein the visual indication comprises a stack of layered graphical nodes.
  - 26. The non-transitory one or more computer-readable storage mediums of claim 24, wherein the visual indication comprises displaying the plurality of graphical nodes as a group of graphical nodes which when selected, visually expands to display the individual graphical nodes comprising the group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Kashyap, Rahul C., Navaraj, J. McEnroe Samuel, Singh, Baibhav, Passi, Arun, Wojtczuk, Rafal
Primary Examiner(s)
KIM, TAE K

Application Number

US14/981,514
Publication Number

US 20160132351A1
Time in Patent Office

330 Days
Field of Search

726 22- 25, 713/189, 713/193, 713/194
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

Micro-virtual machine forensics and detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Micro-virtual machine forensics and detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others