Malicious content analysis with multi-version application support within single operating environment
Abstract
Techniques for efficient and effective malicious content detection in plural versions of a software application are described herein. According to one embodiment, multiple versions of a software application are installed concurrently within a virtual machine (VM) executed within a data processing system. For each of the versions of the software application, a corresponding one of the versions is invoked to access a malicious content suspect within the VM without switching to another VM. The behaviors of each of the versions of the software application in response to the malicious content suspect are monitored to detect anomalous behavior indicative of malicious content in the malicious content suspect during execution of any of the versions of the software application. The detected anomalous behaviors, and, associated therewith, a version number corresponding to each of the versions of the software application whose execution resulted in the anomalous behavior, are stored. An alert with respect to any indicated malicious content is issued.
49 Claims

1. A computer-implemented method for detecting malicious content, the method comprising:

installing a plurality of versions of a software application concurrently within a virtual machine by at least registering each of the plurality of versions of the software application with an operating system of the virtual machine under different identifiers, each of the plurality of versions of the software application being different from each other;

selecting, by logic within a virtual machine monitor being executed by a processor of a data processing system, a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine that is executed within the data processing system;

processing one or more software application versions of the subset of the plurality of versions of the software application to access a malicious content suspect within the virtual machine, without switching to another virtual machine;

monitoring, by a monitoring module, behaviors of the malicious content suspect during processing by one or more software application versions of the subset of the plurality of versions of the software application to detect behaviors associated with a malicious attack;

storing information associated with the detected behaviors that are associated with a malicious attack; and

issuing an alert with respect to any detected malicious content.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 24, 25, 26, 27, 28, 29, 30, 31, 32

9. A non-transitory machine-readable medium storing instructions, which when executed by a processor, cause the processor to perform operations comprising:

installing a plurality of versions of a software application concurrently within a virtual machine by at least registering each of the plurality of versions of the software application with an operating system of the virtual machine under different identifiers, each of the plurality of versions of the software application being different from each other;

selecting, by logic within a virtual machine monitor operating on a processor of a data processing system, a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine that is executed within the data processing system;

for one or more software application versions of the subset of the plurality of versions of the software application, processing the corresponding software application version to access a malicious content suspect within the virtual machine without switching to another virtual machine;

monitoring behaviors of the malicious content suspect during execution by the one or more software application versions of the subset of the plurality of versions of the software application to detect behaviors associated with a malicious attack during execution of any of the one or more software application versions;

storing information associated with the detected behaviors that are associated with a malicious attack; and

issuing an alert with respect to any indicated malicious content, the alert comprises an identifier of the software application version with the detected behaviors.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 33, 34, 35, 36, 37, 38, 39, 40, 41

17. A malicious content detection system, comprising:

a processor; and

a memory coupled to the processor, the memory to store instructions, including instructions that, when executed, cause the processor to install a plurality of versions of a software application concurrently within a virtual machine by at least registering each of the plurality of versions of the software application with an operating system of the virtual machine under different identifiers, each of the plurality of versions of the software application being different from each other, select, by logic within a virtual machine monitor, a subset of the plurality of versions of the software application that are concurrently installed within a virtual machine that is executed within the malicious content detection system, process one or more software application versions of the subset of the plurality of versions of the software application to access a malicious content suspect within the virtual machine, without switching to another virtual machine, monitor behaviors of the malicious content suspect during processing by each software application version of the subset of the plurality of versions of the software application in response to the malicious content suspect to detect a behavior associated with a malicious attack, store information associated with the detected behavior associated with a malicious attack, and issue an alert with respect to any detected malicious content.

Dependent claims: 18, 19, 20, 21, 22, 23, 42, 43, 44, 45, 46, 47, 48, 49