Malicious content analysis with multi-version application support within single operating environment

US 9,626,509 B1
Filed: 03/13/2013
Issued: 04/18/2017
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious content, the method comprising:

installing a plurality of versions of a software application concurrently within a virtual machine by at least registering each of the plurality of versions of the software application with an operating system of the virtual machine under different identifiers, each of the plurality of versions of the software application being different from each other;

selecting, by logic within a virtual machine monitor being executed by a processor of a data processing system, a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine that is executed within the data processing system;

processing one or more software application versions of the subset of the plurality of versions of the software application to access a malicious content suspect within the virtual machine, without switching to another virtual machine;

monitoring, by a monitoring module, behaviors of the malicious content suspect during processing by one or more software application versions of the subset of the plurality of versions of the software application to detect behaviors associated with a malicious attack;

storing information associated with the detected behaviors that are associated with a malicious attack; and

issuing an alert with respect to any detected malicious content.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for efficient and effective malicious content detection in plural versions of a software application are described herein. According to one embodiment, multiple versions of a software application are concurrently within a virtual machine (VM) executed within a data processing system. For each of the versions of the software application, a corresponding one of the versions is invoked to access a malicious content suspect within the VM without switching to another VM. The behaviors of each of the versions of the software application in response to the malicious content suspect is monitored to detect anomalous behavior indicative of malicious content in the malicious content suspect during execution of any of the versions of the software application. The detected anomalous behaviors, and, associated therewith, a version number corresponding to each of the versions of the software application whose execution resulted in the anomalous behavior are stored. An alert with respect to any indicated malicious content is issued.

Citations

49 Claims

1. A computer-implemented method for detecting malicious content, the method comprising:
- installing a plurality of versions of a software application concurrently within a virtual machine by at least registering each of the plurality of versions of the software application with an operating system of the virtual machine under different identifiers, each of the plurality of versions of the software application being different from each other;
  
  selecting, by logic within a virtual machine monitor being executed by a processor of a data processing system, a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine that is executed within the data processing system;
  
  processing one or more software application versions of the subset of the plurality of versions of the software application to access a malicious content suspect within the virtual machine, without switching to another virtual machine;
  
  monitoring, by a monitoring module, behaviors of the malicious content suspect during processing by one or more software application versions of the subset of the plurality of versions of the software application to detect behaviors associated with a malicious attack;
  
  storing information associated with the detected behaviors that are associated with a malicious attack; and
  
  issuing an alert with respect to any detected malicious content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1, wherein the installing of the plurality of versions of the software application comprises installing the plurality of versions of the software application in a plurality of virtual machines configured in a virtual machine pool, each virtual machine of the plurality of virtual machines being associated with a specific version of a guest operating system.
  - 3. The method of claim 1, wherein the installing of the plurality of versions of the software application further comprises installing a first software application version of the subset of the plurality of versions of the software application in a first directory and installing a second software application version of the subset of the plurality of versions of the software application in a second separate directory different than the first directory.
  - 4. The method of claim 1, wherein the registering of each of the plurality of versions of the software application with the operating system is conducted using a different, separate application identifier for each of the plurality of versions of the software application.
  - 5. The method of claim 1, wherein the installing of the plurality of versions of the software application further comprises installing each of the plurality of versions of the software application in an identical directory.
  - 6. The method of claim 1, wherein the processing of the one or more software application versions of the subset of the plurality of versions of the software application comprises processing each software application version of the subset of the plurality of versions of the software application by at least launching each software application version of the subset of the plurality of versions of the software application within the virtual machine in response to providing an identifier identifying the malicious content suspect to allow each of the launched software application versions of the subset of the plurality of versions of the software application to process the malicious content suspect.
  - 7. The method of claim 2, further comprising:
    - based on information associated with the malicious content suspect, selecting by a scheduler the virtual machine from the virtual machine pool that has been configured to mimic a target operating environment of malicious content suspect; and
      
      scheduling, by the scheduler, the selected virtual machine to be launched within the data processing system.
  - 8. The method of claim 1, wherein the alert comprises an identifier of at least one software application version of the subset of the plurality of versions of the software application with the detected behaviors associated with a malicious attack.
  - 24. The method of claim 6, wherein the launching of each software application version of the subset of the plurality of versions of the software application within the virtual machine comprises launching multiple versions of the software application concurrently.
  - 25. The method of claim 1, wherein the processing of the one or more software application versions of the subset of the plurality of versions of the software application comprises processing each software application version of the subset of the plurality of versions of the software application being lesser in number than the plurality of versions of the software application.
  - 26. The method of claim 25, wherein each software application version of the subset of the plurality of versions of the software application is a new release of the software application.
  - 27. The method of claim 25, wherein each software application version of the subset of the plurality of versions of the software application is either a new release of the software application or a modification of the software application through a service pack.
  - 28. The method of claim 25, wherein prior to installing of the plurality of versions of the software application, the method further comprising:
    - generating a graphical user interface that displays a menu including one or more operating system versions along with versions of software applications compatible with each of the one or more operating system versions that includes the operating system for use in selecting the subset of the plurality of versions of the software application.
  - 29. The method of claim 1, wherein the subset of the plurality of versions of the software application is equal in number to the plurality of versions of the software application.
  - 30. The method of claim 1, wherein the installing of the plurality of versions of the software application concurrently within the virtual machine is conducted by the logic within the virtual machine monitor that receives information that identifies selected versions of the software application that correspond to the subset of the plurality of versions of the software application.
  - 31. The method of claim 1, wherein prior to installing of the plurality of versions of the software application, the method further comprising:
    - generating a graphical user interface that displays a menu including at least the plurality of versions of the software application that are compatible with the operating system.
  - 32. The method of claim 1, wherein the selecting of the subset of the plurality of versions of the software application is based, at least in part, on input provided by an individual including a system administrator.

9. A non-transitory machine-readable medium storing instructions, which when executed by a processor, cause the processor to perform operations comprising:
- installing a plurality of versions of a software application concurrently within a virtual machine by at least registering each of the plurality of versions of the software application with an operating system of the virtual machine under different identifiers, each of the plurality of versions of the software application being different from each other;
  
  selecting, by logic within a virtual machine monitor operating on a processor of a data processing system, a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine that is executed within the data processing system;
  
  for one or more software application versions of the subset of the plurality of versions of the software application, processing the corresponding software application version to access a malicious content suspect within the virtual machine without switching to another virtual machine;
  
  monitoring behaviors of the malicious content suspect during execution by the one or more software application versions of the subset of the plurality of versions of the software application to detect behaviors associated with a malicious attack during execution of any of the one or more software application versions;
  
  storing information associated with the detected behaviors that are associated with a malicious attack; and
  
  issuing an alert with respect to any indicated malicious content, the alert comprises an identifier of the software application version with the detected behaviors.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 10. The non-transitory machine-readable medium of claim 9, wherein the installing of the plurality of versions of the software application comprises installing the plurality of versions of the software application in a plurality of virtual machines configured in a virtual machine pool, each virtual machine of the plurality of virtual machines being associated with a specific version of a guest operating system.
  - 11. The non-transitory machine-readable medium of claim 9, wherein the installing of the plurality of versions of the software application further comprises installing a first software application version of the subset of the plurality of versions of the software application in a first directory and installing a second software application version of the plurality of versions of the software application in a second separate directory different than the first directory.
  - 12. The non-transitory machine-readable medium of claim 9, wherein the registering of each of the plurality of versions of the software application comprises registering each of the plurality of versions of the software application that are different from each other with a guest operating system using the different identifiers.
  - 13. The non-transitory machine-readable medium of claim 9, wherein the installing of the plurality of versions of the software application further comprises installing each software application version of the plurality of versions of the software application in an identical directory.
  - 14. The non-transitory machine-readable medium of claim 9, wherein the processing operations performed by the processor comprises sequentially launching the one or more of the software application versions of the subset of the plurality of versions of the software application within the virtual machine in response to providing an identifier identifying the malicious content suspect to allow each of the one or more launched software application versions to process the malicious content suspect.
  - 15. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise:
    - based on information associated with the malicious content suspect, selecting by a scheduler the virtual machine from a virtual machine pool that has been configured to mimic a target operating environment of malicious content suspect; and
      
      scheduling by the scheduler the virtual machine to be launched within the data processing system.
  - 16. The non-transitory machine-readable medium of claim 15, wherein the subset of the plurality of versions of the software application are tested in processing the malicious content suspect within the virtual machine, without having to schedule, launch, and terminate an individual virtual machine for each of the subset of the plurality of versions of the software application.
  - 33. The non-transitory machine-readable medium of claim 9, wherein the processor to process each software application version of the subset of the plurality of versions of the software application being lesser in number than the plurality of versions of the software application.
  - 34. The non-transitory machine-readable medium of claim 33, wherein the stored information associated with the detected behaviors includes the detected behaviors and a version number corresponding to a software application version of the subset of the plurality of versions of the software application whose execution resulted in the detected behaviors.
  - 35. The non-transitory machine-readable medium of claim 33, wherein each software application version of the subset of the plurality of versions of the software application is a new release of the software application.
  - 36. The non-transitory machine-readable medium of claim 33, wherein each software application version of the subset of the plurality of versions of the software application is either a new release of the software application or a modification of the software application through a service pack.
  - 37. The non-transitory machine-readable medium of claim 33, wherein prior to installing of the plurality of versions of the software application, the method further comprising:
    - generating a graphical user interface that displays a menu including one or more operating system versions along with versions of software applications compatible with each of the one or more operating system versions that include the operating system for use in selecting the subset of the plurality of versions of the software application.
  - 38. The non-transitory machine-readable medium of claim 9, wherein the subset of the plurality of versions of the software application is equal in number to the plurality of versions of the software application.
  - 39. The non-transitory machine-readable medium of claim 9, wherein the installing of the plurality of versions of the software application concurrently within the virtual machine is conducted by logic within the virtual machine monitor that receives information that identifies selected versions of the software application that correspond to the subset of the plurality of versions of the software application.
  - 40. The non-transitory machine-readable medium of claim 9, wherein prior to installing of the plurality of versions of the software application, the operations performs by the processor further comprising:
    - generating a graphical user interface that displays a menu including at least the plurality of versions of the software application that are compatible with the operating system for use in selecting of the subset of the plurality of versions of the software application.
  - 41. The non-transitory machine-readable medium of claim 9, wherein the selecting of the subset of the plurality of versions of the software application is based, at least in part, on input provided by an individual including a system administrator.

17. A malicious content detection system, comprising:
- a processor; and
  
  a memory coupled to the processor, the memory to store instructions, including instructions that, when executed, cause the processor toinstall a plurality of versions of a software application concurrently within a virtual machine by at least registering each of the plurality of versions of the software application with an operating system of the virtual machine under different identifiers, each of the plurality of versions of the software application being different from each other,select, by logic within a virtual machine monitor, a subset of the plurality of versions of the software application that are concurrently installed within a virtual machine that is executed within the malicious content detection system,process one or more software application versions of the subset of the plurality of versions of the software application to access a malicious content suspect within the virtual machine, without switching to another virtual machine,monitor behaviors of the malicious content suspect during processing by each software application version of the subset of the plurality of versions of the software application in response to the malicious content suspect to detect a behavior associated with a malicious attack,store information associated with the detected behavior associated with a malicious attack, andissue an alert with respect to any detected malicious content.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 42, 43, 44, 45, 46, 47, 48, 49)
- - 18. The malicious content detection system of claim 17, wherein the processor to install the plurality of versions of the software application in a plurality of virtual machines configured in a virtual machine pool, each virtual machine of the plurality of virtual machines being associated with a specific version of a guest operating system.
  - 19. The malicious content detection system of claim 17, wherein the installing of the plurality of versions of the software application further comprises installing a unique directory path corresponding to each software application version of the subset of the plurality of versions of the software application.
  - 20. The malicious content detection system of claim 17, wherein registering of each of the plurality of versions of the software application with the operating system is performed using a different identifier for each of the plurality of versions of the software application.
  - 21. The malicious content detection system of claim 17, wherein the processor is to sequentially launch the one or more software application versions of the subset of the plurality of versions of the software application within the virtual machine in response to providing an identifier identifying the malicious content suspect to allow the launched version of the software application to process the malicious content suspect.
  - 22. The malicious content detection system of claim 17, further comprising a scheduler executed in the memory by the processor tobased on information associated with the malicious content suspect, select the virtual machine from a virtual machine pool that has been configured to mimic a target operating environment of malicious content suspect;
    - andschedule the virtual machine to be launched within the malicious content detection system.
  - 23. The malicious content detection system of claim 22, wherein the subset of the plurality of versions of the software application are tested in processing the malicious content suspect within the virtual machine, without having to schedule, launch, and terminate an individual virtual machine for each software application version for the subset of the plurality of versions of the software application.
  - 42. The malicious content detection system of claim 17, wherein the processor to process the one or more software application versions of the subset of the plurality of versions of the software application by processing each software application version of the subset of the plurality of versions of the software application being lesser in number than the plurality of versions of the software application.
  - 43. The malicious content detection system of claim 42, wherein the information associated with the detected behavior includes the detected behavior and a version number corresponding to a software application version of the subset of the plurality of versions of the software application whose execution resulted in the detected behavior.
  - 44. The malicious content detection system of claim 42, wherein each software application version of the subset of the plurality of versions of the software application is a new release of the software application.
  - 45. The malicious content detection system of claim 42, wherein each software application version of the subset of the plurality of versions of the software application is either a new release of the software application or a modification of the software application through a service pack.
  - 46. The malicious content detection system of claim 17, wherein the subset of the plurality of versions of the software application is equal in number to the plurality of versions of the software application.
  - 47. The malicious content detection system of claim 17, wherein prior to the install of the plurality of versions of the software application, the processor further performs operations comprising:
    - generating a graphical user interface that displays a menu including one or more operating system versions along with versions of software applications compatible with each of the one or more operating system versions that includes the operating system for use in selecting the subset of the plurality of versions of the software application.
  - 48. The malicious content detection system of claim 17, wherein prior to the install of the plurality of versions of the software application, the processor further generates a graphical user interface that displays a menu including at least the plurality of versions of the software application that are compatible with the operating system for use in selecting the subset of the plurality of versions of the software application.
  - 49. The malicious content detection system of claim 17, wherein the processor to select the subset of the plurality of versions of the software application based on input provided by an individual including a system administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Khalid, Yasir, Jing, Emily, Rizwan, Muhammad, Amin, Muhammad
Primary Examiner(s)
LEUNG, ROBERT B

Application Number

US13/801,557
Time in Patent Office

1,497 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/556   involving covert channels, ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45558   Hypervisor-specific managem...

Malicious content analysis with multi-version application support within single operating environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious content analysis with multi-version application support within single operating environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links