Selective system call monitoring
First Claim
1. A computerized method performed by a network appliance, comprising:
- determining, by the network appliance including one or more hardware processors, whether a detected system call, which is generated by a process that is executing an object within a virtual machine, belongs to a first class of system calls by at least halting operations by the virtual machine in response to the detected system call, determining that there exists a prescribed level of likelihood that the process is associated with a malicious attack that identifies the process is suspicious, responsive to determining that the process is not suspicious, comparing the identifier for the detected system call to each identifier for a first plurality of system calls that are part of the first class of system calls, and subsequently determining that the process is associated with a malicious attack by determining that the detected system call belongs to the first class of system calls upon successfully comparing the identifier for the detected system call to a first identifier for one of the first class of system calls; and
providing information associated with the system call to virtualized device hardware in response to determining that the system call is associated with the first class of system calls.
Abstract
According to one embodiment of the invention, a computerized method is described for improved efficiency in malware detection. The method comprises detecting a system call initiated by a virtual machine and determining a class assigned to the detected system call. In response to determining that the system call is associated with a first class of system calls, information associated with the system call is provided to virtualized device hardware. In contrast, in response to determining that the system call is associated with a second class of system calls, which is different from the first class of system calls, the virtual machine resumes virtual processing of an object without providing information to the virtualized device hardware.
37 Claims
1. A computerized method performed by a network appliance, comprising:
determining, by the network appliance including one or more hardware processors, whether a detected system call, which is generated by a process that is executing an object within a virtual machine, belongs to a first class of system calls by at least halting operations by the virtual machine in response to the detected system call, determining that there exists a prescribed level of likelihood that the process is associated with a malicious attack that identifies the process is suspicious, responsive to determining that the process is not suspicious, comparing the identifier for the detected system call to each identifier for a first plurality of system calls that are part of the first class of system calls, and subsequently determining that the process is associated with a malicious attack by determining that the detected system call belongs to the first class of system calls upon successfully comparing the identifier for the detected system call to a first identifier for one of the first class of system calls; and providing information associated with the system call to virtualized device hardware in response to determining that the system call is associated with the first class of system calls. (Dependent claims 2 through 13.)
14. A computerized method for determining whether a detected system call that is generated by a process executing an object on a virtual machine is potentially associated with a malicious attack, the method comprising:
halting operations by the virtual machine executed by a network appliance including one or more hardware processors, in response to detecting the system call; determining an identifier for the system call; determining whether a prescribed level of likelihood exists that the process is associated with a malicious attack that identifies the process is suspicious; responsive to determining that the process is not suspicious, comparing the identifier for the system call to each identifier for a first plurality of system calls that are part of a first class of system calls and a second class of system calls different from the first class of system calls; and determining that the system call belongs to one of the first class of system calls and the second class of system calls upon successfully comparing the identifier for the system call to a first identifier for one of the first class of system calls and the second class of system calls. (Dependent claims 15 through 22.)
23. A computerized method comprising:
detecting a system call initiated by a virtual machine executed by a network appliance including one or more hardware processors, the detecting of the system call comprises halting operations by the virtual machine in response to detecting the system call, determining an identifier for the system call, determining that there exists a prescribed level of likelihood that a process running on the virtual machine and processing an object is associated with a malicious attack to identify that the process is suspicious, responsive to determining that the process is not suspicious, comparing the identifier for the system call to each identifier for a first plurality of system calls that are part of a first class of system calls, and determining that the system call belongs to the first class of system calls upon successfully comparing the identifier for the system call to a first identifier for one of the first plurality of system calls; providing information associated with the system call to virtualized device hardware in response to determining that the system call is associated with the first class of system calls; and resuming processing of an object by the virtual machine without providing information associated with the system call to the virtualized device hardware in response to determining that the system call is associated with a second class of system calls that is different from the first class of system calls. (Dependent claims 24 through 28.)
29. An apparatus comprising:
one or more processors; and a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more processors, generates (1) a virtual machine including a process that executes an object and initiates a system call during processing of the object, and (2) a virtual machine monitor that (a) detects the system call initiated by the virtual machine, (b) determines a class assigned to the detected system call by at least comparing an identifier for the detected system call to each identifier for a first plurality of system calls that are part of a first class of system calls in response to failing to determine that the process is suspicious based on activities of the process failing to suggest that the process is associated with a malicious attack, (c) provides information associated with the system call to virtualized device hardware in response to determining that the system call is associated with the first class of system calls, and (d) resumes processing of the object by the virtual machine without providing the information to the virtualized device hardware in response to determining that the system call is associated with a second class of system calls that is different from the first class of system calls. (Dependent claims 30 through 36.)
37. A non-transitory computer readable medium that includes software that, when processed by one or more processors, performs operations comprising:
detecting a system call initiated by a virtual machine that is included as part of the software and is being executed by the one or more processors; responsive to determining that the system call is not malicious, determining a class assigned to the detected system call by at least comparing an identifier for the detected system call to each identifier for a first plurality of system calls that are part of a first class of system calls; providing information associated with the system call to virtualized device hardware in response to determining that the system call is associated with the first class of system calls; and resuming processing of an object by the virtual machine without providing information associated with the system call to the virtualized device hardware in response to determining that the system call is associated with a second class of system calls that is different from the first class of system calls.
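The monitor path that the abstract and claims 1, 23, 29 and 37 describe, as an added C example that is not code from the patent or its assignee: a trapped system call halts the VM; an already-suspicious process is reported without a class lookup; otherwise the call's identifier is compared against each identifier in the first class, and only a match is forwarded to the virtualized device hardware, while second-class calls resume the VM with nothing reported. The system call numbers (Linux x86_64 values), the membership of the first class, the suspicion threshold of 70 standing in for the "prescribed level of likelihood", the choice to forward every call of an already-suspicious process (the page does not say what happens in that case), and the names `in_first_class`, `monitor_syscall` and `run_sample_trace` are all assumptions; the trace of calls is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* System call numbers: Linux x86_64 values, used for realism; the page names none. */
enum {
    SYS_READ = 0, SYS_WRITE = 1, SYS_OPEN = 2, SYS_CLOSE = 3,
    SYS_GETPID = 39, SYS_SOCKET = 41, SYS_CONNECT = 42, SYS_EXECVE = 59
};

/* Outcome of one intercepted call. */
typedef enum {
    DECISION_REPORT,         /* first class: info handed to the virtualized device hardware */
    DECISION_RESUME,         /* second class: VM resumed, nothing reported */
    DECISION_REPORT_SUSPECT  /* process already suspicious: reported with no class lookup (assumption) */
} decision_t;

/* First class of system calls: the identifiers the monitor compares against (assumed membership). */
static const uint32_t FIRST_CLASS[] = { SYS_OPEN, SYS_SOCKET, SYS_CONNECT, SYS_EXECVE };
#define FIRST_CLASS_LEN (sizeof FIRST_CLASS / sizeof FIRST_CLASS[0])

/* Assumed "prescribed level of likelihood" above which a process counts as suspicious. */
#define SUSPICION_THRESHOLD 70

struct process_ctx   { int pid; int suspicion; };             /* suspicion: 0..100 from prior activity */
struct syscall_event { uint32_t sysno; uint64_t args[3]; };   /* what the trap handler sees */

struct vm_state {
    bool halted;        /* vCPU stopped while the monitor decides */
    unsigned reported;  /* events forwarded to the virtualized device hardware */
    unsigned resumed;   /* events resumed without a report */
};

/* Compare the trapped identifier against each identifier in the first class. */
bool in_first_class(uint32_t sysno)
{
    for (size_t i = 0; i < FIRST_CLASS_LEN; i++)
        if (FIRST_CLASS[i] == sysno)
            return true;
    return false;
}

/* Stand-in for the virtualized device hardware: record the forwarded information. */
static void forward_to_device(struct vm_state *vm, int pid, const struct syscall_event *ev)
{
    vm->reported++;
    printf("report pid=%d sysno=%u arg0=0x%llx\n",
           pid, (unsigned)ev->sysno, (unsigned long long)ev->args[0]);
}

/* Monitor path for one trapped system call: halt, check the process, classify, resume. */
decision_t monitor_syscall(struct vm_state *vm, const struct process_ctx *proc,
                           const struct syscall_event *ev)
{
    decision_t d;
    vm->halted = true;                      /* halt VM operations on the trap */

    if (proc->suspicion >= SUSPICION_THRESHOLD) {
        forward_to_device(vm, proc->pid, ev);   /* already suspicious: skip the class lookup */
        d = DECISION_REPORT_SUSPECT;
    } else if (in_first_class(ev->sysno)) {
        forward_to_device(vm, proc->pid, ev);   /* first class: information leaves the VM */
        d = DECISION_REPORT;
    } else {
        vm->resumed++;                          /* second class: nothing leaves the VM */
        d = DECISION_RESUME;
    }
    vm->halted = false;                     /* resume virtual processing of the object */
    return d;
}

/* Constructed trace: a benign process issuing mixed calls, then one already flagged. */
unsigned run_sample_trace(struct vm_state *vm)
{
    const struct process_ctx benign  = { .pid = 1001, .suspicion = 10 };
    const struct process_ctx flagged = { .pid = 1002, .suspicion = 85 };
    const struct syscall_event trace[] = {
        { SYS_GETPID, {0} },  { SYS_OPEN, {0x7f0000} },  { SYS_READ, {3} },
        { SYS_CONNECT, {4} }, { SYS_WRITE, {1} },        { SYS_EXECVE, {0x7f1000} },
    };
    unsigned first_class_hits = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (monitor_syscall(vm, &benign, &trace[i]) == DECISION_REPORT)
            first_class_hits++;
    monitor_syscall(vm, &flagged, &trace[0]);   /* flagged process: even getpid is reported */
    return first_class_hits;
}

int main(void)
{
    struct vm_state vm = {0};
    unsigned hits = run_sample_trace(&vm);
    printf("first-class hits=%u reported=%u resumed=%u\n", hits, vm.reported, vm.resumed);
    return 0;
}
```

Compile with `cc -std=c99 selective_monitor.c` and run: the benign process's six calls produce three reports (open, connect, execve) and three silent resumes, and the flagged process's getpid is reported as well, so the counters end at four reports and three resumes. The point of the split is that the second-class calls never leave the trap handler, which is the efficiency gain the abstract describes.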
Specification