System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection
First Claim
Patent Images
1. A computerized method to determine whether an object is part of a malicious attack, comprising:
- detecting, by a virtual machine being executed by hardware circuitry, an event that has occurred during an analysis of the object, the event comprising an anomalous behavior of the object during execution of the object within the virtual machine, and the virtual machine includes a guest virtual system and a host virtual system;
dynamically altering at least an instrumentation of a virtual device within the host virtual system of the virtual machine by the hardware circuitry based on information associated with the event, the dynamic altering of the instrumentation of the virtual device comprises changing an instrumentation of the virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and
determining based on at least the event, whether the object is part of a malicious attack.
7 Assignments
0 Petitions
Accused Products
Abstract
According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.
-
Citations
31 Claims
-
1. A computerized method to determine whether an object is part of a malicious attack, comprising:
-
detecting, by a virtual machine being executed by hardware circuitry, an event that has occurred during an analysis of the object, the event comprising an anomalous behavior of the object during execution of the object within the virtual machine, and the virtual machine includes a guest virtual system and a host virtual system; dynamically altering at least an instrumentation of a virtual device within the host virtual system of the virtual machine by the hardware circuitry based on information associated with the event, the dynamic altering of the instrumentation of the virtual device comprises changing an instrumentation of the virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and determining based on at least the event, whether the object is part of a malicious attack. - View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 28, 29, 30, 31)
-
-
7. A computerized method comprising:
-
determining, by a virtual machine being executed by hardware circuitry, an event that has occurred during an analysis of an object, the event comprises an anomalous behavior of the object during execution of the object within the virtual machine, and the virtual machine includes a guest virtual system and a host virtual system; dynamically altering an instrumentation of a virtual device within the host virtual system of the virtual machine by the hardware circuitry based on information associated with the event, the dynamically altering of the instrumentation of the virtual device comprises changing an instrumentation of the virtual device of the virtual machine running as part of the host virtual system from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and determining, based on at least the event, whether the object is part of the malicious attack.
-
-
10. An electronic device to determine whether an object is part of a malicious attack, comprising:
-
a memory to store information; and a processor adapted to receive information associated with network traffic, the processor to process the stored information and conduct operations on the network traffic, the operations comprise (i) detecting, by a virtual machine processed by the processor, an occurrence of an event during an analysis of the object, the event includes an anomalous behavior of the object during execution of the object within the virtual machine that includes a guest virtual system and a host virtual system, (ii) dynamically altering an instrumentation of a virtual device within the host virtual system of the virtual machine based on information associated with the event, the dynamic altering of the instrumentation comprises changing an instrumentation of a virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and
(iii) determining, based on at least the event, whether the object is part of the malicious attack. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. An electronic device comprising:
-
a memory to store information; a processor adapted to receive information associated with network traffic, the processor to process the stored information and conduct operations on the network traffic, the operations comprise (i) determining, by a virtual machine processed by the processor, an occurrence of an event during an analysis of an object, and the event includes an anomalous behavior of the object during execution of the object within the virtual machine that includes a guest virtual system and a host virtual system, (ii) dynamically altering an instrumentation of a virtual device within the host virtual system of the virtual machine based on information associated with the event, the dynamic altering of the virtual machine instrumentation comprises at least changing an instrumentation of the virtual device from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the quest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device, and (iii) determining, based on at least the event, whether the object is part of the malicious attack. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
-
Specification