System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection

US 9,736,179 B2
Filed: 09/30/2013
Issued: 08/15/2017
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method to determine whether an object is part of a malicious attack, comprising:

detecting, by a virtual machine being executed by hardware circuitry, an event that has occurred during an analysis of the object, the event comprising an anomalous behavior of the object during execution of the object within the virtual machine, and the virtual machine includes a guest virtual system and a host virtual system;

dynamically altering at least an instrumentation of a virtual device within the host virtual system of the virtual machine by the hardware circuitry based on information associated with the event, the dynamic altering of the instrumentation of the virtual device comprises changing an instrumentation of the virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and

determining based on at least the event, whether the object is part of a malicious attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.

Citations

31 Claims

1. A computerized method to determine whether an object is part of a malicious attack, comprising:
- detecting, by a virtual machine being executed by hardware circuitry, an event that has occurred during an analysis of the object, the event comprising an anomalous behavior of the object during execution of the object within the virtual machine, and the virtual machine includes a guest virtual system and a host virtual system;
  
  dynamically altering at least an instrumentation of a virtual device within the host virtual system of the virtual machine by the hardware circuitry based on information associated with the event, the dynamic altering of the instrumentation of the virtual device comprises changing an instrumentation of the virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and
  
  determining based on at least the event, whether the object is part of a malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 28, 29, 30, 31)
- - 2. The computerized method of claim 1, wherein the hardware circuitry comprises one or more processors.
  - 3. The computerized method of claim 1, wherein the second instrumentation of the virtual device being downloaded from a cloud computing service.
  - 4. The computerized method of claim 1, wherein the instrumentation of the virtual device comprises logic that performs one of a plurality of virtualized operations including (i) controlling virtualized operations conducted on the object associated with content that includes network traffic and (ii) monitoring the virtualized operations conducted on the object.
  - 5. The computerized method of claim 1, wherein the dynamically altering of the instrumentation of the virtual device comprises dynamically changing a pointer to a particular function for the virtual machine.
  - 6. The computerized method of claim 1, wherein the anomalous behavior comprises at least one of unexpected network transmissions from an electronic device that comprises the hardware circuitry and unexpected changes in performance by the electronic device.
  - 8. The computerized method of claim 1 further comprising conducting an analysis on the object using the virtual machine having the changed instrumentation for at least the virtual device being at least one VM process.
  - 9. The computerized method of claim 1, wherein dynamically altering of the instrumentation of the virtual device comprises interrupting a virtual machine (VM) replay to change an instrumentation for at least one virtual machine (VM) process of the virtual machine during analysis of a second object different from the object, where the object and the second object are part of the same data flow.
  - 28. The computerized method of claim 1 further comprising:
    - executing the object within the virtual machine with the second instrumentation of the virtual device instead of the virtual machine with the first instrumentation of the virtual device that had been operable when the event was detected.
  - 29. The computerized method of claim 28, wherein the executing of the object within the virtual machine with the second instrumentation commences from the preserved state of the virtual device.
  - 30. The computerized method of claim 1, wherein the dynamically altering at least of the instrumentation of the virtual device is performed by instrumentation control logic issuing signaling to the virtual machine in response to receipt of the event, the signaling includes a single command to the virtual machine or a message that includes address or other information that identifies the second instrumentation accessible from a data store.
  - 31. The computerized method of claim 1, wherein the dynamically altering at least of the instrumentation of the virtual device occurs transparently to the guest virtual system so that the virtual device transitions from a first state, being a current state of the virtual device, to a second state.

7. A computerized method comprising:
- determining, by a virtual machine being executed by hardware circuitry, an event that has occurred during an analysis of an object, the event comprises an anomalous behavior of the object during execution of the object within the virtual machine, and the virtual machine includes a guest virtual system and a host virtual system;
  
  dynamically altering an instrumentation of a virtual device within the host virtual system of the virtual machine by the hardware circuitry based on information associated with the event, the dynamically altering of the instrumentation of the virtual device comprises changing an instrumentation of the virtual device of the virtual machine running as part of the host virtual system from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and
  
  determining, based on at least the event, whether the object is part of the malicious attack.

10. An electronic device to determine whether an object is part of a malicious attack, comprising:
- a memory to store information; and
  
  a processor adapted to receive information associated with network traffic, the processor to process the stored information and conduct operations on the network traffic, the operations comprise (i) detecting, by a virtual machine processed by the processor, an occurrence of an event during an analysis of the object, the event includes an anomalous behavior of the object during execution of the object within the virtual machine that includes a guest virtual system and a host virtual system, (ii) dynamically altering an instrumentation of a virtual device within the host virtual system of the virtual machine based on information associated with the event, the dynamic altering of the instrumentation comprises changing an instrumentation of a virtual device of the virtual machine from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the guest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device; and
  
  (iii) determining, based on at least the event, whether the object is part of the malicious attack.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The electronic device of claim 10, wherein the second instrumentation of the virtual device being downloaded from a cloud computing service.
  - 12. The electronic device of claim 10, wherein the instrumentation of the virtual device comprises logic that performs one of a plurality of virtualized operations including (i) controlling virtualized operations conducted on the object associated with content received over a network and (ii) monitoring the virtualized operations conducted on the object.
  - 13. The electronic device of claim 10, wherein the processor determines the event during analysis of the object associated with network traffic by (i) performing a replay operation on the object and (ii) analyzing information associated with the one or more anomalous behavior if an exploit associated with the object is detected during the replay operation.
  - 14. The electronic device of claim 13, wherein the anomalous behavior comprises at least one of unusual network transmissions from the electronic device and unusual changes in performance by the electronic device.
  - 15. The electronic device of claim 10, wherein the processor further dynamically altering of the instrumentation of the virtual device by at least changing subsequent operations of the virtual machine, running as part of the virtual device within the host virtual system, for detecting exploits associated with the network traffic while preserving state so as to remain transparent to a guest virtual system of the electronic device.
  - 16. The electronic device of claim 10, wherein the processor further dynamically altering the instrumentation of the virtual device so that the virtual machine conducts subsequent analysis on a particular exploit or a family of exploits that are more likely to be present within the network traffic based on prior analysis results.
  - 17. The electronic device of claim 10, wherein the processor further dynamically altering of the instrumentation of the virtual device comprises interrupting a virtual machine (VM) replay to at least (i) change the instrumentation of the virtual device that includes a change to at least one virtual machine (VM) process during analysis of the object and (ii) change the instrumentation of the virtual device during analysis of a second object different from the object, where the object and the second object are part of the same data flow.
  - 18. The electronic device of claim 17, wherein the changing of the instrumentation of the virtual device comprises conducting the analysis on the object using the virtual machine having the changed instrumentation for the at least one VM process.

19. An electronic device comprising:
- a memory to store information;
  
  a processor adapted to receive information associated with network traffic, the processor to process the stored information and conduct operations on the network traffic, the operations comprise (i) determining, by a virtual machine processed by the processor, an occurrence of an event during an analysis of an object, and the event includes an anomalous behavior of the object during execution of the object within the virtual machine that includes a guest virtual system and a host virtual system, (ii) dynamically altering an instrumentation of a virtual device within the host virtual system of the virtual machine based on information associated with the event, the dynamic altering of the virtual machine instrumentation comprises at least changing an instrumentation of the virtual device from a first instrumentation of the virtual device to a second instrumentation of the virtual device while preserving a state of the virtual device as perceived by the quest virtual system, wherein the second instrumentation of the virtual device being different from the first instrumentation of the virtual device, and (iii) determining, based on at least the event, whether the object is part of the malicious attack.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The electronic device of claim 19, wherein the detection of an exploit during the analysis of the one or more anomalous behaviors of the object during execution of the object within the virtual machine comprises a detection of an exploit causing an overflow condition of a first type of buffer.
  - 21. The electronic device of claim 19, wherein the processor further dynamically altering of the instrumentation of the virtual device by at least changing subsequent operations of the virtual machine, running as part of the host virtual system in the electronic device, for detecting exploits associated with the network traffic while preserving the state of the virtual device so as to remain transparent to the guest virtual system of the electronic device.
  - 22. The electronic device of claim 19, wherein the processor further dynamically altering the instrumentation so that the virtual machine conducts subsequent analysis on a particular exploit or a family of exploits that are more likely to be present within the network traffic based on prior analysis results.
  - 23. The electronic device of claim 19, wherein the processor further dynamically altering of the instrumentation comprises interrupting a virtual machine (VM) replay to at least (i) change an instrumentation for at least one virtual machine process of the virtual machine during analysis of the object and (ii) change the instrumentation during analysis of a second object different from the object, where the object and the second object are part of the same data flow.
  - 24. The electronic device of claim 19, wherein the second instrumentation of the virtual device having additional functionality from functionality provided by the first instrumentation of the virtual device.
  - 25. The electronic device of claim 19, wherein the second instrumentation of the virtual device being downloaded from a cloud computing service.
  - 26. The electronic device of claim 19, wherein the instrumentation of the virtual device comprises logic that performs one of a plurality of virtualized operations including (i) controlling virtualized operations conducted on the object associated with content received over a network and (ii) monitoring the virtualized operations conducted on the object.
  - 27. The electronic device of claim 19, wherein the one or more anomalous behavior comprises at least one of unusual network transmissions from the electronic device and unusual changes in performance by the electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Ismael, Osman Abdoul
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US14/042,489
Publication Number

US 20150096025A1
Time in Patent Office

1,415 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links