Micro-virtual machine forensics and detection
First Claim

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring task behavior in a virtual machine, which when executed by one or more processors, causes:
executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
analyzing the action in relation to a set of heuristics by performing:
(a) identifying a suspected file, (b) determining all files modified after an introduction of the suspected file, and (c) determining whether the suspected file should be classified as malware based, at least in part, on a set of file formats associated with said all files modified after the introduction of the suspected file, and
upon classifying the suspected file as malware, initiating a data collection process to collect information about events occurring in the first virtual machine.
Abstract
The execution of a process within a virtual machine (VM) may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM. The trigger event may be analyzed in relation to a set of heuristics, and based on the analysis, a data collection process may be initiated wherein the data comprises information about events occurring in the first virtual machine.
Claims (24)

1. Independent claim; its text is given above under First Claim. Claims 2 to 22 depend from claim 1.

23. A method for monitoring task behavior in a virtual machine, comprising:
executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
analyzing the action in relation to a set of heuristics by performing:
(a) identifying a suspected file, (b) determining all files modified after an introduction of the suspected file, and (c) determining whether the suspected file should be classified as malware based, at least in part, on a set of file formats associated with said all files modified after the introduction of the suspected file, and
upon classifying the suspected file as malware, initiating a data collection process to collect information about events occurring in the first virtual machine.

24. An apparatus for monitoring task behavior in a virtual machine, comprising:
one or more processors; and
one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed by the one or more processors, cause:
executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
analyzing the action in relation to a set of heuristics by performing:
(a) identifying a suspected file, (b) determining all files modified after an introduction of the suspected file, and (c) determining whether the suspected file should be classified as malware based, at least in part, on a set of file formats associated with said all files modified after the introduction of the suspected file, and
upon classifying the suspected file as malware, initiating a data collection process to collect information about events occurring in the first virtual machine.
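The heuristic in steps (a) to (c) of claim 1, together with the abstract's comparison against the expected behaviour of a task type, as an added worked example (not code from the patent or its assignee). The per-VM event log, the FileEvent fields, the EXPECTED_FORMATS policy table and the task-type names are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class FileEvent:
    ts: int    # timestamp inside the VM (assumed monotonic)
    vm: str    # VM id; one VM per task, as in claim 1
    op: str    # "create" or "modify"
    path: str

# Assumed policy table: file formats each task type is expected to modify.
EXPECTED_FORMATS = {
    "pdf_viewer": {".pdf", ".tmp", ".log"},
    "browser": {".html", ".js", ".cache", ".tmp", ".log"},
}

def file_format(path):
    return PurePosixPath(path).suffix.lower() or "<none>"

def files_modified_after(events, vm, t_intro):
    """Step (b): files modified in this VM after the suspected file appeared."""
    return sorted({e.path for e in events
                   if e.vm == vm and e.op == "modify" and e.ts > t_intro})

def classify(events, vm, suspected, task_type):
    """Steps (a)-(c): (is_malware, formats outside the task's expected set)."""
    intro = [e.ts for e in events if e.vm == vm and e.path == suspected]
    if not intro:
        return False, set()          # suspected file never seen in this VM
    touched = {file_format(p) for p in files_modified_after(events, vm, min(intro))}
    unexpected = touched - EXPECTED_FORMATS.get(task_type, set())
    return bool(unexpected), unexpected

def collect_on_verdict(events, vm, suspected, task_type):
    """Trigger step: on a malware verdict hand every event from that VM to
    the analyst; otherwise collect nothing."""
    is_mal, _ = classify(events, vm, suspected, task_type)
    return [e for e in events if e.vm == vm] if is_mal else None

# Constructed sample log: VM "vm-17" runs one pdf_viewer task.
SAMPLE = [
    FileEvent(1, "vm-17", "create", "/tmp/invoice.pdf"),
    FileEvent(2, "vm-17", "modify", "/tmp/viewer.log"),
    FileEvent(3, "vm-17", "create", "/tmp/dropped.exe"),    # suspected file
    FileEvent(4, "vm-17", "modify", "/home/u/report.docx"),
    FileEvent(5, "vm-17", "modify", "/home/u/photo.jpg"),
    FileEvent(6, "vm-17", "modify", "/tmp/viewer.log"),
    FileEvent(7, "vm-18", "modify", "/home/u/other.docx"),  # other VM, ignored
]
```

Running classify(SAMPLE, "vm-17", "/tmp/dropped.exe", "pdf_viewer") flags the suspected file because a PDF viewer task is not expected to modify .docx or .jpg files, and collect_on_verdict then returns the six vm-17 events for analysis.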
Specification