Micro-virtual machine forensics and detection

US 9,922,192 B1
Filed: 07/24/2015
Issued: 03/20/2018
Est. Priority Date: 12/07/2012
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring task behavior in a virtual machine, which when executed by one or more processors, causes:

executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;

identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;

analyzing the action in relation to a set of heuristics by performing;

(a) identifying a suspected file,(b) determining all files modified after an introduction of the suspected file, and(c) determining whether the suspected file should be classified as malware based, at least in part, on a set of file formats associated with said all files modified after the introduction of the suspected file, andupon classifying the suspected file as malware, initiating a data collection process to collect information about events occurring in the first virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The execution of a process within a virtual machine (VM) may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM. The trigger event may be analyzed in relation to a set of heuristics, and based on the analysis, a data collection process may be initiated wherein the data comprises information about events occurring in the first virtual machine.

91 Citations

View as Search Results

24 Claims

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring task behavior in a virtual machine, which when executed by one or more processors, causes:
- executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
  
  identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
  
  analyzing the action in relation to a set of heuristics by performing;
  
  (a) identifying a suspected file,(b) determining all files modified after an introduction of the suspected file, and(c) determining whether the suspected file should be classified as malware based, at least in part, on a set of file formats associated with said all files modified after the introduction of the suspected file, andupon classifying the suspected file as malware, initiating a data collection process to collect information about events occurring in the first virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - identifying all files modified by the first task;
      
      identifying all files initiated as new tasks in the first virtual machine; and
      
      identifying a common set of files modified by the first task and files initiated as new tasks in the first virtual machine.
  - 3. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics considers information about said suspected file from a threat database located remotely over a network.
  - 4. The one or more non-transitory computer-readable storage mediums of claim 1, wherein said determining whether the suspected file should be classified as malware is based, at least in part, on a presence of artifacts associated with malicious code in said suspected file.
  - 5. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to invoke an executable by a file that has been modified.
  - 6. The one or more non-transitory computer-readable storage mediums of claim 5, wherein the file has been modified within a specified amount of time.
  - 7. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to load a modified Dynamic Linked Library (DLL) file or system file.
  - 8. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt by an executing process to modify a master boot record (MBR) or volume boot record (VBR).
  - 9. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt by a file to delete itself after performing an action.
  - 10. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to transfer data via a network; and
      
      identifying whether the attempt matches at least one of a set of prohibited actions.
  - 11. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to access or change the kernel memory of a guest operating system executing in a virtual machine, wherein the kernel memory is immutable.
  - 12. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to access Windows tokens.
  - 13. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt by malware to enumerate executing processes inside a virtual machine.
  - 14. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt by an executing task to access a physical drive to which the executing task has write permissions.
  - 15. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to load a driver inside a virtual machine.
  - 16. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to clear system logs.
  - 17. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to change an operating system flag identifying pages as read-only to make the pages writable.
  - 18. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting whether a process has accessed registers being utilized by a virtualized system.
  - 19. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of file formats comprises a first file format, wherein said first file format is an executable file.
  - 20. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - detecting an attempt to modify a system service.
  - 21. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - identifying all files created after the action; and
      
      creating a hash value for each file.
  - 22. The one or more non-transitory computer-readable storage mediums of claim 21, wherein the hash value comprises a unique identifier, and wherein the set of heuristics comprises execution of the one or more sequences of instructions to further cause:
    - comparing a hash value for a first file to a plurality of hash values in a database; and
      
      matching the first file to a file represented by one of the hash values in the database.

23. A method for monitoring task behavior in a virtual machine, comprising:
- executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
  
  identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
  
  analyzing the action in relation to a set of heuristics by performing;
  
  (a) identifying a suspected file,(b) determining all files modified after an introduction of the suspected file, and(c) determining whether the suspected file should be classified as malware based, at least in part, on a set of file formats associated with said all files modified after the introduction of the suspected file, andupon classifying the suspected file as malware, initiating a data collection process to collect information about events occurring in the first virtual machine.

24. An apparatus for monitoring task behavior in a virtual machine, comprising:
- one or more processors; and
  
  one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed by the one or more processors, cause;
  
  executing a plurality of tasks in a plurality of virtual machines executing in a computing environment, wherein each task executes in a separate virtual machine instantiated for the particular task;
  
  identifying an action performed by a first task of the plurality of tasks, wherein the first task is executing in a first virtual machine;
  
  analyzing the action in relation to a set of heuristics by performing;
  
  (a) identifying a suspected file,(b) determining all files modified after an introduction of the suspected file, and(c) determining whether the suspected file should be classified as malware based, at least in part, on a set of file formats associated with said all files modified after the introduction of the suspected file, andupon classifying the suspected file as malware, initiating a data collection process to collect information about events occurring in the first virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Kashyap, Rahul C., Navaraj, J. McEnroe Samuel, Singh, Baibhav, Passi, Arun, Wojtczuk, Rafal
Primary Examiner(s)
Lwin, Maung T

Application Number

US14/809,014
Time in Patent Office

970 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

Micro-virtual machine forensics and detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Micro-virtual machine forensics and detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links