Malware detection appliance architecture
Abstract
A threat-aware virtualization module may be deployed in a malware detection appliance architecture and execute on a malware detection system (MDS) appliance to provide exploit and malware detection within a network environment. The virtualization module may underlie an operating system kernel of the MDS appliance and execute in kernel space of the architecture to control access to kernel resources of the appliance for any operating system process. A type 0 virtual machine monitor may be disposed over the virtualization module and execute in user space of the architecture as a pass-through module configured to expose the kernel resources of the appliance to the operating system kernel. One or more hypervisors, e.g., type 1 VMM, may be further disposed over the virtualization module and execute in user space of the architecture under control of the virtualization module to support execution of one or more guest operating systems inside one or more full virtual machines.
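The pipeline the abstract and claim 1 describe (a capability-bearing main protection domain, its per-VM clone, capability violations captured as dynamic analysis results, correlation rules yielding a risk level, and classification against known malware and benign content), modelled as an added Python example that is not the patent's own code; the capability set, rules, weights, reference profiles and request trace are constructed assumptions.

```python
"""Toy model of the claimed detection pipeline. Added example, not the patent's
code; all capability names, rule weights, thresholds and the sample trace are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class ProtectionDomain:
    name: str
    capabilities: set  # permissions a process holds on kernel resources

    def clone(self, name):
        # The VM is bound to a copy; violations there never alter the main domain
        return ProtectionDomain(name, set(self.capabilities))


def dynamic_analysis(domain, trace):
    """Return capability violations (the observed behaviours) for a trace of
    (resource, operation) requests issued by the process executing the object."""
    return [(res, op) for res, op in trace if f"{res}:{op}" not in domain.capabilities]


# Constructed correlation rules: a set of violations that must all occur, a risk weight, a label
CORRELATION_RULES = [
    ({("registry", "write"), ("process", "create")}, 40, "persistence then spawn"),
    ({("network", "connect")}, 25, "outbound connection"),
    ({("memory", "exec")}, 35, "executable memory"),
]


def correlate(violations, rules=CORRELATION_RULES):
    seen = set(violations)
    hits = [(label, w) for pattern, w, label in rules if pattern <= seen]
    return {"risk": min(100, sum(w for _, w in hits)), "matched": [l for l, _ in hits]}


# Constructed reference risk levels for known malware and known benign content
KNOWN = {"malware": 85, "benign": 10}


def render_decision(info):
    # Classify by nearest known profile; ties resolve to benign
    nearest = min(KNOWN, key=lambda k: (abs(info["risk"] - KNOWN[k]), k == "malware"))
    return nearest == "malware"


def analyze(trace):
    main = ProtectionDomain("main", {"file:read", "file:write", "network:resolve"})
    vm_domain = main.clone("vm-guest")            # clone bound to the virtual machine
    info = correlate(dynamic_analysis(vm_domain, trace))
    return info["risk"], info["matched"], render_decision(info)


# Constructed sample trace: the object writes a run key, spawns a child and dials out
SAMPLE_TRACE = [("file", "read"), ("registry", "write"), ("process", "create"),
                ("network", "resolve"), ("network", "connect")]
```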
21 Claims

1. A method comprising:
deploying a virtualization module in a malware detection appliance architecture of an appliance coupled to a network, the virtualization module directly disposed on native hardware of the appliance and having a main protection domain including one or more execution contexts and capabilities defining permissions for a process to access kernel resources of the appliance;
disposing a hypervisor over the virtualization module, the hypervisor operating under control of the virtualization module to spawn a virtual machine configured to contain a guest operating system and instrumentation logic, the virtual machine bound to a clone of the main protection domain representative of the guest operating system;
performing dynamic analysis of the process when executing an object to detect first behaviors of the object via one or more capability violations as the process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the first behaviors are captured as dynamic analysis results;
correlating the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
rendering, by the appliance, a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
Dependent claims: 2, 3, 4, 5, 6, 7, 19.

8. A system comprising:
a memory of a malware detection system (MDS) appliance coupled to a network, the memory configured to store an operating system process, a hypervisor and a virtualization module, the hypervisor disposed over the virtualization module and operating under control of the virtualization module in a malware detection appliance architecture of the MDS appliance, the virtualization module directly disposed on native hardware of the appliance and having a main protection domain including one or more execution contexts and capabilities defining permissions for the operating system process to access kernel resources of the appliance; and
a processing unit coupled to the memory and adapted to execute the operating system process, the hypervisor, and the virtualization module, wherein the hypervisor and the virtualization module are configured to:
create a virtual machine containing a guest operating system and instrumentation logic, the virtual machine bound to a clone of the main protection domain representative of the guest operating system;
perform dynamic analysis of the operating system process when executing an object to observe behaviors of the object via one or more capability violations as the operating system process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the behaviors are captured as dynamic analysis results;
correlate the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 20.

18. A non-transitory computer readable medium including program instructions for execution on one or more processors of a malware detection system (MDS) appliance, the program instructions configured to:
create a virtual machine containing a guest operating system and instrumentation logic, the virtual machine bound to a clone of a main protection domain of a virtualization module stored in a memory of the MDS appliance, the main protection domain representative of the guest operating system;
perform dynamic analysis of an operating system process when executing an object to observe behaviors of the object via one or more capability violations as the operating system process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the behaviors are captured as dynamic analysis results;
correlate the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
Dependent claims: 21.