Malware detection appliance architecture

US 9,934,376 B1
Filed: 12/08/2015
Issued: 04/03/2018
Est. Priority Date: 12/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

deploying a virtualization module in a malware detection appliance architecture of an appliance coupled to a network, the virtualization module directly disposed on native hardware of the appliance and having a main protection domain including one or more execution contexts and capabilities defining permissions for a process to access kernel resources of the appliance;

disposing a hypervisor over the virtualization module, the hypervisor operating under control of the virtualization module to spawn a virtual machine configured to contain a guest operating system and instrumentation logic, the virtual machine bound to a clone of the main protection domain representative of the guest operating system;

performing dynamic analysis of the process when executing an object to detect first behaviors of the object via one or more capability violations as the process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the first behaviors are captured as dynamic analysis results;

correlating the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and

rendering, by the appliance, a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat-aware virtualization module may be deployed in a malware detection appliance architecture and execute on a malware detection system (MDS) appliance to provide exploit and malware detection within a network environment. The virtualization module may underlie an operating system kernel of the MDS appliance and execute in kernel space of the architecture to control access to kernel resources of the appliance for any operating system process. A type 0 virtual machine monitor may be disposed over the virtualization module and execute in user space of the architecture as a pass-through module configured to expose the kernel resources of the appliance to the operating system kernel. One or more hypervisors, e.g., type 1 VMM, may be further disposed over the virtualization module and execute in user space of the architecture under control of the virtualization module to support execution of one or more guest operating systems inside one or more full virtual machines.

Citations

21 Claims

1. A method comprising:
- deploying a virtualization module in a malware detection appliance architecture of an appliance coupled to a network, the virtualization module directly disposed on native hardware of the appliance and having a main protection domain including one or more execution contexts and capabilities defining permissions for a process to access kernel resources of the appliance;
  
  disposing a hypervisor over the virtualization module, the hypervisor operating under control of the virtualization module to spawn a virtual machine configured to contain a guest operating system and instrumentation logic, the virtual machine bound to a clone of the main protection domain representative of the guest operating system;
  
  performing dynamic analysis of the process when executing an object to detect first behaviors of the object via one or more capability violations as the process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the first behaviors are captured as dynamic analysis results;
  
  correlating the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
  
  rendering, by the appliance, a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19)
- - 2. The method of claim 1 further comprising creating the clone of the main protection domain by copying the execution contexts and capabilities of the main protection domain, wherein the capabilities of the clone of the main protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources.
  - 3. The method of claim 1 further comprising configuring the virtual machine with a software profile that replicates a run-time environment that the object expects.
  - 4. The method of claim 3 wherein the object is a web page and wherein configuring the virtual machine comprises configuring the virtual machine with a browser application.
  - 5. The method of claim 1 further comprising:
    - collecting second behaviors detected during dynamic analysis of the object, wherein the second behaviors are detected without capability violations; and
      
      examining the first and second behaviors to determine whether the behaviors represent one of malicious and benign events indicative of a presence of malware.
  - 6. The method of claim 1 further comprising performing static analysis of the object to determine whether the object is suspicious, wherein performing the static analysis includes running one or more heuristics using weighting to determine whether the object is suspicious.
  - 7. The method of claim 6 further comprising performing the static analysis followed by the dynamic analysis in accordance with a sequential two-phase approach, wherein the object is subjected to dynamic analysis if the object is determined suspicious by the static analysis.
  - 19. The method of claim 1, wherein the virtualization module includes a subset functionality of the hypervisor.

8. A system comprising:
- a memory of a malware detection system (MDS) appliance coupled to a network, the memory configured to store an operating system process, a hypervisor and a virtualization module, the hypervisor disposed over the virtualization module and operating under control of the virtualization module in a malware detection appliance architecture of the MDS appliance, the virtualization module directly disposed on native hardware of the appliance and having a main protection domain including one or more execution contexts and capabilities defining permissions for the operating system process to access kernel resources of the appliance; and
  
  a processing unit coupled to the memory and adapted to execute the operating system process, the hypervisor, and the virtualization module, wherein the hypervisor and the virtualization module are configured to;
  
  create a virtual machine containing a guest operating system and instrumentation logic, the virtual machine bound to a clone of the main protection domain representative of the guest operating system;
  
  perform dynamic analysis of the operating system process when executing an object to observe behaviors of the object via one or more capability violations as the operating system process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the behaviors are captured as dynamic analysis results;
  
  correlate the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
  
  render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 20)
- - 9. The system of claim 8 wherein the virtualization module is further configured to create the clone of the main protection domain by copying the execution contexts and capabilities of the main protection domain, wherein the capabilities of the clone of the main protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources.
  - 10. The system of claim 8 wherein the hypervisor is further configured to configure the virtual machine with a software profile that replicates a run-time environment that the object expects.
  - 11. The system of claim 10 wherein the object is a web page and wherein the hypervisor is further configured to configure the virtual machine with a browser application.
  - 12. The system of claim 8 wherein the hypervisor is further configured to configure the instrumentation logic to monitor different types of objects including payloads of network or email packets.
  - 13. The system of claim 8 wherein the memory is further configured to store user mode processes executable by the processing unit, the user mode processes configured to perform static analysis of the object to determine whether the object is suspicious, wherein performing the static analysis includes running one or more heuristics using weighting to determine whether the object is suspicious.
  - 14. The system of claim 13 wherein the user mode processes are further configured to perform the static analysis followed by the dynamic analysis in accordance with a sequential two-phase approach, wherein the object is subjected to dynamic analysis if the object is determined suspicious by the static analysis.
  - 15. The system of claim 14 wherein the user mode processes are further configured to perform scheduling of the dynamic analysis of the object in accordance with a priority based on a static analysis score for the object.
  - 16. The system of claim 8 further comprising a network interface coupling the memory to the network, the network interface operating as a network tap to receive incoming data traffic from the network and provide one of at least some of the data traffic and a duplicated copy of the traffic for malware detection.
  - 17. The system of claim 16 wherein the MDS appliance is deployed in-line with one or more endpoints to subject the incoming data traffic to static analysis and block the traffic that is classified as malware from reaching the endpoints.
  - 20. The system of claim 8, wherein the virtualization module includes a subset functionality of the hypervisor.

18. A non-transitory computer readable medium including program instructions for execution on one or more processors of a malware detection system (MDS) appliance, the program instructions configured to:
- create a virtual machine containing a guest operating system and instrumentation logic, the virtual machine bound to a clone of a main protection domain of a virtualization module stored in a memory of the MDS appliance, the main protection domain representative of the guest operating system;
  
  perform dynamic analysis of an operating system process when executing an object to observe behaviors of the object via one or more capability violations as the operating system process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the behaviors are captured as dynamic analysis results;
  
  correlate the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
  
  render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
- View Dependent Claims (21)
- - 21. The computer readable medium of claim 18, wherein the virtualization module includes a subset functionality of a hypervisor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Ismael, Osman Abdoul
Primary Examiner(s)
Williams, Jeffery

Application Number

US14/962,497
Time in Patent Office

847 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 8/60   Software deployment

G06F 9/45558   Hypervisor-specific managem...

Malware detection appliance architecture

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection appliance architecture

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links