Malware detection appliance architecture

  • US 9,934,376 B1
  • Filed: 12/08/2015
  • Issued: 04/03/2018
  • Est. Priority Date: 12/29/2014
  • Status: Active Grant
First Claim

1. A method comprising:

  • deploying a virtualization module in a malware detection appliance architecture of an appliance coupled to a network, the virtualization module directly disposed on native hardware of the appliance and having a main protection domain including one or more execution contexts and capabilities defining permissions for a process to access kernel resources of the appliance;
  • disposing a hypervisor over the virtualization module, the hypervisor operating under control of the virtualization module to spawn a virtual machine configured to contain a guest operating system and instrumentation logic, the virtual machine bound to a clone of the main protection domain representative of the guest operating system;
  • performing dynamic analysis of the process when executing an object to detect first behaviors of the object via one or more capability violations as the process executes in the virtual machine, the one or more capability violations generated by the virtualization module at the clone of the main protection domain, wherein the first behaviors are captured as dynamic analysis results;
  • correlating the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and
  • rendering, by the appliance, a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.

  • 7 Assignments