Systems and Methods for Virtualization and Emulation Assisted Malware Detection

US 20130117848A1
Filed: 11/03/2011
Published: 05/09/2013
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting an object provided from a first digital device to a second digital device;

instantiating a virtualization environment with the one or more resources;

processing the object within the virtualization environment;

tracing operations of the object while processing within the virtualization environment;

detecting suspicious behavior associated with the object in the virtualization environment;

instantiating an emulation environment in response to the detected suspicious behavior;

processing the object within the emulation environment;

recording responses to the object within the emulation environment;

tracing operations of the object while processing within the emulation environment;

detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment;

re-instantiating the virtualization environment in response to the detected divergence;

providing the recorded response from the emulation environment to the object in the re-instantiated virtualization environment;

monitoring the operations of the object while processing within the re-instantiation of the virtualization environment;

identifying untrusted actions from the monitored operations; and

generating a report regarding the identified untrusted actions of the object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for virtualization and emulation malware enabled detection are described. In some embodiments, a method comprises intercepting an object, instantiating and processing the object in a virtualization environment, tracing operations of the object while processing within the virtualization environment, detecting suspicious behavior associated with the object, instantiating an emulation environment in response to the detected suspicious behavior, processing, recording responses to, and tracing operations of the object within the emulation environment, detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment, re-instantiating the virtualization environment, providing the recorded response from the emulation environment to the object in the virtualization environment, monitoring the operations of the object within the re-instantiation of the virtualization environment, identifying untrusted actions from the monitored operations, and generating a report regarding the identified untrusted actions of the object.

169 Citations

21 Claims

1. A method comprising:
- intercepting an object provided from a first digital device to a second digital device;
  
  instantiating a virtualization environment with the one or more resources;
  
  processing the object within the virtualization environment;
  
  tracing operations of the object while processing within the virtualization environment;
  
  detecting suspicious behavior associated with the object in the virtualization environment;
  
  instantiating an emulation environment in response to the detected suspicious behavior;
  
  processing the object within the emulation environment;
  
  recording responses to the object within the emulation environment;
  
  tracing operations of the object while processing within the emulation environment;
  
  detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment;
  
  re-instantiating the virtualization environment in response to the detected divergence;
  
  providing the recorded response from the emulation environment to the object in the re-instantiated virtualization environment;
  
  monitoring the operations of the object while processing within the re-instantiation of the virtualization environment;
  
  identifying untrusted actions from the monitored operations; and
  
  generating a report regarding the identified untrusted actions of the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the suspicious behavior comprises the object loading data into memory within the virtualization environment but not utilizing the data.
  - 3. The method of claim 1, wherein the suspicious behavior comprises the object scanning locations in memory of the virtualization environment and then terminating operations.
  - 4. The method of claim 1, wherein the suspicious behavior comprises the object abruptly halting operations.
  - 5. The method of claim 1, wherein trace capturing is performed in a kernel of a digital device hosting the emulation environment.
  - 6. The method of claim 1, further comprising increasing or decreasing a clock signal within the emulation environment.
  - 7. The method of claim 1, wherein re-instantiating the virtualization environment in response to the detected divergence comprises instantiating a modified image of the virtualization environment.
  - 8. The method of claim 1, further comprising applying state information from the emulation environment to the re-instantiated virtualization environment.
  - 9. The method of claim 1, wherein re-instantiating the virtualization environment in response to the detected divergence comprises halting the virtualization environment and restarting the virtualization environment.
  - 10. The method of claim 1, wherein the virtualization environment is re-instantiated at a point in time where divergence is detected between the virtualization environment and the emulation environment.

11. A system comprising:
- a collection module configured to receive an object provided from a first digital device to a second digital device;
  
  a virtualization module configured to instantiate a virtualization environment with the one or more resources, to process the object within the virtualization environment, to trace operations of the object while processing within the virtualization environment, to detect suspicious behavior associated with the object in the virtualization environment, to monitor the operations of the object while processing within a re-instantiation of the virtualization environment, to identify untrusted actions from the monitored operations, and to generate a report regarding the identified untrusted actions of the object;
  
  an emulation module configured to instantiate an emulation environment in response to the detected suspicious behavior, to process the object within the emulation environment, to record responses to the object within the emulation environment and to trace operations of the object while processing within the emulation environment; and
  
  a control module configured to detect a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment, to re-instantiate the virtualization environment in response to the detected divergence, and to provide the recorded response from the emulation environment to the object in the virtualization environment.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the suspicious behavior comprises the object loading data into memory within the virtualization environment but not utilizing the data.
  - 13. The system of claim 11, wherein the suspicious behavior comprises the object scanning locations in memory of the virtualization environment and then terminating operations.
  - 14. The system of claim 11, wherein the suspicious behavior comprises the object abruptly halting operations.
  - 15. The system of claim 11, wherein trace capturing is performed in a kernel of a digital device hosting the emulation environment.
  - 16. The system of claim 11, wherein the emulation module is further configured to increase or decrease a clock signal within the emulation environment.
  - 17. The system of claim 11, wherein the control module configured to re-instantiate the virtualization environment in response to the detected divergence comprises the control module configured to instantiate a modified image of the virtualization environment.
  - 18. The system of claim 11, wherein the control module is configured to apply state information from the emulation environment to the re-instantiated virtualization environment.
  - 19. The system of claim 11, wherein the control module configured to re-instantiate the virtualization environment in response to the detected divergence comprises the control module configured to halt the virtualization environment and restart the virtualization environment.
  - 20. The system of claim 11, wherein the control module is further configured to re-instantiate the virtualization environment at a point in time where divergence is detected between the virtualization environment and the emulation environment.

21. A computer readable medium comprising instructions, the instructions being executable by a processor for performing a method, the method comprising:
- intercepting an object provided from a first digital device to a second digital device;
  
  instantiating a virtualization environment with the one or more resources;
  
  processing the object within the virtualization environment;
  
  tracing operations of the object while processing within the virtualization environment;
  
  detecting suspicious behavior associated with the object in the virtualization environment;
  
  instantiating an emulation environment in response to the detected suspicious behavior;
  
  processing the object within the emulation environment;
  
  recording responses to the object within the emulation environment;
  
  tracing operations of the object while processing within the emulation environment;
  
  detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment;
  
  re-instantiating the virtualization environment in response to the detected divergence;
  
  providing the recorded response from the emulation environment to the object in the virtualization environment;
  
  monitoring the operations of the object while processing within the re-instantiation of the virtualization environment;
  
  identifying untrusted actions from the monitored operations; and
  
  generating a report regarding the identified untrusted actions of the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Golshan, Ali, Binder, James S.

Granted Patent

US 9,519,781 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 9/45541   Bare-metal, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Systems and Methods for Virtualization and Emulation Assisted Malware Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

169 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Virtualization and Emulation Assisted Malware Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links