Zero-Day Rotating Guest Image Profile

US 20160191547A1
Filed: 06/30/2015
Published: 06/30/2016
Est. Priority Date: 12/26/2014
Status: Active Grant

First Claim

Patent Images

1. A threat detection platform comprising:

a housing;

a communication interface;

one or more processors coupled to the communication interface;

a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component and the activity monitors specifically configured for the first software component,wherein, in response to receipt of a suspect object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the suspect object to determine if the suspect object is associated with a malicious attack.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a threat detection platform features a housing, a communication interface, a processor coupled to the communication interface, and a data store. The data store includes (i) an event log, (ii) a first virtual machine, and (iii) a second virtual machine. The first virtual machine is provisioned with a first guest image that is based on an instrumented software profile that includes a first software component and activity monitors configured for the first software component. The second virtual machine is provisioned with a second guest image that is based on a temporary software profile that includes a second software component that is a more recent version of the first software component and the activity monitors configured for the first software component.

172 Citations

24 Claims

1. A threat detection platform comprising:
- a housing;
  
  a communication interface;
  
  one or more processors coupled to the communication interface;
  
  a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component and the activity monitors specifically configured for the first software component,wherein, in response to receipt of a suspect object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the suspect object to determine if the suspect object is associated with a malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The threat detection platform of claim 1, wherein the first virtual machine is a different virtual machine than the second virtual machine.
  - 3. The threat detection platform of claim 1, wherein the second software component is a more recent version of the first software component.
  - 4. The threat detection platform of claim 3, wherein the concurrent analysis of the suspect object by the first virtual machine and the second virtual machine comprises (1) processing the suspect object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the suspect object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors.
  - 5. The threat detection platform of claim 4, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the suspect object is associated with a zero-day attack, being a particular type of malicious attack, in response to the activity monitors detecting one or more anomalous behaviors being conducted by the second virtual machine during processing of the suspect object while the activity monitors failing to detect any of the one or more anomalous behaviors being conducted by the first virtual machine during processing of the suspect object.
  - 6. The threat detection platform of claim 5, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the suspect object is associated with a known type of malicious attack in response to the activity monitors detecting one or more anomalous behaviors being conducted by both the first virtual machine and the second virtual machine during processing of the suspect object.
  - 7. The threat detection platform of claim 5, wherein the communication interface compriseslogic that receives a flow from a remote source, decompresses or decrypts the flow, and extracts an object from the flow;
    - logic that extracts or generates metadata associated with the object that is subsequently used by the one or more processors in provisioning at least the first virtual machine and the second virtual machine; and
      
      logic that analyzes features of the object to identify the object is suspect when a likelihood of the object being associated with a malicious attack exceeds a threshold.
  - 8. The threat detection platform of claim 7, wherein the remote source is a network and the flow is network content propagating over the network.
  - 9. The threat detection platform of claim 1, wherein the activity monitors for the second guest image is lesser in number that the activity monitors for the first guest image.
  - 10. The threat detection platform of claim 1, wherein in response to receiving a third guest image that is based on a second fully-instrumented software profile including the second software component and activity monitors specifically configured for the second software component prior to receipt of the suspect object, the one or more processors are configured to provision a virtual machine with the third guest image in lieu of provisioning the first virtual machine and the second virtual machine.

11. A threat detection platform comprising:
- a housing;
  
  a communication interface;
  
  one or more processors coupled to the communication interface;
  
  a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component, (iii) a second guest image that includes information that causes retrieval of a second software component that is a more recent version of the first software component from a remote source and the activity monitors are specifically configured for the first software component,wherein, in response to receipt of a suspect object by the threat detection platform,the one or more processors are configured to provision a first virtual machine with the first guest image and a second virtual machine with the second guest image that causes subsequent loading of the second software component, andthe first virtual machine and the second virtual machine concurrently analyze the suspect object to determine if the suspect object is associated with a malicious attack.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The threat detection platform of claim 11, wherein the first virtual machine is a different virtual machine than the second virtual machine.
  - 13. The threat detection platform of claim 11, wherein the concurrent analysis of the suspect object by the first virtual machine and the second virtual machine comprises (1) processing the suspect object by the first virtual machine and monitoring behaviors of the first virtual machine by the activity monitors and (2) processing the suspect object by the second virtual machine and monitoring behaviors of the second virtual machine by the activity monitors.
  - 14. The threat detection platform of claim 13, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the suspect object is associated with a zero-day attack, being a particular type of malicious attack, in response to the activity monitors detecting one or more anomalous behaviors being conducted by the second virtual machine during processing of the suspect object while the activity monitors failing to detect any of the one or more anomalous behaviors being conducted by the first virtual machine during processing of the suspect object.
  - 15. The threat detection platform of claim 14, wherein at least the first virtual machine, the second virtual machine and the activity monitors collectively detect that the suspect object is associated with a known type of malicious attack in response to the activity monitors detecting one or more anomalous behaviors being conducted by both the first virtual machine and the second virtual machine during processing of the suspect object.
  - 16. The threat detection platform of claim 11, wherein the communication interface compriseslogic that receives a flow from a remote source, decompresses or decrypts the flow, and extracts an object from the flow;
    - logic that extracts or generates metadata associated with the object that is subsequently used by the one or more processors in provisioning at least the first virtual machine and the second virtual machine; and
      
      logic that analyzes features of the object to identify the object is suspect when a likelihood of the object being associated with a malicious attack exceeds a threshold.
  - 17. The threat detection platform of claim 16, wherein the remote source is a network and the flow is network content propagating over the network.
  - 18. The threat detection platform of claim 11, wherein in response to receiving a third guest image that is based on a second fully-instrumented software profile including the second software component and activity monitors specifically configured for the second software component prior to receipt of the suspect object, the one or more processors are configured to provision a virtual machine with the third guest image to analyze the suspect object in lieu of provisioning the first virtual machine and the second virtual machine for analyzing the suspect object.

19. A computerized method comprising:
- receiving an object for analysis;
  
  provisioning a first virtual machine with a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component;
  
  provisioning a second virtual machine with a second guest image that is based on a temporary software profile including a second software component and the activity monitors specifically configured for the first software component; and
  
  analyzing the suspect object by the first virtual machine and the second virtual machine to determine whether the suspect object is associated with a zero-day attack in response to detecting one or more anomalous behaviors by the second virtual machine upon processing of the suspect object without experiencing one or more anomalous behaviors by the first virtual machine upon processing of the suspect object.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein:
    - the analyzing of the suspect object by the first virtual machine is conducted concurrently with analysis of the suspect object by the second virtual machine,a number of the activity monitors associated with the second guest image is lesser than or equal to a number of the activity monitors associated with the first guest image, andthe second software component is a subsequent version of the first software component.

21. A method of operating threat detection platform, the method comprising:
- (A) in a first mode, provisioning a, virtual environment with a first guest image based on a fully instrumented software profile including a first version of a software component, and a complete activity monitor package including a first set of activity monitors for the first version of the software component, wherein the activity monitor package is complete when the first set of activity monitors have been tested and provide comprehensive analysis of operations specific to the first version of the software component;
  
  (B) in a second mode, provisioning a second virtual environment with a second guest image including the first version of the software component and the complete activity monitor package that includes the first set of activity monitors, and provisioning a third virtual environment with a third guest image including a second version of the software component that is released later than the first version of the software component and a partial activity monitor package, wherein the partial activity monitor package initially comprises the first set of activity monitors used for the first virtual environment and are directed specifically to the first version of the software component that is different than the second version of the software component;
  
  (C) in response to receipt of an object to be executed, selecting for execution in a processor either the first virtual environment or the second and third virtual environments; and
  
  (D) executing in the processor the selected first virtual environment or the second and third virtual environments.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21 further comprising:
    - receiving an update to the partial activity monitor package, the updates includes one or more activity monitors that are specifically directed to either (i) a subset of new functionality provided by the second version of software component and absent from the first version of the software component or (ii) modifications to one or more of the activity monitors of the first set of activity monitors that are used by the first version of the software component.
  - 23. The method of claim 21 further comprising:
    - configuring the partial activity monitor package with one or more activity monitors used for the first virtual environment and one or more activity monitors that are directed to, at most, only some of functionality provided by the second version of the software component that is not provided by the first version of the software component.
  - 24. The method of claim 21 further comprising:
    - continuing operating in the second mode until a fourth guest image based on a fully instrumented software profile including the second version of the software component and a complete activity monitor package for the second version of the software component that includes a second set of activity monitors that have been tested and provide comprehensive analysis of operations specific to the second version of the software component with one or more activity monitors different than any activity monitor within the first set of activity monitors; and
      
      subsequent to receipt of the fully instrumented software profile for the second version of the software component, operating in a third mode in which the first virtual environment is provisioned with the fourth guest image for analysis of subsequent objects for associated with a malicious attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Zafar, Asim, Qureshi, Eirij, Kindlund, Darien

Granted Patent

US 10,075,455 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Zero-Day Rotating Guest Image Profile

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

172 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Zero-Day Rotating Guest Image Profile

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links