Zero-Day Rotating Guest Image Profile
First Claim
1. A threat detection platform comprising:
a housing;
a communication interface;
one or more processors coupled to the communication interface;
a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component and the activity monitors specifically configured for the first software component, wherein, in response to receipt of a suspect object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the suspect object to determine if the suspect object is associated with a malicious attack.
8 Assignments
0 Petitions
Abstract
According to one embodiment, a threat detection platform features a housing, a communication interface, a processor coupled to the communication interface, and a data store. The data store includes (i) an event log, (ii) a first virtual machine, and (iii) a second virtual machine. The first virtual machine is provisioned with a first guest image that is based on an instrumented software profile that includes a first software component and activity monitors configured for the first software component. The second virtual machine is provisioned with a second guest image that is based on a temporary software profile that includes a second software component that is a more recent version of the first software component and the activity monitors configured for the first software component.
172 Citations
24 Claims
1. A threat detection platform comprising:
a housing; a communication interface; one or more processors coupled to the communication interface; a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component, (iii) a second guest image that is based on a temporary software profile including a second software component and the activity monitors specifically configured for the first software component, wherein, in response to receipt of a suspect object by the threat detection platform, the one or more processors are configured to provision both a first virtual machine with the first guest image and a second virtual machine with the second guest image to concurrently analyze the suspect object to determine if the suspect object is associated with a malicious attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A threat detection platform comprising:
a housing; a communication interface; one or more processors coupled to the communication interface; a storage device that includes (i) an event log, (ii) a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component, (iii) a second guest image that includes information that causes retrieval of a second software component that is a more recent version of the first software component from a remote source and the activity monitors are specifically configured for the first software component, wherein, in response to receipt of a suspect object by the threat detection platform, the one or more processors are configured to provision a first virtual machine with the first guest image and a second virtual machine with the second guest image that causes subsequent loading of the second software component, and the first virtual machine and the second virtual machine concurrently analyze the suspect object to determine if the suspect object is associated with a malicious attack.
Dependent claims: 12, 13, 14, 15, 16, 17, 18

19. A computerized method comprising:
receiving an object for analysis; provisioning a first virtual machine with a first guest image that is based on a fully-instrumented software profile including a first software component and activity monitors specifically configured for the first software component; provisioning a second virtual machine with a second guest image that is based on a temporary software profile including a second software component and the activity monitors specifically configured for the first software component; and analyzing the suspect object by the first virtual machine and the second virtual machine to determine whether the suspect object is associated with a zero-day attack in response to detecting one or more anomalous behaviors by the second virtual machine upon processing of the suspect object without experiencing one or more anomalous behaviors by the first virtual machine upon processing of the suspect object.
Dependent claims: 20

21. A method of operating a threat detection platform, the method comprising:
(A) in a first mode, provisioning a virtual environment with a first guest image based on a fully instrumented software profile including a first version of a software component, and a complete activity monitor package including a first set of activity monitors for the first version of the software component, wherein the activity monitor package is complete when the first set of activity monitors have been tested and provide comprehensive analysis of operations specific to the first version of the software component;
(B) in a second mode, provisioning a second virtual environment with a second guest image including the first version of the software component and the complete activity monitor package that includes the first set of activity monitors, and provisioning a third virtual environment with a third guest image including a second version of the software component that is released later than the first version of the software component and a partial activity monitor package, wherein the partial activity monitor package initially comprises the first set of activity monitors used for the first virtual environment and are directed specifically to the first version of the software component that is different than the second version of the software component;
(C) in response to receipt of an object to be executed, selecting for execution in a processor either the first virtual environment or the second and third virtual environments; and
(D) executing in the processor the selected first virtual environment or the second and third virtual environments.
Dependent claims: 22, 23, 24
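The decision logic the independent claims describe can be seen more concretely in a small model. The following Python is an added illustration, not code from the patent or its assignee: it provisions a fully-instrumented "legacy" image (component version 1.0 with monitors tested against 1.0) and a "temporary" image (version 2.0 that reuses the 1.0 monitors), runs a suspect object through both, and applies the claim 19 rule that anomalies in the second VM without anomalies in the first mark a zero-day candidate, with the claim 21 single-VM/dual-VM mode switch on top. Version strings, monitor names, behavior labels and the sample objects are all assumed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class MonitorPackage:
    """Activity monitors written and tested for one component version."""
    tuned_for: str              # component version the monitors were built against
    anomalous: FrozenSet[str]   # behaviors the monitors know to flag
    complete: bool              # True once tested against tuned_for (claim 21 wording)

    def scan(self, observed: List[str]) -> List[str]:
        # Only behaviors the package knows about are flagged; behavior that is
        # new to a later component version passes through silently.
        return [b for b in observed if b in self.anomalous]


@dataclass(frozen=True)
class GuestImage:
    label: str
    component_version: str
    monitors: MonitorPackage


@dataclass
class EventLog:
    entries: List[str] = field(default_factory=list)

    def record(self, vm: str, text: str) -> None:
        self.entries.append(f"[{vm}] {text}")


# A suspect object is modelled by the behaviors it produces when processed by
# each component version (constructed data standing in for VM telemetry).
SuspectObject = Dict[str, List[str]]


def run_vm(image: GuestImage, obj: SuspectObject, log: EventLog) -> List[str]:
    """Provision a VM from `image`, process `obj`, return the anomalies its monitors saw."""
    observed = obj.get(image.component_version, [])
    hits = image.monitors.scan(observed)
    log.record(image.label, f"component={image.component_version} "
                            f"monitors_for={image.monitors.tuned_for} "
                            f"observed={observed} anomalies={hits}")
    return hits


def classify(first_hits: List[str], second_hits: List[str]) -> str:
    """Claim 19 rule first, then the remaining three outcomes."""
    if second_hits and not first_hits:
        return "zero-day-candidate"      # newer component misbehaves, legacy does not
    if first_hits and second_hits:
        return "malicious"               # both VMs trip the monitors
    if first_hits:
        return "malicious-legacy-only"   # exploit no longer works on the newer component
    return "no-anomaly"


def analyze(obj: SuspectObject, legacy: GuestImage, temporary: GuestImage,
            log: EventLog, dual_mode: bool = True) -> str:
    """Claim 21 mode switch: the legacy VM alone, or legacy plus temporary VM."""
    first_hits = run_vm(legacy, obj, log)
    if not dual_mode:
        return "malicious" if first_hits else "no-anomaly"
    second_hits = run_vm(temporary, obj, log)
    return classify(first_hits, second_hits)


# Assumed versions, monitors and behaviors for the example.
MONITORS_V1 = MonitorPackage("1.0", frozenset({"heap-spray", "spawn:cmd.exe", "write:system32"}), complete=True)
LEGACY = GuestImage("vm1-fully-instrumented", "1.0", MONITORS_V1)
TEMPORARY = GuestImage("vm2-temporary", "2.0", MONITORS_V1)   # newer component, v1 monitors reused

SAMPLES: Dict[str, SuspectObject] = {   # constructed, not real telemetry
    "clean.pdf":         {"1.0": ["open", "render"], "2.0": ["open", "render"]},
    "old_exploit.pdf":   {"1.0": ["open", "heap-spray", "spawn:cmd.exe"], "2.0": ["open", "render"]},
    "both.pdf":          {"1.0": ["open", "heap-spray"], "2.0": ["open", "heap-spray"]},
    "v2_only.pdf":       {"1.0": ["open", "render"], "2.0": ["open", "heap-spray", "spawn:cmd.exe"]},
    "v2_blind_spot.pdf": {"1.0": ["open", "render"], "2.0": ["open", "call:v2_scripting_api", "write:appdata"]},
}


def triage_all(dual_mode: bool = True) -> Tuple[Dict[str, str], EventLog]:
    """Run every sample through the platform and return verdicts plus the event log."""
    log = EventLog()
    verdicts = {name: analyze(obj, LEGACY, TEMPORARY, log, dual_mode) for name, obj in SAMPLES.items()}
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = triage_all()
    for name, verdict in verdicts.items():
        print(f"{name:20s} {verdict}")
    print("\n".join(log.entries))
```

Two things in the output are worth noticing. `v2_only.pdf` is classed as a zero-day candidate in dual mode but as `no-anomaly` in single mode, which is the whole point of running the temporary image alongside the fully-instrumented one. `v2_blind_spot.pdf`, however, also comes back `no-anomaly`: its 2.0-only behaviors are outside the vocabulary of monitors tuned for 1.0, so they are never flagged. The converse failure is equally possible in practice, where a benign change in the newer component trips an old monitor and yields a false zero-day candidate. Both are why claim 21 calls the reused monitor set a partial package, and why a verdict from the temporary VM should be treated as a lead for analyst triage rather than a final disposition.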
Specification