MICRO-VIRTUAL MACHINE FORENSICS AND DETECTION

US 20170076092A1
Filed: 11/21/2016
Published: 03/16/2017
Est. Priority Date: 07/03/2012
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:

identifying one or more events occurring within an isolated environment in which a process executes, wherein said isolated environment is instantiated in response to receiving a request to execute said process;

determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process;

only upon determining that the process deviates from the expected behavior, storing behavior data that describes the actual behavior of the process during execution; and

determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An isolated environment is instantiated in response to receiving a request to execute a process. One or more events occurring within the isolated environment in which the process executes are identified. Whether the actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process is determined. Only when it is determined that the process deviates from the expected behavior is behavior data, which describes the actual behavior of the process during execution, stored. A determination is then made as to whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.

31 Citations

View as Search Results

20 Claims

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
- identifying one or more events occurring within an isolated environment in which a process executes, wherein said isolated environment is instantiated in response to receiving a request to execute said process;
  
  determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process;
  
  only upon determining that the process deviates from the expected behavior, storing behavior data that describes the actual behavior of the process during execution; and
  
  determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory one or more computer-readable storage mediums of claim 1, wherein determining that the process deviates from the expected behavior is based upon a set of events performed upon simulated hardware.
  - 3. The non-transitory one or more computer-readable storage mediums of claim 2, wherein the simulated hardware is network hardware.
  - 4. The non-transitory one or more computer-readable storage mediums of claim 2, wherein the simulated hardware is a region of memory or a non-volatile storage medium.
  - 5. The non-transitory one or more computer-readable storage mediums of claim 2, wherein the simulated hardware is a register or a page table.
  - 6. The non-transitory one or more computer-readable storage mediums of claim 1, wherein determining that the process deviates from the expected behavior is based upon a set of events pertaining to a change in a file system or a registry.
  - 7. The non-transitory one or more computer-readable storage mediums of claim 1, wherein determining that the process deviates from the expected behavior is based upon a set of events pertaining to a accessing an encryption API or an API associated with sleeping.
  - 8. The non-transitory one or more computer-readable storage mediums of claim 1, wherein storing data related to the process comprises creating a snapshot of the isolated environment in which the compromised process is executing.
  - 9. The non-transitory one or more computer-readable storage mediums of claim 1, wherein analyzing the behavioral data to determine whether the process has been compromised comprises:
    - storing data comprising known behavior of a plurality of processes;
      
      comparing the behavioral data to the data comprising known behavior of a plurality of processes; and
      
      based on the comparison, identifying whether the behavioral data matches a portion of the data comprising known behavior of a plurality of processes.

10. An apparatus, comprising:
- one or more processors; and
  
  one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed, cause;
  
  identifying one or more events occurring within an isolated environment in which a process executes, wherein said isolated environment is instantiated in response to receiving a request to execute said process;
  
  determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process;
  
  only upon determining that the process deviates from the expected behavior, storing behavior data that describes the actual behavior of the process during execution; and
  
  determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, wherein determining that the process deviates from the expected behavior is based upon a set of events performed upon simulated hardware.
  - 12. The apparatus of claim 11, wherein the simulated hardware is network hardware.
  - 13. The apparatus of claim 11, wherein the simulated hardware is a region of memory or a non-volatile storage medium.
  - 14. The apparatus of claim 11, wherein the simulated hardware is a register or a page table.
  - 15. The apparatus of claim 10, wherein determining that the process deviates from the expected behavior is based upon a set of events pertaining to a change in a file system or a registry.
  - 16. The apparatus of claim 10, wherein determining that the process deviates from the expected behavior is based upon a set of events pertaining to a accessing an encryption API or an API associated with sleeping.
  - 17. The apparatus of claim 10, wherein storing data related to the process comprises creating a snapshot of the isolated environment in which the compromised process is executing.
  - 18. The apparatus of claim 10, wherein analyzing the behavioral data to determine whether the process has been compromised comprises:
    - storing data comprising known behavior of a plurality of processes;
      
      comparing the behavioral data to the data comprising known behavior of a plurality of processes; and
      
      based on the comparison, identifying whether the behavioral data matches a portion of the data comprising known behavior of a plurality of processes.

19. A method for monitoring process behavior, comprising:
- programmatically identifying one or more events occurring within an isolated environment in which a process executes, wherein said isolated environment is instantiated in response to receiving a request to execute said process;
  
  programmatically determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process;
  
  programmatically storing behavior data that describes the actual behavior of the process during execution only upon determining that the process deviates from the expected behavior; and
  
  programmatically determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein determining that the process deviates from the expected behavior is based upon a set of events performed upon simulated hardware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Kashyap, Rahul C., Navaraj, J. McEnroe Samuel, Singh, Baibhav, Passi, Arun, Wojtczuk, Rafal, Taylor, Adrian

Granted Patent

US 10,607,007 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/1458   Management of the backup or...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/316   by observing the pattern of...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2133   Verifying human interaction...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

MICRO-VIRTUAL MACHINE FORENSICS AND DETECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MICRO-VIRTUAL MACHINE FORENSICS AND DETECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links