Systems and methods for virtualization and emulation assisted malware detection

US 9,519,781 B2
Filed: 11/03/2011
Issued: 12/13/2016
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device and intercepted by the data collector is suspicious, receiving at a second network the object from the data collector on the first network; and

at the second network;

instantiating a set of virtualization environments, each virtualization environment including a different set of one or more resources based on metadata received from the data collector;

processing the object within the set of virtualization environments;

tracing operations of the object while processing within each of the virtualization environments of the set of virtualization environments to generate a first set of traced operations;

detecting suspicious behavior associated with the object in at least one of the virtualization environments of the set of virtualization environments;

instantiating an emulation environment in response to the detected suspicious behavior in the at least one of the virtualization environments of the set of virtualization environments;

processing the object within the emulation environment;

recording responses to the object within the emulation environment to generate recorded responses;

tracing operations of the object while processing within the emulation environment to generate a second set of traced operations;

determining a likelihood of maliciousness based on at least one of the suspicious behavior associated with the object in the at least one of the virtualization environments, the recorded responses, the first set of traced operations, and the second set of traced operations; and

if the determined likelihood of maliciousness is greater than a threshold, generating a report regarding the object, the report including at least one of the recorded responses, the first set of traced operations, and the second set of traced operations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for virtualization and emulation assisted malware detection are described. In some embodiments, a method comprises intercepting an object; instantiating and processing the object in a virtualization environment; tracing operations of the object while processing within the virtualization environment; detecting suspicious behavior associated with the object; instantiating an emulation environment in response to the detected suspicious behavior; processing, recording responses to, and tracing operations of the object within the emulation environment; detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment; re-instantiating the virtualization environment; providing the recorded response from the emulation environment to the object in the virtualization environment; monitoring the operations of the object within the re-instantiation of the virtualization environment; identifying untrusted actions from the monitored operations; and generating a report regarding the identified untrusted actions of the object.

101 Citations

View as Search Results

21 Claims

1. A method comprising:
- in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device and intercepted by the data collector is suspicious, receiving at a second network the object from the data collector on the first network; and
  
  at the second network;
  
  instantiating a set of virtualization environments, each virtualization environment including a different set of one or more resources based on metadata received from the data collector;
  
  processing the object within the set of virtualization environments;
  
  tracing operations of the object while processing within each of the virtualization environments of the set of virtualization environments to generate a first set of traced operations;
  
  detecting suspicious behavior associated with the object in at least one of the virtualization environments of the set of virtualization environments;
  
  instantiating an emulation environment in response to the detected suspicious behavior in the at least one of the virtualization environments of the set of virtualization environments;
  
  processing the object within the emulation environment;
  
  recording responses to the object within the emulation environment to generate recorded responses;
  
  tracing operations of the object while processing within the emulation environment to generate a second set of traced operations;
  
  determining a likelihood of maliciousness based on at least one of the suspicious behavior associated with the object in the at least one of the virtualization environments, the recorded responses, the first set of traced operations, and the second set of traced operations; and
  
  if the determined likelihood of maliciousness is greater than a threshold, generating a report regarding the object, the report including at least one of the recorded responses, the first set of traced operations, and the second set of traced operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the suspicious behavior comprises the object loading data into memory within the at least one of the virtualization environments but not using the data within the at least one of the virtualization environments.
  - 3. The method of claim 1, wherein the suspicious behavior comprises the object scanning locations in memory of the at least one of the virtualization environments and then terminating operations.
  - 4. The method of claim 1, wherein the suspicious behavior comprises the object halting operations.
  - 5. The method of claim 1, wherein trace capturing is performed in a kernel of a digital device hosting the emulation environment.
  - 6. The method of claim 1, further comprising increasing or decreasing a frequency of a clock signal within the emulation environment.
  - 7. The method of claim 1, further comprising re-instantiating the at least one of the virtualization environments in response to a detected divergence and instantiating a modified image of the at least one of the virtualization environments.
  - 8. The method of claim 7, further comprising applying state information from the emulation environment to the at least one of the re-instantiated virtualization environments.
  - 9. The method of claim 7, wherein re-instantiating the at least one of the virtualization environments in response to the detected divergence comprises halting the at least one of the virtualization environments and restarting the at least one of the virtualization environments.
  - 10. The method of claim 7, wherein the at least one of the virtualization environments is re-instantiated at a state when the divergence is detected between the at least one of the virtualization environments and the emulation environment.

11. A system comprising:
- memory;
  
  one or more processors; and
  
  one or more modules stored in the memory and configured for execution by the one or more processors, the modules comprising;
  
  instructions to receive at a second network an object intercepted by a data collector on a first network in response to the data collector on the first network determining that an object transmitted from a first digital device to a second digital device is suspicious;
  
  instructions to instantiate a set of virtualization environments, each virtualization environment including a different set of one or more resources based on metadata received from the data collector;
  
  instructions to process the object within the set of virtualization environments;
  
  instructions to trace operations of the object while processing within each of the virtualization environments of the set of virtualization environments to generate a first set of traced operations;
  
  instructions to detect suspicious behavior associated with the object in at least one of the virtualization environments of the set of virtualization environments;
  
  instructions to instantiate an emulation environment in response to the detected suspicious behavior in the at least one of the virtualization environments of the set of virtualization environments;
  
  instructions to process the object within the emulation environment;
  
  instructions to record responses to the object within the emulation environment to generate recorded responses;
  
  instructions to trace operations of the object while processing within the emulation environment to generate a second set of traced operations;
  
  instructions to determine a likelihood of maliciousness based on at least one of the suspicious behavior associated with the object in the at least one of the virtualization environments, the recorded responses, the first set of traced operations, and the second set of traced operations; and
  
  instructions to generate a report regarding the object, if the determined likelihood of maliciousness is greater than a threshold, the report including at least one of the recorded responses, the first set of traced operations, and the second set of traced operations.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the suspicious behavior comprises the object loading data into memory within the at least one of the virtualization environments but not using the data within the at least one of the virtualization environments.
  - 13. The system of claim 11, wherein the suspicious behavior comprises the object scanning locations in memory of the at least one of the virtualization environments and then terminating operations.
  - 14. The system of claim 11, wherein the suspicious behavior comprises the object halting operations.
  - 15. The system of claim 11, wherein trace capturing is performed in a kernel of a digital device hosting the emulation environment.
  - 16. The system of claim 11, wherein the modules further comprise instructions to increase or decrease a frequency of a clock signal within the emulation environment.
  - 17. The system of claim 11, wherein the modules further comprise instructions to re-instantiate the at least one of the virtualization environments in response to a detected divergence and instructions to instantiate a modified image of the at least one of the virtualization environments in response to the detected divergence.
  - 18. The system of claim 17, wherein the modules further comprise instructions to apply state information from the emulation environment to the at least one of the re-instantiated virtualization environments.
  - 19. The system of claim 17, wherein the instructions to re-instantiate the at least one of the virtualization environments in response to the detected divergence comprise instructions to halt the at least one of the virtualization environments and restart the at least one of the virtualization environments.
  - 20. The system of claim 17, wherein the modules further comprise instructions to re-instantiate the at least one of the virtualization environments at a state when the divergence is detected between the at least one of the virtualization environments and the emulation environment.

21. A non-transitory computer readable medium comprising instructions, the instructions being executable for performing a method, the method comprising:
- in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device and intercepted by the data collector is suspicious, receiving at a second network the object from the data collector on the first network;
  
  instantiating a set of virtualization environments, each virtualization environment including a different set of one or more resources based on metadata received from the data collector;
  
  processing the object within the set of virtualization environments;
  
  tracing operations of the object while processing within each of the virtualization environments of the set of virtualization environments to generate a first set of traced operations;
  
  detecting suspicious behavior associated with the object in at least one of the virtualization environments of the set of virtualization environments;
  
  instantiating an emulation environment in response to the detected suspicious behavior in the at least one of the virtualization environments of the set of virtualization environments;
  
  processing the object within the emulation environment;
  
  recording responses to the object within the emulation environment to generate recorded responses;
  
  tracing operations of the object while processing within the emulation environment to generate a second set of traced operations;
  
  determining a likelihood of maliciousness based on at least one of the suspicious behavior associated with the object in the at least one of the virtualization environments, the recorded responses, the first set of traced operations, and the second set of traced operations; and
  
  if the determined likelihood of maliciousness is greater than a threshold, generating a report regarding the object, the report including at least one of the recorded responses, the first set of traced operations, and the second set of traced operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Golshan, Ali, Binder, James S.
Primary Examiner(s)
Davis, Zachary A

Application Number

US13/288,905
Publication Number

US 20130117848A1
Time in Patent Office

1,867 Days
Field of Search

726/24, 726/23, 726/22, 713/188, 718/1, 703/23, 703/26
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 9/45541   Bare-metal, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Systems and methods for virtualization and emulation assisted malware detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for virtualization and emulation assisted malware detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links