Systems and methods for virtualization and emulation assisted malware detection
First Claim
1. A method comprising:
in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device and intercepted by the data collector is suspicious, receiving at a second network the object from the data collector on the first network; and
at the second network:
instantiating a set of virtualization environments, each virtualization environment including a different set of one or more resources based on metadata received from the data collector;
processing the object within the set of virtualization environments;
tracing operations of the object while processing within each of the virtualization environments of the set of virtualization environments to generate a first set of traced operations;
detecting suspicious behavior associated with the object in at least one of the virtualization environments of the set of virtualization environments;
instantiating an emulation environment in response to the detected suspicious behavior in the at least one of the virtualization environments of the set of virtualization environments;
processing the object within the emulation environment;
recording responses to the object within the emulation environment to generate recorded responses;
tracing operations of the object while processing within the emulation environment to generate a second set of traced operations;
determining a likelihood of maliciousness based on at least one of the suspicious behavior associated with the object in the at least one of the virtualization environments, the recorded responses, the first set of traced operations, and the second set of traced operations; and
if the determined likelihood of maliciousness is greater than a threshold, generating a report regarding the object, the report including at least one of the recorded responses, the first set of traced operations, and the second set of traced operations.
Abstract
Systems and methods for virtualization and emulation assisted malware detection are described. In some embodiments, a method comprises intercepting an object; instantiating and processing the object in a virtualization environment; tracing operations of the object while processing within the virtualization environment; detecting suspicious behavior associated with the object; instantiating an emulation environment in response to the detected suspicious behavior; processing, recording responses to, and tracing operations of the object within the emulation environment; detecting a divergence between the traced operations of the object within the virtualization environment and the traced operations of the object within the emulation environment; re-instantiating the virtualization environment; providing the recorded responses from the emulation environment to the object in the re-instantiated virtualization environment; monitoring the operations of the object within the re-instantiated virtualization environment; identifying untrusted actions from the monitored operations; and generating a report regarding the identified untrusted actions of the object.
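The claim and abstract describe an orchestration: run the object in several virtualization environments, trace it, escalate to an emulation environment when it behaves suspiciously, record the emulator's responses, find where the two traces diverge, replay the recorded responses into a fresh virtualization environment, and report untrusted actions above a likelihood threshold. The following is an added illustration of that control flow, not code from the patent; the environments, the constructed evasive sample, the fingerprinting heuristic and the likelihood formula are all assumptions made for the example.

```python
from dataclasses import dataclass, field

SUSPICIOUS = {"write_autorun", "connect_out", "inject_process"}   # untrusted actions (assumed set)
FINGERPRINT = {"cpu_vendor", "disk_gb"}                           # environment probes (assumed set)

@dataclass
class Environment:
    """One analysis environment: answers the object's queries and records what it answered."""
    responses: dict
    recorded: dict = field(default_factory=dict)

    def respond(self, query):
        answer = self.responses.get(query)
        self.recorded[query] = answer            # the "recorded responses" of the claim
        return answer

def sample(env):
    """Constructed evasive object: probes the host and stays quiet if it looks virtual."""
    vendor, disk = env.respond("cpu_vendor"), env.respond("disk_gb")
    trace = [("query", "cpu_vendor"), ("query", "disk_gb")]
    if "virtual" in str(vendor).lower() or not isinstance(disk, int) or disk < 40:
        return trace + [("exit", 0)]
    return trace + [("write_autorun", "run.exe"), ("connect_out", "203.0.113.7:443")]

def first_divergence(trace_a, trace_b):
    """Index of the first differing operation, or None when the traces are identical."""
    for i, (a, b) in enumerate(zip(trace_a, trace_b)):
        if a != b:
            return i
    return None if len(trace_a) == len(trace_b) else min(len(trace_a), len(trace_b))

def likelihood(traces):
    """Assumed scoring: share of known untrusted action types observed across all traces."""
    seen = {op for trace in traces for op, _ in trace if op in SUSPICIOUS}
    return len(seen) / len(SUSPICIOUS)

def analyze(obj, vm_resources, emu_responses, threshold=0.5):
    vm_traces = [obj(Environment(r)) for r in vm_resources]            # first set of traced operations
    if not any(arg in FINGERPRINT for t in vm_traces for op, arg in t if op == "query"):
        return None                    # nothing suspicious in the VMs: emulation is never instantiated
    emu = Environment(emu_responses)
    emu_trace = obj(emu)                                               # second set of traced operations
    divergence = [first_divergence(t, emu_trace) for t in vm_traces]
    # Re-instantiate a VM, hand it the emulator's recorded responses, and watch what the object does.
    replay_trace = obj(Environment(dict(emu.recorded)))
    untrusted = [op for op in replay_trace if op[0] in SUSPICIOUS]
    score = likelihood(vm_traces + [emu_trace, replay_trace])
    if score <= threshold:
        return None
    return {"likelihood": score, "divergence": divergence, "recorded": emu.recorded,
            "untrusted_actions": untrusted}
```

With two VM resource sets that each trip the sample's checks and an emulator that satisfies them, the traces diverge at the third operation and the replay exposes the persistence and network actions that the VMs alone never saw.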
101 Citations
21 Claims
1. (Independent method claim, set out in full above under First Claim; dependent claims 2-10.)
11. A system comprising:
memory; one or more processors; and one or more modules stored in the memory and configured for execution by the one or more processors, the modules comprising: instructions to receive at a second network an object intercepted by a data collector on a first network in response to the data collector on the first network determining that an object transmitted from a first digital device to a second digital device is suspicious; instructions to instantiate a set of virtualization environments, each virtualization environment including a different set of one or more resources based on metadata received from the data collector; instructions to process the object within the set of virtualization environments; instructions to trace operations of the object while processing within each of the virtualization environments of the set of virtualization environments to generate a first set of traced operations; instructions to detect suspicious behavior associated with the object in at least one of the virtualization environments of the set of virtualization environments; instructions to instantiate an emulation environment in response to the detected suspicious behavior in the at least one of the virtualization environments of the set of virtualization environments; instructions to process the object within the emulation environment; instructions to record responses to the object within the emulation environment to generate recorded responses; instructions to trace operations of the object while processing within the emulation environment to generate a second set of traced operations; instructions to determine a likelihood of maliciousness based on at least one of the suspicious behavior associated with the object in the at least one of the virtualization environments, the recorded responses, the first set of traced operations, and the second set of traced operations; and instructions to generate a report regarding the object, if the determined likelihood of maliciousness is greater than a threshold, the report including at least one of the recorded responses, the first set of traced operations, and the second set of traced operations.
(Dependent claims 12-20.)
21. A non-transitory computer readable medium comprising instructions, the instructions being executable for performing a method, the method comprising:
in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device and intercepted by the data collector is suspicious, receiving at a second network the object from the data collector on the first network; instantiating a set of virtualization environments, each virtualization environment including a different set of one or more resources based on metadata received from the data collector; processing the object within the set of virtualization environments; tracing operations of the object while processing within each of the virtualization environments of the set of virtualization environments to generate a first set of traced operations; detecting suspicious behavior associated with the object in at least one of the virtualization environments of the set of virtualization environments; instantiating an emulation environment in response to the detected suspicious behavior in the at least one of the virtualization environments of the set of virtualization environments; processing the object within the emulation environment; recording responses to the object within the emulation environment to generate recorded responses; tracing operations of the object while processing within the emulation environment to generate a second set of traced operations; determining a likelihood of maliciousness based on at least one of the suspicious behavior associated with the object in the at least one of the virtualization environments, the recorded responses, the first set of traced operations, and the second set of traced operations; and if the determined likelihood of maliciousness is greater than a threshold, generating a report regarding the object, the report including at least one of the recorded responses, the first set of traced operations, and the second set of traced operations.
Specification