System and method for passive threat detection using virtual memory inspection
First Claim
1. A method, comprising:
- synchronizing a first memory page set of a first host with a second memory page set of a virtual guest machine of a second host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set;
capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval;
evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line;
detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and
taking an action based on the threat.
10 Assignments
0 Petitions
Accused Products
Abstract
A method in one example implementation includes synchronizing a first memory page set with a second memory page set of a virtual guest machine, inspecting the first memory page set off-line, and detecting a threat in the first memory page set. The method further includes taking an action based on the threat. In more specific embodiments, the method includes updating the first memory page set with a subset of the second memory page set at an expiration of a synchronization interval, where the subset of the second memory page set was modified during the synchronization interval. In other more specific embodiments, the second memory page set of the virtual guest machine represents non-persistent memory of the virtual guest machine. In yet other specific embodiments, the action includes at least one of shutting down the virtual guest machine and alerting an administrator.
413 Citations
20 Claims
-
1. A method, comprising:
-
synchronizing a first memory page set of a first host with a second memory page set of a virtual guest machine of a second host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set; capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval; evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line; detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and taking an action based on the threat. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. One or more non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
-
synchronizing a first memory page set of a first host with a second memory page set of a virtual guest machine of a second host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set; capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval; evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line; detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and taking an action based on the threat. - View Dependent Claims (10, 11, 12, 18, 19, 20)
-
-
13. An apparatus, comprising:
-
a memory synchronization module; a memory inspection engine; a memory element for storing a first memory page set; and a processor operable to execute operations associated with the first memory page set, wherein the memory synchronization module, the memory inspection engine, the first memory page set, and the processor cooperate such that the apparatus is configured for; synchronizing the first memory page set with a second memory page set of a virtual guest machine of a host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set; capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval; evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line; detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and taking an action based on the threat. - View Dependent Claims (14, 15, 16, 17)
-
Specification