System and method for passive threat detection using virtual memory inspection

US 9,594,881 B2
Filed: 09/09/2011
Issued: 03/14/2017
Est. Priority Date: 09/09/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

synchronizing a first memory page set of a first host with a second memory page set of a virtual guest machine of a second host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set;

capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval;

evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line;

detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and

taking an action based on the threat.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes synchronizing a first memory page set with a second memory page set of a virtual guest machine, inspecting the first memory page set off-line, and detecting a threat in the first memory page set. The method further includes taking an action based on the threat. In more specific embodiments, the method includes updating the first memory page set with a subset of the second memory page set at an expiration of a synchronization interval, where the subset of the second memory page set was modified during the synchronization interval. In other more specific embodiments, the second memory page set of the virtual guest machine represents non-persistent memory of the virtual guest machine. In yet other specific embodiments, the action includes at least one of shutting down the virtual guest machine and alerting an administrator.

413 Citations

20 Claims

1. A method, comprising:
- synchronizing a first memory page set of a first host with a second memory page set of a virtual guest machine of a second host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set;
  
  capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval;
  
  evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line;
  
  detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and
  
  taking an action based on the threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein, after being updated with the subset of the second memory page set, the first memory page set is at least substantially the same as the second memory page set existing when the previous synchronization interval expired.
  - 3. The method of claim 1, wherein the inspecting the first memory page set includes analyzing a portion of the first memory page set corresponding to the subset of the second memory page set.
  - 4. The method of claim 1, wherein the second memory page set of the virtual guest machine represents non-persistent memory of the virtual guest machine.
  - 5. The method of claim 1, wherein the action includes sending a communication via a feedback loop to a security manager.
  - 6. The method of claim 1, wherein the inspecting the first memory page set includes analyzing at least one of kernel data structures and user data structures.
  - 7. The method of claim 1, wherein the action is based on a policy.
  - 8. The method of claim 1, wherein the action includes at least one of shutting down the virtual guest machine and alerting an administrator.

9. One or more non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- synchronizing a first memory page set of a first host with a second memory page set of a virtual guest machine of a second host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set;
  
  capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval;
  
  evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line;
  
  detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and
  
  taking an action based on the threat.
- View Dependent Claims (10, 11, 12, 18, 19, 20)
- - 10. The one or more non-transitory media of claim 9, wherein, after being updated with the subset of the second memory page set, the first memory page set is at least substantially the same as the second memory page set existing when the previous synchronization interval expired.
  - 11. The one or more non-transitory media of claim 9, wherein the second memory page set of the virtual guest machine represents non-persistent memory of the virtual guest machine.
  - 12. The one or more non-transitory media of claim 9, wherein the inspecting the first memory page set is to analyze at least one of kernel data structures and user data structures.
  - 18. The one or more non-transitory media of claim 9, wherein the inspecting the first memory page set is to analyze a portion of the first memory page set corresponding to the subset of the second memory page set.
  - 19. The one or more non-transitory media of claim 9, wherein the action is based on a policy.
  - 20. The one or more non-transitory media of claim 9, wherein the action is to perform at least one of shutting down the virtual guest machine and alerting an administrator.

13. An apparatus, comprising:
- a memory synchronization module;
  
  a memory inspection engine;
  
  a memory element for storing a first memory page set; and
  
  a processor operable to execute operations associated with the first memory page set, wherein the memory synchronization module, the memory inspection engine, the first memory page set, and the processor cooperate such that the apparatus is configured for;
  
  synchronizing the first memory page set with a second memory page set of a virtual guest machine of a host to capture a current state of the virtual guest machine, wherein the synchronizing is to cause kernel state information and user state information of one or more physical memory pages of the virtual guest machine to be stored in the first memory page set;
  
  capturing a new current state of the virtual guest machine by updating the first memory page set with a subset of the second memory page set at an expiration of a predetermined synchronization interval if monitoring the second memory page set indicates the subset of the second memory page set includes at least one physical memory page modified during the predetermined synchronization interval;
  
  evaluating the new current state of the virtual guest machine by inspecting the updated first memory page set off-line;
  
  detecting a threat in the updated first memory page set based on the inspecting of at least one of the kernel state information and the user state information in the updated first memory page set; and
  
  taking an action based on the threat.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13, wherein, after being updated with the subset of the second memory page set, the first memory page set is at least substantially the same as the second memory page set existing when the previous synchronization interval expired.
  - 15. The apparatus of claim 13, wherein the second memory page set of the virtual guest machine represents non-persistent memory of the virtual guest machine.
  - 16. The apparatus of claim 13, wherein the action includes sending a communication via a feedback loop to a security manager.
  - 17. The apparatus of claim 13, wherein the action is based on a policy and includes at least one of shutting down the virtual guest machine and alerting an administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bhargava, Rishi, Reese, David P. Jr.
Primary Examiner(s)
Kim, Tae
Assistant Examiner(s)
KU, SHIUH-HUEI P

Application Number

US13/229,502
Publication Number

US 20130246685A1
Time in Patent Office

2,013 Days
Field of Search

726 22- 26
US Class Current

1/1
CPC Class Codes

G06F 12/08   in hierarchically structure...

G06F 21/00   Security arrangements for p...

G06F 21/577   Assessing vulnerabilities a...

G06F 2212/1052   Security improvement

G06F 2212/151   Emulated environment, e.g. ...

System and method for passive threat detection using virtual memory inspection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

413 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for passive threat detection using virtual memory inspection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

413 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links