Systems and methods for virtualized malware detection
First Claim
1. A method comprising:
- in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device is suspicious, receiving at a second network the object intercepted by the data collector on the first network, at the second network;
- determining one or more resources the object will require when the object is executed;
- instantiating a first instance of a virtual environment with the one or more resources;
- processing the object within the first instance of the virtual environment;
- monitoring the operations of the object during the processing within the first instance of the virtual environment;
- identifying an additional resource for the object during the processing within the first instance of the virtual environment, the additional resource not provided in the first instance of the virtual environment;
- instantiating a second instance of the virtual environment in addition to the first instance of the virtual environment such that the processing of the object in the first instance of the virtual environment continues, the second instance of the virtual environment with the additional resource not provided in the first instance of the virtual environment as well as the one or more resources;
- processing the object within the second instance of the virtual environment;
- monitoring the operations of the object during the processing within the second instance of the virtual environment;
- identifying actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual environment;
- determining a threat value of the object intercepted by the data collector on the first network based on the actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual; and
- if the determined threat value of the object intercepted by the data collector on the first network is greater than a threshold, generating a report based on the first instance of the virtual environment and the second instance of the virtual environment identifying the operations and the actions of the object.
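A Python simulation of the claimed two-instance analysis, added here as an illustration; it is not code from the patent or its assignee. The object, its declared and run-time resources, the action weights and the threshold are all constructed, and the example generalizes claim 1 slightly by starting one further instance per resource discovered at run time rather than exactly one second instance.

```python
from dataclasses import dataclass, field

# Hypothetical scoring table and threshold (constructed for this example, not from the patent).
ACTION_WEIGHTS = {"read_file": 0, "write_startup": 4, "beacon": 5, "modify_hosts": 3}
THRESHOLD = 6

@dataclass
class Sandbox:
    """One instance of the virtual environment, provisioned with a fixed resource set."""
    instance_id: int
    resources: frozenset
    operations: list = field(default_factory=list)  # (resource, action) pairs the object performed
    missing: set = field(default_factory=set)       # resources requested but not provisioned

    def run(self, steps):
        # A step whose resource is absent is only recorded as missing; the instance keeps
        # processing, so the first instance continues while a second one is started.
        for resource, action in steps:
            if resource in self.resources:
                self.operations.append((resource, action))
            else:
                self.missing.add(resource)
        return self

def predict_resources(obj):
    """Pre-execution step: resources the object visibly declares (constructed 'declared' set)."""
    return frozenset(obj["declared"])

def analyze(obj, threshold=THRESHOLD):
    """Run the object, add one instance per resource discovered at run time, score and report."""
    base = predict_resources(obj)
    instances = [Sandbox(1, base).run(obj["steps"])]
    for extra in sorted(instances[0].missing):  # first instance's results are retained
        instances.append(Sandbox(len(instances) + 1, base | {extra}).run(obj["steps"]))
    # Actions are the distinct monitored operations across every instance.
    actions = sorted({op for inst in instances for op in inst.operations})
    threat = sum(ACTION_WEIGHTS.get(action, 1) for _, action in actions)
    report = None
    if threat > threshold:
        report = {"threat_value": threat, "actions": actions,
                  "instances": {i.instance_id: {"resources": sorted(i.resources),
                                                "operations": i.operations} for i in instances}}
    return threat, report

# Constructed sample object: declares filesystem and registry but also reaches for the network,
# so the first instance lacks "network" and a second instance is started with it added.
SAMPLE = {"declared": {"filesystem", "registry"},
          "steps": [("filesystem", "read_file"), ("network", "beacon"),
                    ("registry", "write_startup")]}
```

Calling `analyze(SAMPLE)` yields a threat value of 9 with a report that shows the beacon only in the second instance, which is the observation the single-instance run would have missed.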
Abstract
Systems and methods for virtualized malware enabled detection are described. In some embodiments, a method comprises intercepting an object provided from a first digital device, determining one or more resources the object requires, instantiating a virtual environment with the one or more resources, processing the object within the virtual environment, tainting operations of the object within the virtual environment, monitoring the operations of the object, identifying an additional resource of the object while processing that is not provided in the virtual environment, re-instantiating the virtual environment with the additional resource, monitoring the operations of the object while processing within the re-instantiated virtual environment, identifying untrusted actions from the monitored operations, and generating a report identifying the operations and the untrusted actions of the object.
25 Claims
1. (Independent method claim, reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A system comprising:
- a processor including circuitry;
- a collection module configured to instruct the processor to receive at a second network an object intercepted by a data collector on a first network in response to the data collector on the first network determining that an object transmitted from a first digital device to a second digital device is suspicious;
- a virtualization module configured to instruct the processor to instantiate a first virtual environment with the one or more resources, to process the object within the first virtual environment, to identify an additional resource for the object while processing the object within the first virtual environment, the additional resource not provided in the first virtual environment, to instantiate a second virtual environment in addition to the first virtual environment such that the virtualization module is configured to continue to process the object in the first virtual environment, the second virtual environment with the additional resource not provided in the first virtual environment as well as the one or more resources, and to process the object within the second virtual environment;
- a control module configured to instruct the processor to determine one or more resources the object will require when the object is processed, to monitor the operations of the object while processing the object within the first virtual environment, to monitor the operations of the object while processing the object within the second virtual environment, and to identify actions of the object from the monitored operations of the object within the second virtual environment, and determining a threat value of the object intercepted by the data collector on the first network based on the actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual; and
- a report module configured to instruct the processor to generate a report based on the first virtual environment and the second virtual environment identifying the operations and the actions of the object if the determined threat value of the object intercepted by the data collector on the first network is greater than a threshold.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
25. A non-transitory computer readable medium comprising instructions, the instructions being executable by a processor for performing a method, the method comprising:
- in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device is suspicious, receiving at a second network the object intercepted by the data collector on the first network, at the second network;
- determining one or more resources the object will require when the object is executed;
- instantiating a first instance of a virtual environment with the one or more resources;
- processing the object within the first instance of the virtual environment;
- monitoring the operations of the object during the processing within the first instance of the virtual environment;
- identifying an additional resource for the object during the processing within the first instance of the virtual environment, the additional resource not being provided in the first instance of the virtual environment;
- instantiating a second instance of the virtual environment in addition to the first instance of the virtual environment such that the processing of the object in the first instance of the virtual environment continues, the second instance of the virtual environment with the additional resource not provided in the first instance of the virtual environment as well as the one or more resources;
- processing the object within the second instance of the virtual environment;
- monitoring the operations of the object during the processing within the second instance of the virtual environment;
- identifying actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual environment;
- determining a threat value of the object intercepted by the data collector on the first network based on the actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual; and
- if the determined threat value of the object intercepted by the data collector on the first network is greater than a threshold, generating a report based on the first instance of the virtual environment and the second instance of the virtual environment identifying the operations and the actions of the object.