Systems and methods for virtualized malware detection

US 9,792,430 B2
Filed: 11/03/2011
Issued: 10/17/2017
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device is suspicious, receiving at a second network the object intercepted by the data collector on the first network,at the second network;

determining one or more resources the object will require when the object is executed;

instantiating a first instance of a virtual environment with the one or more resources;

processing the object within the first instance of the virtual environment;

monitoring the operations of the object during the processing within the first instance of the virtual environment;

identifying an additional resource for the object during the processing within the first instance of the virtual environment, the additional resource not provided in the first instance of the virtual environment;

instantiating a second instance of the virtual environment in addition to the first instance of the virtual environment such that the processing of the object in the first instance of the virtual environment continues, the second instance of the virtual environment with the additional resource not provided in the first instance of the virtual environment as well as the one or more resources;

processing the object within the second instance of the virtual environment;

monitoring the operations of the object during the processing within the second instance of the virtual environment;

identifying actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual environment;

determining a threat value of the object intercepted by the data collector on the first network based on the actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual; and

if the determined threat value of the object intercepted by the data collector on the first network is greater than a threshold, generating a report based on the first instance of the virtual environment and the second instance of the virtual environment identifying the operations and the actions of the object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for virtualized malware enabled detection are described. In some embodiments, a method comprises intercepting an object provided from a first digital device, determining one or more resources the object requires, instantiating a virtual environment with the one or more resources, processing the object within the virtual environment, tainting operations of the object within the virtual environment, monitoring the operations of the object, identifying an additional resource of the object while processing that is not provided in the virtual environment, re-instantiating the virtual environment with the additional resource, monitoring the operations of the object while processing within the re-instantiated virtual environment, identifying untrusted actions from the monitored operations, and generating a report identifying the operations and the untrusted actions of the object.

95 Citations

View as Search Results

25 Claims

1. A method comprising:
- in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device is suspicious, receiving at a second network the object intercepted by the data collector on the first network,at the second network;
  
  determining one or more resources the object will require when the object is executed;
  
  instantiating a first instance of a virtual environment with the one or more resources;
  
  processing the object within the first instance of the virtual environment;
  
  monitoring the operations of the object during the processing within the first instance of the virtual environment;
  
  identifying an additional resource for the object during the processing within the first instance of the virtual environment, the additional resource not provided in the first instance of the virtual environment;
  
  instantiating a second instance of the virtual environment in addition to the first instance of the virtual environment such that the processing of the object in the first instance of the virtual environment continues, the second instance of the virtual environment with the additional resource not provided in the first instance of the virtual environment as well as the one or more resources;
  
  processing the object within the second instance of the virtual environment;
  
  monitoring the operations of the object during the processing within the second instance of the virtual environment;
  
  identifying actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual environment;
  
  determining a threat value of the object intercepted by the data collector on the first network based on the actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual; and
  
  if the determined threat value of the object intercepted by the data collector on the first network is greater than a threshold, generating a report based on the first instance of the virtual environment and the second instance of the virtual environment identifying the operations and the actions of the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the object comprises an executable file, a batch file, or a data file.
  - 3. The method of claim 1, further comprising performing a heuristic process on the object and determining the one or more resources the object requires based on the result of the heuristic process.
  - 4. The method of claim 1, wherein determining the one or more resources the object requires is based on metadata associated with the object.
  - 5. The method of claim 1, wherein the one or more resources may include one or more applications.
  - 6. The method of claim 1, wherein generating the report identifying the operations and the actions of the object comprises generating a signature to be used to detect malware.
  - 7. The method of claim 1, wherein generating the report identifying the operations and the actions of the object comprises identifying a vulnerability in an application based on the operations and the untrusted actions of the object.
  - 8. The method of claim 1, wherein instantiating the second instance of the virtual environment with the additional resource as well as the one or more resources comprises instantiating the second instance of the virtual environment with at least one resource that is different than a resource available in the first instance of the virtual environment.
  - 9. The method of claim 1, wherein generating the report comprises generating the report further identifying an exploit that is present in one or more devices.
  - 10. The method of claim 1, further comprising increasing or decreasing a clock signal within the virtual environment.
  - 11. The method of claim 1, further comprising logging a state of the virtual environment while monitoring the operations of the object.
  - 12. The method of claim 11, wherein instantiating the second instance of the virtual environment with the additional resource as well as the one or more resources comprises halting the virtual environment and re-instantiating the virtual environment with the logged state.

13. A system comprising:
- a processor including circuitry;
  
  a collection module configured to instruct the processor to receive at a second network an object intercepted by a data collector on a first network in response to the data collector on the first network determining that an object transmitted from a first digital device to a second digital device is suspicious;
  
  a virtualization module configured to instruct the processor to instantiate a first virtual environment with the one or more resources, to process the object within the first virtual environment, to identify an additional resource for the object while processing the object within the first virtual environment, the additional resource not provided in the first virtual environment, to instantiate a second virtual environment in addition to the first virtual environment such that the virtualization module is configured to continue to process the object in the first virtual environment, the second virtual environment with the additional resource not provided in the first virtual environment as well as the one or more resources, and to process the object within the second virtual environment;
  
  a control module configured to instruct the processor to determine one or more resources the object will require when the object is processed, to monitor the operations of the object while processing the object within the first virtual environment, to monitor the operations of the object while processing the object within the second virtual environment, and to identify actions of the object from the monitored operations of the object within the second virtual environment, and determining a threat value of the object intercepted by the data collector on the first network based on the actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual; and
  
  a report module configured to instruct the processor to generate a report based on the first virtual environment and the second virtual environment identifying the operations and the actions of the object if the determined threat value of the object intercepted by the data collector on the first network is greater than a threshold.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the object comprises an executable file, a batch file, or a data file.
  - 15. The system of claim 13, further comprising a heuristic module configured to instruct the processor to perform a heuristic process on the object and determining the one or more resources the object requires based on the result of the heuristic process.
  - 16. The system of claim 13, wherein the control module instructs the processor to determine the one or more resources of the object based on metadata associated with the object.
  - 17. The system of claim 13, wherein the one or more resources may include one or more applications.
  - 18. The system of claim 13, wherein the report module configured to instruct the processor to generate the report based on the first virtual environment and the second virtual environment identifying the operations and the actions of the object comprises the report module configured to instruct the processor to generate a signature to be used to detect malware.
  - 19. The system of claim 13, wherein the report module configured to instruct the processor to generate the report based on the first virtual environment and the second virtual environment identifying the operations and the actions of the object comprises the report module configured to instruct the processor to identify a vulnerability in an application based on the operations and the actions of the object.
  - 20. The system of claim 13, wherein the virtualization module configured to instruct the processor to instantiate the second virtual environment with the additional resource not provided in the first virtual environment as well as the one or more resources comprises the virtualization module configured to instruct the processor to instantiate the second instance of a virtual environment with at least one resource that is different than a resource available in the first virtual environment.
  - 21. The system of claim 13, wherein the reporting module is configured to instruct the processor to generate the report further identifying an exploit that is present in one or more devices.
  - 22. The system of claim 13, wherein the control module is further configured to instruct the processor to increase or decrease a clock signal within the first or second virtual environment.
  - 23. The system of claim 13, wherein the control module is further configured to instruct the processor to log a state of the first or second virtual environment while monitoring the operations of the object.
  - 24. The system of claim 23, wherein the virtualization module configured to instruct the processor to instantiate a second virtual environment with the additional resource not provided in the first virtual environment as well as the one or more resources comprises the virtualization module configured to instruct the processor to modify the first virtual environment based on the logged state.

25. A non-transitory computer readable medium comprising instructions, the instructions being executable by a processor for performing a method, the method comprising:
- in response to a data collector on a first network determining that an object transmitted from a first digital device to a second digital device is suspicious, receiving at a second network the object intercepted by the data collector on the first network,at the second network;
  
  determining one or more resources the object will require when the object is executed;
  
  instantiating a first instance of a virtual environment with the one or more resources;
  
  processing the object within the first instance of the virtual environment;
  
  monitoring the operations of the object during the processing within the first instance of the virtual environment;
  
  identifying an additional resource for the object during the processing within the first instance of the virtual environment, the additional resource not being provided in the first instance of the virtual environment;
  
  instantiating a second instance of the virtual environment in addition to the first instance of the virtual environment such that the processing of the object in the first instance of the virtual environment continues, the second instance of the virtual environment with the additional resource not provided in the first instance of the virtual environment as well as the one or more resources;
  
  processing the object within the second instance of the virtual environment;
  
  monitoring the operations of the object during the processing within the second instance of the virtual environment;
  
  identifying actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual environment;
  
  determining a threat value of the object intercepted by the data collector on the first network based on the actions from the monitored operations of the object within the first instance of the virtual environment and the second instance of the virtual; and
  
  if the determined threat value of the object intercepted by the data collector on the first network is greater than a threshold, generating a report based on the first instance of the virtual environment and the second instance of the virtual environment identifying the operations and the actions of the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Golshan, Ali, Binder, James S.
Primary Examiner(s)
Wang, Harris C

Application Number

US13/288,917
Publication Number

US 20130117849A1
Time in Patent Office

2,175 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

Systems and methods for virtualized malware detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

95 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for virtualized malware detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links