WO2022055470A1 - Activity analysis of virtual machines - Google Patents
- Publication number
- WO2022055470A1 (PCT/US2020/049656)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- virtual machine
- computing device
- micro
- application
- readable medium
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Definitions
- Computing devices may face a variety of threats, such as computer viruses, unauthorized access, etc.
- information technology (IT) administrators may employ different tools.
- the tools may include anti-virus applications, firewalls, and software updates.
- FIG. 1 illustrates a block diagram of a computing device including a dedicated analyzer virtual machine to analyze other virtual machines on the computing device, according to an example.
- FIG. 2 illustrates a block diagram of a dedicated analyzer virtual machine and a plurality of virtual machines according to another example.
- FIG. 3 illustrates a block diagram of an example man in the middle proxy in a dedicated analyzer virtual machine.
- FIG. 4 illustrates a flow diagram of an example intrusion detection process that may be carried out by a network intrusion detection engine.
- FIG. 5 is an example of a computer readable medium comprising instructions to analyze activity of virtual machines according to an example.
- FIG. 6 is an example of a computer readable medium comprising instructions to analyze activity of virtual machines according to another example.
- a non-transitory computer readable medium and a computing device that can cause a dedicated virtual machine to perform a threat analysis of other virtual machines on the computing device on which the dedicated virtual machine and other virtual machines are running.
- the computing device may be an endpoint computing device that can host the dedicated virtual machine and may be connectable to a network on which there may be other endpoint computing devices.
- Each endpoint computing device may host its own dedicated virtual machine and may be capable of executing other virtual machines that communicate with the dedicated virtual machine.
- when a user of the endpoint computing device wishes to run any application in an endpoint computing device that requires access to either a network or untrusted data, wherein untrusted data is any data that originates from outside the endpoint computing device, the application is run inside a virtual machine that is created on-demand on the endpoint computing device based on an image of the endpoint computing device operating system.
- Such an on-demand virtual machine may be referred to as a micro virtual machine.
- the dedicated virtual machine, and other virtual machines which communicate with the dedicated virtual machine may be micro virtual machines (micro VMs).
- the micro virtual machines are therefore virtual machines that can be created, maintained, and destroyed on-demand and may exist for a limited time that the application within the micro virtual machine is running.
- any activity which is not previously deemed trustworthy may be performed in a separate micro virtual machine, and so all code which may be potentially malicious is executed in its own micro virtual machine that is destroyed after its immediate use is ended, thereby preventing any malicious code from effecting any lasting change to an endpoint computing device or the network.
- the micro virtual machine may run a local application or an individual web page session. When a user is done running the local application or navigates away from a web page to another page with a different Internet URL domain, the corresponding micro virtual machine can be destroyed or terminated. Upon termination, the content of the micro virtual machine including associated data stored in memory can be discarded.
- Any new local application or web application can then be run inside a brand new, separate micro virtual machine that may be cloned from a clean micro virtual machine master template.
- the dedicated micro virtual machine may be a single micro virtual machine that may perform threat analysis including static analysis or network traffic analysis and the threat analysis may be performed when the dedicated micro virtual machine is interconnected with other micro virtual machines to be analyzed.
- the static analysis may be performed on files, streams and virtual machine memory, and the network traffic analysis may be performed on interconnected micro virtual machines.
- the threat analysis performed by the dedicated virtual machine can use a number of different protocols including man in the middle proxy or SSL split to conclude maliciousness.
- the dedicated micro virtual machine can perform different analysis depending on the type of virtual machine, for example, whether the micro virtual machine is a browser virtual machine running an instance of a web browser application or non-browser virtual machine running an instance of a non-web browser application.
- Such a dedicated micro virtual machine is centralised in the micro virtual machine environment on the endpoint computing device and can allow enhanced security on an endpoint computing device and optimisation of analysis and detection of malicious activity without detriment to the performance of each micro virtual machine.
- the malicious activity may be carried out in an application that is running on its own micro virtual machine whilst being analyzed by the dedicated virtual machine without gaining access to a host such as an underlying operating system hosted on the endpoint computing device.
- System resources can be kept minimal using the dedicated micro virtual machine and other micro virtual machines.
- an example computing device 100 may include a first storage device 110 and a processor 115.
- Processor 115 may be in communication with first storage device 110.
- Processor 115 may control operations of computing device 100.
- Storage device 110 may store data which includes the instructions to be carried out by the processor 115.
- storage device 110 may be implemented using non-volatile memory, such as hard disk drives, solid state storage, flash memory, Electrically Erasable Programmable Read-Only Memory (EEPROM) etc.
- the computing device 100 may be an endpoint computing device capable of connecting to a network and executing a virtual machine.
- the network may comprise a plurality of endpoint computing devices that may have access to a central server.
- the endpoint computing device may be able to host an operating system and be accessible to a network such as an enterprise’s intranet or the Internet.
- Non-limiting, illustrative examples of computing device 100 include a PC, a laptop computer, a tablet computer, a cell phone, a personal digital assistant (PDA), and the like.
- the instructions that may be stored in storage device 110 may cause the computing device 100 to generate a first virtual machine 120 which is a dedicated analyzer virtual machine to analyze other virtual machines on the computing device 100 according to the present disclosure.
- the first virtual machine 120 may be initiated at start-up of the computing device 100 and may remain in a suspended state until an application which may be associated with a file is to be opened in which case the first virtual machine 120 is reactivated to perform analysis.
- in the suspend state, the state, including any related data of the first virtual machine at or before the suspend operation, may be saved in storage device 110 and can be resumed at a later stage from the same state prior to the suspend operation without altering any of the related data.
- the processor 115 may cause the computing device 100 to generate, at run time, a second virtual machine 130 in which an application is to be launched on the computing device 100.
- the second virtual machine 130 can isolate the application that is launched from an operating system of computing device 100 by running the application and an instance or copy of the operating system of the computing device 100 in the second virtual machine 130 separate from operating system of computing device 100.
- the first virtual machine 120 can analyze the application on the second virtual machine for malicious activity and the activity of the first virtual machine and second virtual machine is to be isolated from the endpoint computing device such that any malicious activity taking place in relation to the second virtual machine will not be transferred to the operating system of the endpoint computing device or other components of the endpoint computing device.
- the first virtual machine 120 and second virtual machine 130 may be disposable micro virtual machines that are to be created, maintained, and destroyed on-demand. Such virtual machines may exist for a limited time that an application is running within them.
- the second micro virtual machine 130 may be created when a non-web browser application such as a word processing application 132 is initiated. The second micro virtual machine 130 can be destroyed once the word processing application 132 is terminated.
- the second micro virtual machine may be created when a web-browser application is initiated. The second micro virtual machine can be destroyed once the web-browser application is terminated.
- a plurality of micro virtual machines may be running concurrently on the endpoint computing device 100.
- a word processing application may be running in the second micro virtual machine 130 and a web browser application 142 may be running in a third micro virtual machine 140.
- the third micro virtual machine 140 may be generated on the endpoint computing device 100 when the web browser application 142 is launched.
- the first micro virtual machine 120 can monitor and assess malicious activity of the second micro virtual machine 130 and third micro virtual machine 140 which are in bidirectional communication with the first micro virtual machine 120 on the endpoint computing device 100.
- the second and third micro virtual machines 130, 140 may be in bidirectional communication and connected to each other but cannot access components of the host operating system of the endpoint computing device 100 so as to avoid malicious threats that may be present in the second or third micro virtual machines 130, 140 spreading to other areas of the host operating system.
- the first micro virtual machine 120 may include protocols 122 to perform analysis of the application executed in the second micro virtual machine 130.
- the protocols 122 may include protocols to perform threat analysis of data that is accessible by the second virtual machine 130, threat analysis of memory that is accessible by the second virtual machine 130, threat analysis of network traffic of the second virtual machine 130, or a combination thereof.
- the first micro virtual machine 120 may comprise an operating system image 124 of the host operating system of the endpoint computing device 100, which comprises a plurality of components, and the operating system image 124 may contain a subset of components of the endpoint operating system.
- the subset of components may comprise those that are used for protocols to perform threat analysis on the micro virtual machines to be analyzed by the first micro virtual machine 120.
- Such subset of components may not include user interface and graphics components.
- the first micro virtual machine may host a customized operating system different to the operating system of the endpoint computing device 100 in order to provide resource-efficient components to perform threat analysis on the micro virtual machines to be analyzed by the first micro virtual machine.
- a customized operating system may be a customized Linux operating system in one example.
- when the second micro virtual machine 130 and third micro virtual machine 140 are created, respective operating system images 134, 144 of the computing device 100 at the time of creation of the virtual machines 130, 140 will also be created for running in the respective micro virtual machines 130, 140. Therefore each micro virtual machine may possess its own instance or copy of the operating system, which is isolated and separate from the main operating system (including its code and data) executing within the computing device 100.
- the first micro virtual machine 120 is shown comprising a plurality of protocols 122.
- the first micro virtual machine 120 may be connected to a plurality of other micro virtual machines including a second micro virtual machine 130, a third micro virtual machine 140, to an nth virtual machine 150.
- the other virtual machines may be interconnected to each other.
- the protocols 122 may include functionality that allows detection of adversaries that may be attempting to move laterally within a network and allows monitoring network traffic beyond capturing a destination IP address, port or universal resource locator (URL).
- the protocols 122 may include a man in the middle proxy 122a, a network intrusion detection engine 122b, a static analysis engine 122c, a global cache 122d, and / or a message parser 122e.
- the first micro virtual machine 120 may determine the type of application that may be running in the second micro virtual machine as this may influence the protocol to be applied by the first micro virtual machine 120.
- the first micro virtual machine may determine if the second micro virtual machine is to run an instance of a web browser application in which case it is classified as a browser virtual machine or if the second micro virtual machine is to run an instance of a non-web browser application in which case it is classified as a non-browser virtual machine.
- the man in the middle proxy 122a protocol may intercept network traffic from the second micro virtual machine 130 and tunnel the second virtual machine data traffic.
- the man in the middle proxy 122a can assist in obtaining access to decrypted malware network traffic, for example, decrypted transport layer security (TLS) or secure sockets layer (SSL) malware traffic.
- FIG. 3 shows a micro virtual machine such as second micro virtual machine 130 having network traffic tunnelled through a man in the middle proxy 310 in the first dedicated analyzer micro virtual machine 120.
- An application 210 such as Microsoft Word, for example, may be running in the second virtual machine 130.
- the virtual machine takes an image of the operating system when it is created and, as shown, the virtual machine includes a user part of the operating system and a kernel part of the operating system image.
- the application 210 in the user part may communicate with network driver 215 of the virtual machine 130 that may be part of the kernel of the virtual machine 130.
- the network driver 215 communicates with a message parsing layer 220 communicating with the second virtual machine 130 and network messages or data pass from the message parsing layer 220 to a message parsing layer 320 related to the first micro virtual machine 120.
- the network messages are tunnelled through the man in the middle proxy 310 in the first micro virtual machine 120 and then passed to network driver 315 in the first micro virtual machine after analysis by an intrusion detection engine provided in the man in the middle proxy 310 if not identified as malicious before being passed back to the message parsing layer 320 related to the first micro virtual machine.
- the network messages are then transferred to a message parsing layer 420 outside the first micro virtual machine 120.
- FIG. 4 is an example of an intrusion detection process that may be carried out by a network intrusion detection engine 122b of the first virtual machine 120.
- the man in the middle proxy 310 in the first virtual machine 120 may receive data that may be unencrypted.
- the network traffic analyzer and detection engine may compare the data with a set of predetermined rules in a rules database.
- an alert may be issued and the data may be removed such that it cannot access other areas of the endpoint computing device.
- the first micro virtual machine 120 may capture network data traffic for a particular or predetermined time period or particular or predetermined data amount from the time of generation of the second virtual machine 130. It is noted that the majority of web browser exploits and malicious behaviour takes place within the first few minutes of browser activity so activity after a particular period from the start of the browser activity can be discarded without detriment to the detection of malicious activity.
- a data file relating to the captured network data traffic may be generated for analysis by the first micro virtual machine 120 at a later time after the second micro virtual machine 130 has terminated.
- the data file may be a threshold bound packet capture file (PCAP) file to capture packet data.
- the first micro virtual machine 120 may include a network drive that may be shared with other micro virtual machines.
- the other micro virtual machines may be able to access and attack the shared network drive.
- Such an attack can be monitored and analyzed by the first virtual machine without compromising the host computing device or its network. Lateral movement of an attack within a device or network can therefore be detected.
- the first micro virtual machine may include a static analysis engine 122c to analyze activity of other micro virtual machines such as the second virtual machine 130.
- the second micro virtual machine 130 may send a message to the first virtual machine to analyze a file buffer and / or stream for each section of data that may include a file that is to be executed by the second virtual machine 130.
- the static analysis engine 122c may analyze the file and provide a response which may include an annotated response to the second micro virtual machine in relation to the maliciousness of the file. This may be achieved by reference to a global cache component 122d associated with the first micro virtual machine.
- a check of pre-existing data in the global cache 122d may be made and if an entry is found corresponding to the data being checked, status information from the global cache 122d is output to the second virtual machine. If no entry is found in the global cache 122d, the data that is to be checked is scanned and an entry in relation to the data is updated in the global cache 122d.
- Scanning of the complete second micro virtual machine 130 by the first virtual machine 120 may not be carried out due to the time taken to scan an entire micro virtual machine. Instead, a difference in memory between a snapshot at the start of second virtual machine 130 and a snapshot at the termination of the second virtual machine may be analyzed by the first micro virtual machine to perform static analysis in order to detect any malicious activity by analysing a change in memory. Any malicious activity can be identified by the first micro virtual machine and an alert can be output.
- FIG. 5 shows a memory 600, which is an example of a computer readable medium storing instructions 601 and 602 that, when executed by a processor 620 communicably coupled to a computing device, may cause the processor 620 to instruct a first virtual machine to analyze activity of other virtual machines in accordance with any of the examples described above.
- Instruction 601 is to generate a first virtual machine on the endpoint computing device.
- Instruction 602 is to generate a second virtual machine in which the application is to be launched on the endpoint computing device in response to receiving a request to launch an application, wherein the first virtual machine is to analyze activity of the second virtual machine on the endpoint computing device.
- the computer readable medium may be any form of storage system capable of storing executable instructions, such as a non-transient computer readable medium, for example Random Access Memory (RAM), Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, or the like.
- FIG. 6 shows a memory 700, which is another example of a computer readable medium storing instructions 701 and 702 that, when executed by a processor 720 communicably coupled to a computing device, may cause the processor 720 to instruct a first virtual machine to analyze activity of other virtual machines in accordance with any of the examples described above.
- Instruction 701 is to instantiate a first micro virtual machine on the computing device.
- Instruction 702 is to instantiate a second micro virtual machine on the computing device, wherein the instantiating of the second virtual machine is performed automatically without human intervention in response to receiving a request to execute an application program.
- the automatic instantiation includes creating a copy of an operating system image of the computing device that includes the application program to run in the second micro virtual machine.
- the instantiation of the first and second micro virtual machines may be performed by a hypervisor installed on the computing device.
- the first virtual machine is to analyze for malicious activity in the second micro virtual machine on the computing device.
- the computer readable medium may be any form of storage system capable of storing executable instructions, such as a non-transient computer readable medium, for example Random Access Memory (RAM), Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, or the like.
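The FIG. 4 intrusion detection flow (decrypted data compared against a rules database, forwarded if clean, dropped with an alert otherwise) together with the threshold-bound capture window, as an added illustration that is not code from the patent; the rule ids, patterns, sample traffic and thresholds are constructed assumptions.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed rules database: (rule id, pattern applied to the decrypted payload).
# Ids and patterns are illustrative assumptions, not rules from the patent.
RULES = [
    ("R1-exe-download", re.compile(rb"^GET /[^ ]+\.exe HTTP/1\.[01]", re.M)),
    ("R2-scripted-client", re.compile(rb"User-Agent: (curl|python-requests)")),
    ("R3-beacon-path", re.compile(rb"^POST /gate\.php", re.M)),
]

# Constructed decrypted requests as they would arrive at the proxy after TLS split.
SAMPLE_CLEAN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SAMPLE_EXE = b"GET /update/tool.exe HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n"


@dataclass
class Alert:
    rule: str
    sample: bytes  # leading bytes of the offending payload, kept for the alert record


@dataclass
class CaptureWindow:
    """Threshold-bound capture: keep traffic only until max_bytes have been seen
    or max_seconds have elapsed since the analyzed micro VM was generated."""
    max_bytes: int
    max_seconds: float
    started: float = field(default_factory=time.monotonic)
    captured: int = 0
    packets: list = field(default_factory=list)

    def is_open(self, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        return self.captured < self.max_bytes and (now - self.started) < self.max_seconds

    def record(self, payload: bytes, now: Optional[float] = None) -> bool:
        """Store the payload if the window is still open; report whether it was kept."""
        if not self.is_open(now):
            return False
        self.packets.append(payload)
        self.captured += len(payload)
        return True


def inspect(payload: bytes) -> list:
    """Compare decrypted data against the rules database; one Alert per matching rule."""
    return [Alert(rule_id, payload[:64]) for rule_id, pattern in RULES if pattern.search(payload)]


def proxy_forward(payload: bytes, window: CaptureWindow, now: Optional[float] = None):
    """FIG. 4 flow inside the proxy: record the data for later PCAP-style analysis,
    inspect it, forward it only when no rule fired, otherwise drop it and alert."""
    window.record(payload, now)
    alerts = inspect(payload)
    if alerts:
        return None, alerts  # data removed so it cannot reach the rest of the endpoint
    return payload, []
```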
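The static analysis engine 122c with its global cache 122d (answer from the cache on a known content hash, scan and update it otherwise) and the start-versus-termination memory snapshot diff, as one added illustration that is not code from the patent; the page size, signature table and sample files and snapshots are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

PAGE = 4096  # constructed page granularity for the snapshot diff

# Constructed signature table for the illustration; a real static analysis
# engine would apply far richer rules. Names and byte patterns are assumptions.
SIGNATURES = {
    b"MZ\x90\x00": "pe-header-in-buffer",
    b"powershell -enc": "encoded-powershell-string",
}

# Constructed file buffers as a micro VM would submit them for analysis.
SAMPLE_CLEAN_FILE = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
SAMPLE_SUSPECT_FILE = b"@echo off\r\npowershell -enc AAAA\r\n"


@dataclass
class Verdict:
    digest: str        # SHA-256 of the scanned data, used as the global cache key
    malicious: bool
    annotations: list  # annotated response returned to the analyzed micro VM
    from_cache: bool   # True when answered from the global cache without a scan


@dataclass
class StaticAnalysisEngine:
    """Static analysis engine (122c) backed by a global cache (122d)."""
    cache: dict = field(default_factory=dict)
    scans: int = 0

    def _scan(self, data: bytes):
        self.scans += 1
        hits = [name for sig, name in SIGNATURES.items() if sig in data]
        return bool(hits), hits

    def analyze(self, data: bytes) -> Verdict:
        """Answer from the global cache when the content hash is already known;
        otherwise scan the data and record the result in the cache."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:
            malicious, notes = self.cache[digest]
            return Verdict(digest, malicious, list(notes), from_cache=True)
        malicious, notes = self._scan(data)
        self.cache[digest] = (malicious, notes)
        return Verdict(digest, malicious, list(notes), from_cache=False)

    def analyze_memory_delta(self, start: bytes, end: bytes):
        """Compare the start-of-life and termination snapshots of a micro VM and
        scan only the pages that changed, instead of the whole VM image."""
        findings = []
        for offset in range(0, max(len(start), len(end)), PAGE):
            before = start[offset:offset + PAGE]
            after = end[offset:offset + PAGE]
            if before != after:
                findings.append((offset, self.analyze(after)))
        return findings


def constructed_snapshots():
    """Constructed start/termination snapshots: three zero pages, with a PE-like
    header written into the second page while the micro VM was running."""
    start = bytes(3 * PAGE)
    end = bytearray(start)
    end[PAGE + 16:PAGE + 20] = b"MZ\x90\x00"
    return start, bytes(end)
```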
Abstract
An example non-transitory computer-readable medium and an example computing device are provided. The example non-transitory computer-readable medium may comprise instructions which, when executed, cause a processor of an endpoint computing device to: generate a first virtual machine on the endpoint computing device; in response to receiving a request to launch an application, generate a second virtual machine in which the application is to be launched on the endpoint computing device, wherein the first virtual machine is to analyze activity of the second virtual machine on the endpoint computing device.
Description
ACTIVITY ANALYSIS OF VIRTUAL MACHINES
BACKGROUND
[001] Computing devices may face a variety of threats, such as computer viruses, unauthorized access, etc. To protect the computing devices against the threats, information technology (IT) administrators may employ different tools. For example, the tools may include anti-virus applications, firewalls, and software updates.
BRIEF DESCRIPTION OF THE DRAWINGS
[002] Some examples of the present application are described with respect to the following figures:
[003] FIG. 1 illustrates a block diagram of a computing device including a dedicated analyzer virtual machine to analyze other virtual machines on the computing device, according to an example.
[004] FIG. 2 illustrates a block diagram of a dedicated analyzer virtual machine and a plurality of virtual machines according to another example.
[005] FIG. 3 illustrates a block diagram of an example man in the middle proxy in a dedicated analyzer virtual machine.
[006] FIG. 4 illustrates a flow diagram of an example intrusion detection process that may be carried out by a network intrusion detection engine.
[007] FIG. 5 is an example of a computer readable medium comprising instructions to analyze activity of virtual machines according to an example.
[008] FIG. 6 is an example of a computer readable medium comprising instructions to analyze activity of virtual machines according to another example.
DETAILED DESCRIPTION
[009] According to the disclosure, a non-transitory computer readable medium and a computing device are provided that can cause a dedicated virtual machine to perform a threat analysis of other virtual machines on the computing device on which the dedicated virtual machine and other virtual machines are running. The computing device may be an endpoint computing device that can host the dedicated virtual machine and may be connectable to a network on which there may be other endpoint computing devices. Each endpoint computing device may host its own dedicated virtual machine and may be capable of executing other virtual machines that communicate with the dedicated virtual machine.
[0010] According to an example, when a user of the endpoint computing device wishes to run any application in an endpoint computing device that requires access to either a network or untrusted data, wherein untrusted data is any data that originates from outside the endpoint computing device, the application is run inside a virtual machine that is created on-demand on the endpoint computing device based on an image of the endpoint computing device operating system. Such an on-demand virtual machine may be referred to as a micro virtual machine. The dedicated virtual machine, and other virtual machines which communicate with the dedicated virtual machine, may be micro virtual machines (micro VMs). The micro virtual machines are therefore virtual machines that can be created, maintained, and destroyed on-demand and may exist for a limited time that the application within the micro virtual machine is running. Any activity which is not previously deemed trustworthy may be performed in a separate micro virtual machine, and so all code which may be potentially malicious is executed in its own micro virtual machine that is destroyed after its immediate use is ended, thereby preventing any malicious code from effecting any lasting change to an endpoint computing device or the network. In an example, the micro virtual machine may run a local application or an individual web page session. When a user is done running the local application or navigates away from a web page to another page with a different Internet URL domain, the corresponding micro virtual machine can be destroyed or terminated. Upon termination, the content of the micro virtual machine including associated data stored in memory can be discarded. Any new local application or web application can then be run inside a brand new, separate micro virtual machine that may be cloned from a clean micro virtual machine master template. Thus, if there has been any compromise to the micro virtual machine during the course of running some malicious code that was introduced into the micro virtual machine, then adverse effects of the security breach are isolated to the affected micro virtual machine and are lost when the micro virtual machine is destroyed.
[0011] The dedicated micro virtual machine may be a single micro virtual machine that may perform threat analysis including static analysis or network traffic analysis and the threat analysis may be performed when the dedicated micro virtual machine is interconnected with other micro virtual machines to be analyzed. The static analysis may be performed on files, streams and virtual machine memory, and the network traffic analysis may be performed on interconnected micro virtual machines. The threat analysis performed by the dedicated virtual machine can use a number of different protocols including man in the middle proxy or SSL split to conclude maliciousness. The dedicated micro virtual machine can perform different analysis depending on the type of virtual machine, for example, whether the micro virtual machine is a browser virtual machine running an instance of a web browser application or non-browser virtual machine running an instance of a non-web browser application.
[0012] Such a dedicated micro virtual machine is centralised in the micro virtual machine environment on the endpoint computing device and can allow enhanced security on an endpoint computing device and optimisation of analysis and detection of malicious activity without detriment to the performance of each micro virtual machine. The malicious activity may be carried out in an application that is running on its own micro virtual machine whilst being analyzed by the dedicated virtual machine without gaining access to a host such as an underlying operating system hosted on the endpoint computing device. System resources can be kept minimal using the dedicated micro virtual machine and other micro virtual machines.
[0013] With reference to FIG. 1, there is shown an example computing device 100 that may include a first storage device 110 and a processor 115. Processor 115 may be in communication with first storage device 110. Processor 115 may control operations of computing device 100. Storage device 110 may store data which includes the instructions to be carried out by the processor 115. In some examples, storage device 110 may be implemented using non-volatile memory, such as hard disk drives, solid state storage, flash memory, Electrically Erasable Programmable Read-Only Memory (EEPROM), etc. The computing device 100 may be an endpoint computing device capable of connecting to a network and executing a virtual machine. The network may comprise a plurality of endpoint computing devices that may have access to a central server. The endpoint computing device may be able to host an operating system and be accessible to a network such as an enterprise's intranet or the Internet. Non-limiting, illustrative examples of computing device 100 include a PC, a laptop computer, a tablet computer, a cell phone, a personal digital assistant (PDA), and the like.
[0014] The instructions that may be stored in storage device 110 may cause the computing device 100 to generate a first virtual machine 120, which is a dedicated analyzer virtual machine to analyze other virtual machines on the computing device 100 according to the present disclosure. The first virtual machine 120 may be initiated at start-up of the computing device 100 and may remain in a suspended state until an application, which may be associated with a file, is to be opened, in which case the first virtual machine 120 is reactivated to perform analysis. In the suspended state, the state of the first virtual machine at or before the suspend operation, including any related data, may be saved in storage device 110 and can be resumed at a later stage from the same state as prior to the suspend operation without altering any of the related data. The processor 115 may cause the computing device 100 to generate, at run time, a second virtual machine 130 in which an application is to be launched on the computing device 100. The second virtual machine 130 can isolate the launched application from the operating system of computing device 100 by running the application together with an instance or copy of the operating system of the computing device 100 in the second virtual machine 130, separate from the operating system of computing device 100. The first virtual machine 120 can analyze the application on the second virtual machine for malicious activity, and the activity of the first virtual machine and second virtual machine is to be isolated from the endpoint computing device such that any malicious activity taking place in relation to the second virtual machine will not be transferred to the operating system of the endpoint computing device or other components of the endpoint computing device.
[0015] The first virtual machine 120 and second virtual machine 130 may be disposable micro virtual machines that are to be created, maintained, and destroyed on-demand. Such virtual machines may exist only for the limited time that an application is running within them. For example, the second micro virtual machine 130 may be created when a non-web browser application such as a word processing application 132 is initiated. The second micro virtual machine 130 can be destroyed once the word processing application 132 is terminated. Alternatively, the second micro virtual machine may be created when a web browser application is initiated. The second micro virtual machine can be destroyed once the web browser application is terminated. A plurality of micro virtual machines may be running concurrently on the endpoint computing device 100. For example, a word processing application may be running in the second micro virtual machine 130 and a web browser application 142 may be running in a third micro virtual machine 140. The third micro virtual machine 140 may be generated on the endpoint computing device 100 when the web browser application 142 is launched. The first micro virtual machine 120 can monitor and assess malicious activity of the second micro virtual machine 130 and third micro virtual machine 140, which are in bidirectional communication with the first micro virtual machine 120 on the endpoint computing device 100. The second and third micro virtual machines 130, 140 may be in bidirectional communication and connected to each other but cannot access components of the host operating system of the endpoint computing device 100, so as to prevent malicious threats that may be present in the second or third micro virtual machines 130, 140 from spreading to other areas of the host operating system.
[0016] The first micro virtual machine 120 may include protocols 122 to perform analysis of the application executed in the second micro virtual machine 130. The protocols 122 (described in more detail later) may include protocols to perform threat analysis of data that is accessible by the second virtual machine 130, threat analysis of memory that is accessible by the second virtual machine 130, threat analysis of network traffic of the second virtual machine 130, or a combination thereof.
[0017] The first micro virtual machine 120 may comprise an operating system image 124 of the host operating system of the endpoint computing device 100, which comprises a plurality of components, and the operating system image 124 may contain only a subset of the components of the endpoint operating system. The subset of components may comprise those that are used by the protocols to perform threat analysis on the micro virtual machines to be analyzed by the first micro virtual machine 120. Such a subset of components may not include user interface and graphics components. In another example, the first micro virtual machine may host a customized operating system different from the operating system of the endpoint computing device 100 in order to provide resource-efficient components to perform threat analysis on the micro virtual machines to be analyzed by the first micro virtual machine. Such a customized operating system may be a customized Linux operating system in one example.
[0018] When the second micro virtual machine 130 and third micro virtual machine 140 are created, respective operating system images 134, 144 of the computing device 100 at the time of creation of the virtual machines 130, 140 will also be created for running in the respective micro virtual machines 130, 140. Therefore each micro virtual machine may possess its own instance or copy of the operating system, which is isolated and separate from the main operating system (including its code and data) executing within the computing device 100.
[0019] With reference to FIG. 2, the first micro virtual machine 120 is shown comprising a plurality of protocols 122. The first micro virtual machine 120 may be connected to a plurality of other micro virtual machines including a second micro virtual machine 130, a third micro virtual machine 140, to an nth virtual machine 150. The other virtual machines may be interconnected to each other.
[0020] The protocols 122 may include functionality that allows detection of adversaries that may be attempting to move laterally within a network and allows monitoring network traffic beyond capturing a destination IP address, port or universal resource locator (URL). In an example, the protocols 122 may include a man in the middle proxy 122a, a network intrusion detection engine 122b, a static analysis engine 122c, a global cache 122d, and / or a message parser 122e.
[0021] In this example, reference is made to the first micro virtual machine 120 communicating with the second micro virtual machine 130 but similar communication can occur between the first virtual machine 120 and the other virtual machines of the plurality of micro virtual machines. The first micro virtual machine 120 may determine the type of application that may be running in the second micro virtual machine as this may influence the protocol to be applied by the first micro virtual machine 120. In an example, the first micro virtual machine may determine if the second micro virtual machine is to run an instance of a web browser application in which case it is classified as a browser virtual machine or if the second micro virtual machine is to run an instance of a non-web browser application in which case it is classified as a non-browser virtual machine.
[0022] When the first micro virtual machine 120 determines that the second micro virtual machine 130 is a non-browser virtual machine, the man in the middle proxy 122a protocol may intercept network traffic from the second micro virtual machine 130 and tunnel the second virtual machine data traffic. The man in the middle proxy 122a can assist in obtaining access to decrypted malware network traffic, for example, decrypted transport layer security (TLS) or secure sockets layer (SSL) malware traffic.
[0023] A further example of the man in the middle proxy 122a protocol is provided with reference to FIG. 3, which shows a micro virtual machine such as second micro virtual machine 130 having its network traffic tunnelled through a man in the middle proxy 310 in the first dedicated analyzer micro virtual machine 120. An application 210 such as Microsoft Word, for example, may be running in the second virtual machine 130. The virtual machine takes an image of the operating system when it is created and, as shown, the virtual machine includes a user part and a kernel part of the operating system image. The application 210 in the user part may communicate with network driver 215 of the virtual machine 130, which may be part of the kernel of the virtual machine 130. The network driver 215 communicates with a message parsing layer 220 associated with the second virtual machine 130, and network messages or data pass from the message parsing layer 220 to a message parsing layer 320 associated with the first micro virtual machine 120. The network messages are tunnelled through the man in the middle proxy 310 in the first micro virtual machine 120, analyzed by an intrusion detection engine provided in the man in the middle proxy 310 and, if not identified as malicious, passed to network driver 315 in the first micro virtual machine before being passed back to the message parsing layer 320 associated with the first micro virtual machine. The network messages are then transferred to a message parsing layer 420 outside the first micro virtual machine 120.
[0024] FIG. 4 is an example of an intrusion detection process that may be carried out by the network intrusion detection engine 122b of the first virtual machine 120. In an example, in block 501, the man in the middle proxy 310 in the first virtual machine 120 may receive data that may be unencrypted. In block 502, the network traffic analyzer and detection engine may compare the data with a set of predetermined rules in a rules database. In block 503, if there is a match which identifies malicious data, an alert may be issued and the data may be removed such that it cannot reach other areas of the endpoint computing device.
[0025] When the first micro virtual machine 120 determines that the second micro virtual machine 130 is a browser virtual machine, given that tunnelling traffic may impact performance, the first micro virtual machine 120 may instead capture network data traffic for a particular or predetermined time period, or a particular or predetermined data amount, from the time of generation of the second virtual machine 130. It is noted that the majority of web browser exploits and malicious behaviour take place within the first few minutes of browser activity, so activity after a particular period from the start of the browser activity can be discarded without detriment to the detection of malicious activity. After capture for the particular time period or particular data amount, a data file relating to the captured network data traffic may be generated for analysis by the first micro virtual machine 120 at a later time, after the second micro virtual machine 130 has terminated. In one example, the data file may be a threshold-bound packet capture (PCAP) file.
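The two network protocols described in [0021] to [0025], as an added example that is not code from the patent: the analyzer classifies a micro virtual machine by the application it runs, tunnels a non-browser VM's decrypted messages through the rule check of FIG. 4 (blocks 501 to 503, dropping a matching message with an alert and forwarding the rest), and for a browser VM keeps traffic only until a time or byte threshold from VM creation is crossed. The browser process list, the rules, the `handle_message` dispatcher and all messages are constructed assumptions for the illustration; the capture record stands in for the PCAP file.

```python
"""Added example, not code from the patent: a dispatcher for the network
protocols of the dedicated analyzer micro VM.  It classifies an analyzed micro VM
as browser or non-browser, runs a non-browser VM's decrypted messages through
the rule check of FIG. 4 (blocks 501-503), and for a browser VM keeps traffic
only until a time or byte threshold is reached.  The browser list, the rules and
all messages are constructed sample data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MicroVm:
    vm_id: str
    application: str   # process name launched in the VM
    created_at: float  # clock reading (seconds) when the VM was generated


# Assumed set of browser process names; any other application is "non-browser".
BROWSER_APPS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def classify(vm: MicroVm) -> str:
    """Browser VM if it runs a web browser application, otherwise non-browser VM."""
    return "browser" if vm.application.lower() in BROWSER_APPS else "non-browser"


# Block 502: the predetermined rules.  Constructed placeholders, not a real ruleset.
RULES = [
    ("blocked-host", re.compile(rb"^Host: malware\.example\r?$", re.M)),
    ("pe-in-http-body", re.compile(rb"\r\n\r\nMZ")),   # PE header right after the HTTP headers
    ("exe-request", re.compile(rb"^GET /[^ ]*\.exe ", re.M)),
]


@dataclass
class Verdict:
    malicious: bool
    rule: Optional[str]
    forwarded: Optional[bytes]   # None when the data was removed (block 503)


def inspect_and_forward(decrypted: bytes) -> Verdict:
    """Blocks 501-503: take the unencrypted data from the proxy, compare it with the
    rules, and either remove it with an alert or forward it to the network driver."""
    for name, pattern in RULES:
        if pattern.search(decrypted):
            print(f"ALERT rule={name}: message removed")   # block 503 alert
            return Verdict(True, name, None)
    return Verdict(False, None, decrypted)


@dataclass
class BoundedCapture:
    """Browser VM path: capture traffic only within a bounded window from VM creation."""
    vm: MicroVm
    max_seconds: float
    max_bytes: int
    packets: List[bytes] = field(default_factory=list)
    captured_bytes: int = 0
    closed: bool = False

    def offer(self, packet: bytes, now: float) -> bool:
        """Keep the packet if both thresholds allow it; once a threshold is crossed the
        capture closes and later traffic is discarded.  Returns whether it was kept."""
        if self.closed:
            return False
        over_time = now - self.vm.created_at > self.max_seconds
        over_size = self.captured_bytes + len(packet) > self.max_bytes
        if over_time or over_size:
            self.closed = True
            return False
        self.packets.append(packet)
        self.captured_bytes += len(packet)
        return True

    def to_capture_record(self) -> Dict[str, object]:
        """Record handed to the analyzer after the VM terminates (stands in for the PCAP file)."""
        return {"vm_id": self.vm.vm_id, "packets": len(self.packets),
                "bytes": self.captured_bytes, "closed": self.closed}


def handle_message(vm: MicroVm, message: bytes, now: float,
                   capture: Optional[BoundedCapture] = None) -> str:
    """Apply the protocol chosen for the VM type: tunnel-and-inspect for non-browser
    VMs, bounded capture for browser VMs.  Returns a short status string."""
    if classify(vm) == "non-browser":
        verdict = inspect_and_forward(message)
        return "dropped" if verdict.malicious else "forwarded"
    assert capture is not None, "browser VMs need a BoundedCapture"
    return "captured" if capture.offer(message, now) else "discarded"
```

The byte threshold is checked before a packet is stored, so the capture never exceeds `max_bytes`; the time threshold is measured from `created_at`, matching the "from the time of generation" wording rather than from the first packet seen.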
[0026] In an example, the first micro virtual machine 120 may include a network drive that may be shared with other micro virtual machines. The other micro virtual machines may be able to access and attack the shared network drive. Such an attack can be monitored and analyzed by the first virtual machine without compromising the host computing device or its network. Lateral movement of an attack within a device or network can therefore be detected.
[0027] As mentioned above in relation to FIG. 2, the first micro virtual machine may include a static analysis engine 122c to analyze activity of other micro virtual machines such as the second virtual machine 130. The second micro virtual machine 130 may send a message to the first virtual machine to analyze a file buffer and / or stream for each section of data that may include a file that is to be executed by the second virtual machine 130. The static analysis engine 122c may analyze the file and provide a response which may include an annotated response to the second micro virtual machine in relation to the maliciousness of the file. This may be achieved by reference to a global cache component 122d associated with the first micro virtual machine. A check of pre-existing data in the global cache 122d may be made and if an entry is found corresponding to the data being checked, status information from the global cache 122d is output to the second virtual machine. If no entry is found in the global cache 122d, the data that is to be checked is scanned and an entry in relation to the data is updated in the global cache 122d.
[0028] Scanning of the complete second micro virtual machine 130 by the first virtual machine 120 may not be carried out due to the time taken to scan an entire micro virtual machine. Instead, a difference in memory between a snapshot at the start of second virtual machine 130 and a snapshot at the termination of the second virtual machine may be analyzed by the first micro virtual machine to perform static analysis in order to detect any malicious activity by analysing a change in memory. Any malicious activity can be identified by the first micro virtual machine and an alert can be output.
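The static analysis engine of [0027] and the snapshot comparison of [0028], as one added example that is not code from the patent: file buffers sent by another micro virtual machine are answered from a global cache keyed by SHA-256 when an entry exists, and otherwise scanned and recorded; for a terminated VM, the start and termination snapshots are compared page by page and only the changed pages are scanned. The signature list, the page size, the response fields and the sample buffers and snapshots are constructed assumptions.

```python
"""Added example, not code from the patent: a static analysis engine for the
dedicated analyzer micro VM.  File-scan requests from other micro VMs are served
through a global cache keyed by content hash ([0027]); for a terminated VM only
the memory pages that differ between the creation and termination snapshots are
scanned ([0028]).  The signatures, file buffers and snapshots are constructed
sample data, not a real ruleset."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed byte signatures standing in for the static analysis ruleset.
SIGNATURES: Dict[str, bytes] = {
    "test-marker-a": b"SAMPLE_MALICIOUS_MARKER",
    "test-marker-b": b"DROPPER_STAGE2",
}


def scan_buffer(data: bytes) -> Optional[str]:
    """Return the first matching signature name, or None when the buffer is clean."""
    for name, signature in SIGNATURES.items():
        if signature in data:
            return name
    return None


class GlobalCache:
    """Global cache 122d: verdicts keyed by SHA-256 of the scanned content."""

    def __init__(self) -> None:
        self._entries: Dict[str, Optional[str]] = {}
        self.hits = 0
        self.misses = 0

    def lookup(self, key: str) -> Tuple[bool, Optional[str]]:
        """(found, verdict); verdict is the signature name or None for clean content."""
        if key in self._entries:
            self.hits += 1
            return True, self._entries[key]
        self.misses += 1
        return False, None

    def update(self, key: str, verdict: Optional[str]) -> None:
        self._entries[key] = verdict


class StaticAnalysisEngine:
    """Static analysis engine 122c running inside the first micro VM."""

    def __init__(self, cache: GlobalCache) -> None:
        self.cache = cache

    def analyze_file(self, vm_id: str, buffer: bytes) -> Dict[str, object]:
        """Annotated response for a file buffer sent by another micro VM: answer
        from the global cache when an entry exists, otherwise scan and add an entry."""
        key = hashlib.sha256(buffer).hexdigest()
        found, verdict = self.cache.lookup(key)
        if found:
            source = "cache"
        else:
            verdict = scan_buffer(buffer)
            self.cache.update(key, verdict)
            source = "scan"
        return {"vm_id": vm_id, "sha256": key, "malicious": verdict is not None,
                "signature": verdict, "source": source}

    def analyze_memory_delta(self, vm_id: str, start: bytes, end: bytes,
                             page_size: int = 4096) -> Dict[str, object]:
        """Compare the start and termination snapshots page by page and scan only
        the pages that changed, instead of the whole VM memory."""
        n_pages = (max(len(start), len(end)) + page_size - 1) // page_size
        changed: List[int] = []
        findings: List[Tuple[int, str]] = []
        for index in range(n_pages):
            lo, hi = index * page_size, (index + 1) * page_size
            if start[lo:hi] == end[lo:hi]:
                continue   # unchanged page: skipped, which is where the time saving comes from
            changed.append(index)
            hit = scan_buffer(end[lo:hi])
            if hit is not None:
                findings.append((index, hit))
        if findings:
            print(f"ALERT vm={vm_id}: {len(findings)} changed page(s) matched a signature")
        return {"vm_id": vm_id, "pages": n_pages, "changed_pages": changed,
                "findings": findings, "alert": bool(findings)}
```

Because the cache key is the content hash, a second micro virtual machine opening the same file gets the cached verdict without a rescan, and a cache entry for clean content is stored as `None` so that a clean hit is distinguishable from a miss.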
[0029] FIG. 5 shows a memory 600, which is an example of a computer readable medium storing instructions 601 and 602 that, when executed by a processor 620 communicably coupled to a computing device, may cause the processor 620 to instruct a first virtual machine to analyze activity of other virtual machines in accordance with any of the examples described above. Instruction 601 is to generate a first virtual machine on the endpoint computing device. Instruction 602 is to generate, in response to receiving a request to launch an application, a second virtual machine in which the application is to be launched on the endpoint computing device, wherein the first virtual machine is to analyze activity of the second virtual machine on the endpoint computing device. The computer readable medium may be any form of storage system capable of storing executable instructions, such as a non-transient computer readable medium, for example Random Access Memory (RAM), Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, or the like.
[0030] FIG. 6 shows a memory 700, which is another example of a computer readable medium storing instructions 701 and 702 that, when executed by a processor 720 communicably coupled to a computing device, may cause the processor 720 to instruct a first virtual machine to analyze activity of other virtual machines in accordance with any of the examples described above. Instruction 701 is to instantiate a first micro virtual machine on the computing device. Instruction 702 is to instantiate a second micro virtual machine on the computing device, wherein the instantiating of the second virtual machine is performed automatically, without human intervention, in response to receiving a request to execute an application program. The automatic instantiation includes creating a copy of an operating system image of the computing device that includes the application program to run in the second micro virtual machine. The instantiation of the first and second micro virtual machines may be performed by a hypervisor installed on the computing device. The first virtual machine is to analyze for malicious activity in the second micro virtual machine on the computing device. The computer readable medium may be any form of storage system capable of storing executable instructions, such as a non-transient computer readable medium, for example Random Access Memory (RAM), Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, or the like.
Claims
1. A non-transitory computer-readable medium comprising instructions, which when executed, cause a processor of an endpoint computing device to: generate a first virtual machine on the endpoint computing device; in response to receiving a request to launch an application, generate a second virtual machine in which the application is to be launched on the endpoint computing device, wherein the first virtual machine is to analyze activity of the second virtual machine on the endpoint computing device.
2. The non-transitory computer readable medium of claim 1, wherein the first and second virtual machines are disposable micro virtual machines that are to be created, maintained, and destroyed on-demand and wherein the second virtual machine exists for a limited time that the application is running.
3. The non-transitory computer readable medium of claim 1, wherein analysis of activity includes static analysis of data in the second virtual machine, network traffic analysis of the second virtual machine, or a combination thereof.
4. The non-transitory computer readable medium of claim 1, wherein the instructions when executed further cause the processor to: instruct the first virtual machine to determine an application type of the second virtual machine.
5. The non-transitory computer readable medium of claim 1, wherein the instructions to determine the application type of the second virtual machine include: instructions to determine if the second virtual machine is to run an instance of a web browser application, in which case it is classified as a browser virtual machine, or if the second virtual machine is to run an instance of a non-web browser application, in which case it is classified as a non-browser virtual machine.
6. The non-transitory computer readable medium of claim 1, wherein when the second virtual machine is a non-browser virtual machine, the first virtual machine is to intercept network traffic from the second virtual machine via tunnelling.
7. The non-transitory computer readable medium of claim 1, wherein if the second virtual machine is a browser virtual machine, the instructions when executed further cause the processor to: capture network data traffic for a predetermined time period or predetermined data amount from the time of generation of the second virtual machine; and generate a data file relating to the captured network data traffic for analysis by the first virtual machine.
8. A computing device comprising: a processor to: generate a first micro virtual machine on the computing device; generate, at runtime, a second micro virtual machine in which an application is to be launched on the computing device, wherein the first micro virtual machine is to analyze the application on the second micro virtual machine for malicious activity, wherein the computing device is an endpoint computing device, and the activity of the second micro virtual machine is to be isolated in the endpoint computing device.
9. The computing device of claim 8, wherein the first micro virtual machine is to perform analysis of data that is accessible by the second virtual machine, analysis of memory that is accessible by the second virtual machine, analysis of network traffic of the second virtual machine, or a combination thereof.
10. The computing device of claim 8, wherein the computing device comprises an operating system, and the first micro virtual machine comprises an operating system image of the operating system, the operating system image containing a subset of components of the operating system.
11. The computing device of claim 8, wherein the instructions further cause the computing device to: generate a third micro virtual machine in which a further application is to be launched on the endpoint computing device, wherein the first micro virtual machine is to monitor and assess malicious activity of the second and third virtual machines which are in bidirectional communication with the first virtual machine on the endpoint computing device.
12. The computing device of claim 11, wherein the second and third micro virtual machines are in bidirectional communication with each other on the endpoint computing device.
13. A non-transitory computer-readable medium comprising instructions, which when executed, cause a processor of a computing device to: instantiate a first micro virtual machine on the computing device; in response to receiving a request to execute an application program, automatically instantiate a second micro virtual machine on the computing device, wherein the automatic instantiation includes creating a copy of an operating system image of the computing device that includes the application program to run in the second micro virtual machine; wherein the first micro virtual machine is to analyze for malicious activity in the second micro virtual machine on the computing device.
14. The non-transitory computer-readable medium of claim 13, wherein analysis of malicious activity includes a plurality of protocols to be performed by the first virtual machine.
15. The non-transitory computer-readable medium of claim 13, wherein the instructions when executed further cause the processor to: instruct the first virtual machine to perform static analysis of data in the second virtual machine; instruct the first virtual machine to act as a man in the middle proxy by intercepting network traffic from the second virtual machine via tunnelling; and/or instruct the first virtual machine to capture network data traffic for a particular time period or particular data amount from the time of generation of the second virtual machine and generate a data file relating to the captured network data traffic for analysis by the first virtual machine.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2020/049656 WO2022055470A1 (en) | 2020-09-08 | 2020-09-08 | Activity analysis of virtual machines |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022055470A1 true WO2022055470A1 (en) | 2022-03-17 |
Family
ID=80629734
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2022055470A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130117849A1 (en) * | 2011-11-03 | 2013-05-09 | Ali Golshan | Systems and Methods for Virtualized Malware Detection |
US20150089497A1 (en) * | 2013-09-26 | 2015-03-26 | Citrix Systems, Inc. | Separate, disposable execution environment for accessing unverified content |
US20160132351A1 (en) * | 2012-07-03 | 2016-05-12 | Bromium, Inc. | Micro-virtual machine forensics and detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20953461; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20953461; Country of ref document: EP; Kind code of ref document: A1 |