Embodiments of the disclosure relate to the field of data security. More specifically, one embodiment of the disclosure relates to a system, apparatus and method that optimizes the allocation of resources used by multiple virtual machine instances operating within a malware content detection system.
Over the last decade, malicious software (malware) has become a pervasive problem for Internet users. In some situations, malware is a program or file that is embedded within downloadable content and designed to adversely influence or attack normal operations of a computer. Examples of different types of malware may include bots, computer viruses, worms, Trojan horses, spyware, adware, or any other programming that operates within an electronic device (e.g. computer, tablet, smartphone, server, router, wearable technology, or other types of electronics with data processing capability) without permission by the user or an administrator.
For instance, content may be embedded with objects associated with a web page hosted by a malicious web site. By downloading this content, malware causing another web page to be requested from a malicious web site may be unknowingly installed on the computer. Similarly, malware may also be installed on a computer upon receipt or opening of an electronic mail (email) message. For example, an email message may contain an attachment, such as a Portable Document Format (PDF) document, with embedded executable malware. Also, malware may exist in files infected through any of a variety of attack vectors, which are uploaded from the infected computer onto a networked storage device such as a file share.
Over the past few years, various types of security appliances have been deployed at different segments of a network. These security appliances use virtual machines to uncover the presence of malware embedded within ingress content propagating over these different segments. However, given that each virtual machine (VM) needs to be allocated a large amount of memory for its virtual operations, conventional security appliances are limited as to the number of concurrently operating VMs for malware analysis due to the substantial and additional costs for increased memory.
Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
Various embodiments of the disclosure relate to a malware content detection (MCD) system and a corresponding method for optimizing the number and configuration of virtual machine instances being concurrently executed for any given level of resources. This virtual machine (VM) optimization technique is directed to provisioning (e.g., instantiating) multiple VM instances that are based on the same software profile and are adapted to concurrently analyze the suspicious content for malware. This “software profile” includes information that is used for virtualization of an operating environment targeted to receive the suspicious content (e.g. guest operating system “OS” type and/or version; application type(s) and version(s); virtual device(s), etc.). The software profile is used to create the virtual operating environment for the VM instance.
The VM instances are instantiated as “VM clones,” namely VM instances that are adapted to share system resources upon creation such as system memory and virtual disk space for example. These resources are allocated for virtualization of an operating environment having a particular software profile set to a prescribed virtual operating state. Hence, at instantiation, the VM clones associated with the particular software profile are placed into the same virtual operating state.
However, during execution and upon requiring resources different than those allocated, a VM clone may conduct a Copy-On Write (COW) operation, which causes allocation of different resources for use exclusively by that VM clone. At this time, the VM clone now becomes a unique VM instance although it may continue to use the shared resources other than the resource allocated for exclusive use through the COW operation. Hence, by VM instances sharing resources associated with the same software profile, a greater number of VM instances may be used concurrently (i.e. running at least in a partially overlapping manner) for malware analysis with minimal impact on memory capacity as only the different (non-shared) resources need to be allocated.
As an illustrative example, a first VM clone is instantiated by allocating resources (e.g., memory, virtual disk space, etc.) that support the running of the VM clone according to a particular software profile (e.g., guest OS: Windows® 7; application(s): Internet Explorer®, version 9) starting at a prescribed virtual operating state (e.g., after guest OS and web browser initialization). All other subsequent VM clones, which are instantiated while the first VM clone is running and based on the same particular software profile, are adapted to share identical resources allocated for the first VM clone. Hence, all of the VM clones are placed into an identical virtual operating state at instantiation.
During execution and upon requiring additional resources besides the allocated shared resources, the first VM clone conducts a Copy-On Write operation whereby additional resources are allocated (e.g., allocate one or more memory pages different than memory pages being part of the shared resources) that will be used exclusively by the VM instance that originated from the first VM clone. The same operations are applicable for other VM clones during execution.
More specifically, according to one embodiment of the invention, the VM optimization technique utilizes a VM profile database that comprises a number of VM disk files. Each VM disk file includes profile information that describes the configuration of the VM disk file. For example, the profile information may identify a particular software profile supported by the VM disk file, which may include the type and/or version of a guest OS along with at least one or more images of applications (and/or their corresponding version numbers). The VM disk file further includes VM state information that may be the results of a VM snapshot to capture the state, disk data and a configuration of the VM at a specific point in time (i.e. at a prescribed virtual operating state).
When two or more VM instances based on the same software profile are needed to conduct dynamic analysis on “suspicious” content from different data flows for example, the VM disk file supporting that software profile is selected from which these VM clones are instantiated. Contrary to current VM deployment, the VM clones share the same resources during execution and utilize Copy-On-Write functionality to customize their configuration so that the resultant VM instances may run concurrently while minimizing the amount of memory needed for support of these multiple VM instances.
In the following description, certain terminology is used to describe features of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but is not limited or restricted to a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.
Logic (or engine) may be in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic load library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage.
The term “content” generally refers to information transmitted as one or more messages, where each message(s) may be in the form of a packet, a frame, an Asynchronous Transfer Mode “ATM” cell, or any other series of bits having a prescribed format. The content may be received as a data flow, namely a group of related messages, within ingress data traffic.
Herein, content may include one or more types of data such as text, software, images, audio, metadata and/or other digital data. One example of content may include web content, or any data traffic that may be transmitted using a Hypertext Transfer Protocol (HTTP), Hypertext Markup Language (HTML) protocol, or may be transmitted in a manner suitable for display on a Web browser software application.
Another example of content includes electronic mail (email), which may be transmitted using an email protocol such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), or Internet Message Access Protocol (IMAP4). A further example of content includes an Instant Message, which may be transmitted using Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP) for example. Yet another example of content includes one or more files that are transferred using a data transfer protocol such as File Transfer Protocol (FTP) for subsequent storage on a file share.
The term “malware” is directed to software that produces an undesired behavior upon execution, where the behavior is deemed to be “undesired” based on customer-specific rules, manufacturer-based rules, any other type of rules formulated by public opinion or a particular governmental or commercial entity, or an indication of a potential exploit in a particular software profile. This undesired behavior may include a communication-based anomaly or an execution-based anomaly that (1) alters the functionality of an electronic device executing an application software in a malicious manner; (2) alters the functionality of an electronic device executing that application software without any malicious intent; and/or (3) provides an unwanted functionality which is generally acceptable in other context.
The term “transmission medium” is a communication path between two or more systems (e.g. any electronic devices with data processing functionality such as, for example, a security appliance, server, mainframe, computer, netbook, tablet, smart phone, router, switch, bridge or brouter). The communication path may include wired and/or wireless segments. Examples of wired and/or wireless segments include electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), or any other wired/wireless signaling mechanism.
In general, a “virtual machine (VM) instance” is a simulation of an electronic device (abstract or real) that is usually different from the electronic device conducting the simulation. VM instances may be based on specifications of a hypothetical computer or emulate the computer architecture and functions of a real world computer. A VM instance can be one of many different types such as, for example, hardware emulation, full virtualization, para-virtualization, and/or operating system-level virtualization virtual machines.
The term “computerized” generally represents that any corresponding operations are conducted by hardware in combination with software and/or firmware.
Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.
As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
Referring to
Herein, according to this embodiment of the invention, first MCD system 1101 is an electronic device that is adapted to (i) intercept data traffic that is routed over a communication network 130 between at least one server device 140 and at least one client device 150 and (ii) monitor, in real-time, content within the data traffic. More specifically, first MCD system 1101 may be configured to inspect content received via communication network 130 and identify “suspicious” content. The incoming content is identified as “suspicious” when it is assessed, with a certain level of likelihood, that at least one characteristic identified during inspection of the content indicates the presence of malware.
Thereafter, the suspicious content is further analyzed within a virtual machine (VM) execution environment to detect whether the suspicious content includes malware. The VM execution environment may comprise multiple VM instances supporting the same software profile, especially where the suspicious content is detected within multiple data flows within data traffic directed to the same targeted operating environment. These VM instances are instantiated as “VM clones,” namely VM instances with read-only access to shared resources that are allocated to support a particular software profile at a prescribed virtual operating state. Hence, all of the VM clones support the same software profile and are placed in an identical state at initial runtime.
However, as one of the VM clones executes and requires modification of the resources (e.g. write to particular memory page), that VM instance performs Copy-On Write operations to create additional resources that are accessible only to that VM. Hence, as an illustrative example, the total amount of allocated memory needed to support the multiple VM instances is minimized to be equal to the amount of shared system resources allocated to support the software profile along with the additional resources exclusively required by each of the multiple VM instances.
According to this embodiment of communication system 100, first MCD system 1101 may be a web-based security appliance that is configured to inspect ingress data traffic, identify whether content associated with the data traffic may include malware, and if so, conduct a deeper analysis of the content. This deeper analysis is conducted in the VM instances within the VM execution environment to detect undesired behaviors that would be present if the data traffic were actually processed by an electronic device. The particulars of this analysis are described below.
The communication network 130 may include a public computer network such as the Internet, in which case an optional firewall 155 (represented by dashed lines) may be interposed between communication network 130 and client device 150. Alternatively, the communication network 130 may be a private computer network such as a wireless telecommunication network, wide area network, or local area network, or a combination of networks.
The first MCD system 1101 is shown as being coupled with the communication network 130 (behind the firewall 155) via a network interface 160. The network interface 160 operates as a data capturing device (referred to as a “tap” or “network tap”) that is configured to receive data traffic propagating to/from the client device 150 and provide content from the data traffic to the first MCD system 1101.
In general, the network interface 160 receives and copies the content that is received from and provided to client device 150 normally without an appreciable decline in performance by the server device 140, the client device 150, or the communication network 130. The network interface 160 may copy any portion of the content, for example, any number of data packets.
In some embodiments, the network interface 160 may capture metadata from data traffic intended for client device 150, where the metadata is used to determine whether the data traffic includes any suspicious content as well as the software profile for such content. The metadata may be associated with the server device 140 and/or the client device 150. In other embodiments, a heuristic module 170 (described herein) may determine the software profile by analyzing the content associated with the data traffic.
It is contemplated that, for any embodiments where the first MCD system 1101 is implemented as an dedicated appliance or a dedicated computer system, the network interface 160 may include an assembly integrated into the appliance or computer system that includes network ports, network interface card and related logic (not shown) for connecting to the communication network 130 to non-disruptively “tap” data traffic propagating through firewall 155 and provide a copy of the data traffic to the heuristic module 170. In other embodiments, the network interface 160 can be integrated into an intermediary device in the communication path (e.g. firewall 155, router, switch or other network device) or can be a standalone component, such as an appropriate commercially available network tap. In virtual environments, a virtual tap (vTAP) can be used to copy traffic from virtual networks.
Referring still to
In general, the heuristic engine 170 serves as a filter to permit subsequent malware analysis only on a portion of incoming content, which effectively conserves system resources and provides faster response time in determining the presence of malware within analyzed content. As an ancillary benefit, by analyzing only the portion of incoming content that may have “exploits” (i.e. portions of content that may be exploited by malware), a greater number of VMs may be supported to run concurrently with each other.
As illustrated in
For example, the heuristic engine 170 may examine the metadata or attributes of the captured content and/or the code image (e.g., a binary image of an executable) to determine whether a certain portion of the captured content matches or has a high correlation with a predetermined pattern of attributes that is associated with a malicious attack. According to one embodiment of the disclosure, the heuristic engine 170 flags content from one or more data flows as suspicious after applying this heuristic analysis.
Thereafter, according to one embodiment of the invention, the heuristic module 170 may be adapted to transmit at least a portion of the metadata or attributes of the suspicious content, which identify attributes of the client device 150, to the analysis engine 190. Such metadata or attributes are used to identify the VM instance needed for subsequent malware analysis and formulate software profile information for requesting a corresponding VM clone. In another embodiment of the disclosure, the analysis engine 190 may be adapted to receive one or more messages (e.g. data packets) from the heuristic engine 170 and analyze the message(s) to identify the software profile information associated with the needed VM instance.
For instance, as an illustrative example, the suspicious content under test may include an email message that was generated, under control of Windows® 7 Operating System, using a Windows® Outlook 2007, version 12. The email message further includes a Portable Document Format (PDF) attachment in accordance with Adobe® Acrobat®, version 9.0. Upon determining that the email message includes suspicious content, heuristic engine 170 provides software profile information to identify a particular type of VM instance needed to conduct dynamic analysis of the suspicious content. According to this illustrative example, the software profile information would include (1) Windows® 7 Operating System (OS); (2) Windows® Outlook 2007, version 12; and (3) PDF support through Adobe® Acrobat®, version 9.0.
The analysis engine 190 supplies the software profile information to the scheduler 180, which conducts a search as to whether any of the VM disk files within storage device 185 feature a software profile supporting the above-identified OS and one or more applications. If so and if a VM instance based on the software profile is already running, the scheduler 180 uses the same image used initially to create the VM instance to create a VM clone. Hence, the VM instance and the VM clone are members of the same VM family. In accordance with the illustrated example described above, the VM clone would support execution of a virtual device that is adapted to receive, open and process the email attachment. The VM clone is uploaded to the analysis engine 190 to analyze the suspicious content.
However, if the storage device 185 feature a software profile supporting the above-identified OS and one or more applications but there is no corresponding VM instance currently running, the scheduler 180 obtains an image associated with that software profile from VM provisioning logic (described below). This image may be subsequently used for VM clone generation. Of course, it is contemplated that if the storage device 185 does not feature a software profile supporting the above-identified OS/application(s) and no corresponding VM instance is currently running, the scheduler 180 may simply ignore the VM request or may receive an VM image from the VM provisioning logic that is based on a similar software profile. For example, the scheduler 180 may receive a VM instance based on the same OS but a different version of a targeted application. Alternatively, the scheduler 180 may receive the same OS along with an application different from the targeted application but having similar functionality (e.g. different type of browser, etc.). As another alternative, the scheduler 180 may receive a different OS with a similar architecture.
The scheduler 180 may retrieve and configure a VM clone to mimic the pertinent performance characteristics of the client device 150. In one example, the scheduler 180 may be adapted to configure the characteristics of the VM clone to mimic only those features of the client device 150 that are affected by the data traffic copied by the network interface 160. The scheduler 180 may determine the features of the client device 150 that are affected by the content by receiving and analyzing the data traffic from the network interface 160. Such features of the client device 150 may include ports that are to receive the content, certain device drivers that are to respond to the content, and any other devices coupled to or contained within the client device 150 that can respond to the content.
In another embodiment of the disclosure, the heuristic engine 170 may determine the features of the client device 150 that are affected by the data traffic by receiving and analyzing the content from the network interface 160. The heuristic engine 170 may then transmit the features of the client device to the scheduler 180 and/or analysis engine 190.
For instance, according to one embodiment of the disclosure, it is contemplated that the heuristic engine 170 may be adapted to transmit the metadata identifying the client device 150 to the analysis engine 190, where such metadata is used to identify the desired software profile. Alternatively, the analysis engine 190 may be adapted to receive one or more data packets of a data flow from the heuristic engine 170 and analyze the one or more data packets to identify the software profile. In yet other embodiment of the disclosure, the scheduler 180 may be adapted to receive software profile information, in the form of metadata or data packets, from the network interface 160 or from the heuristic module 170 directly.
The storage device 185 may be configured to store one or more VM disk files forming a VM profile database, where each VM disk file is directed to a different software profile for a VM instance. In one example, the VM profile database may store a VM disk file associated with a single VM instance that can be configured by the scheduler 180 to mimic the performance of a client device 150 on the communication network 130. Alternatively, as shown in
The analysis engine 190 is adapted to execute multiple VM instances, including as one or more VM clones, to simulate the receipt and/or execution of different data flows of “suspicious” content by the client device 150 as well as different operating environments. Furthermore, the analysis engine 190 analyzes the effects of such content upon the client device 150. The analysis engine 190 may identify the effects of malware by analyzing the simulation of the effects of the content upon the client device 150 that is carried out on each VM instance. Such effects may include unusual network transmissions, unusual changes in performance, and the like. This detection process is referred to as a dynamic malicious content detection.
The analysis engine 190 may flag the suspicious content as malware according to the observed behavior of the VM instance. The reporting module 195 may issue alerts indicating the presence of malware, and using pointers and other reference information, identify what message(s) (e.g. packet(s)) of the “suspicious” content may contain malware. Additionally, the server device 140 may be added to a list of malicious network content providers, and future network transmissions originating from the server device 140 may be blocked from reaching their intended destinations, e.g., by firewall 155.
Referring now to
More specifically, a user interface 210 allows the user or network administrator (hereinafter referred to as “user/administrator”) to introduce objects 220 of the suspicious content in accordance with one or more prescribed software profiles 200. The software profile(s) 200 may be preloaded or selected by the user/administrator in order to generate one or more VM instances based on operations of the scheduler 180 and storage device 185 as described above. The VM instances perform dynamic analysis of the objects 220 to uncover undesired behavior during virtual execution of these objects 220 within the VM instances.
Referring now to
Herein, controller 300 may be implemented as part of a VM monitor or manager (VMM), also referred to as a hypervisor for managing or monitoring VM instances, which may be hosted by a host operating system (OS). The VM instance(s) 3101-310N may be hosted by a guest OS. The host OS and the guest OS may be the same type of operating systems or different types of operating systems (e.g., Windows™, Linux™, Unix™, Mac OS™, iOS™, etc.) or different versions thereof.
It is contemplated that multiple VM instances 3101-310i (1<i≤N) may concurrently perform malware analysis on a first content. According to one embodiment of the disclosure, each of these multiple VM instances 3101-310i may be based on substantially similar software profiles (e.g. VMs with same OS and/or application types but different OS version number; VMs with same OS and one or more application types with different version numbers; etc.). Additionally, these multiple VM instances 3101-310i may concurrently perform malware analysis on a second content. Thus, content may be analyzed in one VM instance for a plurality of VM families. Such analysis provides a mechanism to check software vulnerability in different OS and application versions, including patched versions. Of course, it is further contemplated that content may be analyzed in accordance with a single VM family featuring multiple VM instances.
As shown in
Herein, as illustrated, profile information 370 includes information directed to identified items forming the software profile within VM disk file 3601 from which a corresponding VM clone is instantiated. Examples of items within the software profile may include, but are not limited or restricted to a particular OS type/version; type(s)/version(s) of application(s); an amount of requisite memory for a VM instance corresponding to the VM disk file; and/or information for particular virtual devices capable of being supported by the corresponding VM instance.
State information 375 includes states based on a snapshot of the OS, application(s) and/or virtual device(s) after initialization and upon placement into a particular virtual operating state. The state information 375 enables each of the VM clones to be placed into an identical, prescribed virtual operating state from which additional resources are allocated as the VM clone transitions into a VM instance.
According to one embodiment of the invention, when suspicious content 320 is received for dynamic analysis (as opposed to static analysis conducted by heuristic engine 170), scheduler 180 of controller 300 is configured to identify and select one or more VM instances 3101-310N to closely simulate a targeted operating environment in which the suspicious content 320 is to be analyzed. The targeted operating environment is identified by software profile information (e.g., particular versions of OS and application images along with information directed to the virtual device states).
More specifically, the scheduler 180 comprises VM provisioning logic 340 and VM resource logic 345. VM provisioning logic 340 is responsible for creating VM clones and monitoring the number of VM instances concurrently utilized within the MCD system 1101 to ensure that the number of VM instances do not exceed a predetermined VM threshold. The predetermined VM threshold is based on a predetermined amount of resources (e.g., amount of memory) that may be allocated for use by concurrently operating VMs. For example, when the VM instances are based on a small number (M) of software profiles (e.g., less than 10 software profiles), a greater number of VM instances may be supported by the MCD system 1101 (i.e. VM threshold would have a first value). The reason is that, given the low number of software profiles needed, many of these VM instances are instantiated as VM clones which share a substantial portion of the same resources allocated for use by other VM instance(s). Likewise, when the VM instances are based on a larger number of different software profiles (e.g., M≥15), a lesser number of VM instances may be supported (i.e. VM threshold would have a second value less than the first value). Once the VM threshold is reached, the malware analysis testing may be delayed and the incoming content queued until the number of VMs falls below the VM threshold. At that time, the VM provisioning logic 340 is permitted to continue provisioning VM clones.
For VM clone generation, when suspicious content is to be dynamically analyzed, the VM provisioning logic 340 initially determines whether a VM instance having a particular software profile corresponding to the targeted operating environment for the suspicious content is running. The VM instance may be currently operating as a VM clone based on the particular software profile or formerly operated as the VM clone (i.e. additional resources have been allocated for that VM instance). If the VM instance having the particular software profile is running, the VM provisioning logic 340 instantiates a VM clone and no further allocation of resources is necessary at this time. Otherwise, the VM provisioning logic 340 allocates resources in accordance with the VM disk file 360i (1≤i≤M) associated with the particular software profile.
VM resource logic 345 operates as the centralized logic within the MCD system for responding to resource requests, allocating resources and restoring state, and monitoring the allocation of such resources. More specifically, the VM resource logic 345 is adapted to maintain locations in memory for additional resources allocated for Copy-On Write operations performed by each VM instance 3101-310N including clones. More specifically, each VM clone for a given software profile shares the same allocated resources. As the VM clone requires additional resources, VM resource logic 345 allocates the requisite resources (e.g., certain memory page(s)) to that VM clone. Upon resource allocation, the VM resource logic 345 stores addressing information associated with the allocated resource along with an identifier assigned to that VM instance within a memory allocation table.
Upon receipt of one or more VM images corresponding to a particular software profile by the analysis engine 190, the scheduler 180 launches a VM clone 3101 in which a monitoring module 330 is running therein. The monitoring module 330 is configured to monitor activities and behavior of suspicious content 320 and to determine if the incoming content includes malware and whether the particular software profile features any vulnerabilities that are being exploited by malware. In addition, monitoring module 330 maintains a persistent communication channel with event log 350 of controller 300 to communicate certain events or activities of suspicious content 320 during execution of VM clone 3101.
In response to detecting certain undesired behaviors during processing of suspicious content 320, the replay logic 325 now identifies the presence of malware within the content 320 and potential exploits in the particular software profile. Thereafter, monitoring module 330 is configured to send a message via the communication channel to event log 350, where the message may be forwarded via transmission medium 305 for persistently recordation as part of event log 380. The message may include information identifying an event triggered by the suspicious content 320. Event log 350 records events that have been selectively monitored and detected by monitoring module 330, including undesired behaviors. The recordation of the events may be prompted in response to a particular action or inaction (e.g., file creation, registry access, DLL loading, process execution, power management such as sleep). The recorded events may be subsequently analyzed by analysis engine 190 based on a set of rules or policies to determine whether suspicious content 320 includes malware or has a high likelihood of including malware.
Referring to
As VM clone-1410 (VM instance) runs and requires additional or altered resources than provided by shared resources 420, VM clone-1410 is allocated additional resources 430, which may be accomplished by conducting write operations into one or more pages 500 of system resources 440 that are different from memory pages 510 associated with shared resources 420 as shown in
Referring back to
Referring to
Thereafter, a determination is made whether there is at least one VM disk supporting a software profile corresponding to the determined software profile information (block 615). If so, one or more VM clones based on the software profile may be provisioned by VM provisioning logic (block 620), provided that the VM threshold is not reached (block 625). If the VM threshold is reached, the VM clone is not provisioned (a warning or error report message may be generated by display by the user/administrator) and the content may be temporarily buffered until the number of provisioned VM clones falls below the VM threshold (block 630).
However, if there is no VM disk supporting the particular software profile, a secondary determination is made as to whether the software profile information includes information that is correlated to software profile by one or more of the VM disk files (block 635). For instance, according to one embodiment of the disclosure, software profile information is correlated to software profiles in one or more of the VM disks if at least an OS and version number identified in the software profile information matches a software profile within the VM disk file(s). According to other embodiment of the disclosure, the software profile information corresponds to a software profiles if the software profile information includes (i) an OS identified in the software profile within one of the VM disk files independent of version type; (ii) an OS identified in the software profile within one of the VM disk files along with requisite applications regardless of version type; (iii) an OS identified in the software profile within one of the VM disk files along with applications having the same functionality as requisite applications. The correspondence level needed may be set by an administrator/user.
If the OS is not provided and/or there is no support for the identified OS, an error report may be provided to the user/administrator (block 630). However, if the secondary determination detects that the OS is supported by the MCD system for example, VM clones may be generated for all of the software profiles directed to this particular OS type, provided that the VM threshold is not reached (blocks 640-645). The VM threshold may be computed in a variety of ways. If the VM threshold is exceeded, an error report is generated (block 630). Otherwise, the VM clones are generated and supplied to the analysis engine where one of the VM clones will be executed as part of the replay logic.
As an example, the VM threshold may be computed by analyzing the amount of memory allocated for VM operations (e.g. 20 GB) divided by (a) the sum of first predetermined memory sizes (e.g., 1 GB) allocated for each VM clone associated with a different software profile and (b) a sum of second predetermined memory sizes (e.g., 100 MB) for each additional VM clone associated with one of the software profiles of (a). As an illustration, the MCD system could support twenty (20) VM clones each associated with a different software profile; ten (10) VM clones associated with different software profiles and 100 additional VM clones associated with these different software profiles; or five (5) VM clones associated with different software profiles and 150 additional VM clones associated with these different software profiles.
Referring now to
During execution of the first VM clone, in response to a write operation that would alter data within one or more memory pages of the shared resources, the VM resource logic allocates additional resources for receipt of the data to be written (blocks 710 and 715). Thereafter, the first VM clone performs a Copy-On Write (COW) operation to store the data to be written within the additional resources (block 720). Now, given slightly different functionality (e.g., access to the shared resources except for above-described one or more memory pages), the first VM clone is now referred to as a first VM instance. The first VM instance has exclusive access to the additional resources storing the written data. If the first VM clone (instance) has not completed execution and analysis of the suspicious content, the VM resource logic continues to allocate additional resources for use by the first VM clone (instance) as needed (block 725).
Concurrently with operations performed by the first VM clone, as denoted by label “A” and shown in
During execution of the second VM clone, in response to a write operation that would also alter data within one or more memory pages of the shared resources, the VM resource logic allocates other additional resources for receipt of the data to be written (blocks 740 and 745). Thereafter, the first VM clone performs a Copy-On Write (COW) operation to store the data to be written within the other additional resources (block 750). Now having functionality different from its instantiated state (e.g., access to the shared resources except for the noted memory page(s)), the second VM clone is now referred to as a second VM instance.
Hereafter, the second VM instance has exclusive access to the other additional resources storing the written data. If the second VM clone (instance) has not completed execution and analysis of the suspicious content, the VM resource logic continues to allocate additional resources for use by the second VM clone (instance) as needed (block 755). The process may continue for additional VM clones based on the same software profile as used for instantiation of the first VM clone and the second VM clone.
In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims. For instance, in lieu of or in addition to the MCD system 1101-1103 of
Also, one of the embodiments of the invention may be directed to a computerized method comprising (1) instantiating, by the controller, a first virtual machine instance for which resources are allocated, the first virtual machine instance to provide a first virtual operating environment; and (2) instantiating, by the controller, a second virtual machine instance running concurrently with the first virtual machine instance, the second virtual machine instance sharing the resources allocated to the first virtual machine instance and being allocated additional resources upon conducting a Copy-On Write operation. The first virtual machine instance may be based on a first software profile, where the first software profile includes information used for virtualization of the first virtual execution environment (e.g., a specific version of an operating system being executed by the first virtual machine instance; information associated with a specific version of an application being executed by the first virtual machine instance; etc.). The second virtual machine instance may be based on the first software profile and may be instantiated while the first virtual machine instance is running.
According to this embodiment, the first virtual machine instance may be configured for analyzing whether content from a first data flow targeted to operate on a client device having the first software profile has malware and the second virtual machine instance may be configured for analyzing whether content from a second data flow targeted to operate on the client device and different from the first data flow has malware.
After instantiation of a plurality of virtual machine instances including the first virtual machine instance and the second virtual machine instances, the computerized method may further comprise (1) determining whether instantiation of a third virtual machine instance exceeds a threshold, where the threshold represents a predetermined number of concurrently operating virtual machine instances, and (2) instantiating the third virtual machine instance if a sum of the plurality of virtual machine instances does not exceed the threshold or refraining from instantiating the third virtual machine instance if the sum of the plurality of virtual machine instances exceeds the threshold. The threshold may be equal to a first value when a first prescribed number of the plurality of virtual machine instances are virtual machine clones being virtual machine instances operating in an initial operating state upon creation. Alternatively, the threshold may be equal to a second value that is less than the first value when a second prescribed number of the plurality of virtual machine instances are virtual machine clones, where the second prescribed number is less than the first prescribed number.
Another one of the embodiments may include a non-transitory computer readable medium including software that, when executed by one or more hardware processors, performs operations comprising: (1) instantiating a first virtual machine instance for which resources are allocated, the first virtual machine instance to provide a first virtual operating environment; and (2) instantiating a second virtual machine instance running concurrently with the first virtual machine instance, the second virtual machine instance sharing the resources allocated to the first virtual machine instance and being allocated additional resources upon conducting a Copy-On Write operation.
Yet, another of these embodiments may include a malware content detection (MCD) system, which comprises: (1) a network port adapted to receive incoming content; (2) an analysis engine configured to analyze the incoming content in a virtual environment including one or more VM instances adapted to execute on a processor so as to process the incoming content in the virtual environment, each VM instance being associated with a software profile; (3) a VM provisioning logic configured to generate one or more VM clones and monitor the number of VM instances (including the VM clones) concurrently in use to assure the number does not exceed a threshold; and (4) a VM resource logic configured to allocate resources for each VM instance in response to a resource request.
For this MCD system, the VM resource logic comprises an allocation table configured to track allocation of resources to each of the VM instances. The VM resource logic is further configured to allocate the resources to each corresponding VM clone upon generation by the VM provisioning logic. As a result, each VM clone within the same VM family share the same allocated (VM) resources until such time as the VM clone seeks to modify such resources. Thereafter, if the VM clone seeks to modify any of the allocated resources, the VM clone is now considered to be a unique VM instance but remains within the VM family by continuing to share at least a portion of the allocated resources with other VM clone(s) and/or VM instance(s) within the VM family. The VM resource logic allocates an additional resource to the resultant VM instance to replace the resource that was sought to be modified, so as to enable the resultant VM instance to proceed with modifying the additional resource.
This application is a continuation of U.S. patent application Ser. No. 13/892,193, now U.S. Pat. No. 9,495,180, the entire contents of which are incorporated by reference herein.
Number | Name | Date | Kind |
---|---|---|---|
4292580 | Ott et al. | Sep 1981 | A |
5175732 | Hendel et al. | Dec 1992 | A |
5319776 | Hile et al. | Jun 1994 | A |
5440723 | Arnold et al. | Aug 1995 | A |
5490249 | Miller | Feb 1996 | A |
5657473 | Killean et al. | Aug 1997 | A |
5802277 | Cowlard | Sep 1998 | A |
5842002 | Schnurer et al. | Nov 1998 | A |
5960170 | Chen et al. | Sep 1999 | A |
5978917 | Chi | Nov 1999 | A |
5983348 | Ji | Nov 1999 | A |
6088803 | Tso et al. | Jul 2000 | A |
6092194 | Touboul | Jul 2000 | A |
6094677 | Capek et al. | Jul 2000 | A |
6108799 | Boulay et al. | Aug 2000 | A |
6118382 | Hibbs et al. | Sep 2000 | A |
6154844 | Touboul et al. | Nov 2000 | A |
6269330 | Cidon et al. | Jul 2001 | B1 |
6272641 | Ji | Aug 2001 | B1 |
6279113 | Vaidya | Aug 2001 | B1 |
6298445 | Shostack et al. | Oct 2001 | B1 |
6357008 | Nachenberg | Mar 2002 | B1 |
6417774 | Hibbs et al. | Jul 2002 | B1 |
6424627 | Sørhaug et al. | Jul 2002 | B1 |
6442696 | Wray et al. | Aug 2002 | B1 |
6484315 | Ziese | Nov 2002 | B1 |
6487666 | Shanklin et al. | Nov 2002 | B1 |
6493756 | O'Brien et al. | Dec 2002 | B1 |
6550012 | Villa et al. | Apr 2003 | B1 |
6700497 | Hibbs et al. | Mar 2004 | B2 |
6775657 | Baker | Aug 2004 | B1 |
6831893 | Ben Nun et al. | Dec 2004 | B1 |
6832367 | Choi et al. | Dec 2004 | B1 |
6895550 | Kanchirayappa et al. | May 2005 | B2 |
6898632 | Gordy et al. | May 2005 | B2 |
6907396 | Muttik et al. | Jun 2005 | B1 |
6941348 | Petry et al. | Sep 2005 | B2 |
6971097 | Wallman | Nov 2005 | B1 |
6981279 | Arnold et al. | Dec 2005 | B1 |
6995665 | Appelt et al. | Feb 2006 | B2 |
7007107 | Ivchenko et al. | Feb 2006 | B1 |
7028179 | Anderson et al. | Apr 2006 | B2 |
7043757 | Hoefelmeyer et al. | May 2006 | B2 |
7058822 | Edery et al. | Jun 2006 | B2 |
7069316 | Gryaznov | Jun 2006 | B1 |
7080407 | Zhao et al. | Jul 2006 | B1 |
7080408 | Pak et al. | Jul 2006 | B1 |
7093002 | Wolff et al. | Aug 2006 | B2 |
7093239 | van der Made | Aug 2006 | B1 |
7096498 | Judge | Aug 2006 | B2 |
7100201 | Izatt | Aug 2006 | B2 |
7107617 | Hursey et al. | Sep 2006 | B2 |
7159149 | Spiegel et al. | Jan 2007 | B2 |
7213260 | Judge | May 2007 | B2 |
7231667 | Jordan | Jun 2007 | B2 |
7240364 | Branscomb et al. | Jul 2007 | B1 |
7240368 | Roesch et al. | Jul 2007 | B1 |
7243371 | Kasper et al. | Jul 2007 | B1 |
7249175 | Donaldson | Jul 2007 | B1 |
7287278 | Liang | Oct 2007 | B2 |
7308716 | Danford et al. | Dec 2007 | B2 |
7328453 | Merkle, Jr. et al. | Feb 2008 | B2 |
7346486 | Ivancic et al. | Mar 2008 | B2 |
7356736 | Natvig | Apr 2008 | B2 |
7386888 | Liang et al. | Jun 2008 | B2 |
7392542 | Bucher | Jun 2008 | B2 |
7418729 | Szor | Aug 2008 | B2 |
7428300 | Drew et al. | Sep 2008 | B1 |
7441272 | Durham et al. | Oct 2008 | B2 |
7448084 | Apap et al. | Nov 2008 | B1 |
7458098 | Judge et al. | Nov 2008 | B2 |
7464404 | Carpenter et al. | Dec 2008 | B2 |
7464407 | Nakae et al. | Dec 2008 | B2 |
7467408 | O'Toole, Jr. | Dec 2008 | B1 |
7478428 | Thomlinson | Jan 2009 | B1 |
7480773 | Reed | Jan 2009 | B1 |
7487543 | Arnold et al. | Feb 2009 | B2 |
7496960 | Chen et al. | Feb 2009 | B1 |
7496961 | Zimmer et al. | Feb 2009 | B2 |
7519990 | Xie | Apr 2009 | B1 |
7523493 | Liang et al. | Apr 2009 | B2 |
7530104 | Thrower et al. | May 2009 | B1 |
7540025 | Tzadikario | May 2009 | B2 |
7546638 | Anderson et al. | Jun 2009 | B2 |
7565550 | Liang et al. | Jul 2009 | B2 |
7568233 | Szor et al. | Jul 2009 | B1 |
7584455 | Ball | Sep 2009 | B2 |
7603715 | Costa et al. | Oct 2009 | B2 |
7607171 | Marsden et al. | Oct 2009 | B1 |
7639714 | Stolfo et al. | Dec 2009 | B2 |
7644441 | Schmid et al. | Jan 2010 | B2 |
7657419 | van der Made | Feb 2010 | B2 |
7676841 | Sobchuk et al. | Mar 2010 | B2 |
7698548 | Shelest et al. | Apr 2010 | B2 |
7707633 | Danford et al. | Apr 2010 | B2 |
7712136 | Sprosts et al. | May 2010 | B2 |
7730011 | Deninger et al. | Jun 2010 | B1 |
7739740 | Nachenberg et al. | Jun 2010 | B1 |
7779463 | Stolfo et al. | Aug 2010 | B2 |
7784097 | Stolfo et al. | Aug 2010 | B1 |
7832008 | Kraemer | Nov 2010 | B1 |
7836502 | Zhao et al. | Nov 2010 | B1 |
7849506 | Dansey et al. | Dec 2010 | B1 |
7854007 | Sprosts et al. | Dec 2010 | B2 |
7869073 | Oshima | Jan 2011 | B2 |
7877803 | Enstone et al. | Jan 2011 | B2 |
7904959 | Sidiroglou et al. | Mar 2011 | B2 |
7908660 | Bahl | Mar 2011 | B2 |
7930738 | Petersen | Apr 2011 | B1 |
7937387 | Frazier et al. | May 2011 | B2 |
7937761 | Bennett | May 2011 | B1 |
7949849 | Lowe et al. | May 2011 | B2 |
7996556 | Raghavan et al. | Aug 2011 | B2 |
7996836 | McCorkendale et al. | Aug 2011 | B1 |
7996904 | Chiueh et al. | Aug 2011 | B1 |
7996905 | Arnold et al. | Aug 2011 | B2 |
8006305 | Aziz | Aug 2011 | B2 |
8010667 | Zhang et al. | Aug 2011 | B2 |
8020206 | Hubbard et al. | Sep 2011 | B2 |
8028338 | Schneider et al. | Sep 2011 | B1 |
8042184 | Batenin | Oct 2011 | B1 |
8045094 | Teragawa | Oct 2011 | B2 |
8045458 | Alperovitch et al. | Oct 2011 | B2 |
8069484 | McMillan et al. | Nov 2011 | B2 |
8087086 | Lai et al. | Dec 2011 | B1 |
8151263 | Venkitachalam et al. | Apr 2012 | B1 |
8171553 | Aziz et al. | May 2012 | B2 |
8176049 | Deninger et al. | May 2012 | B2 |
8176480 | Spertus | May 2012 | B1 |
8201246 | Wu et al. | Jun 2012 | B1 |
8204984 | Aziz et al. | Jun 2012 | B1 |
8214905 | Doukhvalov et al. | Jul 2012 | B1 |
8220055 | Kennedy | Jul 2012 | B1 |
8225288 | Miller et al. | Jul 2012 | B2 |
8225373 | Kraemer | Jul 2012 | B2 |
8233882 | Rogel | Jul 2012 | B2 |
8234640 | Fitzgerald et al. | Jul 2012 | B1 |
8234709 | Viljoen et al. | Jul 2012 | B2 |
8239944 | Nachenberg et al. | Aug 2012 | B1 |
8260914 | Ranjan | Sep 2012 | B1 |
8266091 | Gubin et al. | Sep 2012 | B1 |
8286251 | Eker et al. | Oct 2012 | B2 |
8291499 | Aziz et al. | Oct 2012 | B2 |
8307435 | Mann et al. | Nov 2012 | B1 |
8307443 | Wang et al. | Nov 2012 | B2 |
8312545 | Tuvell et al. | Nov 2012 | B2 |
8321936 | Green et al. | Nov 2012 | B1 |
8321941 | Tuvell et al. | Nov 2012 | B2 |
8332571 | Edwards, Sr. | Dec 2012 | B1 |
8365286 | Poston | Jan 2013 | B2 |
8365297 | Parshin et al. | Jan 2013 | B1 |
8370938 | Daswani et al. | Feb 2013 | B1 |
8370939 | Zaitsev et al. | Feb 2013 | B2 |
8375444 | Aziz et al. | Feb 2013 | B2 |
8381299 | Stolfo et al. | Feb 2013 | B2 |
8402529 | Green et al. | Mar 2013 | B1 |
8464340 | Ahn et al. | Jun 2013 | B2 |
8479174 | Chiriac | Jul 2013 | B2 |
8479276 | Vaystikh et al. | Jul 2013 | B1 |
8479291 | Bodke | Jul 2013 | B1 |
8510827 | Leake et al. | Aug 2013 | B1 |
8510828 | Guo et al. | Aug 2013 | B1 |
8510842 | Amit et al. | Aug 2013 | B2 |
8516478 | Edwards et al. | Aug 2013 | B1 |
8516590 | Ranadive et al. | Aug 2013 | B1 |
8516593 | Aziz | Aug 2013 | B2 |
8522348 | Chen et al. | Aug 2013 | B2 |
8528086 | Aziz | Sep 2013 | B1 |
8533824 | Hutton et al. | Sep 2013 | B2 |
8539582 | Aziz et al. | Sep 2013 | B1 |
8549638 | Aziz | Oct 2013 | B2 |
8555391 | Demir et al. | Oct 2013 | B1 |
8561177 | Aziz et al. | Oct 2013 | B1 |
8566476 | Shiffer et al. | Oct 2013 | B2 |
8566946 | Aziz et al. | Oct 2013 | B1 |
8584094 | Dadhia et al. | Nov 2013 | B2 |
8584234 | Sobel et al. | Nov 2013 | B1 |
8584239 | Aziz et al. | Nov 2013 | B2 |
8595834 | Xie et al. | Nov 2013 | B2 |
8627476 | Satish et al. | Jan 2014 | B1 |
8635696 | Aziz | Jan 2014 | B1 |
8682054 | Xue et al. | Mar 2014 | B2 |
8682812 | Ranjan | Mar 2014 | B1 |
8689333 | Aziz | Apr 2014 | B2 |
8695096 | Zhang | Apr 2014 | B1 |
8713631 | Pavlyushchik | Apr 2014 | B1 |
8713681 | Silberman et al. | Apr 2014 | B2 |
8726392 | McCorkendale et al. | May 2014 | B1 |
8739280 | Chess et al. | May 2014 | B2 |
8776229 | Aziz | Jul 2014 | B1 |
8782792 | Bodke | Jul 2014 | B1 |
8789172 | Stolfo et al. | Jul 2014 | B2 |
8789178 | Kejriwal et al. | Jul 2014 | B2 |
8793278 | Frazier et al. | Jul 2014 | B2 |
8793787 | Ismael et al. | Jul 2014 | B2 |
8805947 | Kuzkin et al. | Aug 2014 | B1 |
8806647 | Daswani et al. | Aug 2014 | B1 |
8832829 | Manni et al. | Sep 2014 | B2 |
8850570 | Ramzan | Sep 2014 | B1 |
8850571 | Staniford et al. | Sep 2014 | B2 |
8881234 | Narasimhan et al. | Nov 2014 | B2 |
8881271 | Butler, II | Nov 2014 | B2 |
8881282 | Aziz et al. | Nov 2014 | B1 |
8898788 | Aziz et al. | Nov 2014 | B1 |
8935779 | Manni et al. | Jan 2015 | B2 |
8949257 | Shiffer et al. | Feb 2015 | B2 |
8984638 | Aziz et al. | Mar 2015 | B1 |
8990939 | Staniford et al. | Mar 2015 | B2 |
8990944 | Singh et al. | Mar 2015 | B1 |
8997219 | Staniford et al. | Mar 2015 | B2 |
9009822 | Ismael et al. | Apr 2015 | B1 |
9009823 | Ismael et al. | Apr 2015 | B1 |
9027135 | Aziz | May 2015 | B1 |
9071638 | Aziz et al. | Jun 2015 | B1 |
9104867 | Thioux et al. | Aug 2015 | B1 |
9106630 | Frazier et al. | Aug 2015 | B2 |
9106694 | Aziz et al. | Aug 2015 | B2 |
9117079 | Huang et al. | Aug 2015 | B1 |
9118715 | Staniford et al. | Aug 2015 | B2 |
9159035 | Ismael et al. | Oct 2015 | B1 |
9171160 | Vincent et al. | Oct 2015 | B2 |
9176843 | Ismael et al. | Nov 2015 | B1 |
9189627 | Islam | Nov 2015 | B1 |
9195829 | Goradia et al. | Nov 2015 | B1 |
9197664 | Aziz et al. | Nov 2015 | B1 |
9223972 | Vincent et al. | Dec 2015 | B1 |
9225740 | Ismael et al. | Dec 2015 | B1 |
9241010 | Bennett et al. | Jan 2016 | B1 |
9251343 | Vincent et al. | Feb 2016 | B1 |
9262635 | Paithane et al. | Feb 2016 | B2 |
9268936 | Butler | Feb 2016 | B2 |
9275229 | LeMasters | Mar 2016 | B2 |
9282109 | Aziz et al. | Mar 2016 | B1 |
9292686 | Ismael et al. | Mar 2016 | B2 |
9294501 | Mesdaq et al. | Mar 2016 | B2 |
9300686 | Pidathala et al. | Mar 2016 | B2 |
9306960 | Aziz | Apr 2016 | B1 |
9306974 | Aziz et al. | Apr 2016 | B1 |
9311479 | Manni et al. | Apr 2016 | B1 |
9355247 | Thioux et al. | May 2016 | B1 |
9356944 | Aziz | May 2016 | B1 |
9363280 | Rivlin et al. | Jun 2016 | B1 |
9367681 | Ismael et al. | Jun 2016 | B1 |
9398028 | Karandikar et al. | Jul 2016 | B1 |
9413781 | Cunningham et al. | Aug 2016 | B2 |
9426071 | Caldejon et al. | Aug 2016 | B1 |
9430646 | Mushtaq et al. | Aug 2016 | B1 |
9432389 | Khalid et al. | Aug 2016 | B1 |
9438613 | Paithane et al. | Sep 2016 | B1 |
9438622 | Staniford et al. | Sep 2016 | B1 |
9438623 | Thioux et al. | Sep 2016 | B1 |
9459901 | Jung et al. | Oct 2016 | B2 |
9467460 | Otvagin et al. | Oct 2016 | B1 |
9483644 | Paithane et al. | Nov 2016 | B1 |
9495180 | Ismael | Nov 2016 | B2 |
9497213 | Thompson et al. | Nov 2016 | B2 |
9507935 | Ismael et al. | Nov 2016 | B2 |
9516057 | Aziz | Dec 2016 | B2 |
9519782 | Aziz et al. | Dec 2016 | B2 |
9536091 | Paithane et al. | Jan 2017 | B2 |
9537972 | Edwards et al. | Jan 2017 | B1 |
9560059 | Islam | Jan 2017 | B1 |
9565202 | Kindlund et al. | Feb 2017 | B1 |
9591015 | Amin et al. | Mar 2017 | B1 |
9591020 | Aziz | Mar 2017 | B1 |
9594904 | Jain et al. | Mar 2017 | B1 |
9594905 | Ismael et al. | Mar 2017 | B1 |
9594912 | Thioux et al. | Mar 2017 | B1 |
9609007 | Rivlin et al. | Mar 2017 | B1 |
9626509 | Khalid et al. | Apr 2017 | B1 |
9628498 | Aziz et al. | Apr 2017 | B1 |
9628507 | Haq et al. | Apr 2017 | B2 |
9633134 | Ross | Apr 2017 | B2 |
9635039 | Islam et al. | Apr 2017 | B1 |
9641546 | Manni et al. | May 2017 | B1 |
9654485 | Neumann | May 2017 | B1 |
9661009 | Karandikar et al. | May 2017 | B1 |
9661018 | Aziz | May 2017 | B1 |
9674298 | Edwards et al. | Jun 2017 | B1 |
9680862 | Ismael et al. | Jun 2017 | B2 |
9690606 | Ha et al. | Jun 2017 | B1 |
9690933 | Singh et al. | Jun 2017 | B1 |
9690935 | Shifter et al. | Jun 2017 | B2 |
9690936 | Malik et al. | Jun 2017 | B1 |
9736179 | Ismael | Aug 2017 | B2 |
9740857 | Ismael et al. | Aug 2017 | B2 |
9747446 | Pidathala et al. | Aug 2017 | B1 |
9756074 | Aziz et al. | Sep 2017 | B2 |
9773112 | Rathor et al. | Sep 2017 | B1 |
9781144 | Otvagin et al. | Oct 2017 | B1 |
9787700 | Amin et al. | Oct 2017 | B1 |
9787706 | Otvagin et al. | Oct 2017 | B1 |
9792196 | Ismael et al. | Oct 2017 | B1 |
9824209 | Ismael et al. | Nov 2017 | B1 |
9824211 | Wilson | Nov 2017 | B2 |
9824216 | Khalid et al. | Nov 2017 | B1 |
9825976 | Gomez et al. | Nov 2017 | B1 |
9825989 | Mehra et al. | Nov 2017 | B1 |
9838408 | Karandikar et al. | Dec 2017 | B1 |
9838411 | Aziz | Dec 2017 | B1 |
9838416 | Aziz | Dec 2017 | B1 |
9838417 | Khalid et al. | Dec 2017 | B1 |
9846776 | Paithane et al. | Dec 2017 | B1 |
9876701 | Caldejon et al. | Jan 2018 | B1 |
9888016 | Amin et al. | Feb 2018 | B1 |
9888019 | Pidathala et al. | Feb 2018 | B1 |
9910988 | Vincent et al. | Mar 2018 | B1 |
9912644 | Cunningham | Mar 2018 | B2 |
9912681 | Ismael et al. | Mar 2018 | B1 |
9912684 | Aziz et al. | Mar 2018 | B1 |
9912691 | Mesdaq et al. | Mar 2018 | B2 |
9912698 | Thioux et al. | Mar 2018 | B1 |
9916440 | Paithane et al. | Mar 2018 | B1 |
9921978 | Chan et al. | Mar 2018 | B1 |
9934376 | Ismael | Apr 2018 | B1 |
9934381 | Kindlund et al. | Apr 2018 | B1 |
9946568 | Ismael et al. | Apr 2018 | B1 |
9954890 | Staniford et al. | Apr 2018 | B1 |
9973531 | Thioux | May 2018 | B1 |
10002252 | Ismael et al. | Jun 2018 | B2 |
10019338 | Goradia et al. | Jul 2018 | B1 |
10019573 | Silberman et al. | Jul 2018 | B2 |
10025691 | Ismael et al. | Jul 2018 | B1 |
10025927 | Khalid et al. | Jul 2018 | B1 |
10027689 | Rathor et al. | Jul 2018 | B1 |
10027690 | Aziz et al. | Jul 2018 | B2 |
10027696 | Rivlin et al. | Jul 2018 | B1 |
10033747 | Paithane et al. | Jul 2018 | B1 |
10033748 | Cunningham et al. | Jul 2018 | B1 |
10033753 | Islam et al. | Jul 2018 | B1 |
10033759 | Kabra et al. | Jul 2018 | B1 |
10050998 | Singh | Aug 2018 | B1 |
10068091 | Aziz et al. | Sep 2018 | B1 |
10075455 | Zafar et al. | Sep 2018 | B2 |
10083302 | Paithane et al. | Sep 2018 | B1 |
10084813 | Eyada | Sep 2018 | B2 |
10089461 | Ha et al. | Oct 2018 | B1 |
10097573 | Aziz | Oct 2018 | B1 |
10104102 | Neumann | Oct 2018 | B1 |
10108446 | Steinberg et al. | Oct 2018 | B1 |
10121000 | Rivlin et al. | Nov 2018 | B1 |
10122746 | Manni et al. | Nov 2018 | B1 |
10133863 | Bu et al. | Nov 2018 | B2 |
10133866 | Kumar et al. | Nov 2018 | B1 |
10146810 | Shiffer et al. | Dec 2018 | B2 |
10148693 | Singh et al. | Dec 2018 | B2 |
10165000 | Aziz et al. | Dec 2018 | B1 |
10169585 | Pilipenko et al. | Jan 2019 | B1 |
10176321 | Abbasi et al. | Jan 2019 | B2 |
10181029 | Ismael et al. | Jan 2019 | B1 |
10191861 | Steinberg et al. | Jan 2019 | B1 |
10192052 | Singh et al. | Jan 2019 | B1 |
10198574 | Thioux et al. | Feb 2019 | B1 |
10200384 | Mushtaq et al. | Feb 2019 | B1 |
10210329 | Malik et al. | Feb 2019 | B1 |
10216927 | Steinberg | Feb 2019 | B1 |
10218740 | Mesdaq et al. | Feb 2019 | B1 |
10242185 | Goradia | Mar 2019 | B1 |
20010005889 | Albrecht | Jun 2001 | A1 |
20010047326 | Broadbent et al. | Nov 2001 | A1 |
20020018903 | Kokubo et al. | Feb 2002 | A1 |
20020038430 | Edwards et al. | Mar 2002 | A1 |
20020091819 | Melchione et al. | Jul 2002 | A1 |
20020095607 | Lin-Hendel | Jul 2002 | A1 |
20020116627 | Tarbotton et al. | Aug 2002 | A1 |
20020144156 | Copeland | Oct 2002 | A1 |
20020162015 | Tang | Oct 2002 | A1 |
20020166063 | Lachman et al. | Nov 2002 | A1 |
20020169952 | DiSanto et al. | Nov 2002 | A1 |
20020184528 | Shevenell et al. | Dec 2002 | A1 |
20020188887 | Largman et al. | Dec 2002 | A1 |
20020194490 | Halperin et al. | Dec 2002 | A1 |
20030021728 | Sharpe et al. | Jan 2003 | A1 |
20030074578 | Ford et al. | Apr 2003 | A1 |
20030084318 | Schertz | May 2003 | A1 |
20030101381 | Mateev et al. | May 2003 | A1 |
20030115483 | Liang | Jun 2003 | A1 |
20030188190 | Aaron et al. | Oct 2003 | A1 |
20030191957 | Hypponen et al. | Oct 2003 | A1 |
20030200460 | Morota et al. | Oct 2003 | A1 |
20030212902 | van der Made | Nov 2003 | A1 |
20030229801 | Kouznetsov et al. | Dec 2003 | A1 |
20030237000 | Denton et al. | Dec 2003 | A1 |
20040003323 | Bennett et al. | Jan 2004 | A1 |
20040006473 | Mills et al. | Jan 2004 | A1 |
20040015712 | Szor | Jan 2004 | A1 |
20040019832 | Arnold et al. | Jan 2004 | A1 |
20040047356 | Bauer | Mar 2004 | A1 |
20040083408 | Spiegel et al. | Apr 2004 | A1 |
20040088581 | Brawn et al. | May 2004 | A1 |
20040093513 | Cantrell et al. | May 2004 | A1 |
20040111531 | Staniford et al. | Jun 2004 | A1 |
20040117478 | Triulzi et al. | Jun 2004 | A1 |
20040117624 | Brandt et al. | Jun 2004 | A1 |
20040128355 | Chao et al. | Jul 2004 | A1 |
20040165588 | Pandya | Aug 2004 | A1 |
20040236963 | Danford et al. | Nov 2004 | A1 |
20040243349 | Greifeneder et al. | Dec 2004 | A1 |
20040249911 | Alkhatib et al. | Dec 2004 | A1 |
20040255161 | Cavanaugh | Dec 2004 | A1 |
20040268147 | Wiederin et al. | Dec 2004 | A1 |
20050005159 | Oliphant | Jan 2005 | A1 |
20050021740 | Bar et al. | Jan 2005 | A1 |
20050033960 | Vialen et al. | Feb 2005 | A1 |
20050033989 | Poletto et al. | Feb 2005 | A1 |
20050050148 | Mohammadioun et al. | Mar 2005 | A1 |
20050086523 | Zimmer et al. | Apr 2005 | A1 |
20050091513 | Mitomo et al. | Apr 2005 | A1 |
20050091533 | Omote et al. | Apr 2005 | A1 |
20050091652 | Ross et al. | Apr 2005 | A1 |
20050108562 | Khazan et al. | May 2005 | A1 |
20050114663 | Cornell et al. | May 2005 | A1 |
20050125195 | Brendel | Jun 2005 | A1 |
20050149726 | Joshi et al. | Jul 2005 | A1 |
20050157662 | Bingham et al. | Jul 2005 | A1 |
20050183143 | Anderholm et al. | Aug 2005 | A1 |
20050201297 | Peikari | Sep 2005 | A1 |
20050210533 | Copeland et al. | Sep 2005 | A1 |
20050238005 | Chen et al. | Oct 2005 | A1 |
20050240781 | Gassoway | Oct 2005 | A1 |
20050262562 | Gassoway | Nov 2005 | A1 |
20050265331 | Stolfo | Dec 2005 | A1 |
20050283839 | Cowburn | Dec 2005 | A1 |
20060010495 | Cohen et al. | Jan 2006 | A1 |
20060015416 | Hoffman et al. | Jan 2006 | A1 |
20060015715 | Anderson | Jan 2006 | A1 |
20060015747 | Van de Ven | Jan 2006 | A1 |
20060021029 | Brickell et al. | Jan 2006 | A1 |
20060021054 | Costa et al. | Jan 2006 | A1 |
20060031476 | Mathes et al. | Feb 2006 | A1 |
20060047665 | Neil | Mar 2006 | A1 |
20060070130 | Costea et al. | Mar 2006 | A1 |
20060075496 | Carpenter et al. | Apr 2006 | A1 |
20060095968 | Portolani et al. | May 2006 | A1 |
20060101516 | Sudaharan et al. | May 2006 | A1 |
20060101517 | Banzhof et al. | May 2006 | A1 |
20060117385 | Mester et al. | Jun 2006 | A1 |
20060123477 | Raghavan et al. | Jun 2006 | A1 |
20060143709 | Brooks et al. | Jun 2006 | A1 |
20060150249 | Gassen et al. | Jul 2006 | A1 |
20060161983 | Cothrell et al. | Jul 2006 | A1 |
20060161987 | Levy-Yurista | Jul 2006 | A1 |
20060161989 | Reshef et al. | Jul 2006 | A1 |
20060164199 | Gilde et al. | Jul 2006 | A1 |
20060173992 | Weber et al. | Aug 2006 | A1 |
20060179147 | Tran et al. | Aug 2006 | A1 |
20060184632 | Marino et al. | Aug 2006 | A1 |
20060191010 | Benjamin | Aug 2006 | A1 |
20060221956 | Narayan et al. | Oct 2006 | A1 |
20060236393 | Kramer et al. | Oct 2006 | A1 |
20060242709 | Seinfeld et al. | Oct 2006 | A1 |
20060248519 | Jaeger et al. | Nov 2006 | A1 |
20060248582 | Panjwani et al. | Nov 2006 | A1 |
20060251104 | Koga | Nov 2006 | A1 |
20060288417 | Bookbinder et al. | Dec 2006 | A1 |
20070006288 | Mayfield et al. | Jan 2007 | A1 |
20070006313 | Porras et al. | Jan 2007 | A1 |
20070011174 | Takaragi et al. | Jan 2007 | A1 |
20070016951 | Piccard et al. | Jan 2007 | A1 |
20070019286 | Kikuchi | Jan 2007 | A1 |
20070033645 | Jones | Feb 2007 | A1 |
20070038943 | FitzGerald et al. | Feb 2007 | A1 |
20070064689 | Shin et al. | Mar 2007 | A1 |
20070074169 | Chess et al. | Mar 2007 | A1 |
20070074208 | Ling et al. | Mar 2007 | A1 |
20070094730 | Bhikkaji et al. | Apr 2007 | A1 |
20070101435 | Konanka et al. | May 2007 | A1 |
20070128855 | Cho et al. | Jun 2007 | A1 |
20070142030 | Sinha et al. | Jun 2007 | A1 |
20070143827 | Nicodemus et al. | Jun 2007 | A1 |
20070156895 | Vuong | Jul 2007 | A1 |
20070157180 | Tillmann et al. | Jul 2007 | A1 |
20070157306 | Elrod et al. | Jul 2007 | A1 |
20070168988 | Eisner et al. | Jul 2007 | A1 |
20070171824 | Ruello et al. | Jul 2007 | A1 |
20070174915 | Gribble et al. | Jul 2007 | A1 |
20070192500 | Lum | Aug 2007 | A1 |
20070192858 | Lum | Aug 2007 | A1 |
20070198275 | Malden et al. | Aug 2007 | A1 |
20070208822 | Wang et al. | Sep 2007 | A1 |
20070220607 | Sprosts et al. | Sep 2007 | A1 |
20070240218 | Tuvell et al. | Oct 2007 | A1 |
20070240219 | Tuvell et al. | Oct 2007 | A1 |
20070240220 | Tuvell et al. | Oct 2007 | A1 |
20070240222 | Tuvell et al. | Oct 2007 | A1 |
20070250930 | Aziz et al. | Oct 2007 | A1 |
20070256132 | Oliphant | Nov 2007 | A2 |
20070271446 | Nakamura | Nov 2007 | A1 |
20080005782 | Aziz | Jan 2008 | A1 |
20080018122 | Zierler et al. | Jan 2008 | A1 |
20080028463 | Dagon et al. | Jan 2008 | A1 |
20080032556 | Schreier | Feb 2008 | A1 |
20080040710 | Chiriac | Feb 2008 | A1 |
20080046781 | Childs et al. | Feb 2008 | A1 |
20080066179 | Liu | Mar 2008 | A1 |
20080072326 | Danford et al. | Mar 2008 | A1 |
20080077793 | Tan et al. | Mar 2008 | A1 |
20080080518 | Hoeflin et al. | Apr 2008 | A1 |
20080086720 | Lekel | Apr 2008 | A1 |
20080098476 | Syversen | Apr 2008 | A1 |
20080120722 | Sima et al. | May 2008 | A1 |
20080127348 | Largman et al. | May 2008 | A1 |
20080134178 | Fitzgerald et al. | Jun 2008 | A1 |
20080134334 | Kim et al. | Jun 2008 | A1 |
20080141376 | Clausen et al. | Jun 2008 | A1 |
20080163204 | Morgan et al. | Jul 2008 | A1 |
20080181227 | Todd | Jul 2008 | A1 |
20080184367 | McMillan et al. | Jul 2008 | A1 |
20080184373 | Traut et al. | Jul 2008 | A1 |
20080189787 | Arnold et al. | Aug 2008 | A1 |
20080201778 | Guo et al. | Aug 2008 | A1 |
20080209557 | Herley et al. | Aug 2008 | A1 |
20080215742 | Goldszmidt et al. | Sep 2008 | A1 |
20080222729 | Chen et al. | Sep 2008 | A1 |
20080263665 | Ma et al. | Oct 2008 | A1 |
20080295172 | Bohacek | Nov 2008 | A1 |
20080301810 | Lehane et al. | Dec 2008 | A1 |
20080307524 | Singh et al. | Dec 2008 | A1 |
20080313738 | Enderby | Dec 2008 | A1 |
20080320594 | Jiang | Dec 2008 | A1 |
20090003317 | Kasralikar et al. | Jan 2009 | A1 |
20090007100 | Field et al. | Jan 2009 | A1 |
20090013408 | Schipka | Jan 2009 | A1 |
20090031423 | Liu et al. | Jan 2009 | A1 |
20090036111 | Danford et al. | Feb 2009 | A1 |
20090037835 | Goldman | Feb 2009 | A1 |
20090044024 | Oberheide et al. | Feb 2009 | A1 |
20090044274 | Budko et al. | Feb 2009 | A1 |
20090064332 | Porras et al. | Mar 2009 | A1 |
20090077666 | Chen et al. | Mar 2009 | A1 |
20090083369 | Marmor | Mar 2009 | A1 |
20090083855 | Apap et al. | Mar 2009 | A1 |
20090089879 | Wang et al. | Apr 2009 | A1 |
20090094697 | Provos et al. | Apr 2009 | A1 |
20090113425 | Ports et al. | Apr 2009 | A1 |
20090125976 | Wassermann et al. | May 2009 | A1 |
20090126015 | Monastyrsky et al. | May 2009 | A1 |
20090126016 | Sobko et al. | May 2009 | A1 |
20090133125 | Choi et al. | May 2009 | A1 |
20090144823 | Lamastra et al. | Jun 2009 | A1 |
20090158430 | Borders | Jun 2009 | A1 |
20090172815 | Gu et al. | Jul 2009 | A1 |
20090187992 | Poston | Jul 2009 | A1 |
20090193293 | Stolfo et al. | Jul 2009 | A1 |
20090198651 | Shiffer et al. | Aug 2009 | A1 |
20090198670 | Shiffer et al. | Aug 2009 | A1 |
20090198689 | Frazier et al. | Aug 2009 | A1 |
20090199274 | Frazier et al. | Aug 2009 | A1 |
20090199296 | Xie et al. | Aug 2009 | A1 |
20090228233 | Anderson et al. | Sep 2009 | A1 |
20090241187 | Troyansky | Sep 2009 | A1 |
20090241190 | Todd et al. | Sep 2009 | A1 |
20090265692 | Godefroid et al. | Oct 2009 | A1 |
20090271867 | Zhang | Oct 2009 | A1 |
20090300415 | Zhang et al. | Dec 2009 | A1 |
20090300761 | Park et al. | Dec 2009 | A1 |
20090328185 | Berg et al. | Dec 2009 | A1 |
20090328221 | Blumfield et al. | Dec 2009 | A1 |
20100005146 | Drako et al. | Jan 2010 | A1 |
20100011205 | McKenna | Jan 2010 | A1 |
20100017546 | Poo et al. | Jan 2010 | A1 |
20100030996 | Butler, II | Feb 2010 | A1 |
20100031353 | Thomas et al. | Feb 2010 | A1 |
20100037314 | Perdisci et al. | Feb 2010 | A1 |
20100043073 | Kuwamura | Feb 2010 | A1 |
20100054278 | Stolfo et al. | Mar 2010 | A1 |
20100058474 | Hicks | Mar 2010 | A1 |
20100064044 | Nonoyama | Mar 2010 | A1 |
20100077481 | Polyakov et al. | Mar 2010 | A1 |
20100083376 | Pereira et al. | Apr 2010 | A1 |
20100115621 | Staniford et al. | May 2010 | A1 |
20100132038 | Zaitsev | May 2010 | A1 |
20100154056 | Smith et al. | Jun 2010 | A1 |
20100175070 | Baba | Jul 2010 | A1 |
20100180344 | Malyshev et al. | Jul 2010 | A1 |
20100192223 | Ismael et al. | Jul 2010 | A1 |
20100220863 | Dupaquis et al. | Sep 2010 | A1 |
20100235831 | Dittmer | Sep 2010 | A1 |
20100251104 | Massand | Sep 2010 | A1 |
20100281102 | Chinta et al. | Nov 2010 | A1 |
20100281541 | Stolfo et al. | Nov 2010 | A1 |
20100281542 | Stolfo et al. | Nov 2010 | A1 |
20100287260 | Peterson et al. | Nov 2010 | A1 |
20100299754 | Amit et al. | Nov 2010 | A1 |
20100306173 | Frank | Dec 2010 | A1 |
20110004737 | Greenebaum | Jan 2011 | A1 |
20110025504 | Lyon et al. | Feb 2011 | A1 |
20110041179 | St Hlberg | Feb 2011 | A1 |
20110047594 | Mahaffey et al. | Feb 2011 | A1 |
20110047620 | Mahaffey et al. | Feb 2011 | A1 |
20110055907 | Narasimhan et al. | Mar 2011 | A1 |
20110078794 | Manni et al. | Mar 2011 | A1 |
20110093951 | Aziz | Apr 2011 | A1 |
20110099620 | Stavrou et al. | Apr 2011 | A1 |
20110099633 | Aziz | Apr 2011 | A1 |
20110099635 | Silberman et al. | Apr 2011 | A1 |
20110113231 | Kaminsky | May 2011 | A1 |
20110145918 | Jung et al. | Jun 2011 | A1 |
20110145920 | Mahaffey et al. | Jun 2011 | A1 |
20110145934 | Abramovici et al. | Jun 2011 | A1 |
20110167493 | Song et al. | Jul 2011 | A1 |
20110167494 | Bowen et al. | Jul 2011 | A1 |
20110173213 | Frazier et al. | Jul 2011 | A1 |
20110173460 | Ito et al. | Jul 2011 | A1 |
20110219449 | St. Neitzel et al. | Sep 2011 | A1 |
20110219450 | McDougal et al. | Sep 2011 | A1 |
20110225624 | Sawhney et al. | Sep 2011 | A1 |
20110225655 | Niemela et al. | Sep 2011 | A1 |
20110247072 | Staniford et al. | Oct 2011 | A1 |
20110265182 | Peinado et al. | Oct 2011 | A1 |
20110289582 | Kejriwal et al. | Nov 2011 | A1 |
20110302587 | Nishikawa et al. | Dec 2011 | A1 |
20110307954 | Melnik et al. | Dec 2011 | A1 |
20110307955 | Kaplan et al. | Dec 2011 | A1 |
20110307956 | Yermakov et al. | Dec 2011 | A1 |
20110314546 | Aziz et al. | Dec 2011 | A1 |
20110321040 | Sobel et al. | Dec 2011 | A1 |
20120023593 | Puder et al. | Jan 2012 | A1 |
20120054869 | Yen et al. | Mar 2012 | A1 |
20120066698 | Yanoo | Mar 2012 | A1 |
20120079596 | Thomas et al. | Mar 2012 | A1 |
20120084859 | Radinsky et al. | Apr 2012 | A1 |
20120096553 | Srivastava et al. | Apr 2012 | A1 |
20120110667 | Zubrilin et al. | May 2012 | A1 |
20120117652 | Manni et al. | May 2012 | A1 |
20120121154 | Xue et al. | May 2012 | A1 |
20120124426 | Maybee et al. | May 2012 | A1 |
20120174186 | Aziz et al. | Jul 2012 | A1 |
20120174196 | Bhogavilli et al. | Jul 2012 | A1 |
20120174218 | McCoy et al. | Jul 2012 | A1 |
20120198279 | Schroeder | Aug 2012 | A1 |
20120210423 | Friedrichs et al. | Aug 2012 | A1 |
20120216046 | McDougal et al. | Aug 2012 | A1 |
20120222121 | Staniford et al. | Aug 2012 | A1 |
20120255015 | Sahita et al. | Oct 2012 | A1 |
20120255017 | Sallam | Oct 2012 | A1 |
20120260342 | Dube et al. | Oct 2012 | A1 |
20120266244 | Green et al. | Oct 2012 | A1 |
20120278886 | Luna | Nov 2012 | A1 |
20120297257 | Mohr et al. | Nov 2012 | A1 |
20120297489 | Dequevy | Nov 2012 | A1 |
20120330801 | McDougal et al. | Dec 2012 | A1 |
20120331553 | Aziz et al. | Dec 2012 | A1 |
20130014259 | Gribble et al. | Jan 2013 | A1 |
20130036472 | Aziz | Feb 2013 | A1 |
20130047257 | Aziz | Feb 2013 | A1 |
20130074185 | McDougal et al. | Mar 2013 | A1 |
20130086684 | Mohler | Apr 2013 | A1 |
20130097601 | Podvratnik et al. | Apr 2013 | A1 |
20130097699 | Balupari et al. | Apr 2013 | A1 |
20130097706 | Titonis et al. | Apr 2013 | A1 |
20130111587 | Goel et al. | May 2013 | A1 |
20130117849 | Golshan et al. | May 2013 | A1 |
20130117852 | Stute | May 2013 | A1 |
20130117855 | Kim et al. | May 2013 | A1 |
20130139264 | Brinkley et al. | May 2013 | A1 |
20130160125 | Likhachev et al. | Jun 2013 | A1 |
20130160127 | Jeong et al. | Jun 2013 | A1 |
20130160130 | Mendelev et al. | Jun 2013 | A1 |
20130160131 | Madou et al. | Jun 2013 | A1 |
20130167236 | Sick | Jun 2013 | A1 |
20130174214 | Duncan | Jul 2013 | A1 |
20130185789 | Hagiwara et al. | Jul 2013 | A1 |
20130185795 | Winn et al. | Jul 2013 | A1 |
20130185798 | Saunders et al. | Jul 2013 | A1 |
20130191915 | Antonakakis et al. | Jul 2013 | A1 |
20130196649 | Paddon et al. | Aug 2013 | A1 |
20130227691 | Aziz et al. | Aug 2013 | A1 |
20130246370 | Bartram et al. | Sep 2013 | A1 |
20130247186 | LeMasters | Sep 2013 | A1 |
20130263260 | Mahaffey et al. | Oct 2013 | A1 |
20130291109 | Staniford et al. | Oct 2013 | A1 |
20130298243 | Kumar et al. | Nov 2013 | A1 |
20130318038 | Shiffer et al. | Nov 2013 | A1 |
20130318073 | Shiffer et al. | Nov 2013 | A1 |
20130325791 | Shiffer et al. | Dec 2013 | A1 |
20130325792 | Shiffer et al. | Dec 2013 | A1 |
20130325871 | Shiffer et al. | Dec 2013 | A1 |
20130325872 | Shiffer et al. | Dec 2013 | A1 |
20140006734 | Li et al. | Jan 2014 | A1 |
20140032875 | Butler | Jan 2014 | A1 |
20140053260 | Gupta et al. | Feb 2014 | A1 |
20140053261 | Gupta et al. | Feb 2014 | A1 |
20140130158 | Wang et al. | May 2014 | A1 |
20140137180 | Lukacs et al. | May 2014 | A1 |
20140169762 | Ryu | Jun 2014 | A1 |
20140179360 | Jackson et al. | Jun 2014 | A1 |
20140181131 | Ross | Jun 2014 | A1 |
20140181975 | Spernow et al. | Jun 2014 | A1 |
20140189687 | Jung et al. | Jul 2014 | A1 |
20140189866 | Shiffer et al. | Jul 2014 | A1 |
20140189882 | Jung et al. | Jul 2014 | A1 |
20140237600 | Silberman et al. | Aug 2014 | A1 |
20140280245 | Wilson | Sep 2014 | A1 |
20140283037 | Sikorski et al. | Sep 2014 | A1 |
20140283063 | Thompson et al. | Sep 2014 | A1 |
20140328204 | Klotsche et al. | Nov 2014 | A1 |
20140337836 | Ismael | Nov 2014 | A1 |
20140344926 | Cunningham et al. | Nov 2014 | A1 |
20140351935 | Shao et al. | Nov 2014 | A1 |
20140380473 | Bu et al. | Dec 2014 | A1 |
20140380474 | Paithane et al. | Dec 2014 | A1 |
20150007312 | Pidathala et al. | Jan 2015 | A1 |
20150096022 | Vincent et al. | Apr 2015 | A1 |
20150096023 | Mesdaq et al. | Apr 2015 | A1 |
20150096024 | Haq et al. | Apr 2015 | A1 |
20150096025 | Ismael | Apr 2015 | A1 |
20150180886 | Staniford et al. | Jun 2015 | A1 |
20150186645 | Aziz et al. | Jul 2015 | A1 |
20150199513 | Ismael et al. | Jul 2015 | A1 |
20150199531 | Ismael et al. | Jul 2015 | A1 |
20150199532 | Ismael et al. | Jul 2015 | A1 |
20150220735 | Paithane et al. | Aug 2015 | A1 |
20150372980 | Eyada | Dec 2015 | A1 |
20160004869 | Ismael et al. | Jan 2016 | A1 |
20160006756 | Ismael et al. | Jan 2016 | A1 |
20160044000 | Cunningham | Feb 2016 | A1 |
20160127393 | Aziz et al. | May 2016 | A1 |
20160191547 | Zafar et al. | Jun 2016 | A1 |
20160191550 | Ismael et al. | Jun 2016 | A1 |
20160261612 | Mesdaq et al. | Sep 2016 | A1 |
20160285914 | Singh et al. | Sep 2016 | A1 |
20160301703 | Aziz | Oct 2016 | A1 |
20160335110 | Paithane et al. | Nov 2016 | A1 |
20170083703 | Abbasi et al. | Mar 2017 | A1 |
20180013770 | Ismael | Jan 2018 | A1 |
20180048660 | Paithane et al. | Feb 2018 | A1 |
20180121316 | Ismael et al. | May 2018 | A1 |
20180288077 | Siddiqui et al. | Oct 2018 | A1 |
Number | Date | Country |
---|---|---|
2439806 | Jan 2008 | GB |
2490431 | Oct 2012 | GB |
02006928 | Jan 2002 | WO |
0223805 | Mar 2002 | WO |
2007117636 | Oct 2007 | WO |
2008041950 | Apr 2008 | WO |
2011084431 | Jul 2011 | WO |
2011112348 | Sep 2011 | WO |
2012075336 | Jun 2012 | WO |
2012100088 | Jul 2012 | WO |
2012117465 | Sep 2012 | WO |
2012145066 | Oct 2012 | WO |
2013067505 | May 2013 | WO |
Entry |
---|
Lok Kwong et al: “DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis”, Aug. 10, 2012, XP055158513, Retrieved from the Internet: URL:https://www.usenix.org/system/files/conference/usenixsecurity12/sec12- -final107.pdf [retrieved on Dec. 15, 2014]. |
Marchette, David J., “Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint”, (“Marchette”), (2001). |
Margolis, P.E. , “Random House Webster's ‘Computer & Internet Dictionary 3rd Edition’”, ISBN 0375703519, (Dec. 1998). |
Moore, D. , et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910. |
Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34. |
Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg. |
Natvig, Kurt , “SANDBOXII: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002). |
NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987. |
Newsome, J. , et al., “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, In Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005). |
Newsome, J. , et al., “Polygraph: Automatically Generating Signatures for Polymorphic Worms”, In Proceedings of the IEEE Symposium on Security and Privacy, (May 2005). |
Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302. |
Oberheide et al., CloudAV.sub.—N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA. |
PCT/US2013/048739 filed Jun. 28, 2013, International Search Report and Written Opinion dated Feb. 21, 2014. |
Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doorn, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Appraoch to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”). |
Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25. |
Singh, S. , et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004). |
Spitzner, Lance , “Honeypots: Tracking Hackers”, (“Spizner”), (Sep. 17, 2002). |
The Sniffers's Guide to Raw Traffic available at: yuba.stanford.edu/.about.casado/pcap/section1.html, (Jan. 6, 2014). |
Thomas H. Ptacek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998). |
U.S. Appl. No. 13/892,193, filed May 10, 2013 Final Office Action dated Nov. 9, 2015. |
U.S. Appl. No. 13/892,193, filed May 10, 2013 Non-Final Office Action dated Jul. 8, 2015. |
U.S. Appl. No. 13/892,193, filed May 10, 2013 Non-Final Office Action dated Mar. 16, 2016. |
U.S. Pat. No. 8,171,553 filed Apr. 20, 2006, Inter Parties Review Decision dated Jul. 10, 2015. |
U.S. Pat. No. 8,291,499 filed Mar. 16, 2012, Inter Parties Review Decision dated Jul. 10, 2015. |
Venezia, Paul , “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003). |
Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350. |
Whyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages. |
Williamson, Matthew M., “Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9. |
Xuxian Jiang et al: “Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction”, ACM Transactions on Information and System Security, ACM, New York, NY, US, vol. 13, No. 2, Mar. 5, 2010 (Mar. 5, 2010), pp. 1-28. |
Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1. |
Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82. |
EP 13884161.4 filed Nov. 10, 2015 Examination Report dated Jun. 18, 2018. |
Ying Tie, et al., “A malware Sandbox System for Analyzing Multiple Samples in Parallel”, Computer Security Symposium 2012, Information Processing Society of Japan, Oct. 23, 2012, vol. 2012, No. 3, pp. 728-735. |
“Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003). |
“Packet”, Microsoft Computer Dictionary, Microsoft Press, (Mar. 2002), 1 page. |
“When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.isp?reload=true&arnumbe- r=990073, (Dec. 7, 2013). |
Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108. |
Adetoye, Adedayo , et al., “Network Intrusion Detection & Response System”, (“Adetoye”), (Sep. 2003). |
Adobe Systems Incorporated, “PDF 32000-1:2008, Document management—Portable document format—Part1:PDF 1.7”, First Edition, Jul. 1, 2008, 756 pages. |
AltaVista Advanced Search Results. “attack vector identifier”. Http://www.altavista.com/web/results?ltag=ody&pg=aq&aqmode=aqa=Event+Orch- estrator . . . , (Accessed on Sep. 15, 2009). |
AltaVista Advanced Search Results. “Event Orchestrator”. Http://www.altavista.com/web/results?ltag=ody&pg=aq&aqmode=aqa=Event+Orch- esrator . . . , (Accessed on Sep. 3, 2009). |
Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126. |
Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006. |
Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlag Berlin Heidelberg, (2006), pp. 165-184. |
Baldi, Mario; Risso, Fulvio; “A Framework for Rapid Development and Portable Execution of Packet-Handling Applications”, 5th IEEE International Symposium Processing and Information Technology, Dec. 21, 2005, pp. 233-238. |
Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77. |
Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists.org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003). |
Chaudet, C. , et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82. |
Chen, P. M. and Noble, B. D., “When Virtual is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”) (2001). |
Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012). |
Cisco, Configuring the Catalyst Switched Port Analyzer (SPAN) (“Cisco”), (1992). |
Clark, John, Sylvian Leblanc,and Scott Knight. “Risks associated with usb hardware trojan devices used by insiders.” Systems Conference (SysCon), 2011 IEEE International. IEEE, 2011. |
Cohen, M.I. , “PyFlag—An advanced network forensic framework”, Digital investigation 5, Elsevier, (2008), pp. S112-S120. |
Costa, M. , et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05, Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005). |
Crandall, J.R. , et al., “Minos:Control Data Attack Prevention Orthogonal to Memory Model”, 37th International Symposium on Microarchitecture, Portland, Oregon, (Dec. 2004). |
Deutsch, P. , “Zlib compressed data format specification version 3.3” RFC 1950, (1996). |
Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007). |
Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002). |
EP 13884161.4 filed Nov. 10, 2015 European Search Report dated Mar. 8, 2017. |
Excerpt regarding First Printing Date for Merike Kaeo, Designing Network Security (“Kaeo”), (2005). |
Filiol, Eric , et al., “Combinatorial Optimisation of Worm Propagation on an Unknown Network”, International Journal of Computer Science 2.2 (2007). |
FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010. |
FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010. |
FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011. |
Gibler, Clint, et al. AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. Springer Berlin Heidelberg, 2012. |
Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review, vol. 42 Issue 3, pp. 21-28. |
Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:http://www.informationweek.com/microsofts-honeymonkeys-show-patching-windows-works/d/d-d/1035069? [retrieved on Jun. 1, 2016]. |
Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase @ CMU, Carnegie Mellon University, 2007. |
Hjelmvik, Erik , “Passive Network Security Analysis with NetworkMiner”, (IN)Secure, Issue 18, (Oct. 2008), pp. 1-100. |
Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University. |
IEEE Xplore Digital Library Sear Results for “detection of unknown computer worms”. Http//ieeexplore.ieee.org/searchresult.jsp?SortField=Score&SortOrder=desc- &ResultC . . . , (Accessed on Aug. 28, 2009). |
Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011. |
Kaeo, Merike , “Designing Network Security”, (“Kaeo”), (Nov. 2003). |
Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6. |
Kim, H. , et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286. |
King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”) (2003). |
Krasnyansky, Max , et al., Universal TUN/TAP driver, available at https://www.kernel.org/doc/Documentation/networking/tuntap.txt (2002) (“Krasnyansky”). |
Kreibich, C. , et al., “Honeycomb-Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003). |
Kristoff, J. , “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages. |
Leading Colleges Select FireEye to Stop Malware-Related Data Breaches, FireEye Inc., 2009. |
Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711. |
Liljenstam, Michael , et al., “Simulating Realistic Network Traffic for Worm Warning System Design and Testing”, Institute for Security Technology studies, Dartmouth College (“Liljenstam”), (Oct. 27, 2003). |
Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011. |
“Mining Specification of Malicious Behavior”—Jha et al, UCSB, Sep. 2007 https://www.cs.ucsb.edu/.about.chris/research/doc/esec07.sub.--mining.pdf-. |
Didier Stevens, “Malicious PDF Documents Explained”, Security & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 9, No. 1, Jan. 1, 2011, pp. 80-82, XP011329453, ISSN: 1540-7993, DOI: 10.1109/MSP.2011.14. |
Hiroshi Shinotsuka, Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems, Oct. 26, 2012, http://www.symantec.com/connect/blogs/, pp. 1-4. |
Khaled Salah et al: “Using Cloud Computing to Implement a Security Overlay Network”, Security & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 11, No. 1, Jan. 1, 2013 (Jan. 1, 2013). |
Lastline Labs, The Threat of Evasive Malware, Feb. 25, 2013, Lastline Labs, pp. 1-8. |
Vladimir Getov: “Security as a Service in Smart Clouds—Opportunities and Concerns”, Computer Software and Applications Conference (COMPSAC), 2012 IEEE 36th Annual, IEEE, Jul. 16, 2012 (Jul. 16, 2012). |
Number | Date | Country | |
---|---|---|---|
Parent | 13892193 | May 2013 | US |
Child | 15351112 | US |