Embodiments of the disclosure relate to the field of cyber security. More specifically, embodiments of the disclosure relate to a system and method for selectively virtualizing resources to control associations between resources and processes that are operating within a VM-based sandbox environment and are being monitored to detect a threat in the form of a malicious attack.
Computers and other network devices deployed within an enterprise network rely on virtualization solutions for accessing system resources. For instance, applications, files or even registry values may be virtualized. However, such virtualization requires complete interception and redirection of user/application requests directed to a virtualized system resource, which can interfere with the detection of malicious behavior by the network device that is caused by an exploit or malware present in the device (generally referred to as a “security threat”).
Currently, there exist security appliances that operate within an enterprise network and utilize one or more virtual machines (hereinafter referred to as “VMs”) for analysis of network traffic for maliciousness. According to one deployment, each VM is configured to execute multiple processes concurrently (e.g., operating at least partially at the same time), where two or more of these processes support different versions of application software. Concurrent execution of multiple processes within a VM provides a more comprehensive threat detection solution than single process execution; however, it is extremely difficult to maintain and validate the accuracy of multiple installed applications, as well as to guarantee desired installed software configuration/plugins associations. In fact, installation of multiple versions of the same application may result in a software deployment that does not exist, and perhaps would have never existed on any end-user machine or backend server. Hence, the execution environment may not appear as a “real” machine to a security threat.
For instance, during installation of a new or updated version of application software, some older software components (e.g., dynamic-link library “dll”) may be overwritten with newer versions. As a result, certain malicious attacks may not be observed. For example, multiple versions of Microsoft® Office® may be installed within a system and supported by a VM, such as Office® 2007, Office® 2010 and Office® 2013. During installation, Office® 2007 installs a first dll to the system. During installation of Office® 2010, however, the first dll may be overwritten with a newer version. The removal of the first dll may configure the VM differently than its intended configuration for threat detection, which may cause some malicious attacks to go undetected. Hence, labor intensive reviews are required to ensure that, after undergoing any type of software configuration, a VM maintains an intended software configuration, which are costly and delay malware detection product releases.
More specifically, installing application versions 3.0 and 3.1 may result in an application runtime environment that is a combination of these application versions. If application version 3.0 loads a DLL (module), reads a registry key, or configuration file belonging to version 3.1, then the code path and memory layout result in a hybrid application version 3.0′, which is not equivalent to application version 3.0 or 3.1. If the area of logical change or memory layout change is the target of an exploit, the detection of the actual exploit may fail; however, such detection would have been successful, as the exploit may have run, on a real version 3.0 installation. These levels of runtime behavioral changes are difficult to validate during a quality assurance (QA) verification phase.
Additionally, each process may launch its corresponding application software with a selected software module that adds capabilities to existing application software, such as a unique version of an application plug-in. Hence, the VMs may have the same application software (e.g., Microsoft® Internet Explorer® version 9), but use different flash players (e.g., Adobe® Flash player 13 for one application version and Adobe® Flash player 16 for another application version).
The interchangeability between application software and plug-ins provides a multiplexed virtualization scheme where different versions of virtualized application software may be intentionally associated with different virtualized application plug-ins in order to increase the breadth of malware detection. However, due to the presence of time-out conditions, which require initialization of application plug-ins to be completed within a prescribed period of time after the application software has launched in the VM, it is contemplated that VMs within security appliances may not be configured with an intended application plug-in. Rather, in response to an occurrence of a time-out prior to completing initialization of an application plug-in, the virtualized application software may attempt an association with another application plug-in (e.g., a different version of application plug-in). Hence, again, the VM is now set with a configuration that is different than its intended configuration for threat detection. Without virtualization support it is very difficult to “correctly” simultaneously launch and utilize multiple plugins in multiple applications.
Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
Various embodiments of the disclosure relate to a platform configured with logic that conducts selective virtualization of resources or even entire applications to enhance malware detection. This selective virtualization may be adapted to control the association between processes and resources in order to provide a more comprehensive analysis for the presence of exploits and/or malicious code (hereinafter collectively referred to as “malware”) in an object under analysis.
According to one embodiment of the disclosure, the selective virtualization may be conducted to individual resources (e.g., files, registry key values, network ports, dynamic-link libraries, plug-in applications, etc.), which generally involves transparently modifying access to that resource and ensuring a reliable association between these resources and processes operating within a virtual machine (VM). Alternatively, the selective virtualization may be conducted in connection with a virtualized application (herein an “application package” described below). Both of these deployments may further utilize selective virtualization to obfuscate the presence of duplicated versions of resources (e.g., multiple versions of application software, dynamic-link libraries, etc.) that, if detected by malware that is present in an object under analysis, may allow the malware to evade detection by delaying activation.
According to a first embodiment of the disclosure, virtualization logic may be implemented as part of the user mode and/or the kernel mode of a virtual machine. The virtualization logic is configured to perform different virtualization operations based, at least in part, on the type of activity to be conducted to a resource in accordance with a monitored request. For instance, the virtualization logic may (i) intercept and redirect the request to a different portion of system code than originally targeted when the request is directed to a first subset of activities; and/or (ii) intercept and service the request when the request is directed to a second subset of activities.
Of course, it is contemplated that, for certain activities that are part of the first subset of activities, the data returned by the system code may be intercepted and manipulated by the virtualization logic prior to returning that data to the portion of the process that initiated the request. For instance, with respect to a Query Process request to list all active processes, the virtualization logic may intercept the returned data from the system code in order to obfuscate the presence of a certain process or processes so that it appears that a lesser number of processes are running on the platform.
More specifically, according to this embodiment of the disclosure, the virtualization logic comprises a first virtualization logic deployed in user mode of the virtual machine and a second virtualization logic deployed in kernel mode of the virtual machine. The first virtualization logic is configured to intercept and redirect a first type of request, which is associated with a particular activity that is independent of kernel involvement, to system code. Additionally, the first virtualization logic is configured to intercept a second type of request, which is associated with a particular activity that can be serviced by returning a value to a portion of the process that initiated that request.
Herein, the virtualization performed by the first virtualization logic is selective based, at least in part, on configuration data that may include a list of usage patterns provided from a source external to the VM. Each of the usage patterns comprises (1) one or more criterion that selectively control where a requested resource is subject to virtualization; and (2) the activities to be undertaken to perform such virtualization. As a result, the usage patterns provided to the first virtualization logic may differ from the usage patterns provided to the second virtualization logic. Alternatively, the configuration data, inclusive of the list of usage patterns, may be provided based on these patterns that are integrated into a VM (software) profile, implemented within a hypervisor (also referred to as a virtual machine monitor “VMM”), and/or implemented within a light hypervisor (VMM-LITE), as described below. The salient aspect is that the configuration data may be externally sourced, internally sourced, static, and/or updateable.
More specifically, the first virtualization logic may receive and store the provided usage patterns, which may be updated in a periodic or aperiodic manner. In response to detecting a request that is directed to a specific resource identified in one of the stored usage patterns, the first virtualization logic conducts one or more activities identified in that stored usage pattern. An example of such activities may involve redirecting the request by changing a file path associated with a Query Process Handle request and providing the modified Query Process Handle request to the system code. Another example may involve servicing a Query Window Handle request with a virtualized foreground window handle to account for keylogging malware that may have initiated the request.
Similarly, the second virtualization logic deployed within kernel mode may (i) intercept and redirect a third type of request, which is directed to a kernel-based activity, to the system code, and/or (ii) intercept a fourth type of request, which is directed to an activity that can be serviced by returning a value to a portion of the process that initiated the request. The first, second, third and fourth types of requests may be mutually exclusive.
The second virtualization logic receives and stores the usage patterns, which also may be updated in a periodic or aperiodic manner. In response to detecting a request that is directed to a particular system resource that matches a resource to undergo virtualization, the second virtualization logic conducts the activities identified in the stored usage pattern. An example of such activities may involve redirecting an Open File request by changing a file path to open a different file and providing the modified Open File request to the system code. Another example may involve servicing a Query Registry Value request by returning a value provided in a corresponding usage pattern.
It is contemplated that, instead of conducting virtualization of a particular resource (e.g., files, registry keys, etc.), which generally involves transparently modifying access to that resource, application software may be virtualized at the time of installation, thereby creating corresponding virtualized application packages. Each virtualized application package comprises registry data, file data, and other information that emulates the functionality of the virtualized application. This allows for virtualization of resources by fetching data within the virtualized application and/or obfuscation of different versions of applications running in the VM.
According to a second embodiment of the disclosure, instead of configuring the VM to conduct virtualization within the user mode and kernel mode, the virtualization logic may be deployed within a hypervisor. The hypervisor is configured to intercept and redirect requests associated with a first subset of activities as well as to intercept and service requests associated with a second subset of activities, as described below.
According to a third embodiment of the disclosure, instead of configuring the VM to conduct virtualization within the user mode and kernel mode as described in connection with the first embodiment, the virtualization logic may be deployed within a thin-hypervisor (sometimes referred to as an “light hypervisor”). In lieu of redirecting requests to system code, however, the light hypervisor is configured to route the redirected requests to the kernel mode and user mode of the platform for processing.
I. Terminology
In the following description, certain terminology is used to describe aspects of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such processing or storage circuitry may include, but is not limited or restricted to a (hardware) processor; one or more processor cores; a programmable gate array; a microcontroller; an application specific integrated circuit; receiver, transmitter and/or transceiver circuitry; storage medium including semiconductor memory or a drive; or combinatorial logic, or combinations of one or more of the above components.
Logic (or engine) may be in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library or dynamic-link library (dll), or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of a “non-transitory storage medium” may include, but are not limited or restricted to a programmable circuit; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device; and/or a semiconductor memory. As firmware, the executable code is stored in persistent storage.
The term “object” generally refers to a collection of data, whether in transit (e.g., over a network) or at rest (e.g., stored), often having a logical structure or organization that enables it to be classified for purposes of analysis. During analysis, for example, the object may exhibit a set of expected behaviors. The object may also exhibit a set of unexpected behaviors systematic of malicious activity that may provide evidence that the object may be classified as malicious.
In general, a “process” is an instance of software that is executed, sometimes in a virtual environment, for the processing of an object. It is contemplated that multiple processes may operate concurrently within a virtual machine or may operate successively with one process that is active (running) with any other processes being placed in an inactive (wait) state. A process may include multiple threads of execution (“threads”), where each thread is responsible for conducting different operations to the object and may operate successively or concurrently within the process. The processes and/or threads may share state information, memory and other resources.
A “platform” generally refers to an electronic device with connectivity to an external data source (e.g., network, other electronic device, etc.) that typically includes a housing that protects, and sometimes encases, circuitry with data processing and/or data storage. Examples of a platform may include a server or an endpoint device that may include, but is not limited or restricted to a stationary or portable computer including a desktop computer, laptop, electronic reader, netbook or tablet; a smartphone; a video-game console; or wearable technology (e.g., smart watch, etc.).
A “request” generally refers to information transmitted in a prescribed format that is requesting a particular activity to occur, normally in connection with various types of resources. Examples of these types of resources may include a file, a registry key, a socket (network) or other connector.
The term “transmission medium” is a physical or logical communication path with an endpoint device. For instance, the communication path may include wired and/or wireless segments. Examples of wired and/or wireless segments include electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), or any other wired/wireless signaling mechanism.
The term “computerized” generally represents that any corresponding operations are conducted by hardware in combination with software and/or firmware.
Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.
As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
II. General Architecture
Referring to
As shown in
In some embodiments, although not shown, interface 136 may be contained within the first TDP 1101. In other embodiments, the interface 136 can be integrated into an intermediary device in the communication path (e.g., a firewall, router, switch or other networked electronic device) or can be a standalone component, such as an appropriate commercially available network tap.
For this illustrative embodiment, however, the interface 136 may be configured to capture data that includes at least one object for analysis, and perhaps its corresponding metadata (or generate metadata based on the captured data). The metadata may be used, at least in part, to determine protocols, application types and other information that may be used by logic (e.g., scheduler 150 or virtual machine monitor) within the first TDP 1101 to determine particular software profile(s) used for virtual machine (VM) configuration and/or VM operation scheduling. For instance, the software profile(s) may be used for selecting and/or configuring one or more virtual machines (VMs) 1631-163M (M≥1) within a virtual analysis environment 162 of the dynamic analysis engine 160. These software profile(s) may be directed to different software or different versions of the same software application extracted from software image(s) fetched from a storage device 155.
As further shown in
The static analysis engine 140 may include processing circuitry that is responsible for extracting and/or generating metadata contained within and/or associated with incoming data from the processing engine 135 (e.g., network traffic, downloaded data). This metadata may be subsequently used for configuring one or more VMs 1631-163M within the virtual analysis environment 162 for conducting a dynamic analysis of the object associated with that metadata.
Referring still to
Upon static analysis of the features of the object 145, the static analysis engine 140 determines whether this object is “suspicious,” namely the object 145 has features that suggest it is associated with a malicious attack. As a result, the static analysis engine 140 may pass this suspicious object 148 to the dynamic analysis engine 160 for more in-depth analysis in a VM-based operating environment.
More specifically, after analysis of the features of the object 145 has been completed, the static analysis engine 140 may provide some or all of the object 145 as the suspicious object 148 to the dynamic analysis engine 160 for in-depth dynamic analysis by one or more VMs 1631-163M of the virtual analysis environment 162. For instance, according to one embodiment of the disclosure, a first VM 1631 may be adapted to execute one or more processes (e.g., process 164) for processing the suspicious object 148 and conduct selective virtualization during such processing.
Herein, according to one embodiment, the first VM 1631 executes process 164, which processes suspicious object 148 and the behaviors during such processing are captured by a first monitoring logic 165 and a second monitoring logic 167. Operating in conjunction or closely with the process 164, the first monitoring logic 165 comprises first virtualization logic 166, which is configured to intercept requests initiated (by process 164) during processing of the suspicious object 148. In response to detecting requests associated with a first subset of activities that are handled by the first VM 1631 in user mode (e.g., actions or inactions associated with a time query, a process handle query, etc.), the first virtualization logic 166 determines whether a resource associated with the request is to be virtualized. Such virtualization ensures an association between process 164 executing in the first VM 1631 and specific resources in an effort to improve threat detection and/or obfuscate the presence of duplicated versions of an application and/or resource that may identify to malware that it is executing within a sandbox environment.
For instance, in response to a request for a handle for a particular application plug-in utilized by application software associated with the process 164, the first virtualization logic 166 accesses stored configuration data, perhaps including usage patterns or an application package, to determine whether the application plug-in is to be virtualized. If, according to the configuration data, the application plug-in identified in the request is to be virtualized to another version (or type) of application plug-in, the first virtualization logic 166 may redirect the request by altering a pointer contained in the request to a different application plug-in. As a result, the handle for the different application plug-in is returned to the portion of the process 164 that initiated the request.
Another virtualization operation may involve the first virtualization logic 166 receiving a time-of-day request, where the process 164 may be configured to focus its analysis on whether the suspicious object 148 includes time-bomb malware. Hence, the process 164 accesses stored configuration data to detect whether the resource (e.g., time-of-day value) is to be virtualized, and in response, the first virtualization logic 166 may service the request by altering the time-of-day to a time value different than the actual time in order to better detect time-bomb malware.
Additionally, in response to detecting requests associated with a second subset of activities that are handled by the first VM 1631 in kernel mode (e.g., opening file, changing a registry key value, and/or establishing a network connection), the second virtualization logic 168 determines whether a system resource associated with the request is to be virtualized. This may be accomplished by the second virtualization logic 168 accessing stored configuration data, perhaps including usage patterns or the application package to determine whether the system resource associated with the request is to be virtualized. If so, the second virtualization logic 168 alters the system resource (e.g., pointer to a first file) to a virtualized resource (e.g., pointer to a second file that is different than the first file). As a result, for this example, the second (virtual) file is opened in lieu of the first file.
Referring still to
According to one embodiment of the disclosure, the dynamic analysis engine 160 may be adapted to execute one or more VMs 1631-163M that simulate processing of the suspicious object 148 within a run-time environment. For instance, dynamic analysis engine 160 may include processing logic 161 to provide anticipated signaling to the VM(s) 1631, . . . , and/or 163M during virtual processing, and as such, emulate a source of and/or destination for communications with the suspicious object 148. As an example, the processing logic 161 may be adapted to operate in combination with process 164 to provide simulated key inputs from a keyboard, keypad or touch screen, as requested by the suspicious object 148.
More specifically, as shown in
Applications may have a single thread 2001 of execution or I-number of threads, 2001-200I. The cases discussing multiple threads of interactions may degenerate to the single thread cases. Not all processes have multiple threads.
The processing of the first thread 2001 may cause certain activities to occur such as opening the browser application, where other threads (not shown) may cause other activities to occur (e.g., establishing I/O connections, detecting keystrokes, and/or displaying data). These activities (sometimes also referred to as “events”) are monitored by second monitoring logic 168. In contrast, the processing of the second thread 2002 may cause certain events to occur such as accessing a real-time clock, where if the event is to be virtualized, may service a different time than provided by the real-time clock.
As still shown in
Referring to both
Referring to
As shown in
Referring now to
Processor(s) 300 is further coupled to persistent storage 340 via a second transmission medium 330. According to one embodiment of the disclosure, persistent storage 340 may include (a) processing engine 135; (b) static analysis engine 140; (c) the dynamic analysis engine 160 that includes the processing logic 161 and the virtual analysis environment 162 that includes VM(s) 1631-163M with at least some of which including virtualization logic 166/168; (d) classification engine 180; (e) reporting engine 190; and/or (f) one or more data stores 350 that are utilized by processing engine 135, static analysis engine 140, dynamic analysis engine 160, classification engine 180, and/or reporting engine 190. Of course, when implemented as hardware, one or more of these engines (or logic units) could be implemented externally from the first TDP 1101.
Collective logic within the dynamic analysis engine 160 may be configured to monitor and virtualize certain resources in order to enhance malware detection by (1) ensuring that certain resources are associated with certain processes so that desired virtual environments are maintained for testing; (2) obfuscating duplicative resources to provide an appearance of a normal operating environment to objects under analysis; and/or (3) alter the operating environment to customize to a particular environment that may be subject to a higher frequency of attack (e.g., content of a network device maintained by a high-ranking government employee, officer of a company, etc.).
III. VM-Based Selective Virtualization
Referring to
The virtualization management logic 410 is responsible for configuring the user-mode configuration data 422 and 602 in
According to one embodiment of the disclosure, the first virtualization logic 166 is initially configured with access to virtualization configuration data 422 (hereinafter “configuration data”), which includes interception points 430 (e.g., hooks, breakpoints, filter drivers, etc.) that are used to identify selected requests for a resource or multiple resources that are to be virtualized.
For some embodiments, as shown for resource-specific virtualization in
Additionally, the configuration data 422 may optionally include obfuscation data 440 that is used by the first virtualization logic 166 to obfuscate the presence of a resource or an entire set of resources (e.g., application package in
It is contemplated that the configuration data 424, which is accessible to the second virtualization logic 168, may be identical or substantially identical to the configuration data 422 (e.g., identical usage patterns but different interception points), as shown. For instance, the interception points 430 accessible to the first virtualization logic 166 may differ from the interception points 432 accessible to the second virtualization logic 168. Alternatively, it is contemplated that the configuration data 422 may differ from the configuration data 424, as the usage patterns that are part of the configuration data 422 may differ from the usage patterns that are part of the configuration data 424 and/or the obfuscation data 440 that is part of the configuration data 422 may differ from the obfuscation data 442 that is part of the configuration data 424.
In general, each of the plurality of usage patterns 4201-420X may include criteria to selectively control which resources are subject to virtualization. Also, each of the plurality of usage patterns 4201-420X identifies the activities to be undertaken to perform such virtualization. According to one embodiment of the disclosure, as shown in
As an illustrative example, with respect to usage pattern 4201, a first parameter 470, a second parameter 472 and/or a third parameter 474 may represent factors that are used to selectively determine whether to conduct a virtualization of one or more requested resources. These factors may be used to restrict the virtualization activities associated with the usage pattern 4201 based on the particular type of object under analysis, the particular type of platform on which the object is being processed, or other metadata that further characterize the object and/or platform type.
For instance, as shown in
As further shown in
As further shown in
Additionally, an eighth parameter 484 may include an identifier of the particular resource that is to undergo virtualization (e.g., a particular handle, a path for accessing data such as a file path, a particular registry key value, etc.), and a ninth parameter 486 may include virtualized data for use in conducting the virtualization operation (e.g., an alternative handle, an alternative path, etc.).
As an optional feature, usage patterns directed to the redirection virtualization scheme (e.g., usage pattern 4201) may further include a tenth parameter 488 that represents a virtualization flag to identify when virtualization occurs for an “intercept and redirect” virtualization scheme. Herein, the virtualization flag 488 may represent with a tri-state value; namely (1) “Enable” for virtualization of pre-operation data (prior to conducting operations associated with the request), (2) “Enable” for virtualization of post-operation data (data after conducting operations associated with the request), and (3) “Enable” for various output operations (Pre-operation and Post-operation).
According to one illustrative embodiment, the actual implementation may involve a multi-bit flag. As an illustrative example, the operations of the virtualization flag may comprise the following: (1) setting a first bit causes virtualization to occur at the input (pre-operation); (2) setting of a second bit causes virtualization to occur at the output (post-operation), in connection with the information returned from the system code; (3) setting of a third bit causes a first type of virtualization scheme to be conducted (e.g., intercept and service); and (4) setting of a fourth bit causes a second type of virtualization scheme (e.g., intercept and redirect) to be conducted. Of course, alternatively, another detection scheme besides use of a virtualization flag, such as a parameterized algorithm for example, may be used.
Referring back to
The virtualization management logic 410 includes the event log 169, event reporting logic 412 and configuration monitoring logic 414. According to one embodiment of the disclosure, the event reporting logic 412 is responsible for generating data 416 associated with the monitored events, which may be uploaded into the data store 170 and subsequently included as part of the VM-based results 175 provided to the classification engine 180 as illustrated in
The configuration monitoring logic 414 is configured to detect an update 426 to the configuration data 422 and/or 424, which may be downloaded from management system 120, cloud services 138 and/or another TDP (e.g., TDP 1102 or 1103) of
Additionally or in the alternative, in lieu of simply uploading and subsequent using the update configuration data 426 without modification, the content within one or more of the update usage patterns 426X+1 may be altered prior to passing them to (i) the first virtualization logic 166 to update the configuration data 422 and/or (ii) the second virtualization logic 168 to update the configuration data 424. Modification in the content of one or more of the usage patterns, interception points and/or obfuscation data within configuration data 422/424 may be conducted by configuration monitoring logic 414 based on signaling 418 from an external source. The signaling 418 allows for customization of usage patterns, interception points and/or obfuscation data by a network administrator, which provides selective virtualization on a per customer basis.
As an illustrative example, when flash dlls are switched between multiple versions of a browser application, the flash-version/browser-version association may be dynamic in nature. Based on an external input, a first version of a browser application may be selected to operate with a particular flash version on a flash dll list. Subsequently, a different version of the browser application may be selected, but based on external input, the same particular flash version may get associated with this version of the browser application. In general terms, associations between resources and/or processes can be selectively controlled by the customer.
Referring still to
Referring now to
Thereafter, the contents of the request 505 are analyzed to determine whether a resource associated with the request 505 is to be virtualized. The virtualization is selectively based, at least in part, on a number of mutually exclusive factors as identified in
As an alternative, it is contemplated that, upon receipt of the request 505, the intercept logic 500 may be configured to determine the active process (or thread) that initiated the request 505 in lieu of reliance on correspondence between a particular interception point and one or more usage patterns. Thereafter, the intercept logic 500 may access some of the usage patterns 4201-420y that are applicable to this process (or thread). It is noted that, for clarity sake, selective virtualization at a process-level is described, although selective virtualization at a thread-level may be conducted.
Upon detecting that the resource is to be virtualized, depending on the type of virtualization scheme to be utilized, the request 505 is provided to either the redirect logic 520 or the servicing logic 540 along with information to complete the request 505.
More specifically, as an illustrative example, upon receipt of the request 505, such as an API call that constitutes a foreground window handle query (hereinafter “Query Foreground Window Handle request”) from the first process 4501 (and/or the particular thread of the first process 4501), the intercept logic 500 may determine whether any of the usage patterns 4201-420X are associated with the identifying intercept point 430.
In response to identifying a subset of the usage patterns 4201-420X (e.g., usage patterns 4201-420Y, where 1≤Y≤X) that are associated with the identifying intercept point 430, the intercept logic 500 determines whether any of these usage patterns 4201-420Y correspond to a foreground window handle query and whether selected criterion within the usage patterns 4201-420Y (e.g., object type, or platform type, etc.) are satisfied by metadata associated with the object and/or information associated with the request 505. If so, the intercept logic 500 determines the virtualization scheme to be undertaken (e.g., intercept and service), and in response, may provide the request 505 and virtualized data 510 for servicing the request 505 via signaling (RTN_1). This virtualized data 510 may include a particular window handle (e.g., the handle for a particular browser type such as Internet Explorer®, FireFox®) and/or an address pointer or other type of identifier for the servicing logic 540 to procure the particular window handle. The particular window handle is returned by the servicing logic 540 to the portion of the first process 4501 that initiated the request 505 in order to complete the request 505.
Of course, prior to servicing the request 505, it is contemplated that the intercept logic 500 may conduct further modifications to the virtualized data 510 in accordance with obfuscation data 440, such as removing one or more variables or other sensitive information associated with the virtualized data 510 or substituting the virtualized data 510 with data that causes the servicing logic 540 to return an error code. Thereafter, the virtualized data 510 would be passed to the servicing logic 540 to complete the request 505.
As another illustrative example, upon intercepting the request 505, such as an API call that constitutes a process handle query (hereinafter “Query Process Handle request”) from the first process 4501, similar to the discussion above, the intercept logic 500 may determine whether any of the usage patterns 4201-420X correspond to the identifying intercept point 430.
In response to identifying a subset of the usage patterns 4201-420X (e.g., usage patterns 4201-420Y) that are applicable to identifying intercept point 430, the intercept logic 500 determines whether any of these usage patterns 4201-420Y correspond to a Query Process Handle request and whether selected criterion within usage patterns 4201-420Y (e.g., object type, or platform type, etc.) is satisfied by metadata associated with the object under analysis and/or information associated with the request 505. If so, according to one embodiment of the disclosure, the intercept logic 500 determines the virtualization scheme to be undertaken (e.g., intercept and redirect).
Responsive to the virtualization flag associated with that usage pattern being set to denote virtualization of input data, the intercept logic 500 provides the request 505 and the virtualized data 515 to the redirect logic 520. Examples of the virtualized data 515 may include an alternative path (C:\Program Files\ Common Files\Microsoft Shared\Backup\process_xyz.dll), which differs from the path (C: \Program Files\Common Files\Microsoft Shared\process_xyz.dll) normally associated with the Query Process Handle request for the first process 4501.
Thereafter, the redirect logic 520 modifies the request 505 and forwards a modified Query Process Handle request 525 to the system code (not shown), which accesses resources targeted by the alternative path. The process handle associated with the alternative path (hereinafter referred to as the “virtualized process handle 530”) is returned to the redirect logic 520 and subsequently passed to the intercept logic 500. The intercept logic 500 provides the virtualized process handle 530 (and/or information associated with request 505) to the servicing logic 540 to complete the request 505.
It is contemplated that, prior to passing the virtualized process handle 530 to the servicing logic 540, the intercept logic 500 may conduct further modifications to the virtualized process handle 530 in accordance with obfuscation data 440, such as removing one or more variables associated with the virtualized process handle 530 so that only a subset of the returned variables are enumerated or substituting the virtualized process handle 530 with data that may cause the servicing logic 540 to return an error code. Thereafter, the modified, virtualized process handle 535 is passed to the servicing logic 540 to complete the request 505. Hence, obfuscation may be conducted after virtualization or, as described in
Alternatively, as shown in
It is contemplated that the intercept logic 500 may conduct further modifications to the modified process handle 537 in accordance with obfuscation data 440 in order to add and/or remove certain information before passing the handle 537 (or perhaps data associated with an error code) to the servicing logic 540 to complete the request 505.
Referring back to
More specifically, the second virtualization logic 168 features intercept logic 550, redirect logic 570 and servicing logic 590. As described above, the request 505 may be intercepted by the intercept logic 550 and analyzed to determine whether a resource associated with the request 505 is to be virtualized. Such analysis may involve (i) determining which of the usage patterns (e.g., usage patterns 4201-420Z) are associated with a particular interception point that identified (e.g., hooked) the request 505 (referred to herein as the “identifying intercept point 432”) and (ii) comparing content within the request 505 and/or metadata associated with the object 148 of
Upon detecting that the resource is to be virtualized, depending on the type of virtualization scheme to be utilized, the request 505 is provided to either the redirect logic 570 or the servicing logic 590 along with virtualized data to complete the request 505.
More specifically, as an illustrative example, upon receipt of the request 505 (e.g., a Query Registry Value request) from the first process 4501, the intercept logic 550 may determine whether any of the usage patterns 4201-420X are associated with the identifying intercept point 432. In response to identifying a subset of the usage patterns 4201-420X (e.g., usage patterns 4201-420Z) that are applicable to identifying intercept point 432, the intercept logic 550 determines whether any of these usage patterns 4201-420Y correspond to a Query Registry Value request and whether selected criterion within usage patterns 4201-420Z (e.g., object type, platform type, or the like in
If so, the intercept logic 550 determines the virtualization scheme to be undertaken (e.g., intercept and service), and in response, provides the request 505 and virtualized data 555 for servicing the request 505. This virtualized data 555 may include a particular registry key value and/or an address pointer or other type of identifier for the servicing logic 590 to procure the particular registry key value. The particular registry key value is returned by the servicing logic 590 via signaling (RTN_2) to the portion of the first process 4501 that initiated the request 505 in order to complete the request 505.
As another illustrative example, upon receipt of the request 505 (e.g., an Open File request) from the first process 4501, the intercept logic 550 may determine whether any of the usage patterns 4201-420X are applicable to the identifying intercept point 432. In response to identifying a subset of the usage patterns 4201-420X (e.g., usage patterns 4201-420Z) that are applicable to identifying intercept point 432, the intercept logic 550 determines whether any of these usage patterns 4201-420Z correspond to an Open File request and whether selected criterion within usage patterns 4201-420Z (e.g., object type, or platform type, etc.) are satisfied by metadata associated with the object under analysis and/or information associated with the request 505.
If so, according to one embodiment of the disclosure where the virtualization flag associated with that usage pattern being set to denote virtualization of input data, the intercept logic 550 determines the virtualization scheme to be undertaken (e.g., intercept and redirect), and in response, provides the request 505 and virtualized data 560, which may include an alternative file path (C://Program Files/Backup/file.pdf) that differs from the path (C://Program Files/Current/file.pdf) normally associated with the particular requested file, to the redirect logic 570.
Thereafter, the redirect logic 570 passes a modified Open File request 575 to the system code (not shown), which accesses a file referenced by the alternative file path. The file handle associated with the alternative file path (hereinafter referred to as the “virtualized file handle 580”) is returned to the redirect logic 570. The virtualized file handle 580 may be subsequently passed via the intercept logic 550 to the servicing logic 590 to complete the request 505. Of course, it is contemplated that the intercept logic 550 may conduct further modification to the virtualized file handle 580 in accordance with the obfuscation data 442, such as removing one or more variables associated with the virtualized file handle 580 or substituting the virtualized file handle 580 with data that causes the servicing logic 590 to return an error code. Thereafter, a modified, virtualized file handle 585 is returned by the servicing logic 590 to complete the request 505.
Alternatively, as shown in
It is contemplated that the intercept logic 550 may conduct further modifications to the modified file handle 587 in accordance with obfuscation data 442 in order to add and/or remove certain information before passing the handle 587 to the servicing logic 590 to complete the request 505.
Referring to
Herein, the obfuscation data 612 includes data that is configured to obfuscate the presence of application software. Illustrative examples of manners of obfuscation that are controlled through use of the obfuscation data 612 by the first virtualization logic 166 may include, but are not limited or restricted to the following: (1) preventing display of certain information associated with a particular application software; (2) altering display of certain information associated with the particular application software so that it appears to be present in the system; and/or (3) renaming the particular application software.
As further shown in
At the time of configuration of the first VM 1631, the first virtualization logic 166, the second virtualization logic 168, and the virtualization management logic 410 are installed. The first virtualization logic 166 and the second virtualization logic 168 are initially configured with access to configuration data 602/604, which includes application obfuscation data 612/614, interception points 622/624 that are used to identify selected requests for resources that are virtualized, and/or application package(s) 632/634 that includes virtualized software components for one or more virtualized applications.
Herein, it is contemplated that application obfuscation data, namely obfuscation data 612 which is accessible to the first virtualization logic 166, may be identical to obfuscation data 614 that is accessible to the second virtualization logic 168. Alternatively, it is contemplated that the obfuscation data 612 may differ from the obfuscation data 614, as requests handled in user mode 400 differ from requests that are handled in kernel mode 460. The interception points 622/624 and/or the application package(s) 632/634 may be identical or may differ from each other as well.
In general, obfuscation data 612/614 identifies which virtualized resources or applications are to be obfuscated. The obfuscation data 612/614 may comprise an application type identifier, a handle (or name) of the application, and a tag that, when set, identifies that the application is to be obfuscated. When an application is obfuscated, the first virtualization logic 166 and/or the second virtualization logic 168 operate to preclude normal servicing of a request, which would identify the presence of an obfuscated application (e.g., particular Query Directory request, Query Application Handle request, etc.). For instance, upon detecting a directory request that would identify the presence of an application tagged for obfuscation, even though the application is running in the first VM 1631, the first virtualization logic 166 or the second virtualization logic 168 that is servicing the request returns an error code or a displayable statement, which is normally generated when the application is actually absent from the platform.
Referring still to
The virtualization management logic 410 includes the configuration monitoring logic 414, which is configured to detect an update to the configuration data 602 and/or 604, where the update configuration data 620 is downloaded from management system 120, cloud services 138 and/or another TDP (e.g., TDP 1102 or 1103) of
Referring still to
More specifically, upon receipt of the Query Directory request 630 (e.g., a Query for retrieval of stored applications, documents and other content) from a calling routine within the process 4501, the first virtualization logic 166 determines which of the interception points 622 identified (e.g., hooked) the Query Directory request 630 (hereinafter referred to as “identifying intercept point 622”).
Thereafter, the contents of the request 505 are analyzed to determine whether a resource associated with the request 630 is to be virtualized. The virtualization is selectively based, at least in part, on the presence of one of the application package(s) 632 that features the requested, virtualized resource. If so, the first virtualization logic 166 determines the virtualization scheme to be undertaken (e.g., intercept and service).
In response to determining that the virtualization scheme for the handling of a Query Directory request 630 is an “intercept and service” virtualization scheme, before servicing the request 505, the first virtualization logic 166 may access the obfuscation data 614 to identify those applications and/or resources that are selected to be hidden. Hence, the first virtualization logic 166 may return handles associated with applications, folders, documents and other items to the first process 4501, but would exclude handles associated with resources that are unique to any of the application package(s) 632 that are identified for obfuscation.
As another illustrative example, upon receipt of the request 640 (e.g., Open File request that is hooked during transmission from user mode 400 to kernel mode 460 by one of the interception points 624), the second virtualization logic 168 may determine which of the application package(s) 634 (e.g., a first application package 634) corresponds to the identifying intercept point 624 that hooked the request 640. According to one embodiment of the disclosure, before servicing the request 640 by fetching a file path from the first application package 634 to complete the Open File request 640, the second virtualization logic 168 may access the obfuscation data 614 to identify the first application package 634 or certain resources within the first application package 634 are subject to obfuscation.
In the event that the requested file is associated with the first application package 634, according to one embodiment of the disclosure, the second virtualization logic 168 generates a modified Open File request having an alternative file path (C://Program Files/error/msg1.txt). The alternative file path obfuscates the presence of the requested file which, in turn, may denote the presence of application software represented by the first application package. This obfuscation is conducted to reduce the possibility of malware evading detection by determining that the object is being processed in a sandbox environment (e.g., on the first VM 1631).
Thereafter, although not shown, the second virtualization logic 168 forwards a modified Open File request to the system code (not shown), which accesses the error message (msg1.txt) referenced by the alternative file path (C://Program Files/error/msg1.txt). The error message may be returned to the second virtualization logic 168 and subsequently serviced to complete the Open File request 640.
As yet another illustrative example, upon receipt of the request 640 (e.g., the Open File request), the second virtualization logic 168 may determine which of the application package(s) 634 (e.g., a first application package 634) correspond to the identifying intercept point 624 that hooked the request 640. In the event that the requested file is associated with the first application package 634, according to one embodiment of the disclosure, the second virtualization logic 168 determines what virtualization scheme is to be undertaken (e.g., intercept and redirect), and in response, the second virtualization logic 168 generates a modified Open File request having an alternative file path to a virtualized file that is part of the first application package 634.
Thereafter, although not shown, the second virtualization logic 168 forwards a modified Open File request to the system code (not shown), which returns information to the second virtualization logic 168 for opening the requested file. Prior to servicing the request 640, the first virtualization logic 166 may access the obfuscation data 614 to identify when applications and/or resources that are selected to be hidden. In response to detecting that the requested file is part of the obfuscated, first application package 634, the first virtualization logic 166 may return and error message (msg1.txt) to complete the Open File request 640.
It is contemplated that a hybrid selective virtualization scheme may be formulated by a combination of the operations described in
IV. VMM-Based Selective Virtualization
Referring now to
As shown, the hypervisor 700, also referred to as a virtual machine monitor (VMM), manages operability of one or more virtual machines (VM) 7201-720J (J≥1), including processing of the guest OS, and is configured to detect and control the handling of requests, including system calls. The hypervisor 700 may be a “Type 1” hypervisor that runs directly on hardware or a “Type 2” hypervisor that runs on a host operating system (Host OS). Herein, the hypervisor 700 runs on a Host 730, which may be hardware associated with the TDP 1101 or its Host OS.
More specifically, according to one embodiment of the disclosure, one or more processes (not shown) may be running in user mode of a first VM 7201. Each process may be assigned a unique process identifier (PID) at start time, or perhaps prior to or subsequent to execution by the first VM 7201.
In communication with the first VM 7201, the hypervisor 700 comprises VMM management logic 735 in communication with intercept logic 750, servicing logic 760 and redirect logic 770. In response to a request 740 (e.g., a system call) generated by process 725 during virtual processing of the suspicious object, the VMM management logic 735 temporarily halts execution the first VM 7201. By halting execution, an instruction pointer is maintained at the virtual memory address associated with the request 740. Thereafter, the VMM management logic 735 invokes and passes operation control to the intercept logic 750.
The intercept logic 750 determines whether the request 740 is directed to a virtualized resource by determining an association between the interception point 753 that identified (e.g., hooked) the request 740 and one or more of the usage patterns 7541-754X. If the request 740 is directed to a virtualized resource, the intercept logic 750 determines what virtualization scheme is to be conducted in connection with the resource (e.g., Intercept & Service; Intercept & Redirect). Additionally, for selective virtualization involving intercepting and redirecting requests, the intercept logic 750 may further determine when the virtualization scheme is to be conducted (e.g., at input and/or output) through the tri-state virtualization flag described above.
For a first type of virtualization scheme (Intercept & Service), the intercept logic 750 invokes servicing logic 760, which analyzes state information associated with the first VM 7201 to determine a memory location for placement of data returned in response to the request 740. Thereafter, the virtualized data is inserted into the memory location, the instruction pointer is changed to reference an end of a function associated with the system call 740, and the first VM 7201 resumes. As a result, the first VM 7201 continues as if the system call 740 has been completed.
For a second type of virtualization scheme (Intercept & Request), the intercept logic 750 invokes redirect logic 770 and provides the virtualized data 755 (e.g., an alternative path, alternative handle, etc.) to the redirect logic 770. Thereafter, the redirect logic 770 modifies the system call 740, returns the modified system call 745 to the first VM 7201 to resume. As an optional feature, the process may be further altered by setting an interception point (e.g., breakpoint, call, etc.) at the end of the system call, which causes the hypervisor 700 to stop the process again and invoke the intercept logic 750. At this point, based on the configuration data, the redirect logic 770 may conduct further changes.
Alternatively, upon determining the virtualization scheme to be undertaken (e.g., intercept and redirect) and the virtualization flag is not set, the intercept logic 750 invokes the redirect logic 770, which inserts an interception point (e.g., breakpoint, API call, etc.) at the end of the system call 740, and causes the first VM 7201 to resume. Upon completion of the system call, a call is initiated that prompts the hypervisor 700 to temporarily halt execution of the first VM 7201 again and invoke the intercept logic 750. At this point, based on the configuration data 751, the redirect logic 770 may alter data associated with the requested resource.
More specifically, as an illustrative example, upon receipt of the request 740 (e.g., a Query Registry Value request) from a calling routine within a process, the hypervisor 700 temporarily halts operations of the first VM 7201 and invokes the intercept logic 750. Initially, the intercept logic 750 accesses the configuration data 751 to determine whether the request 740 is associated with a prescribed interception point 753 (e.g., a particular hook, breakpoint, or API call). If so, the intercept logic 750 further accesses some or all of the usage patterns 7541-754X to determine criteria for conducting virtualization of a requested resource in accordance with the usage patterns 7541-754X, the type of request (“Query”) and the particular resource associated with the request 740 (registry_key_1).
In the event that the request 740 is directed to a virtualized resource (e.g., sufficient compliance with the criteria in at least one of the usage patterns such as usage pattern 7541), the intercept logic 750 determines what virtualization scheme is to be conducted to the resource (e.g., Intercept & Service). The intercept logic 750 invokes and provides the request 740 and virtualized data 755 acquired from the usage pattern 7541 to the servicing logic 760. The servicing logic 760 analyzes state information associated with the first VM 7201 to determine a memory location for placement of the virtualized data to be returned for the value of registry_key_1 in response to the Query Registry Key request 740 and a targeted location for the instruction pointer upon resumption in VM processing. Thereafter, the virtualized data is inserted into the memory location, the instruction pointer is positioned at the end of the Query Registry key function and the first VM 7201 resumes. As a result, the first VM 7201 continues with the virtualized data as the returned registry value.
As another illustrative example, upon detecting the request 740 (e.g., “Open” system call to open a particular file transitioning from a calling routine within the user mode to driver logic within the kernel mode), the hypervisor 700 temporarily halts operations of the first VM 7201 and invokes the intercept logic 750. Initially, the intercept logic 750 accesses the configuration data 751 to determine whether the request 740 is associated with a prescribed interception point 753 (e.g., a particular system call, request between software drivers, etc.). If so, the intercept logic 750 further accesses some or all of the usage patterns 7541-754X to determine whether any of the usage patterns 7541-754X is associated with the prescribed interception point 753 and criteria set forth in the particular usage pattern, which may include object type, platform type, the type of request (“Open”), the particular resource associated with the request 740 (C:\Program Files\Test Files\xyz.pdf), and/or other criterion identified in
In the event that the request 740 is directed to a virtualized resource based on identifying an applicable usage pattern (e.g., usage pattern 7541) that is associated with the interception point 753, the intercept logic 750 may determine what virtualization scheme is to be conducted to the resource (e.g., Intercept & Redirect). In the event that virtualization flag is set to identify that virtualization is to be conducted to input data, the intercept logic 750 invokes the redirect logic 770 and provides the request 740 and the virtualized data 760, namely the alternative file path (C:\Program Files\Test Files\xyz.pdf) acquired from the usage pattern 7541, to the redirect logic 770. The redirect logic 770 modifies the Open File request 740 with the alternative file path, and returns the modified Open File request 747 to the kernel mode 460 and the first VM 7201 resumes. As an optional feature, an interception point (e.g., system call, etc.) may be inserted at the end of the Open File request 740, which causes the hypervisor 700 to stop the first VM 7201 upon completion of the Open File function and invoke the intercept logic 750. At this point, based on the configuration data 751, the redirect logic 770 may alter stored data associated with the request 740.
Alternatively, upon determining the virtualization scheme to be undertaken (e.g., intercept and redirect) and the virtualization flag is set to identify that virtualization is to be conducted to returned data, the intercept logic 750 invokes the redirect logic 770, which inserts an interception point (e.g., API call, syscall, etc.) at the end of the Open File call 740 and causes the first VM 7201 to resume. Upon completion of the Open File call 740, a request is initiated that prompts the hypervisor 700 to temporarily halt execution of the first VM 7201 and invoke the intercept logic 750. At this point, based on the configuration data, the redirect logic 770 analyzes state information associated with the first VM 7201 to determine a virtual memory location in which the file path for the targeted file is stored. Thereafter, the redirect logic 770 substitutes the stored file path with the alternate file path and causes the first VM 7201 to resume.
V. Light Hypervisor-Based Selective Virtualization
Referring now to
While it is contemplated that the invention may be deployed in any device type (e.g., server, network appliance, network appliance), an illustrative embodiment of platform 805 in a smartphone form factor and deploying light hypervisor-based virtualization functionality is shown. Herein, the light hypervisor 800 is stored within a memory 810 encased within a housing 820 of the smartphone 805 having a display 830. Operating during normal run-time at which time an application 840 and/or an operating system (OS) 845 are being executed by processor 825, the light hypervisor 800 is configured to trap requests to the OS 845 (in kernel mode), even requests originating from application 840. Thereafter, if the requests are directed to selected resources that are virtualized, the intercept logic 850, the servicing logic 860 and the redirect logic 870 collectively operate to perform visualization of selected resources in a manner similar to the operations conducted by the hypervisor 700 of
Referring to
Herein, as an illustrative example, the light hypervisor 800 may be disposed or layered beneath the operating system kernel 920 of the platform 805 (and/or directly on native hardware 900) to thereby virtualize the hardware and control privileges (e.g., access control permissions) to hardware 900 of the platform 805 that are typically controlled by the operating system kernel. Illustratively, the hardware 900 may include (physical) processor(s), memory, network interface(s), and/or other devices. The light hypervisor 800 may be configured to control access to one or more resources of the hardware 900 in response to a request to OS functionality in the kernel mode 920.
The light hypervisor 800 may provide a virtualization layer having less functionality than a typical hypervisor. Accordingly, the light hypervisor 800 may cooperate with a hypervisor (VMM) (not shown) to provide additional virtualization functionality in an operationally and resource efficient manner.
The light hypervisor 800 comprises virtualization logic 930 that is configured to virtualize resources by intercepting requests and either (i) redirecting the intercepted requests associated with a first subset of activities or (ii) servicing the intercepted requests associated with a second subset of activities, as described below. These requests may include an API call, a system call for a particular service such as hardware-related services (e.g., access to a storage device such as a hard disk drive), file management (e.g., open, close, etc.) and network connectivity management (e.g., create network connection, terminate network connection, etc.).
More specifically, according to one embodiment of the disclosure, an application running in user mode 910 may initiate a request 940 (e.g., a system call to a software driver within the kernel mode 920), where this type of request may be monitored by the light hypervisor 800. In response to detecting the request 940, the light hypervisor temporarily halts software component functionality in the user mode 910 and kernel mode 920.
Consistent with the above-described operations of the virtualization logic 710 within the hypervisor 700, the virtualization logic 930 of the light hypervisor 800 is invoked to determine whether the request 940 is directed to a virtualized resource, and if so, determines what virtualization scheme is to be conducted to the resource (e.g., Intercept & Service; Intercept & Redirect). Additionally, for selective virtualization involving intercepting and redirecting requests, intercept logic 950 may further determine when the virtualization scheme is to be conducted (e.g., to input information or output information).
For a first type of virtualization scheme (Intercept & Service), the intercept logic 950 invokes servicing logic 960, which analyzes state information of the platform 805 to determine a memory location for placement of data returned in response to the request 940. Thereafter, the virtualized data, which is obtained from an applicable usage pattern 9541 within the configuration data 952, may be inserted into the memory location, the instruction pointer is positioned at the end of the function associated with the request 940, and the application within the user mode resumes.
For a second type of virtualization scheme (Intercept & Request), the intercept logic 950 invokes redirect logic 970 and provides the virtualized data (e.g., an alternative path, alternative handle, etc.) to the redirect logic 970. Thereafter, the redirect logic 970 modifies content of the request 940, returns the modified request 945 to the user mode. The same operations apply to requests 942, which are detected in transition from user mode to kernel mode or detected during inter-communication between software drivers and modified by the redirect logic 970 and returned as modified requests 947 to the kernel mode 920.
In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims.
This application is a continuation of U.S. patent application Ser. No. 15/081,775 filed Mar. 25, 2016, now U.S. Pat. No. 10,417,031 issued Sep. 17, 2019, which claims the benefit of priority on U.S. Provisional Application No. 62/140,963, filed Mar. 31, 2015, the entire contents of which are incorporated by reference.
Number | Name | Date | Kind |
---|---|---|---|
4292580 | Ott et al. | Sep 1981 | A |
5175732 | Hendel et al. | Dec 1992 | A |
5319776 | Hile et al. | Jun 1994 | A |
5440723 | Arnold et al. | Aug 1995 | A |
5490249 | Miller | Feb 1996 | A |
5657473 | Killean et al. | Aug 1997 | A |
5802277 | Cowlard | Sep 1998 | A |
5842002 | Schnurer et al. | Nov 1998 | A |
5960170 | Chen et al. | Sep 1999 | A |
5978917 | Chi | Nov 1999 | A |
5983348 | Ji | Nov 1999 | A |
6088803 | Tso et al. | Jul 2000 | A |
6092194 | Touboul | Jul 2000 | A |
6094677 | Capek et al. | Jul 2000 | A |
6108799 | Boulay et al. | Aug 2000 | A |
6154844 | Touboul et al. | Nov 2000 | A |
6269330 | Cidon et al. | Jul 2001 | B1 |
6272641 | Ji | Aug 2001 | B1 |
6279113 | Vaidya | Aug 2001 | B1 |
6298445 | Shostack et al. | Oct 2001 | B1 |
6357008 | Nachenberg | Mar 2002 | B1 |
6424627 | Sorhaug et al. | Jul 2002 | B1 |
6442696 | Wray et al. | Aug 2002 | B1 |
6484315 | Ziese | Nov 2002 | B1 |
6487666 | Shanklin et al. | Nov 2002 | B1 |
6493756 | O'Brien et al. | Dec 2002 | B1 |
6550012 | Villa et al. | Apr 2003 | B1 |
6775657 | Baker | Aug 2004 | B1 |
6831893 | Ben Nun et al. | Dec 2004 | B1 |
6832367 | Choi et al. | Dec 2004 | B1 |
6895550 | Kanchirayappa et al. | May 2005 | B2 |
6898632 | Gordy et al. | May 2005 | B2 |
6907396 | Muttik et al. | Jun 2005 | B1 |
6941348 | Petry et al. | Sep 2005 | B2 |
6971097 | Wallman | Nov 2005 | B1 |
6981279 | Arnold et al. | Dec 2005 | B1 |
7007107 | Ivchenko et al. | Feb 2006 | B1 |
7028179 | Anderson et al. | Apr 2006 | B2 |
7043757 | Hoefelmeyer et al. | May 2006 | B2 |
7058822 | Edery et al. | Jun 2006 | B2 |
7069316 | Gryaznov | Jun 2006 | B1 |
7080407 | Zhao et al. | Jul 2006 | B1 |
7080408 | Pak et al. | Jul 2006 | B1 |
7093002 | Wolff et al. | Aug 2006 | B2 |
7093239 | van der Made | Aug 2006 | B1 |
7096498 | Judge | Aug 2006 | B2 |
7100201 | Izatt | Aug 2006 | B2 |
7107617 | Hursey et al. | Sep 2006 | B2 |
7159149 | Spiegel et al. | Jan 2007 | B2 |
7213260 | Judge | May 2007 | B2 |
7231667 | Jordan | Jun 2007 | B2 |
7240364 | Branscomb et al. | Jul 2007 | B1 |
7240368 | Roesch et al. | Jul 2007 | B1 |
7243371 | Kasper et al. | Jul 2007 | B1 |
7249175 | Donaldson | Jul 2007 | B1 |
7287278 | Liang | Oct 2007 | B2 |
7308716 | Danford et al. | Dec 2007 | B2 |
7328453 | Merkle, Jr. et al. | Feb 2008 | B2 |
7346486 | Ivancic et al. | Mar 2008 | B2 |
7356736 | Natvig | Apr 2008 | B2 |
7386888 | Liang et al. | Jun 2008 | B2 |
7392542 | Bucher | Jun 2008 | B2 |
7418729 | Szor | Aug 2008 | B2 |
7428300 | Drew et al. | Sep 2008 | B1 |
7441272 | Durham et al. | Oct 2008 | B2 |
7448084 | Apap et al. | Nov 2008 | B1 |
7458098 | Judge et al. | Nov 2008 | B2 |
7464404 | Carpenter et al. | Dec 2008 | B2 |
7464407 | Nakae et al. | Dec 2008 | B2 |
7467408 | O'Toole, Jr. | Dec 2008 | B1 |
7478428 | Thomlinson | Jan 2009 | B1 |
7480773 | Reed | Jan 2009 | B1 |
7487543 | Arnold et al. | Feb 2009 | B2 |
7496960 | Chen et al. | Feb 2009 | B1 |
7496961 | Zimmer et al. | Feb 2009 | B2 |
7519990 | Xie | Apr 2009 | B1 |
7523493 | Liang et al. | Apr 2009 | B2 |
7530104 | Thrower et al. | May 2009 | B1 |
7540025 | Tzadikario | May 2009 | B2 |
7546637 | Agbabian | Jun 2009 | B1 |
7546638 | Anderson et al. | Jun 2009 | B2 |
7565550 | Liang et al. | Jul 2009 | B2 |
7568233 | Szor et al. | Jul 2009 | B1 |
7584455 | Ball | Sep 2009 | B2 |
7603715 | Costa et al. | Oct 2009 | B2 |
7607171 | Marsden et al. | Oct 2009 | B1 |
7639714 | Stolfo et al. | Dec 2009 | B2 |
7644441 | Schmid et al. | Jan 2010 | B2 |
7657419 | van der Made | Feb 2010 | B2 |
7676841 | Sobchuk et al. | Mar 2010 | B2 |
7698548 | Shelest et al. | Apr 2010 | B2 |
7707633 | Danford et al. | Apr 2010 | B2 |
7712136 | Sprosts et al. | May 2010 | B2 |
7730011 | Deninger et al. | Jun 2010 | B1 |
7739740 | Nachenberg et al. | Jun 2010 | B1 |
7779463 | Stolfo et al. | Aug 2010 | B2 |
7784097 | Stolfo et al. | Aug 2010 | B1 |
7832008 | Kraemer | Nov 2010 | B1 |
7836502 | Zhao et al. | Nov 2010 | B1 |
7849506 | Dansey et al. | Dec 2010 | B1 |
7854007 | Sprosts et al. | Dec 2010 | B2 |
7869073 | Oshima | Jan 2011 | B2 |
7877803 | Enstone et al. | Jan 2011 | B2 |
7904959 | Sidiroglou et al. | Mar 2011 | B2 |
7908660 | Bahl | Mar 2011 | B2 |
7930738 | Petersen | Apr 2011 | B1 |
7937387 | Frazier et al. | May 2011 | B2 |
7937761 | Bennett | May 2011 | B1 |
7949849 | Lowe et al. | May 2011 | B2 |
7996556 | Raghavan et al. | Aug 2011 | B2 |
7996836 | McCorkendale et al. | Aug 2011 | B1 |
7996904 | Chiueh et al. | Aug 2011 | B1 |
7996905 | Arnold et al. | Aug 2011 | B2 |
8006305 | Aziz | Aug 2011 | B2 |
8010667 | Zhang et al. | Aug 2011 | B2 |
8020206 | Hubbard et al. | Sep 2011 | B2 |
8028338 | Schneider et al. | Sep 2011 | B1 |
8042184 | Batenin | Oct 2011 | B1 |
8045094 | Teragawa | Oct 2011 | B2 |
8045458 | Alperovitch et al. | Oct 2011 | B2 |
8069484 | McMillan et al. | Nov 2011 | B2 |
8087086 | Lai et al. | Dec 2011 | B1 |
8171553 | Aziz et al. | May 2012 | B2 |
8176049 | Deninger et al. | May 2012 | B2 |
8176480 | Spertus | May 2012 | B1 |
8201246 | Wu | Jun 2012 | B1 |
8204984 | Aziz et al. | Jun 2012 | B1 |
8214905 | Doukhvalov et al. | Jul 2012 | B1 |
8220055 | Kennedy | Jul 2012 | B1 |
8225288 | Miller et al. | Jul 2012 | B2 |
8225373 | Kraemer | Jul 2012 | B2 |
8233882 | Rogel | Jul 2012 | B2 |
8234640 | Fitzgerald et al. | Jul 2012 | B1 |
8234709 | Viljoen et al. | Jul 2012 | B2 |
8239944 | Nachenberg et al. | Aug 2012 | B1 |
8260914 | Ranjan | Sep 2012 | B1 |
8266091 | Gubin et al. | Sep 2012 | B1 |
8286251 | Eker et al. | Oct 2012 | B2 |
8291499 | Aziz et al. | Oct 2012 | B2 |
8307435 | Mann et al. | Nov 2012 | B1 |
8307443 | Wang et al. | Nov 2012 | B2 |
8312545 | Tuvell et al. | Nov 2012 | B2 |
8321936 | Green et al. | Nov 2012 | B1 |
8321941 | Tuvell et al. | Nov 2012 | B2 |
8332571 | Edwards, Sr. | Dec 2012 | B1 |
8365286 | Poston | Jan 2013 | B2 |
8365297 | Parshin et al. | Jan 2013 | B1 |
8370938 | Daswani et al. | Feb 2013 | B1 |
8370939 | Zaitsev et al. | Feb 2013 | B2 |
8375444 | Aziz et al. | Feb 2013 | B2 |
8381299 | Stolfo et al. | Feb 2013 | B2 |
8402529 | Green et al. | Mar 2013 | B1 |
8464340 | Ahn et al. | Jun 2013 | B2 |
8479174 | Chiriac | Jul 2013 | B2 |
8479276 | Vaystikh et al. | Jul 2013 | B1 |
8479291 | Bodke | Jul 2013 | B1 |
8510827 | Leake et al. | Aug 2013 | B1 |
8510828 | Guo et al. | Aug 2013 | B1 |
8510842 | Amit et al. | Aug 2013 | B2 |
8516478 | Edwards et al. | Aug 2013 | B1 |
8516590 | Ranadive et al. | Aug 2013 | B1 |
8516593 | Aziz | Aug 2013 | B2 |
8522348 | Chen et al. | Aug 2013 | B2 |
8528086 | Aziz | Sep 2013 | B1 |
8533824 | Hutton et al. | Sep 2013 | B2 |
8539582 | Aziz et al. | Sep 2013 | B1 |
8549638 | Aziz | Oct 2013 | B2 |
8555391 | Demir et al. | Oct 2013 | B1 |
8561177 | Aziz et al. | Oct 2013 | B1 |
8566476 | Shiffer et al. | Oct 2013 | B2 |
8566946 | Aziz | Oct 2013 | B1 |
8584094 | Dadhia et al. | Nov 2013 | B2 |
8584234 | Sobel et al. | Nov 2013 | B1 |
8584239 | Aziz | Nov 2013 | B2 |
8595834 | Xie et al. | Nov 2013 | B2 |
8627476 | Satish et al. | Jan 2014 | B1 |
8635696 | Aziz | Jan 2014 | B1 |
8682054 | Xue et al. | Mar 2014 | B2 |
8682812 | Ranjan | Mar 2014 | B1 |
8689333 | Aziz | Apr 2014 | B2 |
8695096 | Zhang | Apr 2014 | B1 |
8713631 | Pavlyushchik | Apr 2014 | B1 |
8713681 | Silberman et al. | Apr 2014 | B2 |
8726392 | McCorkendale et al. | May 2014 | B1 |
8739280 | Chess et al. | May 2014 | B2 |
8776229 | Aziz | Jul 2014 | B1 |
8782792 | Bodke | Jul 2014 | B1 |
8789172 | Stolfo et al. | Jul 2014 | B2 |
8789178 | Kejriwal et al. | Jul 2014 | B2 |
8793278 | Frazier et al. | Jul 2014 | B2 |
8793787 | Ismael et al. | Jul 2014 | B2 |
8805947 | Kuzkin et al. | Aug 2014 | B1 |
8806647 | Daswani et al. | Aug 2014 | B1 |
8832829 | Manni et al. | Sep 2014 | B2 |
8839245 | Khajuria | Sep 2014 | B1 |
8850570 | Ramzan | Sep 2014 | B1 |
8850571 | Staniford et al. | Sep 2014 | B2 |
8881234 | Narasimhan et al. | Nov 2014 | B2 |
8881271 | Butler, II | Nov 2014 | B2 |
8881282 | Aziz et al. | Nov 2014 | B1 |
8898788 | Aziz et al. | Nov 2014 | B1 |
8935779 | Manni et al. | Jan 2015 | B2 |
8949257 | Shiffer et al. | Feb 2015 | B2 |
8984638 | Aziz et al. | Mar 2015 | B1 |
8990939 | Staniford et al. | Mar 2015 | B2 |
8990944 | Singh | Mar 2015 | B1 |
8997219 | Staniford et al. | Mar 2015 | B2 |
9009822 | Ismael et al. | Apr 2015 | B1 |
9009823 | Ismael et al. | Apr 2015 | B1 |
9027135 | Aziz | May 2015 | B1 |
9071638 | Aziz et al. | Jun 2015 | B1 |
9104867 | Thioux | Aug 2015 | B1 |
9106630 | Frazier et al. | Aug 2015 | B2 |
9106694 | Aziz et al. | Aug 2015 | B2 |
9117079 | Huang | Aug 2015 | B1 |
9118715 | Staniford et al. | Aug 2015 | B2 |
9159035 | Ismael et al. | Oct 2015 | B1 |
9171160 | Vincent et al. | Oct 2015 | B2 |
9176843 | Ismael et al. | Nov 2015 | B1 |
9189627 | Islam | Nov 2015 | B1 |
9195829 | Goradia et al. | Nov 2015 | B1 |
9197664 | Aziz et al. | Nov 2015 | B1 |
9223962 | Kashyap | Dec 2015 | B1 |
9223972 | Vincent | Dec 2015 | B1 |
9225740 | Ismael et al. | Dec 2015 | B1 |
9241010 | Bennett et al. | Jan 2016 | B1 |
9251343 | Vincent et al. | Feb 2016 | B1 |
9262635 | Paithane et al. | Feb 2016 | B2 |
9268936 | Butler | Feb 2016 | B2 |
9275229 | LeMasters | Mar 2016 | B2 |
9282109 | Aziz et al. | Mar 2016 | B1 |
9292686 | Ismael et al. | Mar 2016 | B2 |
9294501 | Mesdaq et al. | Mar 2016 | B2 |
9300686 | Pidathala et al. | Mar 2016 | B2 |
9306960 | Aziz | Apr 2016 | B1 |
9306974 | Aziz et al. | Apr 2016 | B1 |
9311479 | Manni et al. | Apr 2016 | B1 |
9355247 | Thioux et al. | May 2016 | B1 |
9356944 | Aziz | May 2016 | B1 |
9363280 | Rivlin et al. | Jun 2016 | B1 |
9367681 | Ismael et al. | Jun 2016 | B1 |
9398028 | Karandikar et al. | Jul 2016 | B1 |
9413774 | Liu | Aug 2016 | B1 |
9413781 | Cunningham et al. | Aug 2016 | B2 |
9426071 | Caldejon et al. | Aug 2016 | B1 |
9430646 | Mushtaq et al. | Aug 2016 | B1 |
9432389 | Khalid et al. | Aug 2016 | B1 |
9438613 | Paithane | Sep 2016 | B1 |
9438622 | Staniford et al. | Sep 2016 | B1 |
9438623 | Thioux et al. | Sep 2016 | B1 |
9459901 | Jung et al. | Oct 2016 | B2 |
9467460 | Otvagin et al. | Oct 2016 | B1 |
9483644 | Paithane | Nov 2016 | B1 |
9489516 | Lu | Nov 2016 | B1 |
9495180 | Ismael | Nov 2016 | B2 |
9497213 | Thompson et al. | Nov 2016 | B2 |
9507935 | Ismael et al. | Nov 2016 | B2 |
9516057 | Aziz | Dec 2016 | B2 |
9519782 | Aziz et al. | Dec 2016 | B2 |
9536091 | Paithane et al. | Jan 2017 | B2 |
9537972 | Edwards et al. | Jan 2017 | B1 |
9560059 | Islam | Jan 2017 | B1 |
9565202 | Kindlund et al. | Feb 2017 | B1 |
9591015 | Amin et al. | Mar 2017 | B1 |
9591020 | Aziz | Mar 2017 | B1 |
9594904 | Jain et al. | Mar 2017 | B1 |
9594905 | Ismael et al. | Mar 2017 | B1 |
9594912 | Thioux et al. | Mar 2017 | B1 |
9609007 | Rivlin et al. | Mar 2017 | B1 |
9626509 | Khalid et al. | Apr 2017 | B1 |
9628498 | Aziz et al. | Apr 2017 | B1 |
9628507 | Haq et al. | Apr 2017 | B2 |
9633134 | Ross | Apr 2017 | B2 |
9635039 | Islam et al. | Apr 2017 | B1 |
9641546 | Manni et al. | May 2017 | B1 |
9654485 | Neumann | May 2017 | B1 |
9661009 | Karandikar et al. | May 2017 | B1 |
9661018 | Aziz | May 2017 | B1 |
9674298 | Edwards et al. | Jun 2017 | B1 |
9680862 | Ismael et al. | Jun 2017 | B2 |
9690606 | Ha et al. | Jun 2017 | B1 |
9690933 | Singh et al. | Jun 2017 | B1 |
9690935 | Shiffer et al. | Jun 2017 | B2 |
9690936 | Malik et al. | Jun 2017 | B1 |
9736179 | Ismael | Aug 2017 | B2 |
9740857 | Ismael et al. | Aug 2017 | B2 |
9747446 | Pidathala et al. | Aug 2017 | B1 |
9756074 | Aziz et al. | Sep 2017 | B2 |
9773112 | Rathor et al. | Sep 2017 | B1 |
9781144 | Otvagin et al. | Oct 2017 | B1 |
9787700 | Amin et al. | Oct 2017 | B1 |
9787706 | Otvagin et al. | Oct 2017 | B1 |
9792196 | Ismael et al. | Oct 2017 | B1 |
9824209 | Ismael et al. | Nov 2017 | B1 |
9824211 | Wilson | Nov 2017 | B2 |
9824216 | Khalid et al. | Nov 2017 | B1 |
9825976 | Gomez et al. | Nov 2017 | B1 |
9825989 | Mehra et al. | Nov 2017 | B1 |
9838408 | Karandikar et al. | Dec 2017 | B1 |
9838411 | Aziz | Dec 2017 | B1 |
9838416 | Aziz | Dec 2017 | B1 |
9838417 | Khalid et al. | Dec 2017 | B1 |
9846776 | Paithane et al. | Dec 2017 | B1 |
9876701 | Caldejon et al. | Jan 2018 | B1 |
9888016 | Amin et al. | Feb 2018 | B1 |
9888019 | Pidathala et al. | Feb 2018 | B1 |
9910988 | Vincent et al. | Mar 2018 | B1 |
9912644 | Cunningham | Mar 2018 | B2 |
9912681 | Ismael et al. | Mar 2018 | B1 |
9912684 | Aziz et al. | Mar 2018 | B1 |
9912691 | Mesdaq et al. | Mar 2018 | B2 |
9912698 | Thioux et al. | Mar 2018 | B1 |
9916440 | Paithane et al. | Mar 2018 | B1 |
9921978 | Chan et al. | Mar 2018 | B1 |
9934376 | Ismael | Apr 2018 | B1 |
9934381 | Kindlund et al. | Apr 2018 | B1 |
9946568 | Ismael et al. | Apr 2018 | B1 |
9954890 | Staniford et al. | Apr 2018 | B1 |
9973531 | Thioux | May 2018 | B1 |
10002252 | Ismael et al. | Jun 2018 | B2 |
10019338 | Goradia et al. | Jul 2018 | B1 |
10019573 | Silberman et al. | Jul 2018 | B2 |
10025691 | Ismael et al. | Jul 2018 | B1 |
10025927 | Khalid et al. | Jul 2018 | B1 |
10027689 | Rathor et al. | Jul 2018 | B1 |
10027690 | Aziz et al. | Jul 2018 | B2 |
10027696 | Rivlin et al. | Jul 2018 | B1 |
10033747 | Paithane et al. | Jul 2018 | B1 |
10033748 | Cunningham et al. | Jul 2018 | B1 |
10033753 | Islam et al. | Jul 2018 | B1 |
10033759 | Kabra et al. | Jul 2018 | B1 |
10050998 | Singh | Aug 2018 | B1 |
10068091 | Aziz et al. | Sep 2018 | B1 |
10075455 | Zafar et al. | Sep 2018 | B2 |
10083302 | Paithane et al. | Sep 2018 | B1 |
10084813 | Eyada | Sep 2018 | B2 |
10089461 | Ha et al. | Oct 2018 | B1 |
10097573 | Aziz | Oct 2018 | B1 |
10104102 | Neumann | Oct 2018 | B1 |
10108446 | Steinberg et al. | Oct 2018 | B1 |
10121000 | Rivlin et al. | Nov 2018 | B1 |
10122746 | Manni et al. | Nov 2018 | B1 |
10133863 | Bu et al. | Nov 2018 | B2 |
10133866 | Kumar et al. | Nov 2018 | B1 |
10146810 | Shiffer et al. | Dec 2018 | B2 |
10148693 | Singh et al. | Dec 2018 | B2 |
10165000 | Aziz et al. | Dec 2018 | B1 |
10169585 | Pilipenko et al. | Jan 2019 | B1 |
10176321 | Abbasi et al. | Jan 2019 | B2 |
10181029 | Ismael et al. | Jan 2019 | B1 |
10191861 | Steinberg et al. | Jan 2019 | B1 |
10192052 | Singh et al. | Jan 2019 | B1 |
10198574 | Thioux et al. | Feb 2019 | B1 |
10200384 | Mushtaq et al. | Feb 2019 | B1 |
10210329 | Malik et al. | Feb 2019 | B1 |
10216927 | Steinberg | Feb 2019 | B1 |
10218740 | Mesdaq et al. | Feb 2019 | B1 |
10242185 | Goradia | Mar 2019 | B1 |
20010005889 | Albrecht | Jun 2001 | A1 |
20010047326 | Broadbent et al. | Nov 2001 | A1 |
20020018903 | Kokubo et al. | Feb 2002 | A1 |
20020038430 | Edwards et al. | Mar 2002 | A1 |
20020091819 | Melchione et al. | Jul 2002 | A1 |
20020095607 | Lin-Hendel | Jul 2002 | A1 |
20020116627 | Tarbotton et al. | Aug 2002 | A1 |
20020144156 | Copeland | Oct 2002 | A1 |
20020162015 | Fang | Oct 2002 | A1 |
20020166063 | Lachman et al. | Nov 2002 | A1 |
20020169952 | DiSanto et al. | Nov 2002 | A1 |
20020184528 | Shevenell et al. | Dec 2002 | A1 |
20020188887 | Largman et al. | Dec 2002 | A1 |
20020194490 | Halperin et al. | Dec 2002 | A1 |
20030021728 | Sharpe et al. | Jan 2003 | A1 |
20030074578 | Ford et al. | Apr 2003 | A1 |
20030084318 | Schertz | May 2003 | A1 |
20030101381 | Mateev et al. | May 2003 | A1 |
20030115483 | Liang | Jun 2003 | A1 |
20030188190 | Aaron et al. | Oct 2003 | A1 |
20030191957 | Hypponen et al. | Oct 2003 | A1 |
20030200460 | Morota et al. | Oct 2003 | A1 |
20030212902 | van der Made | Nov 2003 | A1 |
20030229801 | Kouznetsov et al. | Dec 2003 | A1 |
20030237000 | Denton et al. | Dec 2003 | A1 |
20040003323 | Bennett et al. | Jan 2004 | A1 |
20040006473 | Mills et al. | Jan 2004 | A1 |
20040015712 | Szor | Jan 2004 | A1 |
20040019832 | Arnold et al. | Jan 2004 | A1 |
20040047356 | Bauer | Mar 2004 | A1 |
20040083408 | Spiegel et al. | Apr 2004 | A1 |
20040088581 | Brawn et al. | May 2004 | A1 |
20040093513 | Cantrell et al. | May 2004 | A1 |
20040111531 | Staniford et al. | Jun 2004 | A1 |
20040117478 | Triulzi et al. | Jun 2004 | A1 |
20040117624 | Brandt et al. | Jun 2004 | A1 |
20040128355 | Chao et al. | Jul 2004 | A1 |
20040165588 | Pandya | Aug 2004 | A1 |
20040236963 | Danford et al. | Nov 2004 | A1 |
20040243349 | Greifeneder et al. | Dec 2004 | A1 |
20040249911 | Alkhatib et al. | Dec 2004 | A1 |
20040255161 | Cavanaugh | Dec 2004 | A1 |
20040268147 | Wiederin et al. | Dec 2004 | A1 |
20050005159 | Oliphant | Jan 2005 | A1 |
20050021740 | Bar et al. | Jan 2005 | A1 |
20050033960 | Vialen et al. | Feb 2005 | A1 |
20050033989 | Poletto et al. | Feb 2005 | A1 |
20050050148 | Mohammadioun et al. | Mar 2005 | A1 |
20050086523 | Zimmer et al. | Apr 2005 | A1 |
20050091513 | Mitomo et al. | Apr 2005 | A1 |
20050091533 | Omote et al. | Apr 2005 | A1 |
20050091652 | Ross et al. | Apr 2005 | A1 |
20050108562 | Khazan et al. | May 2005 | A1 |
20050114663 | Cornell et al. | May 2005 | A1 |
20050125195 | Brendel | Jun 2005 | A1 |
20050149726 | Joshi et al. | Jul 2005 | A1 |
20050157662 | Bingham et al. | Jul 2005 | A1 |
20050183143 | Anderholm et al. | Aug 2005 | A1 |
20050201297 | Peikari | Sep 2005 | A1 |
20050210533 | Copeland et al. | Sep 2005 | A1 |
20050238005 | Chen et al. | Oct 2005 | A1 |
20050240781 | Gassoway | Oct 2005 | A1 |
20050262562 | Gassoway | Nov 2005 | A1 |
20050265331 | Stolfo | Dec 2005 | A1 |
20050273856 | Huddleston | Dec 2005 | A1 |
20050283839 | Cowburn | Dec 2005 | A1 |
20060010495 | Cohen et al. | Jan 2006 | A1 |
20060015416 | Hoffman et al. | Jan 2006 | A1 |
20060015715 | Anderson | Jan 2006 | A1 |
20060015747 | Van de Ven | Jan 2006 | A1 |
20060021029 | Brickell et al. | Jan 2006 | A1 |
20060021054 | Costa et al. | Jan 2006 | A1 |
20060031476 | Mathes et al. | Feb 2006 | A1 |
20060047665 | Neil | Mar 2006 | A1 |
20060070130 | Costea et al. | Mar 2006 | A1 |
20060075496 | Carpenter et al. | Apr 2006 | A1 |
20060095968 | Portolani et al. | May 2006 | A1 |
20060101516 | Sudaharan et al. | May 2006 | A1 |
20060101517 | Banzhof et al. | May 2006 | A1 |
20060117385 | Mester et al. | Jun 2006 | A1 |
20060123477 | Raghavan et al. | Jun 2006 | A1 |
20060143709 | Brooks et al. | Jun 2006 | A1 |
20060150249 | Gassen et al. | Jul 2006 | A1 |
20060161983 | Cothrell et al. | Jul 2006 | A1 |
20060161987 | Levy-Yurista | Jul 2006 | A1 |
20060161989 | Reshef et al. | Jul 2006 | A1 |
20060164199 | Gilde et al. | Jul 2006 | A1 |
20060173992 | Weber et al. | Aug 2006 | A1 |
20060179147 | Tran et al. | Aug 2006 | A1 |
20060184632 | Marino et al. | Aug 2006 | A1 |
20060191010 | Benjamin | Aug 2006 | A1 |
20060221956 | Narayan et al. | Oct 2006 | A1 |
20060236393 | Kramer et al. | Oct 2006 | A1 |
20060242709 | Seinfeld et al. | Oct 2006 | A1 |
20060248519 | Jaeger et al. | Nov 2006 | A1 |
20060248582 | Panjwani et al. | Nov 2006 | A1 |
20060251104 | Koga | Nov 2006 | A1 |
20060288417 | Bookbinder et al. | Dec 2006 | A1 |
20070006288 | Mayfield et al. | Jan 2007 | A1 |
20070006313 | Porras et al. | Jan 2007 | A1 |
20070011174 | Takaragi et al. | Jan 2007 | A1 |
20070016951 | Piccard et al. | Jan 2007 | A1 |
20070019286 | Kikuchi | Jan 2007 | A1 |
20070033645 | Jones | Feb 2007 | A1 |
20070038943 | FitzGerald et al. | Feb 2007 | A1 |
20070064689 | Shin et al. | Mar 2007 | A1 |
20070074169 | Chess et al. | Mar 2007 | A1 |
20070094730 | Bhikkaji et al. | Apr 2007 | A1 |
20070101435 | Konanka et al. | May 2007 | A1 |
20070128855 | Cho et al. | Jun 2007 | A1 |
20070142030 | Sinha et al. | Jun 2007 | A1 |
20070143827 | Nicodemus et al. | Jun 2007 | A1 |
20070156895 | Vuong | Jul 2007 | A1 |
20070157180 | Tillmann et al. | Jul 2007 | A1 |
20070157306 | Elrod et al. | Jul 2007 | A1 |
20070168988 | Eisner et al. | Jul 2007 | A1 |
20070171824 | Ruello et al. | Jul 2007 | A1 |
20070174915 | Gribble et al. | Jul 2007 | A1 |
20070192500 | Lum | Aug 2007 | A1 |
20070192858 | Lum | Aug 2007 | A1 |
20070198275 | Malden et al. | Aug 2007 | A1 |
20070208822 | Wang et al. | Sep 2007 | A1 |
20070220607 | Sprosts et al. | Sep 2007 | A1 |
20070240218 | Tuvell et al. | Oct 2007 | A1 |
20070240219 | Tuvell et al. | Oct 2007 | A1 |
20070240220 | Tuvell et al. | Oct 2007 | A1 |
20070240222 | Tuvell et al. | Oct 2007 | A1 |
20070250930 | Aziz et al. | Oct 2007 | A1 |
20070256132 | Oliphant | Nov 2007 | A2 |
20070271446 | Nakamura | Nov 2007 | A1 |
20080005782 | Aziz | Jan 2008 | A1 |
20080018122 | Zierler et al. | Jan 2008 | A1 |
20080028463 | Dagon et al. | Jan 2008 | A1 |
20080040710 | Chiriac | Feb 2008 | A1 |
20080046781 | Childs et al. | Feb 2008 | A1 |
20080066179 | Liu | Mar 2008 | A1 |
20080072326 | Danford et al. | Mar 2008 | A1 |
20080077793 | Tan et al. | Mar 2008 | A1 |
20080080518 | Hoeflin et al. | Apr 2008 | A1 |
20080086720 | Lekel | Apr 2008 | A1 |
20080098476 | Syversen | Apr 2008 | A1 |
20080120722 | Sima et al. | May 2008 | A1 |
20080134178 | Fitzgerald et al. | Jun 2008 | A1 |
20080134334 | Kim et al. | Jun 2008 | A1 |
20080141376 | Clausen et al. | Jun 2008 | A1 |
20080184367 | McMillan et al. | Jul 2008 | A1 |
20080184373 | Traut et al. | Jul 2008 | A1 |
20080189787 | Arnold et al. | Aug 2008 | A1 |
20080201778 | Guo et al. | Aug 2008 | A1 |
20080209557 | Herley et al. | Aug 2008 | A1 |
20080215742 | Goldszmidt et al. | Sep 2008 | A1 |
20080222729 | Chen et al. | Sep 2008 | A1 |
20080263665 | Ma et al. | Oct 2008 | A1 |
20080295172 | Bohacek | Nov 2008 | A1 |
20080301810 | Lehane et al. | Dec 2008 | A1 |
20080307524 | Singh et al. | Dec 2008 | A1 |
20080313738 | Enderby | Dec 2008 | A1 |
20080320594 | Jiang | Dec 2008 | A1 |
20090003317 | Kasralikar et al. | Jan 2009 | A1 |
20090007100 | Field et al. | Jan 2009 | A1 |
20090013408 | Schipka | Jan 2009 | A1 |
20090031423 | Liu et al. | Jan 2009 | A1 |
20090036111 | Danford et al. | Feb 2009 | A1 |
20090037835 | Goldman | Feb 2009 | A1 |
20090044024 | Oberheide et al. | Feb 2009 | A1 |
20090044274 | Budko | Feb 2009 | A1 |
20090064332 | Porras et al. | Mar 2009 | A1 |
20090077666 | Chen et al. | Mar 2009 | A1 |
20090083369 | Marmor | Mar 2009 | A1 |
20090083855 | Apap et al. | Mar 2009 | A1 |
20090089879 | Wang et al. | Apr 2009 | A1 |
20090094697 | Provos et al. | Apr 2009 | A1 |
20090113425 | Ports et al. | Apr 2009 | A1 |
20090125976 | Wassermann et al. | May 2009 | A1 |
20090126015 | Monastyrsky et al. | May 2009 | A1 |
20090126016 | Sobko et al. | May 2009 | A1 |
20090133125 | Choi et al. | May 2009 | A1 |
20090144823 | Lamastra et al. | Jun 2009 | A1 |
20090158430 | Borders | Jun 2009 | A1 |
20090172815 | Gu et al. | Jul 2009 | A1 |
20090187992 | Poston | Jul 2009 | A1 |
20090193293 | Stolfo et al. | Jul 2009 | A1 |
20090198651 | Shiffer et al. | Aug 2009 | A1 |
20090198670 | Shiffer et al. | Aug 2009 | A1 |
20090198689 | Frazier et al. | Aug 2009 | A1 |
20090199274 | Frazier et al. | Aug 2009 | A1 |
20090199296 | Xie et al. | Aug 2009 | A1 |
20090228233 | Anderson et al. | Sep 2009 | A1 |
20090241187 | Troyansky | Sep 2009 | A1 |
20090241190 | Todd | Sep 2009 | A1 |
20090265692 | Godefroid et al. | Oct 2009 | A1 |
20090271867 | Zhang | Oct 2009 | A1 |
20090300415 | Zhang et al. | Dec 2009 | A1 |
20090300761 | Park et al. | Dec 2009 | A1 |
20090328185 | Berg et al. | Dec 2009 | A1 |
20090328221 | Blumfield et al. | Dec 2009 | A1 |
20100005146 | Drako et al. | Jan 2010 | A1 |
20100011205 | McKenna | Jan 2010 | A1 |
20100017546 | Poo et al. | Jan 2010 | A1 |
20100030996 | Butler, II | Feb 2010 | A1 |
20100031353 | Thomas et al. | Feb 2010 | A1 |
20100037314 | Perdisci et al. | Feb 2010 | A1 |
20100043073 | Kuwamura | Feb 2010 | A1 |
20100054278 | Stolfo et al. | Mar 2010 | A1 |
20100058474 | Hicks | Mar 2010 | A1 |
20100064044 | Nonoyama | Mar 2010 | A1 |
20100077481 | Polyakov et al. | Mar 2010 | A1 |
20100083376 | Pereira et al. | Apr 2010 | A1 |
20100115621 | Staniford et al. | May 2010 | A1 |
20100132038 | Zaitsev | May 2010 | A1 |
20100154056 | Smith et al. | Jun 2010 | A1 |
20100180344 | Malyshev et al. | Jul 2010 | A1 |
20100192223 | Ismael et al. | Jul 2010 | A1 |
20100220863 | Dupaquis et al. | Sep 2010 | A1 |
20100235831 | Dittmer | Sep 2010 | A1 |
20100251104 | Massand | Sep 2010 | A1 |
20100281102 | Chinta et al. | Nov 2010 | A1 |
20100281541 | Stolfo et al. | Nov 2010 | A1 |
20100281542 | Stolfo et al. | Nov 2010 | A1 |
20100287260 | Peterson et al. | Nov 2010 | A1 |
20100299754 | Amit et al. | Nov 2010 | A1 |
20100306173 | Frank | Dec 2010 | A1 |
20110004737 | Greenebaum | Jan 2011 | A1 |
20110025504 | Lyon et al. | Feb 2011 | A1 |
20110041179 | St Hlberg | Feb 2011 | A1 |
20110047594 | Mahaffey et al. | Feb 2011 | A1 |
20110047620 | Mahaffey et al. | Feb 2011 | A1 |
20110055907 | Narasimhan et al. | Mar 2011 | A1 |
20110078794 | Manni et al. | Mar 2011 | A1 |
20110093951 | Aziz | Apr 2011 | A1 |
20110099620 | Stavrou et al. | Apr 2011 | A1 |
20110099633 | Aziz | Apr 2011 | A1 |
20110099635 | Silberman et al. | Apr 2011 | A1 |
20110113231 | Kaminsky | May 2011 | A1 |
20110145918 | Jung et al. | Jun 2011 | A1 |
20110145920 | Mahaffey et al. | Jun 2011 | A1 |
20110145934 | Abramovici et al. | Jun 2011 | A1 |
20110167493 | Song et al. | Jul 2011 | A1 |
20110167494 | Bowen et al. | Jul 2011 | A1 |
20110173213 | Frazier et al. | Jul 2011 | A1 |
20110173460 | Ito et al. | Jul 2011 | A1 |
20110185436 | Koulinitch | Jul 2011 | A1 |
20110219449 | St. Neitzel et al. | Sep 2011 | A1 |
20110219450 | McDougal et al. | Sep 2011 | A1 |
20110225624 | Sawhney et al. | Sep 2011 | A1 |
20110225655 | Niemela et al. | Sep 2011 | A1 |
20110247072 | Staniford et al. | Oct 2011 | A1 |
20110265182 | Peinado et al. | Oct 2011 | A1 |
20110271342 | Chung | Nov 2011 | A1 |
20110289582 | Kejriwal et al. | Nov 2011 | A1 |
20110302587 | Nishikawa et al. | Dec 2011 | A1 |
20110307954 | Melnik et al. | Dec 2011 | A1 |
20110307955 | Kaplan et al. | Dec 2011 | A1 |
20110307956 | Yermakov et al. | Dec 2011 | A1 |
20110314546 | Aziz et al. | Dec 2011 | A1 |
20120023593 | Puder et al. | Jan 2012 | A1 |
20120054869 | Yen et al. | Mar 2012 | A1 |
20120066698 | Yanoo | Mar 2012 | A1 |
20120079596 | Thomas et al. | Mar 2012 | A1 |
20120084859 | Radinsky et al. | Apr 2012 | A1 |
20120096553 | Srivastava et al. | Apr 2012 | A1 |
20120110667 | Zubrilin et al. | May 2012 | A1 |
20120117652 | Manni et al. | May 2012 | A1 |
20120121154 | Xue et al. | May 2012 | A1 |
20120124426 | Maybee et al. | May 2012 | A1 |
20120144489 | Jarrett | Jun 2012 | A1 |
20120174186 | Aziz et al. | Jul 2012 | A1 |
20120174196 | Bhogavilli et al. | Jul 2012 | A1 |
20120174218 | McCoy et al. | Jul 2012 | A1 |
20120198279 | Schroeder | Aug 2012 | A1 |
20120210423 | Friedrichs et al. | Aug 2012 | A1 |
20120222121 | Staniford et al. | Aug 2012 | A1 |
20120255010 | Sallam | Oct 2012 | A1 |
20120255015 | Sahita et al. | Oct 2012 | A1 |
20120255017 | Sallam | Oct 2012 | A1 |
20120260342 | Dube et al. | Oct 2012 | A1 |
20120266244 | Green et al. | Oct 2012 | A1 |
20120278886 | Luna | Nov 2012 | A1 |
20120297489 | Dequevy | Nov 2012 | A1 |
20120330801 | McDougal et al. | Dec 2012 | A1 |
20120331553 | Aziz et al. | Dec 2012 | A1 |
20130014259 | Gribble | Jan 2013 | A1 |
20130036472 | Aziz | Feb 2013 | A1 |
20130047257 | Aziz | Feb 2013 | A1 |
20130074185 | McDougal et al. | Mar 2013 | A1 |
20130086684 | Mohler | Apr 2013 | A1 |
20130097699 | Balupari et al. | Apr 2013 | A1 |
20130097706 | Titonis et al. | Apr 2013 | A1 |
20130111587 | Goel et al. | May 2013 | A1 |
20130117852 | Stute | May 2013 | A1 |
20130117855 | Kim et al. | May 2013 | A1 |
20130139264 | Brinkley et al. | May 2013 | A1 |
20130160125 | Likhachev et al. | Jun 2013 | A1 |
20130160127 | Jeong et al. | Jun 2013 | A1 |
20130160130 | Mendelev et al. | Jun 2013 | A1 |
20130160131 | Madou et al. | Jun 2013 | A1 |
20130167236 | Sick | Jun 2013 | A1 |
20130174214 | Duncan | Jul 2013 | A1 |
20130185789 | Hagiwara et al. | Jul 2013 | A1 |
20130185795 | Winn et al. | Jul 2013 | A1 |
20130185798 | Saunders et al. | Jul 2013 | A1 |
20130191915 | Antonakakis et al. | Jul 2013 | A1 |
20130196649 | Paddon et al. | Aug 2013 | A1 |
20130227691 | Aziz et al. | Aug 2013 | A1 |
20130246370 | Bartram et al. | Sep 2013 | A1 |
20130246685 | Bhargava | Sep 2013 | A1 |
20130247186 | LeMasters | Sep 2013 | A1 |
20130263260 | Mahaffey et al. | Oct 2013 | A1 |
20130263268 | Kim | Oct 2013 | A1 |
20130291109 | Staniford et al. | Oct 2013 | A1 |
20130298243 | Kumar et al. | Nov 2013 | A1 |
20130312097 | Turnbull | Nov 2013 | A1 |
20130316764 | Mehio | Nov 2013 | A1 |
20130318038 | Shiffer et al. | Nov 2013 | A1 |
20130318073 | Shiffer et al. | Nov 2013 | A1 |
20130325791 | Shiffer et al. | Dec 2013 | A1 |
20130325792 | Shiffer et al. | Dec 2013 | A1 |
20130325871 | Shiffer et al. | Dec 2013 | A1 |
20130325872 | Shiffer et al. | Dec 2013 | A1 |
20140032875 | Butler | Jan 2014 | A1 |
20140053260 | Gupta et al. | Feb 2014 | A1 |
20140053261 | Gupta et al. | Feb 2014 | A1 |
20140130158 | Wang et al. | May 2014 | A1 |
20140137180 | Lukacs et al. | May 2014 | A1 |
20140169762 | Ryu | Jun 2014 | A1 |
20140179360 | Jackson et al. | Jun 2014 | A1 |
20140181131 | Ross | Jun 2014 | A1 |
20140189687 | Jung et al. | Jul 2014 | A1 |
20140189866 | Shiffer et al. | Jul 2014 | A1 |
20140189882 | Jung et al. | Jul 2014 | A1 |
20140237600 | Silberman et al. | Aug 2014 | A1 |
20140279435 | Holman | Sep 2014 | A1 |
20140280245 | Wilson | Sep 2014 | A1 |
20140283037 | Sikorski et al. | Sep 2014 | A1 |
20140283063 | Thompson et al. | Sep 2014 | A1 |
20140304819 | Ignatchenko | Oct 2014 | A1 |
20140328204 | Klotsche et al. | Nov 2014 | A1 |
20140337836 | Ismael | Nov 2014 | A1 |
20140344807 | Bursell | Nov 2014 | A1 |
20140344926 | Cunningham et al. | Nov 2014 | A1 |
20140351935 | Shao et al. | Nov 2014 | A1 |
20140380473 | Bu et al. | Dec 2014 | A1 |
20140380474 | Paithane | Dec 2014 | A1 |
20150007312 | Pidathala et al. | Jan 2015 | A1 |
20150013008 | Lukacs | Jan 2015 | A1 |
20150067862 | Yu | Mar 2015 | A1 |
20150096022 | Vincent | Apr 2015 | A1 |
20150096023 | Mesdaq et al. | Apr 2015 | A1 |
20150096024 | Haq et al. | Apr 2015 | A1 |
20150096025 | Ismael | Apr 2015 | A1 |
20150178113 | Dake | Jun 2015 | A1 |
20150180886 | Staniford et al. | Jun 2015 | A1 |
20150186645 | Aziz et al. | Jul 2015 | A1 |
20150199513 | Ismael et al. | Jul 2015 | A1 |
20150199531 | Ismael et al. | Jul 2015 | A1 |
20150199532 | Ismael et al. | Jul 2015 | A1 |
20150220735 | Paithane et al. | Aug 2015 | A1 |
20150268947 | Ionescu | Sep 2015 | A1 |
20150304716 | Sanchez-Leighton | Oct 2015 | A1 |
20150372980 | Eyada | Dec 2015 | A1 |
20160004869 | Ismael et al. | Jan 2016 | A1 |
20160006756 | Ismael et al. | Jan 2016 | A1 |
20160044000 | Cunningham | Feb 2016 | A1 |
20160127393 | Aziz et al. | May 2016 | A1 |
20160173509 | Ray | Jun 2016 | A1 |
20160191547 | Zafar et al. | Jun 2016 | A1 |
20160191550 | Ismael et al. | Jun 2016 | A1 |
20160241573 | Mixer | Aug 2016 | A1 |
20160261612 | Mesdaq et al. | Sep 2016 | A1 |
20160285914 | Singh et al. | Sep 2016 | A1 |
20160301703 | Aziz | Oct 2016 | A1 |
20160335110 | Paithane et al. | Nov 2016 | A1 |
20170083703 | Abbasi et al. | Mar 2017 | A1 |
20170213030 | Mooring | Jul 2017 | A1 |
20180013770 | Ismael | Jan 2018 | A1 |
20180048660 | Paithane et al. | Feb 2018 | A1 |
20180121316 | Ismael et al. | May 2018 | A1 |
20180288077 | Siddiqui et al. | Oct 2018 | A1 |
Number | Date | Country |
---|---|---|
2439806 | Jan 2008 | GB |
2490431 | Oct 2012 | GB |
0206928 | Jan 2002 | WO |
0223805 | Mar 2002 | WO |
2007117636 | Oct 2007 | WO |
2008041950 | Apr 2008 | WO |
2011084431 | Jul 2011 | WO |
2011112348 | Sep 2011 | WO |
2012075336 | Jun 2012 | WO |
2012145066 | Oct 2012 | WO |
2013067505 | May 2013 | WO |
Entry |
---|
U.S. Appl. No. 15/081,775, filed Mar. 25, 2016 Final Office Action dated Jan. 30, 2018. |
U.S. Appl. No. 15/081,775, filed Mar. 25, 2016 Non-Final Office Action dated Aug. 23, 2017. |
U.S. Appl. No. 15/081,775, filed Mar. 25, 2016 Notice of Allowance dated Apr. 29, 2019. |
U.S. Appl. No. 15/081,775, filed Mar. 25, 2016 Notice of Allowance dated Jan. 15, 2019. |
Venezia, Paul , “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003). |
Vladimir Getov: “Security as a Service in Smart Clouds—Opportunities and Concerns”, Computer Software and Applications Conference (COMPSAC), 2012 IEEE 36th Annual, IEEE, Jul. 16, 2012 (Jul. 16, 2012). |
Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350. |
Whyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages. |
Williamson, Matthew M., “Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9. |
Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1. |
Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82. |
“Mining Specification of Malicious Behavior”—Jha et al, UCSB, Sep. 2007 https://www.cs.ucsb.edu/.about.chris/research/doc/esec07.sub.--mining.pdf-. |
“Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003). |
“When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.so?reload=true&arnumber=990073, (Dec. 7, 2013). |
Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108. |
Adetoye, Adedayo, et al., “Network Intrusion Detection & Response System”, (“Adetoye”) (Sep. 2003). |
Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126. |
Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006. |
Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlaq Berlin Heidelberg, (2006), pp. 165-184. |
Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77. |
Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists.org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003). |
Chaudet, C. , et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82. |
Chen, P. M. and Noble, B. D., “When Virtual is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”) (2001). |
Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012). |
Cohen, M.I. , “PyFlag—An advanced network forensic framework”, Digital investigation 5, Elsevier, (2008), pp. S112-S120. |
Costa, M. , et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05, Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005). |
Didier Stevens, “Malicious PDF Documents Explained”, Security & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 9, No. 1, Jan. 1, 2011, pp. 80-82, XP011329453, ISSN: 1540-7993, DOI: 10.1109/MSP.2011.14. |
Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007). |
Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002). |
FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010. |
FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010. |
FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011. |
Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review, vol. 42 Issue 3, pp. 21-28. |
Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:http://www.informationweek.com/microsofts-honeymonkeys-show-patching-windows-works/d/d-id/1035069? [retrieved on Jun. 1, 2016]. |
Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase @ CMU, Carnegie Mellon University, 2007. |
Hiroshi Shinotsuka, Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems, Oct. 26, 2012, http://www.symantec.com/connect/blogs/, pp. 1-4. |
Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University. |
Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011. |
Kaeo, Merike , “Designing Network Security”, (“Kaeo”), (Nov. 2003). |
Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6. |
Khaled Salah et al: “Using Cloud Computing to Implement a Security Overlay Network”, Security & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 11, No. 1, Jan. 1, 2013 (Jan. 1, 2013). |
Kim, H. , et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286. |
King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”), (2003). |
Kreibich, C. , et al., “Honeycomb-Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003). |
Kristoff, J. , “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages. |
Lastline Labs, The Threat of Evasive Malware, Feb. 25, 2013, Lastline Labs, pp. 1-8. |
Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711. |
Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011. |
Marchette, David J., “Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint”, (“Marchette”), (2001). |
Moore, D. , et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910. |
Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34. |
Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg. |
Natvig, Kurt , “SANDBOXII: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002). |
NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987. |
Newsome, J. , et al., “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, in Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005). |
Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302. |
Oberheide et al., CloudAV.sub.—N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA. |
Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doorn, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Appraoch to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”). |
Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25. |
Singh, S. , et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004). |
Thomas H. Ptacek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998). |
Number | Date | Country | |
---|---|---|---|
62140963 | Mar 2015 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 15081775 | Mar 2016 | US |
Child | 16572537 | US |