Derbeko et al.

(10) Patent No.: US 10,536,471 B1
(45) Date of Patent: Jan. 14, 2020

(54) MALWARE DETECTION IN VIRTUAL MACHINES

(71) Applicant: EMC IP Holding Company LLC, Hopkinton, MA (US)

(72) Inventors: Philip Derbeko, Modiin (IL); Shai Kappel, Bnaya (IL); Uriya Stern, Lehavim (IL); Maya Bakshi, Beer Sheva (IL); Yaniv Harel, Neve-Monosson (IL)

(73) Assignee: EMC IP Holding Company LLC, Hopkinton, MA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 139 days.

(21) Appl. No.: 15/086,979

(22) Filed: Mar. 31, 2016

(51) Int. Cl.
    G06F 12/14 (2006.01)
    H04L 29/06 (2006.01)
    G06F 9/455 (2018.01)

(52) U.S. Cl.
    CPC: H04L 63/1425 (2013.01); G06F 9/45558 (2013.01); H04L 63/145 (2013.01); H04L 63/1416 (2013.01); G06F 2009/45587 (2013.01)

(58) Field of Classification Search
    CPC: G06F 2009/45587; G06F 2009/45595; G06F 21/552; G06F 21/56; G06F 21/566; G06F 21/567; G06F 2201/815; G06F 9/45533; G06F 2009/45591; G06F 2201/84; H04L 63/1416; H04L 63/20; H04L 63/1425
    USPC: 726/1, 22-24
    See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

     6,775,780 B1 *   8/2004   Muttik ............ G06F 21/53; 713/165
     8,056,134 B1 *  11/2011   Ogilvie ........... G06F 21/566; 713/187
     8,151,263 B1 *   4/2012   Venkitachalam ..... G06F 9/485; 711/162
     8,726,083 B1 *   5/2014   van der Goot ...... G06F 11/1438; 714/15
     8,904,525 B1 *  12/2014   Hodgman ........... G06F 21/562; 726/22
     8,949,829 B1 *   2/2015   Xing .............. G06F 11/1469; 718/1
     9,230,100 B2 *   1/2016   Wang .............. G06F 21/53
     9,400,886 B1 *   7/2016   Beloussov ......... G06F 21/566
     9,690,936 B1 *   6/2017   Malik ............. G06F 21/562
     9,740,577 B1 *   8/2017   Chakraborty ....... G06F 11/1469
    10,048,890 B1 *   8/2018   Samad ............. G06F 3/0619
    (Continued)

FOREIGN PATENT DOCUMENTS

    CN   105068856 A   * 11/2015   ............ G06F 21/53
    EP   3241140 A1    * 11/2017

Primary Examiner: Jason K Gee
Assistant Examiner: Lizbeth Torres-Diaz
(74) Attorney, Agent, or Firm: Ryan, Mason & Lewis, LLP

(57) ABSTRACT

A system, computer program product, and computer-executable method of detecting malware in a virtual machine (VM), the computer-executable method comprising periodically creating snapshots of the VM, analyzing each of the snapshots in comparison to one or more previous snapshots to determine whether anomalies exist, and based on a threshold amount of anomalies detected, scanning the VM to determine whether malware is detected.

20 Claims, 10 Drawing Sheets
`
[Representative drawing (FIG. 6), flowchart: Create a test VM (600) -> Take an initial snapshot of the test VM (610) -> Infect the test VM with a first type of malware (620) -> Run the test VM (630) -> Periodically take snapshots of the test VM (640) -> Analyze each of the snapshots to create a malware profile (650).]
`
`WIZ, Inc. EXHIBIT - 1072
`WIZ, Inc. v. Orca Security LTD.
`
`
`
Page 2

(56) References Cited (continued)

U.S. PATENT DOCUMENTS

    2007/0240222 A1 *  10/2007   Tuvell ............ G06F 21/56; 726/24
    2009/0158432 A1 *   6/2009   Zheng ............. G06F 21/562; 726/24
    2016/0321455 A1 *  11/2016   Deng .............. G06F 21/577
    2017/0034198 A1 *   2/2017   Powers ............ G06F 21/552
    2019/0235973 A1 *   8/2019   Brewer ............ G06F 11/1469

* cited by examiner
`
`
`
[FIG. 1, Sheet 1 of 10: simplified illustration of data storage system 100. Users 135A, 135B and 135C each access a VM (140A, 140B, 140C) hosted by Hypervisor 110 on Data Storage System 105, which further comprises Fast Data Storage 115, Data Management 120 and Data Storage Array 125.]
`
`
`
[FIG. 2, Sheet 2 of 10: Hypervisor 215 runs on Physical Infrastructure 217 and hosts Virtual Machines 205-1, 205-2 ... 205-N, each running APPS 210-1, 210-2 ... 210-N.]
`
`
`
[FIG. 3A, Sheet 3 of 10: system 300. User 365 accesses VM 335 on Data Storage System 305, which comprises Hypervisor 310, Malware Detection Module 315, Fast Data Storage 320, Data Management 325 and Data Storage Array 330.]
`
`
`
[FIG. 3B, Sheet 4 of 10: the system 300 of FIG. 3A, with Malware Detection Module 315 holding Snapshots 345-1, 345-2 ... 345-N of VM 335 and performing Scan 340.]
`
[FIG. 3C, Sheet 5 of 10: the system 300 of FIG. 3B, additionally showing Snapshot 360, Deep Scan 350 and Malware Profiles 355 used by Malware Detection Module 315, alongside Scan 340 of VM 335.]
`
[FIG. 4, Sheet 6 of 10, flowchart: Periodically create snapshots of a VM (400) -> Analyze each snapshot in comparison to a previous snapshot (410) -> If threshold amount of anomalies detected, scan VM (420).]
`
`
`
[FIG. 5, Sheet 7 of 10: system 500. VM 535, infected with Malware 560, runs on Data Storage System 505 (Hypervisor 510, Malware Detection Module 515, Fast Data Storage 520, Data Management 525, Data Storage Array 530). Malware Detection Module 515 takes Snapshots 545-1, 545-2 ... 545-N of VM 535 and runs Profile Creation 540 to produce Malware Profiles 555.]
`
`
[FIG. 6, Sheet 8 of 10, flowchart: Create a test VM (600) -> Take an initial snapshot of the test VM (610) -> Infect the test VM with a first type of malware (620) -> Run the test VM (630) -> Periodically take snapshots of the test VM (640) -> Analyze each of the snapshots to create a malware profile (650).]
`
`
`
[FIG. 7, Sheet 9 of 10: apparatus 700 comprising Sources 701, I/O 702, Proc 703, Mem 704 and Prog Logic 705, connected to a Display, a Report Device, Magnetic and Optic I/O devices and memory media, and a 2nd Proc. System 795; further reference numerals 710, 725, 750, 780, 783, 785, 787, 789 and 790.]
`
`
`
`
[FIG. 8, Sheet 10 of 10: computer readable storage medium 800 carrying Program Logic 855; further reference numeral 860.]
`
`
`
MALWARE DETECTION IN VIRTUAL MACHINES

A portion of the disclosure of this patent document may contain command formats and other computer language listings, all of which are subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

TECHNICAL FIELD

This invention relates to data storage.

BACKGROUND

Computer systems are constantly improving in terms of speed, reliability, and processing capability. As is known in the art, computer systems which process and store large amounts of data typically include one or more processors in communication with a shared data storage system in which the data is stored. The data storage system may include one or more storage devices, usually of a fairly robust nature and useful for storage spanning various temporal requirements, e.g., disk drives. The one or more processors perform their respective operations using the storage system. Mass storage systems (MSS) typically include an array of a plurality of disks with on-board intelligent and communications electronics and software for making the data on the disks available.

Companies that sell data storage systems are very concerned with providing customers with an efficient data storage solution that minimizes cost while meeting customer data storage needs. It would be beneficial for such companies to have a way of reducing the complexity of implementing data storage.

SUMMARY

A system, computer program product, and computer-executable method of detecting malware in a virtual machine (VM), the computer-executable method comprising periodically creating snapshots of the VM, analyzing each of the snapshots in comparison to one or more previous snapshots to determine whether anomalies exist, and based on a threshold amount of anomalies detected, scanning the VM to determine whether malware is detected.

BRIEF DESCRIPTION OF THE DRAWINGS

Objects, features, and advantages of embodiments disclosed herein may be better understood by referring to the following description in conjunction with the accompanying drawings. The drawings are not meant to limit the scope of the claims included herewith. For clarity, not every element may be labeled in every figure. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments, principles, and concepts. Thus, features and advantages of the present disclosure will become more apparent from the following detailed description of exemplary embodiments thereof taken in conjunction with the accompanying drawings in which:

FIG. 1 is a simplified illustration of a data storage system providing virtualization technology resources to users, in accordance with an embodiment of the present disclosure;

FIG. 2 is a simplified illustration of a hypervisor interacting with physical infrastructure and virtual machines, in accordance with an embodiment of the present disclosure;

FIGS. 3A-3C are simplified illustrations of state diagrams of a data storage system protected by a malware detection module, in accordance with an embodiment of the present disclosure;

FIG. 4 is a simplified flowchart of a method of detecting malware in a system shown in FIG. 3C, in accordance with an embodiment of the present disclosure;

FIG. 5 is a simplified illustration of a system creating malware profiles, in accordance with an embodiment of the present disclosure;

FIG. 6 is a simplified flowchart of a method of creating malware profiles using the system shown in FIG. 5, in accordance with an embodiment of the present disclosure;

FIG. 7 is an example of an embodiment of an apparatus that may utilize the techniques described herein, in accordance with an embodiment of the present disclosure; and

FIG. 8 is an example of a method embodied on a computer readable storage medium that may utilize the techniques described herein, in accordance with an embodiment of the present disclosure.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

Typically, recent advances in virtualization technologies have sped up their integration into daily life for both business and personal use. Generally, virtualization technologies enable users to have powerful computing resources available whenever and wherever they want. Traditionally, malicious code and/or malware have been isolated to a single user's account and/or computer. However, recently, as virtualization technologies are starting to become ubiquitous, the mobility that virtualization technologies provide also increases the exposure to malware. Traditionally, data storage and service providers have limited tools and/or resources available when detecting malware. Conventionally, improvements to malware detection would be beneficial to the data storage industry.

Traditionally, detecting and/or tracking malware is very difficult as malware is constantly changing. Typically, current malware defense mechanisms are based on signature recognition that is often one step behind the latest versions of malware. Conventionally, agents running on VMs are often useless, as malware has evolved to determine whether detection agents exist and to bypass the agents while they are running their scans. Generally, detection agents running on a VM also become problematic as they affect the VM and are affected by the VM. Specifically, agents inside a protected machine expand the attack surface. Agents inside a protected machine affect the performance of the VM they are attempting to protect through the scanning and checking of all incoming and outgoing bytes, whether by network, storage, or web browsing. Generally, deployment of agents on VMs is also problematic as the number of VMs to be protected grows exponentially over time, which makes installation and upgrades in these environments extremely challenging.

In many embodiments, the current disclosure may enable detection of malware within data centers. In various embodiments, the current disclosure may enable a user and/or administrator to detect malware within virtual machines (VMs) provided from data storage systems and/or data centers. In certain embodiments, the current disclosure may
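The detection loop that the summary and FIG. 4 describe (periodic snapshots, comparison of each snapshot with the previous one, a threshold on the anomalies found, and a scan only when the threshold is met), as an added example in Python. This is illustration code written for this page, not code from the patent or from EMC; the Snapshot and Delta types, the artifact categories chosen (processes, listening ports, connections, hooked library entry points), the per-VM baseline, the threshold values and the sample snapshots are all constructed assumptions.

```python
"""Agentless snapshot-diff detection loop (constructed example, not the patent's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Artifacts a forensic tool would extract from one out-of-guest VM snapshot (assumed layout)."""
    seq: int                  # snapshot sequence number (time order)
    processes: frozenset      # process names found in guest memory
    listen_ports: frozenset   # TCP ports in LISTEN state
    connections: frozenset    # (remote_ip, remote_port) of established sockets
    hooked_apis: frozenset    # library entry points whose target lies outside their module


@dataclass(frozen=True)
class Delta:
    """What appeared between two consecutive snapshots."""
    new_processes: frozenset
    new_ports: frozenset
    new_connections: frozenset
    new_hooks: frozenset


# Assumed per-VM baseline supplied by the administrator (not taken from the patent).
EXPECTED_PROCESSES = frozenset({"init", "sshd", "nginx", "postgres"})
EXPECTED_LISTEN_PORTS = frozenset({22, 80, 443, 5432})
EXPECTED_REMOTE_PORTS = frozenset({53, 443})


def delta(prev: Snapshot, cur: Snapshot) -> Delta:
    """Reduce a snapshot to its delta from the previous one (plain set differences)."""
    return Delta(
        new_processes=cur.processes - prev.processes,
        new_ports=cur.listen_ports - prev.listen_ports,
        new_connections=cur.connections - prev.connections,
        new_hooks=cur.hooked_apis - prev.hooked_apis,
    )


def count_indicators(d: Delta) -> int:
    """Number of malware indicators in one delta.

    Unrecognized processes, unexpected listening ports and connections to
    unexpected remote ports each count once. A hooked API always counts:
    a legitimate update does not redirect a library entry point.
    """
    return (len(d.new_processes - EXPECTED_PROCESSES)
            + len(d.new_ports - EXPECTED_LISTEN_PORTS)
            + sum(1 for _ip, port in d.new_connections if port not in EXPECTED_REMOTE_PORTS)
            + len(d.new_hooks))


def should_scan(counts, per_snapshot_threshold: int, cumulative_threshold: int) -> bool:
    """Threshold check in both forms: a single delta alone, or the VM's whole
    snapshot set taken together, reaches the administrator-set limit."""
    return (any(c >= per_snapshot_threshold for c in counts)
            or sum(counts) >= cumulative_threshold)


def analyze_vm(snapshots, per_snapshot_threshold=3, cumulative_threshold=5):
    """FIG. 4 loop: compare each snapshot to the previous one, then decide
    whether the VM gets a full scan. Returns (indicator counts, scan flag)."""
    ordered = sorted(snapshots, key=lambda s: s.seq)
    counts = [count_indicators(delta(a, b)) for a, b in zip(ordered, ordered[1:])]
    return counts, should_scan(counts, per_snapshot_threshold, cumulative_threshold)


# Constructed sample: three snapshots of a web-server VM. Between seq 1 and 2
# an unrecognized process appears, opens a listener, connects out on an
# unusual port and hooks libc's readdir (the LD_PRELOAD rootkit pattern).
SAMPLE = [
    Snapshot(0, EXPECTED_PROCESSES, EXPECTED_LISTEN_PORTS, frozenset(), frozenset()),
    Snapshot(1, EXPECTED_PROCESSES, EXPECTED_LISTEN_PORTS,
             frozenset({("203.0.113.7", 443)}), frozenset()),
    Snapshot(2, EXPECTED_PROCESSES | {"kworkerd"}, EXPECTED_LISTEN_PORTS | {4444},
             frozenset({("203.0.113.7", 443), ("198.51.100.23", 4444)}),
             frozenset({"libc.so.6!readdir"})),
]

if __name__ == "__main__":
    counts, scan = analyze_vm(SAMPLE)
    print("indicators per delta:", counts, "-> scan VM:", scan)
```

The snapshot from seq 0 to seq 1 only adds an HTTPS connection and scores zero; the delta from seq 1 to seq 2 scores four, so the VM is scanned. The baseline must be per VM: a single global allow-list makes every database or mail VM look anomalous, and the cumulative threshold is what catches malware that stages itself slowly across several snapshots.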
`
`
`
facilitate detection of malware within data centers and/or data storage systems through performing automatic, periodic and/or pro-active forensic analysis of data center resources. In most embodiments, the current disclosure may enable agentless detection of malware within data centers and/or data storage systems. In some embodiments, data centers and/or data storage systems may provide virtualization services such as, but not limited to, virtual machines (VMs).

In various embodiments, the current disclosure may enable detection of malware in virtualization technology, such as virtual machines in private, hybrid, and/or public clouds. In certain embodiments, the current disclosure may enable analysis and/or detection of malware without exposing other computers, VMs, detection tools and/or the mechanism itself to the potentially malware-infected virtual machines. In some embodiments, the current disclosure may enable detection of previously unknown malware variants, which may include malware having no persistence mechanism, such as, but not limited to, malware running only in volatile memory. In most embodiments, the current disclosure may enable a user and/or admin to "look" at a set of resources from outside the set of resources. In various embodiments, the current disclosure may enable a user and/or administrator to identify suspicious changes to resources without creating more exposure to the possibly malicious code and/or malware.

In many embodiments, the current disclosure may enable a user and/or administrator to protect their data centers through a number of stages. In various embodiments, the stages may include a preparation stage, a deployment stage, and a learning stage. In most embodiments, a preparation stage may enable a user and/or administrator to conduct analysis and prepare detection tools for a specified set of virtualization technologies and for specific types of malware and/or malicious code. In various embodiments, during a preparation stage of malware detection for virtualization technologies, a data storage system may take a large number of snapshots of virtual machines, both infected and not infected with malware. Each of the large number of snapshots may be analyzed, and the differences between each consecutive pair of snapshots may be fed into a malware detection module.

In certain embodiments, a malware detection module may be enabled to utilize a learning algorithm which may be able to detect differences between infected and non-infected virtualization technologies. In most embodiments, a malware detection module may create a model of changes detected within snapshots of

... storage system. Upon deployment, a malware detection module may be enabled to take periodic snapshots of Virtual Machines (VMs) and may be enabled to analyze the snapshots in comparison to the malware detection module's internal malware models. Snapshots of VMs may be reduced to deltas or considered as-is and fed into the malware detection module's model. In most embodiments, if changes within a snapshot (or its delta from a previous snapshot) appear to be benign, then the malware detection module may continue to another VM. In some embodiments, if a snapshot (or its delta from a previous snapshot) appears to be suspicious, a security operator may be alerted and the snapshot may be further processed. In certain embodiments, suspicious snapshots may be analyzed using forensic analysis methods. In various embodiments, a malware detection module may determine whether a snapshot is suspicious based on whether a threshold is met. In some embodiments, a threshold may be met if a user- and/or administrator-set number of errors and/or malware indicators are found within one or more snapshots. In other embodiments, the errors and/or malware indicators found across a set of snapshots of a single VM may together exceed a threshold.

In most embodiments, an administrator and/or user may utilize the malware detection module to further investigate and/or catalog differences to determine whether information relating to the suspicious snapshot should be included in the malware detection module's model of malware behavior. In many embodiments, a malware detection module may be enabled to analyze different aspects of a VM through analyzing a snapshot of the VM. In various embodiments, a malware detection module may search for malware code in memory, unrecognized processes, unexpected open network ports, unexpected network connections, API hooks that may have been hijacked, as well as other suspicious behavior.

In various embodiments, analyzing snapshots of VMs, instead of the VMs while running, may enable isolation of a detecting module from the malware itself. Further, in some embodiments, analyzing snapshots may enable a detecting module to analyze VM memory, which may be valuable as malware has to run in memory and thus has to leave traces and clues in memory. In these embodiments, since a snapshot is taken outside of a VM, malware may not be able to eliminate evidence and/or bypass the check. Thus, a detecting module may be enabled to identify highly advanced or previously unseen malware, even where that malware eliminates evidence or attempts to bypass the check. In many embodiments, as a snapshot may be taken without stopping a virtual machine,
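The preparation stage of FIG. 6 and the deployment-stage matching against the module's internal malware models, as one added example in Python. This is illustration code written for this page, not code from the patent or from EMC. It assumes a snapshot already reduced to three artifact sets (processes, listening ports, hooked library entry points), and the helper names (snap, appeared, run_indicators, build_profile, match_profile), the min_support rule and the test-VM runs are constructed for the example; the "learning algorithm" in the patent is unspecified, and the frequency-with-clean-exclusion rule used here stands in for it.

```python
"""Preparation stage: learn a malware profile from infected and clean test-VM
runs, then match a deployed VM's delta against it (constructed example)."""
from collections import Counter


def snap(processes, ports, hooks=()):
    """A snapshot reduced to three artifact sets (assumed representation)."""
    return {"processes": set(processes), "ports": set(ports), "hooks": set(hooks)}


def appeared(prev, cur):
    """Tagged indicators that appeared between two consecutive snapshots."""
    return {(kind, value) for kind in ("processes", "ports", "hooks")
            for value in cur[kind] - prev[kind]}


def run_indicators(run):
    """Union of everything that appeared over one test run
    (FIG. 6, steps 640-650: periodic snapshots, then per-pair analysis)."""
    found = set()
    for prev, cur in zip(run, run[1:]):
        found |= appeared(prev, cur)
    return found


def build_profile(infected_runs, clean_runs, min_support=2):
    """Malware profile: indicators that recur in at least min_support infected
    runs and never appear in a clean run, so benign churn is excluded."""
    support = Counter()
    for run in infected_runs:
        support.update(run_indicators(run))
    benign = set()
    for run in clean_runs:
        benign |= run_indicators(run)
    return frozenset(ind for ind, n in support.items()
                     if n >= min_support and ind not in benign)


def match_profile(profile, prev, cur):
    """Deployment stage: which profile indicators appear in a deployed VM's delta."""
    return appeared(prev, cur) & profile


# Constructed test-VM runs. Two runs infected with the same malware family
# (each run: initial snapshot 610, then periodic snapshots 640) and one clean
# run in which a scheduled job starts logrotate and a service opens port 8080.
BASE_PROCS = {"init", "sshd", "nginx"}
BASE_PORTS = {22, 80}

INFECTED_RUNS = [
    [snap(BASE_PROCS, BASE_PORTS),
     snap(BASE_PROCS | {"kworkerd"}, BASE_PORTS | {4444}),
     snap(BASE_PROCS | {"kworkerd", "tmpfile"}, BASE_PORTS | {4444}, {"libc.so.6!readdir"})],
    [snap(BASE_PROCS, BASE_PORTS),
     snap(BASE_PROCS | {"kworkerd"}, BASE_PORTS | {4444, 8080}, {"libc.so.6!readdir"})],
]
CLEAN_RUNS = [
    [snap(BASE_PROCS, BASE_PORTS),
     snap(BASE_PROCS | {"logrotate"}, BASE_PORTS | {8080})],
]

PROFILE = build_profile(INFECTED_RUNS, CLEAN_RUNS)

if __name__ == "__main__":
    print("profile:", sorted(PROFILE))
    hits = match_profile(PROFILE, snap(BASE_PROCS, BASE_PORTS),
                         snap(BASE_PROCS | {"kworkerd"}, BASE_PORTS | {4444}))
    print("deployed VM delta matches:", sorted(hits))
```

The one-off "tmpfile" process is dropped for lack of support and port 8080 is dropped because a clean run opened it too, leaving the recurring process, listener and readdir hook as the profile. Requiring clean runs from the same VM image is the important check: without them, ordinary maintenance activity ends up in the model and every patch window raises alerts.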