Behavioral threat detection virtual machine

US11657149B2 · US · B2

Patent metadata

Field               Value
Publication number  US-11657149-B2
Application number  US-202117345761-A
Country             US
Kind code           B2
Filing date         Jun 11, 2021
Priority date       Mar 27, 2019
Publication date    May 23, 2023
Grant date          May 23, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that cause the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.

Claims

Claim text as published (claims 1 to 18).

The invention claimed is:

1. A system comprising: a processor; and a non-transitory computer readable medium storing instructions for: identifying a rule virtual machine in a pending execution state, wherein the rule virtual machine is associated with a rule, an event queue, and a wait packet queue; determining whether an event packet of an event queue matches a wait packet of a wait packet queue, wherein the wait packet is associated with the rule virtual machine in the pending execution state and the rule virtual machine is associated with a rule, the event queue and the wait packet queue; when the event packet matches the wait packet, resuming execution of the rule virtual machine by processing at least one instruction of the rule; and halting execution of the rule virtual machine when a determination is made for the rule.

2. The system of claim 1, wherein the rule comprises a set of computer programming language instructions, and the at least one instruction of the rule is one of the set of computer programming language instructions.

3. The system of claim 1, wherein the rule virtual machine maintains a state for the rule.

4. The system of claim 3, wherein the state includes the at least one instruction of the rule.

5. The system of claim 1, wherein the rule virtual machine is associated with an application, process, thread, network connection or file.

6. The system of claim 5, wherein the event packet indicates a context of the application, process, thread, network connection or file.

7. A system, comprising: a processor; and a non-transitory computer readable medium storing instructions for: receiving a wait packet for a rule executing in a rule virtual machine, wherein the rule virtual machine is associated with an event queue and a wait packet queue; placing the wait packet in the wait packet queue associated with the rule virtual machine; placing the rule virtual machine in a waiting execution state; identifying that the rule virtual machine is in the waiting execution state, wherein the event queue comprises an event packet; determining whether the event packet matches for the wait packet; when it is determined that the event packet matches the wait packet, resuming execution of the rule virtual machine; and halting execution of the rule virtual machine when a determination is made for the rule.

8. The system of claim 7, wherein the event packet is generated by a behavioral threat detection engine and comprises information relating to an event that occurred, and wherein the virtual machine is placed in the waiting execution state by the behavioral threat detection engine.

9. The system of claim 8, wherein determining whether the at least one event packet matches the wait packet comprises evaluating an event type associated with the event and at least one event parameter associated with the event.

10. The system of claim 9, wherein resuming execution of the rule virtual machine comprises executing an instruction of the rule virtual machine for evaluating a value associated with the event parameter.

11. The system of claim 10, wherein resuming execution of the virtual machine comprises selecting a thread from a thread pool with which to execute the instruction of the rule.

12. The system of claim 7, wherein the determination is one of: a positive match indicating a presence of a potential threat; a negative match indicating an absence of the potential threat; and an uncertain match indicating a candidate for additional analysis.

13. A non-transitory computer readable medium, comprising instructions for: identifying a rule virtual machine in a pending execution state, wherein the rule virtual machine is associated with a rule, an event queue, and a wait packet queue; determining whether an event packet of an event queue matches a wait packet of a wait packet queue, wherein the wait packet is associated with the rule virtual machine in the pending execution state and the rule virtual machine is associated with a rule, the event queue and the wait packet queue; when the event packet matches the wait packet, resuming execution of the rule virtual machine by processing at least one instruction of the rule; and halting execution of the rule virtual machine when a determination is made for the rule.

14. The non-transitory computer readable medium of claim 13, wherein the rule comprises a set of computer programming language instructions, and the at least one instruction of the rule is one of the set of computer programming language instructions.

15. The non-transitory computer readable medium of claim 13, wherein the rule virtual machine maintains a state for the rule.

16. The non-transitory computer readable medium of claim 15, wherein the state includes the at least one instruction of the rule.

17. The non-transitory computer readable medium of claim 13, wherein the rule virtual machine is associated with an application, process, thread, network connection or file.

18. The non-transitory computer readable medium of claim 17, wherein the event packet indicates a context of the application, process, thread, network connection or file.
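The claims describe a small execution model: a rule virtual machine bound to a context (for example a process) that runs rule instructions, pauses on a wait instruction by queuing a wait packet, is resumed by a detection engine when an event packet in its event queue matches that wait packet on event type and parameters, and halts once the rule reaches a positive, negative or uncertain determination. The following Python toy model is an added illustration of that model; it is not code from the patent or from Webroot. The three-opcode rule language (WAIT, CHECK, DETERMINE), the `pid` context key used to route events, the `drop_and_spawn` rule and the scenario events are all constructed assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    RUNNING = "running"
    WAITING = "waiting"   # paused on WAIT; a wait packet sits in the wait queue
    HALTED = "halted"     # a determination has been made


class Determination(Enum):
    POSITIVE = "positive"    # presence of a potential threat
    NEGATIVE = "negative"    # absence of the potential threat
    UNCERTAIN = "uncertain"  # candidate for additional analysis


@dataclass
class EventPacket:
    event_type: str
    params: dict  # includes "pid", the context the event belongs to (assumption)


@dataclass
class WaitPacket:
    event_type: str
    params: dict  # every listed parameter must be present in the event with equal value


def matches(event: EventPacket, wait: WaitPacket) -> bool:
    """Match on event type plus the wait packet's parameters (cf. claim 9)."""
    return event.event_type == wait.event_type and all(
        event.params.get(k) == v for k, v in wait.params.items())


class RuleVM:
    """One rule, one context, its own event queue and wait packet queue."""

    def __init__(self, rule: list, context: dict):
        self.rule, self.context = rule, context
        self.pc = 0                       # index of the next instruction (the VM's state)
        self.state = State.RUNNING
        self.event_queue: deque = deque()
        self.wait_queue: deque = deque()
        self.last_event: Optional[EventPacket] = None
        self.determination: Optional[Determination] = None
        self.execute()                    # run up to the first WAIT or determination

    def halt(self, d: Determination) -> None:
        self.determination, self.state = d, State.HALTED

    def execute(self) -> None:
        """Process instructions until the rule pauses on WAIT or halts."""
        while self.state is State.RUNNING:
            if self.pc >= len(self.rule):
                self.halt(Determination.UNCERTAIN)   # rule ended without deciding
                break
            op, *args = self.rule[self.pc]
            self.pc += 1
            if op == "WAIT":                          # ("WAIT", event_type, params)
                self.wait_queue.append(WaitPacket(args[0], args[1]))
                self.state = State.WAITING
            elif op == "CHECK":                       # ("CHECK", predicate on matched event)
                if not args[0](self.last_event):
                    self.halt(Determination.NEGATIVE)
            elif op == "DETERMINE":                   # ("DETERMINE", Determination)
                self.halt(args[0])
            else:
                raise ValueError(f"unknown instruction {op!r}")

    def pending(self) -> bool:
        return self.state is State.WAITING and bool(self.event_queue)

    def resume_if_match(self) -> None:
        """Drain queued events; the first one matching the wait packet resumes the rule."""
        wait = self.wait_queue[0]
        while self.event_queue:
            event = self.event_queue.popleft()
            if matches(event, wait):
                self.wait_queue.popleft()
                self.last_event = event
                self.state = State.RUNNING
                self.execute()
                return


class Engine:
    """Routes events to VMs bound to the same context and services pending VMs."""

    def __init__(self):
        self.vms: list = []

    def spawn(self, rule: list, context: dict) -> RuleVM:
        vm = RuleVM(rule, context)
        self.vms.append(vm)
        return vm

    def dispatch(self, event: EventPacket) -> None:
        for vm in self.vms:
            if vm.state is State.WAITING and event.params.get("pid") == vm.context["pid"]:
                vm.event_queue.append(event)
        for vm in self.vms:
            while vm.pending():
                vm.resume_if_match()


# Constructed rule: a process writes an executable into a temp directory and then
# creates a child process.  Wait packets match on type and, for the write, on "dir".
drop_and_spawn = [
    ("WAIT", "file_write", {"dir": "temp"}),
    ("CHECK", lambda ev: ev.params["path"].lower().endswith(".exe")),
    ("WAIT", "process_create", {}),
    ("DETERMINE", Determination.POSITIVE),
]


def run_scenario(events: list) -> tuple:
    """Bind the rule to pid 4242, feed events, return (state, determination)."""
    engine = Engine()
    vm = engine.spawn(drop_and_spawn, {"pid": 4242})
    for ev in events:
        engine.dispatch(ev)
    return vm.state, vm.determination


# Constructed event streams for three outcomes.
SCENARIO_POSITIVE = [
    EventPacket("file_write", {"pid": 4242, "dir": "home", "path": "a.exe"}),     # dir mismatch, dropped
    EventPacket("file_write", {"pid": 4242, "dir": "temp", "path": "Drop.EXE"}),  # matches, CHECK passes
    EventPacket("process_create", {"pid": 1, "child_pid": 77}),                   # other context, not routed
    EventPacket("process_create", {"pid": 4242, "child_pid": 4300}),              # matches -> POSITIVE
]
SCENARIO_NEGATIVE = [EventPacket("file_write", {"pid": 4242, "dir": "temp", "path": "notes.txt"})]
SCENARIO_INCOMPLETE = [EventPacket("file_write", {"pid": 4242, "dir": "temp", "path": "x.exe"})]

if __name__ == "__main__":
    for name, events in [("positive", SCENARIO_POSITIVE), ("negative", SCENARIO_NEGATIVE),
                         ("incomplete", SCENARIO_INCOMPLETE)]:
        print(name, run_scenario(events))
```

The VM keeps its own program counter and the last matched event, which is the per-rule state claims 3 and 4 refer to; an event that reaches a waiting VM but does not match its wait packet is simply consumed, so the third scenario stays in the waiting state with no determination until a matching event arrives.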

Assignees

Webroot Inc

Inventors

Classifications

  • G06F21/554 (Primary)

    involving event detection and direct action · CPC title

  • G06F21/566 (Primary)

    Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • Isolation or security of virtual machine instances · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Webroot Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date May 23, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).