Behavioral threat detection virtual machine
US-2023252141-A1 · Aug 10, 2023 · US
US12032691B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12032691-B2 |
| Application number | US-202318353491-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 17, 2023 |
| Priority date | Mar 27, 2019 |
| Publication date | Jul 9, 2024 |
| Grant date | Jul 9, 2024 |
Official abstract text for this publication.
Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
Opening claim text (preview).
What is claimed is:

1. A system comprising: a processor; and a non-transitory computer readable medium comprising instructions for: evaluating a rule in a rule data store to determine an event associated with the rule; generating, based on the evaluation of the rule, a hook for receiving an event indication associated with the event; detecting the event indication received based on the generated hook; identifying the rule associated with the detected event indication; generating an event packet for the detected event indication, the event packet comprising an identifier for the event and a parameter for the event; providing the generated event packet to a rule virtual machine executing the rule; and performing an action based on an evaluation of the event by the rule virtual machine.
2. The system of claim 1, wherein the generating the hook comprises altering an application programming interface (API) to intercept a call to the API.
3. The system of claim 1, wherein the generating the hook comprises registering an interrupt for the detecting of the event.
4. The system of claim 1, wherein the identifying the rule comprises generating a mapping that associates the rule with the event.
5. The system of claim 1, further comprising: detecting a second event indication from the hook, wherein the second event is associated with the rule; generating a second event packet for the second event; placing the event packet and the second event packet in an event queue of the virtual machine; determining that the rule matches the events in the event queue; and providing an indicator of malicious activity when the rule matches the events.
6. The system of claim 1, wherein the action comprises one or more of: providing an indication associated with the event, automatically mitigating a behavior associated with the event, or logging the event.
7. The system of claim 1, wherein evaluating the rule comprises an evaluation of a header associated with the rule.
8. A method, comprising: evaluating a rule in a rule data store to determine an event associated with the rule; generating, based on the evaluation of the rule, a hook for receiving an event indication associated with the event; detecting the event indication received based on the generated hook; identifying the rule associated with the detected event indication; generating an event packet for the detected event indication, the event packet comprising an identifier for the event and a parameter for the event; providing the generated event packet to a rule virtual machine executing the rule; and performing an action based on an evaluation of the event by the rule virtual machine.
9. The method of claim 8, wherein the generating the hook comprises altering an application programming interface (API) to intercept a call to the API.
10. The method of claim 8, wherein the generating the hook comprises registering an interrupt for the detecting of the event.
11. The method of claim 8, wherein the identifying the rule comprises generating a mapping that associates the rule with the event.
12. The method of claim 8, further comprising: detecting a second event indication from the hook, wherein the second event is associated with the rule; generating a second event packet for the second event; placing the event packet and the second event packet in an event queue of the virtual machine; determining that the rule matches the events in the event queue; and providing an indicator of malicious activity when the rule matches the events.
13. The method of claim 8, wherein the action comprises one or more of: providing an indication associated with the event, automatically mitigating a behavior associated with the event, or logging the event.
14. The method of claim 8, wherein evaluating the rule comprises an evaluation of a header associated with the rule.
15. A non-transitory computer readable medium, comprising instructions for: evaluating a rule in a rule data store to determine an event associated with the rule; generating, based on the evaluation of the rule, a hook for receiving an event indication associated with the event; detecting the event indication received based on the generated hook; identifying the rule associated with the detected event indication; generating an event packet for the detected event indication, the event packet comprising an identifier for the event and a parameter for the event; providing the generated event packet to a rule virtual machine executing the rule; and performing an action based on an evaluation of the event by the rule virtual machine.
16. The non-transitory computer readable medium of claim 15, wherein the generating the hook comprises altering an application programming interface (API) to intercept a call to the API.
17. The non-transitory computer readable medium of claim 15, wherein the generating the hook comprises registering an interrupt for the detecting of the event.
18. The non-transitory computer readable medium of claim 15, wherein the identifying the rule comprises generating a mapping that associates the rule with the event.
19. The non-transitory computer readable medium of claim 15, further comprising: detecting a second event indication from the hook, wherein the second event is associated with the rule; generating a second event packet for the second event; placing the event packet and the second event packet in an event queue of the virtual machine; determining that the rule matches the events in the event queue; and providing an indicator of malicious activity when the rule matches the events.
20. The non-transitory computer readable medium of claim 15, wherein the action comprises one or more of: providing an indication associated with the event, automatically mitigating a behavior associated with the event, or logging the event.
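The abstract and claims 1 through 7 describe one pipeline: evaluate each rule's header to learn which events it needs, install a hook (here, wrapping an API so calls to it are intercepted), turn each intercepted call into an event packet carrying an event identifier and parameters, place the packet in the queue of the virtual machine running the rule, and halt that virtual machine once the rule makes a determination. The following is an added example that models that pipeline in plain Python; it is not the patent's or any product's code. The rule (`write_then_execute`), the event names, the two stand-in system APIs and the bounded 16-event window are all constructed for illustration.

```python
"""Toy behavioral threat detection engine modelled on the claims above.

Added example, not the patent's code. Rule, event names and the simulated
APIs are constructed for illustration only.
"""
from __future__ import annotations

import functools
import inspect
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class EventPacket:
    """Event indication handed to a rule VM: an event identifier plus its parameters."""
    event_id: str
    params: dict


@dataclass(frozen=True)
class Rule:
    """A rule header (the events it needs) and a body that evaluates the VM's event queue.

    The body returns True (behavior present), False (behavior absent) or None
    (undetermined: keep the VM running and wait for more events)."""
    name: str
    header_events: frozenset
    body: Callable[[deque], Optional[bool]]


class RuleVM:
    """Runs one rule against its own event queue; halts once a determination is made."""

    def __init__(self, rule: Rule) -> None:
        self.rule = rule
        self.queue: deque = deque()
        self.halted = False
        self.result: Optional[bool] = None

    def feed(self, packet: EventPacket) -> None:
        if self.halted:            # a halted VM has already reported its determination
            return
        self.queue.append(packet)
        self.result = self.rule.body(self.queue)
        self.halted = self.result is not None


class Engine:
    """Installs hooks, builds event packets and dispatches them to subscribed rule VMs."""

    def __init__(self, rules: list) -> None:
        self.vms = {r.name: RuleVM(r) for r in rules}
        # Evaluate each rule header to build the event -> rules mapping (claims 4 and 7).
        self.subscriptions: dict = {}
        for rule in rules:
            for event_id in rule.header_events:
                self.subscriptions.setdefault(event_id, []).append(rule.name)
        self.log: list = []      # every event packet seen (the "logging the event" action)
        self.alerts: list = []   # rules that halted with a positive determination

    def hook(self, event_id: str, api: Callable) -> Callable:
        """Wrap an API so each call is intercepted and turned into an event packet (claim 2)."""
        sig = inspect.signature(api)

        @functools.wraps(api)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            self.dispatch(EventPacket(event_id, dict(bound.arguments)))
            return api(*args, **kwargs)   # the original call still proceeds

        return wrapper

    def dispatch(self, packet: EventPacket) -> None:
        """Queue the packet at every subscribed VM; alert when a VM halts with a match."""
        self.log.append(f"{packet.event_id} {packet.params}")
        for name in self.subscriptions.get(packet.event_id, []):
            vm = self.vms[name]
            was_halted = vm.halted
            vm.feed(packet)
            if not was_halted and vm.halted and vm.result:
                self.alerts.append(name)


def write_then_execute(queue: deque) -> Optional[bool]:
    """Constructed rule body: a process launched from a path this trace saw written to disk."""
    written = {p.params["path"] for p in queue if p.event_id == "file_write"}
    for p in queue:
        if p.event_id == "process_create" and p.params["path"] in written:
            return True
    return False if len(queue) >= 16 else None   # benign once the bounded window is exhausted


def sys_write_file(path: str, data: bytes) -> int:      # constructed stand-in for a file API
    return len(data)


def sys_create_process(path: str) -> int:               # constructed stand-in for a process API
    return 4242


def run_scenario(drop_then_run: bool) -> Engine:
    """Drive the engine through a constructed call sequence and return it for inspection."""
    rule = Rule("write_then_execute", frozenset({"file_write", "process_create"}), write_then_execute)
    engine = Engine([rule])
    write_file = engine.hook("file_write", sys_write_file)
    create_process = engine.hook("process_create", sys_create_process)
    write_file("/tmp/report.pdf", b"%PDF-1.7")
    if drop_then_run:
        write_file("/tmp/updater.bin", b"\x7fELF")
        create_process("/tmp/updater.bin")
    else:
        create_process("/usr/bin/less")
    return engine


if __name__ == "__main__":
    for flag in (True, False):
        e = run_scenario(flag)
        print(f"drop_then_run={flag}: alerts={e.alerts}, events={len(e.log)}")
```

The VM only ever sees packets for events named in its rule header, so adding a rule costs one mapping entry rather than a scan of every event; and because a VM halts on its first determination, the engine checks the halted flag transition rather than the result alone, which is what keeps a later event from raising the same alert twice.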
CPC titles:

- Creating, deleting, cloning virtual machine instances
- Computer malware detection or handling, e.g. anti-virus arrangements
- Test or assess a computer or a system
- Test or assess software
- Hypervisor-specific management and integration aspects