Behavior-based VM resource capture for forensics

US12182604B2 · US · B2

Patent metadata
Publication number: US-12182604-B2
Application number: US-202218048532-A
Country: US
Kind code: B2
Filing date: Oct 21, 2022
Priority date: Aug 16, 2019
Publication date: Dec 31, 2024
Grant date: Dec 31, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method executed by data processing hardware that causes the data processing hardware to perform operations comprising: monitoring, using a standard level of auditing, one or more processes of a virtual machine; based on monitoring the one or more processes, detecting aberrant behavior indicating that an attack against the virtual machine is imminent; in response to detecting the aberrant behavior indicating that the attack is imminent, monitoring, using a heightened level of auditing, the one or more processes of the virtual machine, the heightened level of auditing generating log data representative of memory accesses performed by the virtual machine; notifying a user of the virtual machine that the imminent attack is detected; during the attack against the virtual machine, maintaining the monitoring of the one or more processes of the virtual machine using the heightened level of auditing; determining that the attack against the virtual machine has concluded; and in response to determining that the attack against the virtual machine has concluded: recording a snapshot of a state of the virtual machine; reconstructing, using the log data and the snapshot, a state of the virtual machine at a point in time during the attack against the virtual machine; and monitoring, using the standard level of auditing, the one or more processes of the virtual machine.

2. The method of claim 1, wherein the operations further comprise, in response to detecting the aberrant behavior indicating that the attack is imminent, recording a snapshot of the state of the virtual machine.

3. The method of claim 1, wherein recording a snapshot of the state of the virtual machine comprises recording a volatile-memory state of a volatile-memory used by the virtual machine.

4. The method of claim 3, wherein recording the snapshot of the volatile-memory state comprises executing a live migration of the volatile-memory.

5. The method of claim 1, wherein recording a snapshot of the state of the virtual machine comprises recording a non-volatile memory state of non-volatile memory used by the virtual machine.

6. The method of claim 1, wherein the log data is representative of volatile and non-volatile memory accesses performed by the virtual machine.

7. The method of claim 6, wherein the log data comprises a list of all commands executed by the virtual machine during the heightened level of auditing.

8. The method of claim 1, wherein detecting the aberrant behavior comprises receiving an indication of compromise from an intrusion detection system executing on the data processing hardware.

9. The method of claim 8, wherein the intrusion detection system executes in a first hierarchical protection domain and software resources within a user space of the virtual machine executes in a second hierarchical protection domain.

10. The method of claim 9, wherein the first hierarchical protection domain has more privileges than the second hierarchical protection domain.

11. A system comprising: data processing hardware; and memory hardware in communication with the data processing hardware, the memory hardware storing instructions that when executed on the data processing hardware cause the data processing hardware to perform operations comprising: monitoring, using a standard level of auditing, one or more processes of a virtual machine; based on monitoring the one or more processes, detecting aberrant behavior indicating that an attack against the virtual machine is imminent; in response to detecting the aberrant behavior indicating that the attack is imminent, monitoring, using a heightened level of auditing, the one or more processes of the virtual machine, the heightened level of auditing generating log data representative of memory accesses performed by the virtual machine; notifying a user of the virtual machine that the imminent attack is detected; during the attack against the virtual machine, maintaining the monitoring of the one or more processes of the virtual machine using the heightened level of auditing; determining that the attack against the virtual machine has concluded; and in response to determining that the attack against the virtual machine has concluded: recording a snapshot of a state of the virtual machine; and reconstructing, using the log data and the snapshot, a state of the virtual machine at a point in time during the attack against the virtual machine; and monitoring, using the standard level of auditing, the one or more processes of the virtual machine.

12. The system of claim 11, wherein the operations further comprise, in response to detecting the aberrant behavior indicating that the attack is imminent, recording a snapshot of the state of the virtual machine.

13. The system of claim 11, wherein recording a snapshot of the state of the virtual machine comprises recording a volatile-memory state of a volatile-memory used by the virtual machine.

14. The system of claim 13, wherein recording the snapshot of the volatile-memory state comprises executing a live migration of the volatile-memory.

15. The system of claim 11, wherein recording a snapshot of the state of the virtual machine comprises recording a non-volatile memory state of non-volatile memory used by the virtual machine.

16. The system of claim 11, wherein the log data is representative of volatile and non-volatile memory accesses performed by the virtual machine.

17. The system of claim 16, wherein the log data comprises a list of all commands executed by the virtual machine during the heightened level of auditing.

18. The system of claim 11, wherein detecting the aberrant behavior comprises receiving an indication of compromise from an intrusion detection system executing on the data processing hardware.

19. The system of claim 18, wherein the intrusion detection system executes in a first hierarchical protection domain and software resources within a user space of the virtual machine executes in a second hierarchical protection domain.

20. The system of claim 19, wherein the first hierarchical protection domain has more privileges than the second hierarchical protection domain.
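The abstract and claims describe one procedure: audit at a standard level, escalate to heightened auditing and notify the user when an indication of compromise arrives, optionally snapshot at that moment (claim 2), keep heightened auditing through the attack, snapshot again when the attack concludes, and use the log plus a snapshot to reconstruct the VM's state at a chosen point during the attack. The following is an added toy model of that procedure written for this page; it is not code from the patent or its assignee. It assumes a simplified memory (a dict of address to value), assumes that heightened auditing records each write with its old and new values, and uses invented class and method names (ForensicMonitor, observe_write, and so on). It reconstructs the mid-attack state both backwards from the post-attack snapshot (claim 1) and forwards from the pre-attack snapshot (claim 2), and checks that the two agree.

```python
"""Toy model of escalated auditing and point-in-time state reconstruction.
Added illustration for this page, not the patent holder's implementation;
the memory model, log format and all names here are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class AuditLevel(Enum):
    STANDARD = "standard"
    HEIGHTENED = "heightened"


@dataclass(frozen=True)
class MemoryWrite:
    """One audited memory access. `old` is None when the address was unmapped."""
    t: int            # logical timestamp of the access
    addr: int
    old: Optional[int]
    new: int


@dataclass
class ForensicMonitor:
    level: AuditLevel = AuditLevel.STANDARD
    log: List[MemoryWrite] = field(default_factory=list)
    pre_snapshot: Optional[Dict[int, int]] = None   # taken at the IoC (claim 2)
    post_snapshot: Optional[Dict[int, int]] = None  # taken at conclusion (claim 1)
    notifications: List[str] = field(default_factory=list)

    def on_indication_of_compromise(self, ioc: str, memory: Dict[int, int]) -> None:
        # Before the attack begins: snapshot, escalate auditing, notify the user.
        self.pre_snapshot = dict(memory)
        self.level = AuditLevel.HEIGHTENED
        self.notifications.append(f"imminent attack: {ioc}")

    def observe_write(self, t: int, addr: int, memory: Dict[int, int], value: int) -> None:
        # Standard auditing lets the write through unrecorded; heightened
        # auditing records every access so it can later be undone or replayed.
        if self.level is AuditLevel.HEIGHTENED:
            self.log.append(MemoryWrite(t, addr, memory.get(addr), value))
        memory[addr] = value

    def on_attack_concluded(self, memory: Dict[int, int]) -> None:
        # Snapshot is kept by the monitor, i.e. outside the VM, then auditing
        # drops back to the standard level.
        self.post_snapshot = dict(memory)
        self.level = AuditLevel.STANDARD

    def reconstruct_backward(self, t_point: int) -> Dict[int, int]:
        """Undo every logged write after t_point, starting from the post-attack snapshot."""
        if self.post_snapshot is None:
            raise RuntimeError("attack has not concluded; no post-attack snapshot")
        state = dict(self.post_snapshot)
        for w in sorted(self.log, key=lambda w: w.t, reverse=True):
            if w.t > t_point:
                if w.old is None:
                    state.pop(w.addr, None)
                else:
                    state[w.addr] = w.old
        return state

    def reconstruct_forward(self, t_point: int) -> Dict[int, int]:
        """Replay every logged write up to t_point onto the pre-attack snapshot."""
        if self.pre_snapshot is None:
            raise RuntimeError("no pre-attack snapshot was recorded")
        state = dict(self.pre_snapshot)
        for w in sorted(self.log, key=lambda w: w.t):
            if w.t <= t_point:
                state[w.addr] = w.new
        return state


def run_scenario() -> ForensicMonitor:
    """Constructed scenario: one benign write under standard auditing, an IoC,
    three writes during the attack under heightened auditing, then conclusion."""
    mem = {0x10: 1, 0x20: 2}
    mon = ForensicMonitor()
    mon.observe_write(1, 0x10, mem, 5)           # standard level: not logged
    mon.on_indication_of_compromise("suspicious process spawn", mem)
    mon.observe_write(2, 0x20, mem, 99)          # logged
    mon.observe_write(3, 0x30, mem, 7)           # logged; new address
    mon.observe_write(4, 0x20, mem, 100)         # logged
    mon.on_attack_concluded(mem)
    return mon


if __name__ == "__main__":
    m = run_scenario()
    for t in range(1, 5):
        print(t, m.reconstruct_backward(t), m.reconstruct_forward(t))
```

Two design points carry over to a real implementation: the log must capture the value being overwritten (or the hypervisor must keep a pre-attack snapshot) or the post-attack snapshot alone cannot be rolled back, and the write at timestamp 1 is invisible to forensics precisely because it happened under standard auditing, which is why the claims escalate auditing before the attack rather than after it.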

Assignees

Google LLC
Inventors

Classifications (CPC titles)

  • Using snapshots, i.e. a logical point-in-time copy of the data

  • Isolation or security of virtual machine instances

  • Distribution of virtual machine instances; Migration and load balancing

  • Assessing vulnerabilities and evaluating computer system security

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12182604B2 cover?
A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual …
Who is the assignee on this patent?
Google LLC
What technology area does this patent fall under?
Primary CPC classification: G06F9/45558. Mapped technology areas include Physics.
When was this patent published?
Publication date: Dec 31, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).