Systems and methods for batch processing of samples using a bare-metal computer security appliance

US9507939B1 · US · B1

Patent metadata
Publication number: US-9507939-B1
Application number: US-201514661464-A
Country: US
Kind code: B1
Filing date: Mar 18, 2015
Priority date: Mar 18, 2014
Publication date: Nov 29, 2016
Grant date: Nov 29, 2016

Abstract

Official abstract text for this publication.

Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. The described computer systems may be used in conjunction with a conventional anti-malware filter to increase throughput and/or the efficacy of malware scanning.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer system comprising a first hardware processor, a first memory, a memory shadower, and an interrupt generator, wherein the memory shadower comprises a second memory and logic configured to take snapshots of the first memory, wherein each snapshot comprises a current content of a memory section of the first memory, wherein taking snapshots comprises copying the current content from the first memory to the second memory, wherein the computer system is configured to: employ the first hardware processor to execute a batch of code samples loaded into the first memory, the batch selected from a corpus prior to loading the batch into the first memory, wherein selecting the batch comprises: employing a malware filter to determine whether a candidate sample of the corpus is malicious, and in response, when the candidate sample is not malicious according to the malware filter, including the candidate sample into the batch; employ the interrupt generator to inject a hardware interrupt into the first hardware processor, the hardware interrupt causing the computer system to transition into a sleeping state, wherein the sleeping state is a state wherein the first hardware processor is not executing instructions and the first memory is powered; in response to the computer system transitioning into the sleeping state, employ the memory shadower to take a first snapshot of the first memory; and in response to taking the first snapshot, employ the memory shadower to transmit at least a part of the first snapshot to a second hardware processor, wherein the second hardware processor is configured to: determine whether the first snapshot is indicative of malicious activity resulting from executing the batch of code samples, and in response, when the first snapshot is not indicative of malicious activity, determine that no sample of the batch is malicious.

2. The computer system of claim 1, wherein the second hardware processor is further configured, when the first snapshot is indicative of malicious activity, to: select a subset of code samples from the batch; instruct the first hardware processor to execute the subset of code samples; instruct the interrupt generator to inject a second hardware interrupt into the first hardware processor, the second hardware interrupt causing the computer system to transition into the sleeping state; in response to the computer system transitioning into the sleeping state, instruct the memory shadower to take a second snapshot of the first memory; determine whether the second snapshot is indicative of malicious activity resulting from executing the subset of code samples; and in response, when the second snapshot is not indicative of malicious activity, determine that none of the subset of code samples is malicious.

3. The computer system of claim 2, wherein the second hardware processor is further configured to identify a malicious code sample of the batch according to whether the second snapshot is indicative of malicious activity.

4. The computer system of claim 1, wherein selecting the batch further comprises, in response to including the candidate sample into the batch, determining whether a batch accumulation condition is satisfied, and instructing the computer system to load the batch into the first memory only when the batch accumulation condition is satisfied.

5. The computer system of claim 1, wherein transitioning to the sleeping state comprises the first hardware processor saving a current state of the first hardware processor to the first memory before entering the sleeping state.

6. The computer system of claim 1, wherein transitioning to the sleeping state comprises at least partially powering down the first hardware processor.

7. The computer system of claim 1, wherein taking snapshots comprises: employing the memory shadower to compare the current content to a reference content, and in response, employing the memory shadower to write the current content to the second memory only when the current content differs from the reference content.

8. The computer system of claim 1, further configured to employ the memory shadower to take a baseline snapshot of the first memory prior to the first hardware processor starting to execute the batch of code samples, and wherein determining whether the first snapshot is indicative of malicious activity comprises comparing the first snapshot to the baseline snapshot.

9. The computer system of claim 8, further configured, in response to the second hardware processor determining whether the first snapshot is indicative of malicious activity, to: stop executing the batch of code samples; and in response to stopping execution of the batch, employ the memory shadower to restore a content of the baseline snapshot to the memory section.

10. The computer system of claim 1, wherein the malware filter executes within a virtual machine.

11. A method comprising: assembling a sample batch comprising a plurality of code samples selected from a corpus, wherein assembling the sample batch comprises: employing a malware filter to determine whether a candidate sample of the corpus is malicious, and in response, when the candidate sample is not malicious according to the malware filter, including the candidate sample into the sample batch; in response to assembling the sample batch, employing a first hardware processor to instruct a computer system to load the sample batch into a first memory of the computer system, the computer system further comprising a second hardware processor configured to execute the sample batch, the computer system further comprising a memory shadower and an interrupt generator, wherein the memory shadower comprises a second memory and logic configured to take snapshots of the first memory, wherein each snapshot comprises a current content of a memory section of the first memory, wherein taking snapshots comprises copying the current content from the first memory to the second memory; employing the first hardware processor to instruct the interrupt generator to inject a hardware interrupt into the second hardware processor, the hardware interrupt causing the computer system to transition into a sleeping state, wherein the sleeping state is a state wherein the second hardware processor is not executing instructions and the first memory is powered; in response to the computer system transitioning into the sleeping state, employing the first hardware processor to instruct the memory shadower to take a first snapshot of the first memory; employing the first hardware processor to determine whether the first snapshot is indicative of malicious activity resulting from executing the sample batch; and in response, when the first snapshot is not indicative of malicious activity, employing the first hardware processor to determine that none of the plurality of code samples is malicious.

12. The method of claim 11, further comprising, when the first snapshot is indicative of malicious activity, employing the first hardware processor to: select a subset of code samples from the sample batch; instruct the second hardware processor to execute the subset of code samples; instruct the interrupt generator to inject a second hardware interrupt into the second hardware processor, the second hardware interrupt causing the computer system to transition into the sleeping state; in response to the computer system transitioning into the sleeping state, instruct the memory shadower to take a second snapshot of the first memory; determine whether the second snapshot is indicative of malicious activity resulting from executing the subset of code samples; an
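The batch-then-bisect procedure of claims 1 to 4 and 8 to 9, simulated in Python as an added example (not code from the patent or from Bitdefender): the first memory is a bytearray, the memory shadower is a small class, the interrupt generator and sleeping state are elided (execution simply stops before the snapshot), and the monitored section, the corpus and the malware-filter verdict are all constructed.

```python
from typing import Callable, Dict, List

Sample = Callable[[bytearray], None]  # a sample "executes" by touching the first memory
SECTION = slice(0, 16)  # the monitored memory section of claim 1 (constructed)

class MemoryShadower:
    """Copies the monitored section into a second memory and can restore a
    baseline into the first memory (claims 1, 8 and 9, simulated)."""
    def __init__(self, first_memory: bytearray) -> None:
        self.first_memory, self.second_memory = first_memory, b""
    def snapshot(self) -> bytes:
        self.second_memory = bytes(self.first_memory[SECTION])
        return self.second_memory
    def restore(self, baseline: bytes) -> None:
        self.first_memory[SECTION] = baseline

def assemble_batch(corpus: Dict[str, Sample], prefilter, size: int) -> List[str]:
    """Claims 1 and 4: unflagged samples accumulate until the batch size is reached."""
    return [name for name in corpus if not prefilter(name)][:size]

def run_batch(memory, shadower, baseline, corpus, batch: List[str]) -> bool:
    """Execute the batch, snapshot after the (simulated) sleep, compare to baseline."""
    for name in batch:
        corpus[name](memory)
    suspicious = shadower.snapshot() != baseline  # claim 8: differs from baseline?
    shadower.restore(baseline)  # claim 9: restore the baseline before the next run
    return suspicious

def isolate(memory, shadower, baseline, corpus, batch: List[str]) -> List[str]:
    """Claims 2 and 3: halve a flagged batch and re-run until the culprits are found."""
    if not run_batch(memory, shadower, baseline, corpus, batch):
        return []  # claim 1: an unflagged snapshot clears every sample in the batch
    if len(batch) == 1:
        return list(batch)
    mid = len(batch) // 2
    return (isolate(memory, shadower, baseline, corpus, batch[:mid])
            + isolate(memory, shadower, baseline, corpus, batch[mid:]))

# Constructed corpus: "c.bin" patches the monitored section; "e.bin" is already
# known to the stand-in malware filter and therefore never reaches bare metal.
def benign(mem: bytearray) -> None: mem[32] ^= 0xFF   # writes outside SECTION
def patcher(mem: bytearray) -> None: mem[4:8] = b"\xE9\x00\x00\x00"
CORPUS = {"a.bin": benign, "b.bin": benign, "c.bin": patcher, "d.bin": benign, "e.bin": benign}

def demo() -> List[str]:
    memory = bytearray(64)
    shadower = MemoryShadower(memory)
    baseline = shadower.snapshot()  # claim 8: baseline taken before any execution
    batch = assemble_batch(CORPUS, lambda name: name == "e.bin", size=4)
    return isolate(memory, shadower, baseline, CORPUS, batch)
```

Running `demo()` flags the four-sample batch once, then clears "a.bin" and "b.bin" with a single re-run and isolates "c.bin", which is the throughput gain the abstract describes: a clean batch costs one bare-metal execution regardless of its size.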

Assignees

Bitdefender Ipr Man Ltd

Inventors

Classifications

  • G06F21/566 (primary): Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

  • Test or assess a computer or a system

  • G06F21/562 (primary): Static detection

  • Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]

  • for a module or a part of a module

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9507939B1 cover?
Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. …
Who is the assignee on this patent?
Bitdefender Ipr Man Ltd
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 29, 2016 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).