Title Micro-virtual machine forensics and detection
Abstract The execution of a process within a VM may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM.
Publication number US9501310(B2) Publication date 2016.11.22
Application number US201514981514 Filing date 2015.12.28
Applicant Bromium, Inc. Inventors Kashyap Rahul C.; Navaraj J. McEnroe Samuel; Singh Baibhav; Passi Arun; Wojtczuk Rafal
Classification G06F11/00; G06F12/14; G06F12/16; G08B23/00; G06F9/455; G06F21/56; G06F21/52; G06F21/53; G06F21/55 Main classification G06F11/00
Agency Brokaw Patent Law PC Agents Brokaw Patent Law PC; Brokaw Christopher J.
Principal claim 1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause: identifying an action performed by a process executing within an isolated environment, wherein identifying comprises: monitoring a list of processes to determine when a new process is initiated within the isolated environment, monitoring events associated with a guest operating system executing within said isolated environment, and monitoring events associated with said isolated environment, wherein said events include attempts to modify page tables and attempts to access CPU registers; determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process; upon determining that the process deviates from the expected behavior, initiating monitoring activity of the process by storing behavior data that describes the actual behavior of the process during execution; and determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
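The following is an added illustration of the monitoring loop the abstract and claim 1 describe; it is example code written for this page, not Bromium's implementation or any code from the patent. It assumes a hypothetical event stream in which the hypervisor and guest agent report events as dictionaries with a pid, a process name and an event type, a constructed expected-behavior profile per process type, and an arbitrary threshold on VM-level events (page-table modifications, CPU register accesses) for the final compromise decision. All values are constructed.

```python
"""Toy model of the claimed process-monitoring loop (example code, not from the patent).

Flow: track the process list, detect new processes, compare each observed action
against an expected-behavior profile, and once a deviation (the trigger) is seen,
start recording behavior data for that process; a separate step analyzes the
recorded data to decide whether the process is compromised.
"""
from dataclasses import dataclass, field

# Hypothetical expected-behavior profiles: event types a process type normally emits.
EXPECTED_BEHAVIOR = {
    "browser.exe": {"file_read", "net_connect", "process_create"},
    "pdfreader.exe": {"file_read"},
}

# Event types observed at the isolated-environment (hypervisor) level, as named in the claim.
VM_LEVEL_EVENTS = {"page_table_modify", "cpu_register_access"}


@dataclass
class ProcessState:
    name: str
    monitoring: bool = False                 # set once a deviation triggers recording
    behavior_data: list = field(default_factory=list)


class VmMonitor:
    def __init__(self, expected=EXPECTED_BEHAVIOR, threshold=2):
        self.expected = expected
        self.threshold = threshold           # hypothetical cut-off for VM-level events
        self.processes = {}                  # pid -> ProcessState; the "list of processes"

    def observe(self, event):
        """Ingest one guest or VM event and update per-process state."""
        pid, name, kind = event["pid"], event["process"], event["type"]
        state = self.processes.get(pid)
        if state is None:
            # A pid not seen before: a new process was initiated in the environment.
            state = self.processes[pid] = ProcessState(name)
        expected = self.expected.get(name, set())
        if kind not in expected and not state.monitoring:
            # Actual behavior deviates from the profile: this is the trigger event.
            state.monitoring = True
        if state.monitoring:
            # Store behavior data describing the process from the trigger onward.
            state.behavior_data.append(event)

    def is_compromised(self, pid):
        """Analyze stored behavior data; here, count VM-level events against the threshold."""
        state = self.processes.get(pid)
        if state is None or not state.monitoring:
            return False
        vm_hits = sum(1 for e in state.behavior_data if e["type"] in VM_LEVEL_EVENTS)
        return vm_hits >= self.threshold


# Constructed sample event stream (not captured from any real system).
SAMPLE_EVENTS = [
    {"pid": 100, "process": "browser.exe", "type": "process_create"},
    {"pid": 100, "process": "browser.exe", "type": "net_connect"},
    {"pid": 200, "process": "pdfreader.exe", "type": "file_read"},
    {"pid": 200, "process": "pdfreader.exe", "type": "net_connect"},        # deviation: trigger
    {"pid": 200, "process": "pdfreader.exe", "type": "page_table_modify"},  # VM-level event
    {"pid": 200, "process": "pdfreader.exe", "type": "cpu_register_access"},  # VM-level event
    {"pid": 100, "process": "browser.exe", "type": "file_read"},
]


def run_example(events=SAMPLE_EVENTS):
    """Feed the constructed stream through the monitor and return it for inspection."""
    monitor = VmMonitor()
    for event in events:
        monitor.observe(event)
    return monitor


if __name__ == "__main__":
    m = run_example()
    for pid, state in m.processes.items():
        print(pid, state.name, "monitoring:", state.monitoring,
              "compromised:", m.is_compromised(pid),
              "recorded events:", len(state.behavior_data))
```

Note the two-stage design the claim spells out: the deviation check decides only whether to start recording, so the well-behaved browser process never accumulates behavior data, while the compromise decision is made later over the recorded data alone. In a real deployment the profiles and the analysis step would be far richer than a single event-count threshold.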
Address Cupertino CA US