| 发明名称 |
MICRO-VIRTUAL MACHINE FORENSICS AND DETECTION |
| 摘要 |
An isolated environment is instantiated in response to receiving a request to execute a process. One or more events occurring within the isolated environment in which the process executes are identified. Whether the actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process is determined. Only when it is determined that the process deviates from the expected behavior is behavior data, which describes the actual behavior of the process during execution, stored. A determination is then made as to whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process. |
| 申请公布号 |
US2017076092(A1) |
申请公布日期 |
2017.03.16 |
| 申请号 |
US201615358004 |
申请日期 |
2016.11.21 |
| 申请人 |
Bromium, Inc. |
发明人 |
Kashyap Rahul C.;Navaraj J. McEnroe Samuel;Singh Baibhav;Passi Arun;Wojtczuk Rafal;Taylor Adrian |
| 分类号 |
G06F21/55;G06F9/455 |
主分类号 |
G06F21/55 |
| 代理机构 |
|
代理人 |
|
| 主权项 |
1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for monitoring process behavior, which when executed by one or more processors, cause:
identifying one or more events occurring within an isolated environment in which a process executes, wherein said isolated environment is instantiated in response to receiving a request to execute said process; determining whether an actual behavior of said process executing within said isolated environment deviates from an expected behavior of the execution of the process; only upon determining that the process deviates from the expected behavior, storing behavior data that describes the actual behavior of the process during execution; and determining whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process. |
| 地址 |
Cupertino CA US |
