US010536471B1

(12) United States Patent
Derbeko et al.

(10) Patent No.: US 10,536,471 B1
(45) Date of Patent: Jan. 14, 2020

(54) MALWARE DETECTION IN VIRTUAL MACHINES

(71) Applicant: EMC IP Holding Company LLC, Hopkinton, MA (US)

(72) Inventors: Philip Derbeko, Modiin (IL); Shai Kappel, Bnaya (IL); Uriya Stern, Lehavim (IL); Maya Bakshi, Beer Sheva (IL); Yaniv Harel, Neve-Monosson (IL)

(73) Assignee: EMC IP Holding Company LLC, Hopkinton, MA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 139 days.

(21) Appl. No.: 15/086,979

(22) Filed: Mar. 31, 2016

(51) Int. Cl.
G06F 12/14 (2006.01)
H04L 29/06 (2006.01)
G06F 9/455 (2018.01)

(52) U.S. Cl.
CPC H04L 63/1425 (2013.01); G06F 9/45558 (2013.01); H04L 63/145 (2013.01); H04L 63/1416 (2013.01); G06F 2009/45587 (2013.01)

(58) Field of Classification Search
CPC G06F 2009/45587; G06F 2009/45595; G06F 21/552; G06F 21/56; G06F 21/566; G06F 21/567; G06F 2201/815; G06F 9/45533; G06F 2009/45591; G06F 2201/84; H04L 63/1416; H04L 63/20; H04L 63/1425
USPC 726/1, 22-24
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

6,775,780 B1 * 8/2004 Muttik ..... G06F 21/53, 713/165
8,056,134 B1 * 11/2011 Ogilvie ..... G06F 21/566, 713/187
8,151,263 B1 * 4/2012 Venkitachalam ..... G06F 9/485, 711/162
8,726,083 B1 * 5/2014 van der Goot ..... G06F 11/1438, 714/15
8,904,525 B1 * 12/2014 Hodgman ..... G06F 21/562, 726/22
8,949,829 B1 * 2/2015 Xing ..... G06F 11/1469, 718/1
9,230,100 B2 * 1/2016 Wang ..... G06F 21/53
9,400,886 B1 * 7/2016 Beloussov ..... G06F 21/566
9,690,936 B1 * 6/2017 Malik ..... G06F 21/562
9,740,577 B1 * 8/2017 Chakraborty ..... G06F 11/1469
10,048,890 B1 * 8/2018 Samad ..... G06F 3/0619
(Continued)

FOREIGN PATENT DOCUMENTS

CN 105068856 A * 11/2015 ..... G06F 21/53
EP 3241140 A1 * 11/2017

Primary Examiner — Jason K Gee
Assistant Examiner — Lizbeth Torres-Diaz
(74) Attorney, Agent, or Firm — Ryan, Mason & Lewis, LLP

(57) ABSTRACT

A system, computer program product, and computer-executable method of detecting malware in a virtual machine (VM), the computer-executable method comprising periodically creating snapshots of the VM, analyzing each of the snapshots in comparison to one or more previous snapshots to determine whether anomalies exist, and based on a threshold amount of anomalies detected, scanning the VM to determine whether malware is detected.

20 Claims, 10 Drawing Sheets

[Front-page figure, flowchart: Create a test VM (600); Take an initial snapshot of the test VM (610); Infect the test VM with a first type of Malware (620); Run the test VM (630); Periodically take snapshots of the test VM (640); Analyze each of the snapshots to create a malware profile (650).]

WIZ, Inc. EXHIBIT - 1072
WIZ, Inc. v. Orca Security LTD.

(56) References Cited

U.S. PATENT DOCUMENTS

2007/0240222 A1 * 10/2007 Tuvell ..... G06F 21/56, 726/24
2009/0158432 A1 * 6/2009 Zheng ..... G06F 21/562, 726/24
2016/0321455 A1 * 11/2016 Deng ..... G06F 21/577
2017/0034198 A1 * 2/2017 Powers ..... G06F 21/552
2019/0235973 A1 * 8/2019 Brewer ..... G06F 11/1469

* cited by examiner

[Sheet 1 of 10, FIG. 1: system 100. Users 135A, 135B and 135C each access a VM (140A, 140B, 140C) provided by Data Storage System 105, which contains Hypervisor 110, Fast Data Storage 115 and Data Management 120 and is connected to Data Storage Array 125.]

[Sheet 2 of 10, FIG. 2: Virtual Machines 205-1, 205-2, ..., 205-N, running APPS 210-1, 210-2, ..., 210-N respectively, on Hypervisor 215, which runs on Physical infrastructure 217.]

[Sheet 3 of 10, FIG. 3A: system 300. User 365 uses VM 335 on Data Storage System 305, which contains Hypervisor 310, Malware Detection Module 315, Fast Data Storage 320 and Data Management 325 and is connected to Data Storage Array 330.]

[Sheet 4 of 10, FIG. 3B: system 300 as in FIG. 3A; Malware Detection Module 315 runs Scan 340 on VM 335, producing Snapshot 345-1, Snapshot 345-2, ..., Snapshot 345-N.]

[Sheet 5 of 10, FIG. 3C: system 300 as in FIG. 3B, with Deep Scan 350 comparing Snapshot 360 against Malware Profiles 355.]

[Sheet 6 of 10, FIG. 4, flowchart: Periodically create snapshots of a VM (400); Analyze each snapshot in comparison to a previous snapshot (410); If threshold amount of anomalies detected, scan VM (420).]

[Sheet 7 of 10, FIG. 5: system 500. Data Storage System 505 (Hypervisor 510, Malware Detection Module 515, Fast Data Storage 520, Data Management 525, connected to Data Storage Array 530) hosts VM 535, which is infected with Malware 560; Profile Creation 540 takes Snapshot 545-1, Snapshot 545-2, ..., Snapshot 545-N and produces Malware Profiles 555.]

[Sheet 8 of 10, FIG. 6, flowchart: Create a test VM (600); Take an initial snapshot of the test VM (610); Infect the test VM with a first type of Malware (620); Run the test VM (630); Periodically take snapshots of the test VM (640); Analyze each of the snapshots to create a malware profile (650).]

[Sheet 9 of 10, FIG. 7: apparatus 700 with Sources 701, I/O 702, Proc 703, Mem 704 and Prog Logic 705, plus elements 710, 725, 750, 780, 783, 785, 787, 789, 790 and 795 labelled Display, Report Device, I/O Device, Mem Media (Magnetic, Optic) and 2nd Proc. System.]

[Sheet 10 of 10, FIG. 8: Program Logic; reference numerals 800, 855 and 860.]

MALWARE DETECTION IN VIRTUAL MACHINES

A portion of the disclosure of this patent document may contain command formats and other computer language listings, all of which are subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

TECHNICAL FIELD

This invention relates to data storage.

BACKGROUND

Computer systems are constantly improving in terms of speed, reliability, and processing capability. As is known in the art, computer systems which process and store large amounts of data typically include one or more processors in communication with a shared data storage system in which the data is stored. The data storage system may include one or more storage devices, usually of a fairly robust nature and useful for storage spanning various temporal requirements, e.g., disk drives. The one or more processors perform their respective operations using the storage system. Mass storage systems (MSS) typically include an array of a plurality of disks with on-board intelligent and communications electronics and software for making the data on the disks available.

Companies that sell data storage systems are very concerned with providing customers with an efficient data storage solution that minimizes cost while meeting customer data storage needs. It would be beneficial for such companies to have a way of reducing the complexity of implementing data storage.

SUMMARY

A system, computer program product, and computer-executable method of detecting malware in a virtual machine (VM), the computer-executable method comprising periodically creating snapshots of the VM, analyzing each of the snapshots in comparison to one or more previous snapshots to determine whether anomalies exist, and based on a threshold amount of anomalies detected, scanning the VM to determine whether malware is detected.

BRIEF DESCRIPTION OF THE DRAWINGS

Objects, features, and advantages of embodiments disclosed herein may be better understood by referring to the following description in conjunction with the accompanying drawings. The drawings are not meant to limit the scope of the claims included herewith. For clarity, not every element may be labeled in every figure. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments, principles, and concepts. Thus, features and advantages of the present disclosure will become more apparent from the following detailed description of exemplary embodiments thereof taken in conjunction with the accompanying drawings in which:

FIG. 1 is a simplified illustration of a data storage system providing virtualization technology resources to users, in accordance with an embodiment of the present disclosure;

FIG. 2 is a simplified illustration of a hypervisor interacting with physical infrastructure and virtual machines, in accordance with an embodiment of the present disclosure;

FIGS. 3A-3C are simplified illustrations of state diagrams of a data storage system protected by a malware detection module, in accordance with an embodiment of the present disclosure;

FIG. 4 is a simplified flowchart of a method of detecting malware in a system shown in FIG. 3C, in accordance with an embodiment of the present disclosure;

FIG. 5 is a simplified illustration of a system creating malware profiles, in accordance with an embodiment of the present disclosure;

FIG. 6 is a simplified flowchart of a method of creating malware profiles using the system shown in FIG. 5, in accordance with an embodiment of the present disclosure;

FIG. 7 is an example of an embodiment of an apparatus that may utilize the techniques described herein, in accordance with an embodiment of the present disclosure; and

FIG. 8 is an example of a method embodied on a computer readable storage medium that may utilize the techniques described herein, in accordance with an embodiment of the present disclosure.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

Typically, recent advances in virtualization technologies have sped up their integration into daily life for both business and personal use. Generally, virtualization technologies enable users to have powerful computing resources available whenever and wherever they want. Traditionally, malicious code and/or malware have been isolated to a single user's account and/or computer. However, recently, as virtualization technologies are starting to become ubiquitous, the mobility that virtualization technologies provide also increases the amount of vulnerability to malware. Traditionally, data storage and service providers have limited tools and/or resources available when detecting malware. Conventionally, improvements to malware detection would be beneficial to the data storage industry.

Traditionally, detecting and/or tracking malware is very difficult as malware is constantly changing. Typically, current malware defense mechanisms are based on signature recognition that is often one step behind the latest versions of malware. Conventionally, agents running on VMs are often useless as malware has evolved to determine whether detection agents exist and to bypass agents as they are running their scans. Generally, detection agents running on a VM also become problematic as they affect the VM and are affected by the VM. Specifically, agents inside a protected machine expand the attack surface. Agents inside a protected machine affect the performance of the VM they are attempting to protect through the scanning and checking of all incoming and outgoing bytes, whether by network, storage, or web browsing. Generally, deployment of agents on VMs is also problematic as the number of VMs to be protected grows exponentially over time, which makes installation and upgrades in these environments extremely challenging.

In many embodiments, the current disclosure may enable detection of malware within data centers. In various embodiments, the current disclosure may enable a user and/or administrator to detect malware within virtual machines (VMs) provided from data storage systems and/or data centers. In certain embodiments, the current disclosure may facilitate detection of malware within data centers and/or data storage systems through performing automatic, periodic and/or pro-active forensic analysis of data center resources. In most embodiments, the current disclosure may enable agentless detection of malware within data centers and/or data storage systems. In some embodiments, data centers and/or data storage systems may provide virtualization services such as, but not limited to, virtual machines (VMs).
In various embodiments, the current disclosure may enable detection of malware in virtualization technology, such as virtual machines in private, hybrid, and/or public clouds. In certain embodiments, the current disclosure may enable analysis and/or detection of malware without exposing other computers, VMs, detection tools and/or the mechanism itself to the potentially malware-infected virtual machines. In some embodiments, the current disclosure may enable detection of previously unknown malware variants, which may include malware having no persistence mechanism, such as, but not limited to, malware running only in volatile memory. In most embodiments, the current disclosure may enable a user and/or admin to "look" at a set of resources from outside the set of resources. In various embodiments, the current disclosure may enable a user and/or administrator to identify suspicious changes to resources without creating more exposure to the possibly malicious code and/or malware.
In many embodiments, the current disclosure may enable a user and/or administrator to protect their data centers through a number of stages. In various embodiments, a number of stages may include a preparation stage, a deployment stage, and a learning stage. In most embodiments, a preparation stage may enable a user and/or administrator to conduct analysis and prepare detection tools for a specified set of virtualization technologies for specific types of malware and/or malicious code. In various embodiments, during a preparation stage of malware detection for virtualization technologies, a data storage system may take a large number of snapshots on virtual machines, both infected and not infected with malware. Each of the large number of snapshots may be analyzed and differences between each consecutive pair of snapshots may be fed into a malware detection module.
In certain embodiments, a malware detection module may be enabled to utilize a learning algorithm which may be able to detect differences between infected and non-infected virtualization technologies. In most embodiments, a malware detection module may create a model of changes detected within snapshots of virtualization technologies. The changes may include benign changes and malicious changes within virtualization technologies. In most embodiments, virtualization technologies may include, but are not limited to, a hypervisor, virtual machines, and/or hardware and software facilitating use of hypervisors and virtual machines. As the malware detection module receives more examples of malware vs. non-malware changes, the malware detection module may be enabled to associate probabilities of malware infection with one or more changes made to virtualization technologies. In many embodiments, a malware detection module may be enabled to create a dataset of snapshots of different virtual machines, both infected and not infected. In various embodiments, a malware detection module may be enabled to analyze the snapshots to determine differences between the infected and non-infected VMs.
In many embodiments, a deployment stage may enable a user and/or administrator to deploy a malware detection module on a private, hybrid, or public cloud and/or a data storage system. Upon deployment, a malware detection module may be enabled to take periodic snapshots of Virtual Machines (VMs) and may be enabled to analyze the snapshots in comparison to the malware detection module's internal malware models. Snapshots of VMs may be reduced to deltas or considered as-is and fed into the malware detection module's model. In most embodiments, if changes within a snapshot (or its delta from a previous snapshot) appear to be benign, then the malware detection module may continue to another VM. In some embodiments, if a snapshot (or its delta from a previous snapshot) appears to be suspicious, a security operator may be alerted and the snapshot may be further processed. In certain embodiments, suspicious snapshots may be analyzed using forensic analysis methods. In various embodiments, a malware detection module may determine if a snapshot is suspicious based on whether a threshold may be met. In some embodiments, a threshold may be met if a user- and/or administrator-set number of errors and/or malware indicators are found within one or more snapshots. In other embodiments, one or more errors and/or malware indicators of a set of snapshots of a single VM may exceed a threshold.
In most embodiments, an administrator and/or user may utilize the malware detection module to further investigate and/or catalog differences to determine whether information relating to the suspicious snapshot should be included in the malware detection module's model of malware behavior. In many embodiments, a malware detection module may be enabled to analyze different aspects of a VM through analyzing a snapshot of the VM. In various embodiments, a malware detection module may search for malware code in memory, unrecognized processes, unexpected open network ports, unexpected network connections, API hooks that may have been hijacked, as well as other suspicious behavior.
In various embodiments, analyzing snapshots of VMs, instead of the VMs while running, may enable isolation of a detecting module from the malware itself. Further, in some embodiments, analyzing snapshots may enable a detecting module to analyze VM memory, which may be valuable as malware has to run in memory and thus has to leave traces and clues in memory. In these embodiments, since a snapshot is taken outside of a VM, malware may not be able to eliminate evidence and/or bypass the check. Thus, a detecting module may be enabled to identify highly advanced or seemingly unseen malware that does eliminate evidence or attempts to bypass the check. In many embodiments, as a snapshot may be taken without stopping a virtual machine, a detecting module may be enabled to analyze a VM without causing an impact to the VM. Once a snapshot is taken, a detecting module may be enabled to scan the snapshot, network, and/or memory without impacting the VM or anything the VM may be doing. In most embodiments, a detecting module may include a malware detecting module. In most embodiments, in a learning stage, a malware detection module may incorporate results back into its own models to adapt to new malware and/or variations of circumstances in which malware was detected.
In various embodiments, a malware detection module may use a two-phased approach to detecting malware and/or malicious code on a VM, including a scan and a deep scan. In certain embodiments, during a scan, a malware detection module may periodically create snapshots of a VM being monitored. These snapshots may be analyzed for suspicious activity, such as, but not limited to, atypical memory usage, extraneous port usage, superfluous network connections, and/or other unusual activity given the implementation on a VM. In other embodiments, a malware detection module may compare a recent snapshot with one or more previously taken snapshots of a VM to determine whether malware has infected the VM. In some embodiments, a malware detection module may analyze one or more snapshots to determine whether a VM has a threshold amount of suspicious activity to proceed to using a deep scan to analyze the VM. In most embodiments, during a deep scan, a malware detection module compares each suspicious snapshot with malware profiles. In various embodiments, each malware profile may contain typical behavior, locations, and/or forensic evidence associated with each type of malware.
Refer to the example embodiment of FIG. 1. FIG. 1 is a simplified illustration of a data storage system providing virtualization technology resources to users, in accordance with an embodiment of the present disclosure. As shown, system 100 includes data storage system 105 and data storage array 125. Data storage system 105 includes hypervisor 110, fast data storage 115, and data management module 120. Data storage system 105 is in communication with data storage array 125. Data storage system 105 is enabled to provide virtual machines (VMs) (140A-C, 140 generally) to users (135A-C, 135 generally) using hypervisor 110. Users 135 are in communication with data storage system 105 to gain access to hypervisor 100, which provides each of Users 135 with a virtual machine. Data storage system 105 provides data storage for VMs 140 using fast data storage 115 and data storage array 125.
Refer to the example embodiment of FIG. 2. FIG. 2 is a simplified illustration of a hypervisor interacting with physical infrastructure and virtual machines, in accordance with an embodiment of the present disclosure. As shown, hypervisor 215 runs on physical infrastructure 217. In many embodiments, physical infrastructure may include a data storage system that may be enabled to run one or more hypervisors and may be enabled to communicate with one or more data storage arrays. In various embodiments, data storage systems may include one or more flash cache drives to facilitate quicker access of frequently used data also stored on one or more data storage arrays. In this embodiment, hypervisor 215 is enabled to run virtual machines (205-1, 205-2, 205-N, 205 generally). As shown, virtual machine 205-1 is running application 210-1, virtual machine 205-2 is running application 210-2, and virtual machine 205-N is running application 210-N. In many embodiments, each virtual machine may be enabled to run one or more applications.
Refer to the example embodiment of FIGS. 3A-3C. FIGS. 3A-3C are simplified illustrations of state diagrams of a data storage system protected by a malware detection module, in accordance with an embodiment of the present disclosure. FIG. 3A is a simplified illustration of a first state of a data storage system, in accordance with an embodiment of the present disclosure. System 300 includes data storage system 305 and data storage array 330. Data storage system 305 is enabled to provide virtual machine (VM) 335 for User 365. Data storage system 305 utilizes data management module 325, fast data storage 320, and data storage array 330 to provide data storage for VM 335. Malware detection module 315 detects, monitors, and/or quarantines VMs running on hypervisor 310 based on analysis of snapshots.
FIG. 3B is a simplified illustration of a second state of a data storage system, in accordance with an embodiment of the present disclosure. As shown, system 300 includes data storage system 305 and data storage array 330. Data storage system 305 includes hypervisor 310, malware detection module 315, fast data storage 320, and data management module 325. In this embodiment, malware detection module 315 is enabled to protect VM 335 provided using hypervisor 310 on data storage system 305. Malware detection module 315 initiates scan 340 on VM 335. During scan 340, malware detection module 315 periodically takes snapshots (345-1, 345-2, 345-N, 345 generally) of VM 335. Malware detection module 315 is enabled to analyze each of snapshots 345. In many embodiments, a malware detection module may analyze each snapshot by comparing each snapshot to one or more previous snapshots. In other embodiments, a malware detection module may analyze each snapshot by searching for malware-indicative behavior, such as memory usage, port usage, unusual network connections, and other superfluous activities that may be indicative of a malware infection. In this embodiment, malware detection module 315 is enabled to determine whether VM 335 has a threshold amount of suspected malware-type behavior by analyzing snapshots 345. In many embodiments, an administrator or user may be enabled to specify a threshold for malware-type behavior. In various embodiments, a threshold may be determined by the amount of malware-type behavior typically shown by known malware-infected VMs.
FIG. 3C is a simplified illustration of a third state of a data storage system, in accordance with an embodiment of the present disclosure. As shown, system 300 includes data storage system 305 and data storage array 330. Data storage system 305 includes hypervisor 310, malware detection module 315, fast data storage 320, and data management module 325. In this embodiment, malware detection module 315 is enabled to monitor VM 335 for malware infection. Malware detection module 315 is enabled to use a two-phase process to protect VM 335. Malware detection module 315 initially uses a scan 340 of one or more snapshots 345 of VM 335. If any of the snapshots 345 reach a threshold level of suspicious activity for malware infection, malware detection module 315 is enabled to use deep scan 350 to further process snapshots 345. As shown, during deep scan 350, malware detection module 315 compares malware profiles 355 with snapshot 360. Snapshot 360 is enabled to be one or more of snapshots 345 which have surpassed a threshold level of malware-type activity. Through analysis of snapshot 360 using malware profiles 355, malware detection module 315 is enabled to determine whether a known malware and/or set of malicious code (described in malware profiles 355) has infected VM 335. Upon identifying a type of malware using malware profiles 355, malware detection module 315 is enabled to incorporate other suspicious activities detected in snapshot 360 into the profile of the associated malware in malware profiles 355.
Refer to the example embodiment of FIG. 4. FIG. 4 is a simplified flowchart of a method of detecting malware in a system shown in FIG. 3C, in accordance with an embodiment of the present disclosure. As shown, system 300 includes data storage system 305 and data storage array 330. Data storage system 305 includes hypervisor 310, malware detection module 315, fast data storage 320, and data management module 325. Data storage system 305 provides VM 335 to user 365 using hypervisor 310. Malware detection module 315 periodically creates snapshots 345 of VM 335 (Step 400). Malware detection module 315 executes scan 340, which analyzes each of snapshots 345 by comparing each of snapshots 345 to previously created snapshots (Step 410). If malware detection module 315 determines that a threshold amount of malware anomalies exists in any of snapshots 345, malware detection module 315 executes deep scan 350 on one or more of snapshots 345 (Step 420). Deep scan 350 includes malware detection module 315 analyzing and/or comparing snapshot 360, which has achieved a minimum threshold of anomalies, with malware profiles 355.
Refer to the example embodiment of FIG. 5. FIG. 5 is a simplified illustration of a system creating malware profiles, in accordance with an embodiment of the present disclosure. As shown, system 500 includes data storage system 505 and data storage array 530. Data storage system 505 includes hypervisor 510, malware detection module 515, fast data storage 520, and data management module 525. Data storage system 505 is in communication with data storage array 530. Data storage system 505 is enabled to create VM 535. Malware detection module 515 is enabled to create malware profiles 555 using profile creation 540. Malware detection module 515 creates multiple snapshots (545-1, 545-2, 545-N, 545 generally) of VM 535. Malware detection module 515 is enabled to infect VM 535 with malware 560 to determine an effect of malware 560 on VM 535, such as, but not limited to, anomalies in memory, ports, network connections, and/or other portions of VM 535. Malware detection module 515 is enabled to create malware profiles 555 based on differences found between snapshots 545 at times when VM 535 was not infected with malware 560 and when VM 535 was infected with malware 560.
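The following Python is an added example, not code from the patent or from EMC: it models the scan / deep-scan procedure of FIG. 4 and the profile creation of FIG. 5, with a snapshot reduced to the attributes the text says are examined (processes, ports, network connections, memory use), counts anomalies in the delta between consecutive snapshots against a threshold, and compares a suspicious delta with profiles derived from a clean/infected test VM pair. All function names, the threshold values and the sample data (process names, port, address) are constructed assumptions.

```python
# Added example (not the patent's code): a miniature of the patent's
# two-phase snapshot detection (FIG. 4) and profile creation (FIG. 5).
# Snapshots are simplified to the attributes the text says are inspected.
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Stand-in for a VM snapshot: the observable state the text says the
    detection module examines (a real one is a memory/disk image)."""
    processes: frozenset
    open_ports: frozenset
    connections: frozenset   # (remote_host, remote_port) pairs
    memory_mb: int


def snap(processes, open_ports, connections, memory_mb):
    return Snapshot(frozenset(processes), frozenset(open_ports),
                    frozenset(connections), memory_mb)


def snapshot_delta(prev, cur):
    """Reduce two consecutive snapshots to a delta. Only additions count:
    something appearing is the signal, something disappearing is not."""
    return {
        "new_processes": cur.processes - prev.processes,
        "new_ports": cur.open_ports - prev.open_ports,
        "new_connections": cur.connections - prev.connections,
        "memory_growth_mb": cur.memory_mb - prev.memory_mb,
    }


def count_anomalies(delta, memory_growth_limit_mb=256):
    """Phase 1 (scan 340): each unexpected process, port or connection is
    one anomaly; memory growth above the limit is one more."""
    n = (len(delta["new_processes"]) + len(delta["new_ports"])
         + len(delta["new_connections"]))
    if delta["memory_growth_mb"] > memory_growth_limit_mb:
        n += 1
    return n


def build_profile(name, clean, infected):
    """Profile creation (FIG. 5): the differences between a test VM's clean
    and post-infection snapshots become the malware profile."""
    d = snapshot_delta(clean, infected)
    return {"name": name, "processes": d["new_processes"],
            "ports": d["new_ports"], "connections": d["new_connections"]}


def deep_scan(delta, profiles, min_matches=2):
    """Phase 2 (deep scan 350): compare a suspicious delta with each profile;
    return the best-matching profile name, or None when nothing known
    matches (the text's case for alerting an operator)."""
    best_name, best_score = None, 0
    for p in profiles:
        score = (len(delta["new_processes"] & p["processes"])
                 + len(delta["new_ports"] & p["ports"])
                 + len(delta["new_connections"] & p["connections"]))
        if score >= min_matches and score > best_score:
            best_name, best_score = p["name"], score
    return best_name


def monitor(snapshots, profiles, threshold=3):
    """FIG. 4 procedure (steps 400-420) over periodic snapshots. Returns
    (index, anomaly_count, matched_profile) for each deep-scanned snapshot."""
    findings = []
    for i in range(1, len(snapshots)):
        delta = snapshot_delta(snapshots[i - 1], snapshots[i])
        n = count_anomalies(delta)
        if n >= threshold:
            findings.append((i, n, deep_scan(delta, profiles)))
    return findings


# Constructed profile-creation data: a test VM before and after infection.
# "bad-svc", port 4444 and 192.0.2.10 (RFC 5737 documentation range) are
# made-up values, not indicators of any real malware.
CLEAN_TEST_VM = snap({"init", "sshd"}, {22}, set(), 512)
INFECTED_TEST_VM = snap({"init", "sshd", "bad-svc"}, {22, 4444},
                        {("192.0.2.10", 4444)}, 900)
PROFILES = [build_profile("constructed-sample", CLEAN_TEST_VM, INFECTED_TEST_VM)]

# Constructed series for a monitored VM: a benign change (new log-rotation
# process), an infection mirroring the profile, then a quiet interval.
MONITORED_SERIES = [
    snap({"init", "sshd", "httpd"}, {22, 80}, set(), 1024),
    snap({"init", "sshd", "httpd", "logrotate"}, {22, 80}, set(), 1030),
    snap({"init", "sshd", "httpd", "bad-svc"}, {22, 80, 4444},
         {("192.0.2.10", 4444)}, 1500),
    snap({"init", "sshd", "httpd", "bad-svc"}, {22, 80, 4444},
         {("192.0.2.10", 4444)}, 1510),
]


def demo():
    """Run the monitor over the constructed series."""
    return monitor(MONITORED_SERIES, PROFILES)
```

Only the second snapshot reaches the threshold (four anomalies) and is deep-scanned; the benign log-rotation change scores one anomaly and is skipped, which is the scan-then-deep-scan gating the text describes.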
Refer to the example embodiment of FIG. 6. FIG. 6 is a simplified flowchart of a method of creating malware profiles using the system shown in FIG. 5, in accordance with an embodiment of the prese