Anup K. Ghosh - Centreville VA, US Sushil Jajodia - Oakton VA, US Yih Huang - Fairfax VA, US Jiang Wang - Fairfax VA, US
International Classification:
G06F 9/455
US Classification:
718 1
Abstract:
An on-demand disposable virtual work system that includes: a virtual machine monitor to host virtual machines, a virtual machine pool manager, a host operating system, a host program permissions list, and a request handler module. The virtual machine pool manager manages virtual machine resources. The host operating system interfaces with a user and virtual machines created with an image of a reference operating system. The host program permissions list may be a black list and/or a white list used to indicate allowable programs. The request handler module allows execution of the program if the program is allowable. If the program is not allowable, the host request handler module: denies program execution and urges a virtual machine specified by the virtual machine pool manager to execute the program. The virtual machine is terminated when the program closes.
Distributed Sensor For Detecting Malicious Software
Anup Ghosh - Centreville VA, US Yih Huang - Fairfax VA, US Jiang Wang - Fairfax VA, US Angelos Stavrou - Springfield VA, US
International Classification:
G06F 11/00
US Classification:
726 23
Abstract:
Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s)operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
Anup K. Ghosh - Centreville VA, US Sushil Jajodia - Oakton VA, US Yih Huang - Fairfax VA, US Jiang Wang - Fairfax VA, US
International Classification:
G06F 21/00 G06F 3/048 G06F 15/16
US Classification:
726 23, 715733
Abstract:
An embodiment for providing a secure virtual browsing environment includes creating a virtual browsing environment with a virtualized operating system sharing an operating system kernel of a supporting operating system and executing the browser application within the virtual browsing environment. Another embodiment includes receiving a website selection within a browser application, determining if the website selection corresponds to a secure bookmark, and creating a second virtual browsing environment and executing the browser application within the second virtual browsing environment to access the website selection when the website selection corresponds to a website specified as a secure bookmark. Yet another embodiment includes monitoring operation of the operating system within the at least one virtual browsing environment, determining when the operation of the operating system includes potential malicious activity, and terminating the virtual browsing environment when the operation includes potential malicious activity.
Anup K. Ghosh - Centreville VA, US Kun Sun - Fairfax VA, US Jiang Wang - Fairfax VA, US Angelos Stavrou - Springfield VA, US
International Classification:
G06F 15/173
US Classification:
709224
Abstract:
A hardware-assisted integrity monitor may include one or more target machines and/or monitor machines. A target machine may include one or more processors, which may include one or more system management modes (SMM). A SMM may include one or more register checking modules, which may be configured to determine one or more current CPU register states. A SMM may include one or more acquiring modules, which may be configured to determine one or more current memory states. A SMM may include one or more network modules, which may be configured to direct one or more communications, for example of one or more current CPU register states and/or current memory states, to a monitor machine. A monitor machine may include one or more network modules and/or analysis modules. An analysis module may be configured to determine memory state differences and/or determine CPU register states differences.
Anup K. Ghosh - Centerville VA, US Kun Sun - Fairfax VA, US Jiang Wang - Fairfax VA, US Angelos Stavrou - Springfield VA, US
International Classification:
G06F 15/177
US Classification:
713 2
Abstract:
An interoperable firmware memory containing a Basic Input Output System (BIOS) and a trusted platform module (TPSM). The BIOS includes CPU System Management Mode (SMM) firmware configured as read-only at boot. The SMM firmware configured to control switching subsequent to boot between at least: a first memory and second isolated memory; and a first and second isolated non-volatile storage device. The first memory including a first operating system and the second memory including a second operating system. The first non-volatile storage device configured to be used by the first operating system and the second non-volatile storage device configured to be used by the second operating system. The trusted platform module (TPSM) configured to check the integrity of the CPU system Management Mode (SMM) during the boot process.
- Fairfax VA, US Yih HUANG - Fairfax VA, US Jiang WANG - Fairfax VA, US Angelos STAVROU - Springfield VA, US
Assignee:
George Mason Research Foundation, Inc. - Fairfax VA
International Classification:
H04L 29/06 G06F 21/55 G06F 9/455 G06F 21/53
Abstract:
Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
- Fairfax VA, US Yih HUANG - Fairfax VA, US Jiang WANG - Fairfax VA, US Angelos STAVROU - Springfield VA, US
Assignee:
George Mason Research Foundation, Inc. - Fairfax VA
International Classification:
H04L 29/06 G06F 9/455 G06F 21/53 G06F 21/55
Abstract:
Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
- Fairfax VA, US Yih HUANG - Fairfax VA, US Jiang WANG - Fairfax VA, US Angelos STAVROU - Springfield VA, US
Assignee:
George Mason Research Foundation, Inc. - Fairfax VA
International Classification:
H04L 29/06 G06F 21/55 G06F 21/53 G06F 9/455
Abstract:
Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OSVM. A detection module operates under the guest OSVM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.