CPC G06F 21/56 (2013.01) [G06F 9/45558 (2013.01); G06F 2009/45587 (2013.01); G06F 2221/034 (2013.01)]

11 Claims

1. A non-transitory computer-readable storage medium storing thereon instructions that, when executed, cause a processor of a computing device to:

receive an indication associated with a first virtual machine, the first virtual machine containing a first application, the indication indicating that a first operation in the first virtual machine is to use a second application;

receive information associated with a second virtual machine, the second virtual machine created in response to the first operation and containing the second application;

store information describing a chain of virtual machines, the chain of virtual machines including the first and second virtual machines, the stored information including a relationship between the first virtual machine and the second virtual machine, based on the received indication and the received information; and

in response to an identification of malware in the chain of virtual machines, identify a particular virtual machine in the chain of virtual machines that is in a kill chain of the malware based on the stored information,

wherein the first virtual machine is a primary virtual machine and other virtual machines in the chain of virtual machines are secondary virtual machines, wherein a secondary virtual machine is created in response to an operation in a respective preceding virtual machine in the chain of virtual machines, wherein the stored information stores information on a relationship between a secondary virtual machine and the respective preceding virtual machine,

wherein the instructions, when executed, further cause the processor to:

identify the malware in a virtual machine in the chain of virtual machines,

in response to the identification of the malware in the virtual machine, flag the virtual machine as malicious, and

when a secondary virtual machine is flagged as malicious, determine that its respective preceding virtual machine is in the kill chain of the malware, and flag that preceding virtual machine as malicious.
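The relationship store and backward flagging recited in claim 1, sketched as an added example (not code from the patent or from any product). The class, method and VM names are hypothetical, and the sketch assumes the flag-the-predecessor rule is applied repeatedly, so a detection in any secondary VM propagates up to the primary VM while sibling VMs stay unflagged.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VMRecord:
    vm_id: str
    application: str
    parent_id: Optional[str] = None  # None marks the primary VM
    trigger: Optional[str] = None    # operation in the parent that spawned this VM
    malicious: bool = False


class VMChainTracker:
    """Stores the relationship between each VM and its preceding VM."""

    def __init__(self) -> None:
        self.vms: Dict[str, VMRecord] = {}

    def register(self, vm_id: str, application: str,
                 parent_id: Optional[str] = None,
                 trigger: Optional[str] = None) -> None:
        # Unique ids plus "parent must already exist" rule out cycles.
        if vm_id in self.vms:
            raise ValueError(f"duplicate VM id: {vm_id}")
        if parent_id is not None and parent_id not in self.vms:
            raise KeyError(f"unknown preceding VM: {parent_id}")
        self.vms[vm_id] = VMRecord(vm_id, application, parent_id, trigger)

    def report_malware(self, vm_id: str) -> List[str]:
        """Flag vm_id, then each preceding VM; return the kill chain."""
        kill_chain: List[str] = []
        current: Optional[str] = vm_id
        while current is not None:
            record = self.vms[current]
            record.malicious = True
            kill_chain.append(current)   # detection point first, primary last
            current = record.parent_id
        return kill_chain

    def flagged(self) -> List[str]:
        return sorted(v.vm_id for v in self.vms.values() if v.malicious)


def build_sample() -> VMChainTracker:
    """Constructed sample: a mail VM that spawned two secondary VMs."""
    t = VMChainTracker()
    t.register("vm-mail", "mail client")
    t.register("vm-pdf", "pdf viewer", "vm-mail", "open attachment")
    t.register("vm-browser", "browser", "vm-pdf", "follow link")
    t.register("vm-doc", "word processor", "vm-mail", "open attachment")
    return t
```

The `trigger` field records which operation in the preceding VM caused each secondary VM to be created, which is the detail an analyst needs to reconstruct how the malware moved along the chain.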