KILL CHAIN IDENTIFICATIONS

Register WIPO Patent
Application Number US2021042897
Publication Number 2023/003565
Status In Force
Filing Date 2021-07-23
Publication Date 2023-01-26
Owner HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P. (USA)
Inventor
  • Srivastava, Vivek
  • Gray, Tobias Edward Sebastian
  • Pandey, Ratnesh Kumar

Abstract

An example storage medium stores instructions that, when executed, cause a processor of a computing device to receive an indication associated with a first virtual machine, the first virtual machine containing a first application, the indication indicating that a first operation in the first virtual machine is to use a second application; receive information associated with a second virtual machine, the second virtual machine created in response to the first operation and containing the second application; store information describing a chain of virtual machines, the chain of virtual machines including the first and second virtual machines, the stored information including a relationship between the first virtual machine and the second virtual machine, based on the received indication and the received information; and in response to an identification of malware in the chain of virtual machines, identify a particular virtual machine in the chain of virtual machines that is in a kill chain of the malware based on the stored information.
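The bookkeeping the abstract describes can be sketched as follows. This is an added example, not code from the patent or from its owner. It assumes that an operation identifier (`op_id`) correlates the indication with the later VM information, and that the kill chain is the ancestry path of the VM where malware was identified. All VM names, applications and events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class VM:
    vm_id: str
    app: str
    parent: Optional[str] = None   # VM whose operation led to this VM being created
    via_op: Optional[str] = None   # description of that operation
class ChainStore:
    def __init__(self):
        self.vms = {}       # vm_id -> VM
        self.pending = {}   # op_id -> (parent vm_id, operation, expected application)

    def add_root(self, vm_id, app):
        self.vms[vm_id] = VM(vm_id, app)

    def on_indication(self, op_id, vm_id, operation, needs_app):
        # Indication: an operation in vm_id is to use another application.
        if vm_id not in self.vms:
            raise KeyError(f"indication from unknown VM {vm_id}")
        self.pending[op_id] = (vm_id, operation, needs_app)

    def on_vm_info(self, op_id, vm_id, app):
        # Information about the VM created in response to that operation.
        parent, operation, needs_app = self.pending.pop(op_id)
        if app != needs_app:
            raise ValueError(f"{vm_id} contains {app}, expected {needs_app}")
        self.vms[vm_id] = VM(vm_id, app, parent, operation)

    def kill_chain(self, infected_vm):
        # Walk parent links from the VM where malware was identified to the root.
        path, cur = [], infected_vm
        while cur is not None:
            path.append(cur)
            cur = self.vms[cur].parent
        return path[::-1]

def demo():
    # Constructed events: (op_id, parent VM, operation, new VM, its application)
    s = ChainStore()
    s.add_root("vm-mail", "mail client")
    for op, parent, what, child, app in [
            ("op1", "vm-mail", "open attachment", "vm-pdf", "pdf viewer"),
            ("op2", "vm-mail", "click link", "vm-web", "browser"),
            ("op3", "vm-web", "open download", "vm-doc", "word processor")]:
        s.on_indication(op, parent, what, app)
        s.on_vm_info(op, child, app)
    return s
```

With malware identified in `vm-doc`, `demo().kill_chain("vm-doc")` returns the mail, browser and document VMs in order and leaves out the sibling `vm-pdf`, which was never on the path.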

IPC Classes

  • G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements