Method and apparatus for encrypting messages based on encryption group association

US11087006B2 · US · B2

Patent metadata

Publication number: US-11087006-B2
Application number: US-201414320582-A
Country: US
Kind code: B2
Filing date: Jun 30, 2014
Priority date: Jun 30, 2014
Publication date: Aug 10, 2021
Grant date: Aug 10, 2021


Abstract

Official abstract text for this publication.

For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the method determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts the data messages of different GVMs executing on the host differently. When two different GVMs are part of two different logical overlay networks that are implemented on a common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently from the data messages exchanged between the GVMs of the other logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.

Claims

Claim text for this publication.

We claim:

1. A method of providing encryption services on a computer which executes a plurality of software machines including first and second machines, the method comprising: at a module executing on the computer separately from the first and second machines: receiving contextual information about a dynamically detected event that relates to the first machine from an introspection agent installed on the first machine; based on the received contextual information, dynamically adding the second machine as a member of an encryption group that comprises a set of machines that transmit unencrypted data messages that need to be encrypted; based on the addition of the second machine to the encryption group, generating an encryption rule to specify that unencrypted data messages transmitted by the second machine to a machine operating outside of the computer have to be encrypted; and providing the encryption rule to an encryptor executing on the computer separately from the first and second machines so that, based on the generated rule, the encryptor encrypts unencrypted data messages transmitted by the second machine before the data messages are transmitted out of the computer, wherein before adding the second machine to the encryption group, no encryption rule enforced outside of the second machine specified that unencrypted data messages transmitted by the second machine to the machine operating outside of the computer had to be encrypted.

2. The method of claim 1, wherein the first and second machines are virtual machines.

3. The method of claim 1, wherein the received contextual information is used to determine that the first machine is infected with malware.

4. The method of claim 1, wherein generating an encryption rule is based on a set of encryption policies defined for the encryption group.

5. The method of claim 1, wherein the method further comprises: based on another dynamically detected event that relates to the first machine, dynamically removing the second machine as a member of the encryption group; and discarding the encryption rule that specifies that the data messages transmitted by the second machine have to be encrypted.

6. The method of claim 1, wherein when an encryption group is initially defined, the encryption group has no machine as a member.

7. The method of claim 1, wherein the contextual information about the dynamically detected event is received by a third machine that maintains information about group membership.

8. The method of claim 1, wherein membership criteria for a plurality of groups of machines that includes the encryption group is defined at a third machine.

9. The method of claim 8, wherein the machine operating outside of the computer does not meet the membership criteria for the encryption group.

10. The method of claim 8, wherein the second machine meets the membership criteria for the encryption group based on the dynamically detected event.

11. A non-transitory machine readable medium storing a program for providing encryption services on a computer which executes a plurality of software machines including first and second machines, the program comprising sets of instructions for: at a module executing on the computer separately from the first and second machines: receiving contextual information about a dynamically detected event that relates to the first machine from an introspection agent installed on the first machine; based on the received contextual information, dynamically adding the second machine as a member of an encryption group that comprises a set of machines that transmit unencrypted data messages that need to be encrypted; based on the addition of the second machine to the encryption group, generating an encryption rule to specify that unencrypted data messages transmitted by the second machine to a machine operating outside of the computer have to be encrypted; and providing the encryption rule to an encryptor executing on the computer separately from the first and second machines so that, based on the generated rule, the encryptor encrypts unencrypted data messages transmitted by the second machine before the data messages are transmitted out of the computer, wherein before adding the second machine to the encryption group, no encryption rule enforced outside of the second machine specified that unencrypted data messages transmitted by the second machine to the machine operating outside of the computer had to be encrypted.

12. The non-transitory machine readable medium of claim 11, wherein the program further comprises sets of instructions for: based on another dynamically detected event that relates to the first machine, dynamically removing the second machine as a member of the group; and discarding the encryption rule that specifies that the data messages transmitted by the second machine have to be encrypted.

13. The non-transitory machine readable medium of claim 11, wherein when an encryption group is initially defined, the encryption group has no machine as a member.

14. The non-transitory machine readable medium of claim 11, wherein generating an encryption rule includes generating an encryption rule based on a set of encryption policies defined for the encryption group.

15. The non-transitory machine readable medium of claim 11, wherein the first and second machines are virtual machines.

16. The non-transitory machine readable medium of claim 11, wherein the received contextual information is used to determine that the first machine is infected with malware.

17. The non-transitory machine readable medium of claim 11, wherein the contextual information about the dynamically detected event is received by a third machine that maintains information about group membership.

18. The non-transitory machine readable medium of claim 11, wherein membership criteria for a plurality of groups of machines that includes the encryption group is defined at a third machine.

19. The non-transitory machine readable medium of claim 18, wherein the machine operating outside of the computer does not meet the membership criteria for the encryption group.

20. The non-transitory machine readable medium of claim 18, wherein the second machine meets the membership criteria for the encryption group based on the dynamically detected event.
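The control flow of claims 1, 5 and 6 (event from an introspection agent, group membership update, rule generation, rule handed to a host-side encryptor, later removal), as an added Python model that is not part of the patent or of any Nicira product; the VM names, tenant mapping, membership criterion, policy shape and the toy cipher are all assumptions made for the example:

```python
import itertools
from dataclasses import dataclass, field

# Constructed topology (assumed names): VM -> tenant, all on this one host.
HOST_VMS = {"vm-a": "tenant-1", "vm-b": "tenant-1", "vm-c": "tenant-2"}

def toy_cipher(key: bytes, data: bytes) -> bytes:
    # Stand-in for a real AEAD such as AES-GCM; repeating-key XOR is NOT secure.
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))

@dataclass
class Rule:
    src: str      # machine whose outbound messages must be encrypted
    key: bytes    # taken from the encryption group's policy

@dataclass
class EncryptionGroup:
    name: str
    policy: dict                               # assumed shape: {"key": bytes}
    members: set = field(default_factory=set)  # empty when defined (claim 6)

class Encryptor:  # host-side encryptor, separate from the VMs, applied on egress
    def __init__(self):
        self.rules = {}
    def install(self, rule):
        self.rules[rule.src] = rule
    def discard(self, src):
        self.rules.pop(src, None)
    def forward(self, src, dst, payload):
        rule = self.rules.get(src)
        if rule and dst not in HOST_VMS:       # destination lies outside the host
            return ("encrypted", toy_cipher(rule.key, payload))
        return ("plain", payload)              # no matching rule: forward as-is

class GroupManager:  # module that turns agent events into membership and rules
    def __init__(self, group, encryptor):
        self.group, self.encryptor = group, encryptor
    def on_event(self, reporting_vm, event):
        # Assumed criterion: a malware report from one VM puts the tenant's other
        # VMs on this host into the group; remediation removes them (claims 1, 5).
        tenant = HOST_VMS[reporting_vm]
        peers = {m for m, t in HOST_VMS.items() if t == tenant and m != reporting_vm}
        for m in peers:
            if event == "malware-detected":
                self.group.members.add(m)
                self.encryptor.install(Rule(m, self.group.policy["key"]))
            elif event == "remediated":
                self.group.members.discard(m)
                self.encryptor.discard(m)
        return sorted(self.group.members)
```

Before the event no rule exists for vm-b and its traffic leaves in the clear; after the report from vm-a, only vm-b's traffic to destinations off the host is encrypted, while vm-c (other tenant) and host-local traffic are unaffected.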

Assignees

Nicira Inc

Classifications

  • Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system (cryptographic typewriters G09C3/00) · CPC title

  • between heterogeneous systems · CPC title

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

  • Event management; Broadcasting; Multicasting; Notifications · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11087006B2 cover?
For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determ…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/602. Mapped technology areas include Physics.
When was this patent published?
Publication date: Aug 10, 2021 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).