Intrusion prevention and remedy system
US-2015372980-A1 · Dec 24, 2015 · US
US12093406B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12093406-B2 |
| Application number | US-202217669344-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 10, 2022 |
| Priority date | Jun 30, 2014 |
| Publication date | Sep 17, 2024 |
| Grant date | Sep 17, 2024 |
Abstract.
For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.
Claims.
We claim:
1. A method of providing encryption services on a computer that executes a plurality of virtual machines (VMs), the method comprising: on the computer: detecting an event on a particular VM of the plurality of VMs; based on the detected event, dynamically generating an encryption rule for encrypting data messages that are sent from the particular VM, the encryption rule specifying a set of header values identifying a data message flow requiring encryption, the encryption rule being generated based on a logical network associated with the particular VM; providing the generated encryption rule to an encryptor that executes on the computer and that (i) receives data messages sent by the particular VM, (ii) compares the set of header values in the encryption rule to header values of received data messages in order to identify data messages to which the encryption rule should be applied, and (iii) applies the encryption rule to the identified data messages.
2. The method of claim 1, wherein generating the encryption rule comprises examining a plurality of encryption policies to determine whether an encryption rule needs to be specified for the detected event, wherein generating the encryption rule comprises generating the encryption rule based on the examination of the encryption policies.
3. The method of claim 1, wherein the event is a flow-based event.
4. The method of claim 1, wherein detecting the event comprises detecting an initiation of a flow between the particular VM and another VM.
5. The method of claim 1, wherein detecting the event comprises detecting existence of malware on the particular VM.
6. The method of claim 1, wherein detecting the event comprises detecting existence of malware on another VM of the plurality of VMs.
7. The method of claim 1, wherein generating the encryption rule comprises forwarding the detected event to a set of controllers, said controller set determining whether an encryption rule needs to be specified for the detected event based on a set of encryption policies that are stored by the controller set, wherein generating the encryption rule comprises receiving the generated encryption rule from the controller set.
8. The method of claim 1, wherein generating the encryption rule comprises forwarding the detected event to a set of controllers, said controller set determining whether an encryption policy has to be provided to the computer to generate, at the computer, an encryption rule for the detected event.
9. The method of claim 1, wherein, after applying the encryption rule, the encryptor provides the intercepted data messages to a software forwarding element that executes on the computer and that forwards the data messages to the data messages' destination.
10. The method of claim 1, wherein the encryption rule specifies an encryption key identifier that identifies an encryption key to use to encrypt the data messages, wherein the encryption key is also supplied to the encryptor, wherein before supplying the encryption key, the encryption key is retrieved from a key manager.
11. A non-transitory machine readable medium storing sets of instructions for providing encryption services on a computer that executes a plurality of virtual machines (VMs), the sets of instructions for: detecting an event on a particular VM of the plurality of VMs; based on the detected event, dynamically generating an encryption rule for encrypting data messages that are sent from the particular VM, the encryption rule specifying a set of header values identifying a data message flow requiring encryption, the encryption rule being generated based on a logical network associated with the particular VM; providing the generated encryption rule to an encryptor that executes on the computer and that (i) receives data messages sent by the particular VM, (ii) compares the set of header values in the encryption rule to header values of received data messages in order to identify data messages to which the encryption rule should be applied, and (iii) applies the encryption rule to the identified data messages.
12. The non-transitory machine readable medium of claim 11, wherein the program further comprises a set of instructions for using the encryption rule to encrypt messages sent by the particular VM.
13. The non-transitory machine readable medium of claim 11, wherein the event is a flow-based event.
14. The non-transitory machine readable medium of claim 11, wherein the set of instructions for detecting the event comprises a set of instructions for detecting an initiation of a flow between the particular VM and another machine.
15. The non-transitory machine readable medium of claim 11, wherein the set of instructions for detecting the event comprises a set of instructions for detecting existence of malware on the particular VM.
16. The non-transitory machine readable medium of claim 11, wherein the set of instructions for detecting the event comprises a set of instructions for detecting existence of malware on another VM.
17. The non-transitory machine readable medium of claim 11, wherein the set of instructions for examining the set of encryption policies comprises a set of instructions for forwarding the detected event to a set of controllers, said controller set examining the set of encryption policies to determine whether an encryption rule needs to be specified for the detected event.
18. The non-transitory machine readable medium of claim 11, wherein the set of instructions for examining the set of encryption policies comprises a set of instructions for forwarding the detected event to a set of controllers, said controller set determining whether an encryption policy has to be provided to the computer to generate, at the computer, an encryption rule for the detected event.
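The abstract and claims above describe a pipeline: a host detects an event on a guest VM (malware found, or a new flow starting), a controller examines its encryption policies and hands back a rule keyed on header values and the VM's logical network, and a host-side encryptor compares those header values against each outgoing message to decide whether to encrypt it or forward it in the clear. The following Python model of that pipeline is an added illustration written for this page; it is not code from the patent or its assignee. The VM inventory, the two policies, the key derivation and the messages are all constructed sample data, and the stream cipher is a toy stand-in (SHA-256 keystream in counter mode) so the example runs on the standard library alone; a real host would use an AEAD such as AES-GCM with keys fetched from an actual key manager.

```python
from dataclasses import dataclass
import hashlib

# Constructed inventory: each guest VM has an address and a logical overlay network.
VM_INVENTORY = {
    "vm-1": {"ip": "10.0.1.10", "logical_network": "ln-blue"},
    "vm-2": {"ip": "10.0.1.11", "logical_network": "ln-blue"},
    "vm-3": {"ip": "10.0.2.20", "logical_network": "ln-red"},
}


@dataclass(frozen=True)
class HeaderMatch:
    """Header values a rule matches against; '*' is a wildcard (claim 1, step ii)."""
    src_ip: str = "*"
    dst_ip: str = "*"
    protocol: str = "*"
    dst_port: str = "*"

    def matches(self, headers):
        for name in ("src_ip", "dst_ip", "protocol", "dst_port"):
            want = getattr(self, name)
            if want != "*" and str(headers.get(name)) != want:
                return False
        return True


@dataclass(frozen=True)
class EncryptionRule:
    match: HeaderMatch
    key_id: str            # identifies the key to use (claim 10)
    logical_network: str   # the network the rule was derived from (claim 1)


class Controller:
    """Holds the encryption policies and examines them for each forwarded event (claims 2, 7)."""

    def __init__(self, inventory):
        self.inventory = inventory

    def rule_for_event(self, event):
        vm = self.inventory[event["vm"]]
        key_id = "key-" + vm["logical_network"]   # one key per logical network
        if event["type"] == "malware_detected":
            # Policy 1 (constructed): encrypt everything the infected VM sends.
            match = HeaderMatch(src_ip=vm["ip"])
        elif event["type"] == "flow_initiated":
            # Policy 2 (constructed): encrypt only the newly started flow (claim 4).
            match = HeaderMatch(src_ip=vm["ip"], dst_ip=event["dst_ip"],
                                protocol=event["protocol"], dst_port=str(event["dst_port"]))
        else:
            return None   # no policy applies to this event
        return EncryptionRule(match, key_id, vm["logical_network"])


class KeyManager:
    """Constructed stand-in for the key manager of claim 10: a deterministic 32-byte key per key_id."""

    def get_key(self, key_id):
        return hashlib.sha256(b"demo-root|" + key_id.encode()).digest()


def toy_stream_cipher(key, data):
    """Toy counter-mode keystream (SHA-256 over key||block number) XORed with the data.
    Symmetric, so the same call decrypts. Illustration only, not a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


class Encryptor:
    """Host-side encryptor: compares rule header values to each message, encrypts matches."""

    def __init__(self, key_manager):
        self.key_manager = key_manager
        self.rules = []   # (rule, key) pairs; first match wins

    def install(self, rule):
        self.rules.append((rule, self.key_manager.get_key(rule.key_id)))

    def process(self, headers, payload):
        for rule, key in self.rules:
            if rule.match.matches(headers):
                return {"headers": headers, "encrypted": True, "key_id": rule.key_id,
                        "payload": toy_stream_cipher(key, payload)}
        # No rule matched: forward unchanged, as the abstract describes.
        return {"headers": headers, "encrypted": False, "key_id": None, "payload": payload}


def run_scenario():
    """Constructed scenario: traffic before and after two dynamically detected events."""
    controller = Controller(VM_INVENTORY)
    encryptor = Encryptor(KeyManager())
    payload = b"hello from the guest"
    msg_vm2 = {"src_ip": "10.0.1.11", "dst_ip": "10.0.1.10", "protocol": "tcp", "dst_port": 8080}
    msg_vm3_443 = {"src_ip": "10.0.2.20", "dst_ip": "10.0.2.30", "protocol": "tcp", "dst_port": 443}
    msg_vm3_80 = {"src_ip": "10.0.2.20", "dst_ip": "10.0.2.30", "protocol": "tcp", "dst_port": 80}
    results = {"vm2_before": encryptor.process(msg_vm2, payload)}
    events = [
        {"type": "malware_detected", "vm": "vm-2"},
        {"type": "flow_initiated", "vm": "vm-3", "dst_ip": "10.0.2.30", "protocol": "tcp", "dst_port": 443},
    ]
    for event in events:
        rule = controller.rule_for_event(event)
        if rule is not None:
            encryptor.install(rule)
    results["vm2_after"] = encryptor.process(msg_vm2, payload)
    results["vm3_443"] = encryptor.process(msg_vm3_443, payload)
    results["vm3_80"] = encryptor.process(msg_vm3_80, payload)
    return results


if __name__ == "__main__":
    for name, r in run_scenario().items():
        print(name, "encrypted" if r["encrypted"] else "plaintext", r["key_id"])
```

Running the scenario shows the behaviour the claims describe: vm-2's message is forwarded in the clear until the malware event installs a source-wide rule, after which it is encrypted under the ln-blue key; vm-3 sits in a different logical network and gets a narrower per-flow rule under the ln-red key, so its port-443 flow is encrypted while its port-80 traffic still passes unencrypted.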
CPC classification titles:
- received data contents, e.g. message integrity
- wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- Key scheduling, i.e. generating round keys or sub-keys for block encryption
- using a plurality of keys or algorithms
- Computer malware detection or handling, e.g. anti-virus arrangements