US2016241573A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016241573-A1 |
| Application number | US-201514622224-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 13, 2015 |
| Priority date | Feb 13, 2015 |
| Publication date | Aug 18, 2016 |
| Grant date | — |
Official abstract text for this publication.
Methods and apparatus are disclosed for security event detection through virtual machine introspection. Example methods involve monitoring usage of a plurality of resources by a first virtual machine executing on a computing device by a monitoring agent, the monitoring agent executing on the computing device separate from the first virtual machine. Example methods further involve detecting a potential security event by comparing the usage of the plurality of resources to resource usage patterns. Example methods further involve assigning a severity level to the detected potential security event, and initiating a security action defined for the assigned severity level.
Opening claim text (preview).
What is claimed is:
1. A method of security event detection in a computing device of a process control system, comprising: monitoring usage of a plurality of resources by a first virtual machine executing on the computing device by a monitoring agent, the monitoring agent executing on the computing device separate from the first virtual machine; detecting a potential security event by comparing the usage of the plurality of resources to resource usage patterns; assigning a severity level to the detected potential security event; and initiating a security action based on the assigned severity level.
2. A method as defined in claim 1, wherein the monitoring agent communicates with a hypervisor managing the first virtual machine to monitor the usage of the plurality of resources by the first virtual machine.
3. A method as defined in claim 1, wherein the monitoring agent is executing in a second virtual machine on the computing device.
4. A method as defined in claim 1, wherein the monitoring agent is part of a hypervisor that manages the first virtual machine.
5. A method as defined in claim 1, wherein monitoring agent monitors at least one of memory usage, storage disk usage, network usage, and hardware usage of the first virtual machine.
6. A method as defined in claim 1, wherein, in response to assigning a highest severity level to the detected potential security event, initiating the security action comprises: causing a second virtual machine to instantiate on the computing device based on a snapshot of the first virtual machine created before the potential security event was detected; migrating functionality of the first virtual machine to the second virtual machine; and terminating the first virtual machine.
7. A method as defined in claim 1, further comprising: assigning an integrity level to the first virtual machine; in response to detecting the potential security event, reducing the integrity level of the first virtual machine; and when the integrity level of the first virtual machine is below an integrity level threshold, initiating the security action based on the integrity level of the first virtual machine.
8. An apparatus comprising: a resource monitor to, via a processor: monitor usage of a plurality of resources by a first virtual machine executing on a computing device, the resource monitor being separate from the first virtual machine, and detect a potential security event by comparing the usage of the plurality of resources to resource usage patterns; and a security event handler to: assign a severity level to the detected potential security event, and initiate a security action defined for the assigned severity level.
9. An apparatus as defined in claim 8, wherein the resource monitor is to communicate with a hypervisor managing the first virtual machine to monitor the usage of the plurality of resources of the first virtual machine.
10. An apparatus as defined in claim 8, wherein the resource monitor is part of a hypervisor that manages the first virtual machine.
11. An apparatus as defined in claim 8, wherein resource monitor is to monitor at least one of memory usage, storage disk usage, network usage, and hardware usage of the first virtual machine.
12. An apparatus as defined in claim 8, wherein, in response to assigning a highest severity level to the detected potential security event, the security event handler is to: cause a second virtual machine to instantiate on the computing device based on a snapshot of the first virtual machine created before the potential security event was detected; migrate functionality of the first virtual machine to the second virtual machine; and terminate the first virtual machine.
13. An apparatus as defined in claim 8, wherein the security event handler is to: assign an integrity level to the first virtual machine; in response to detecting potential security event, reduce the integrity level of the first virtual machine; and when the integrity level of the first virtual machine is below an integrity level threshold, initiate a security action based on the integrity level of the first virtual machine.
14. A tangible computer readable storage medium comprising instructions which, when executed, cause a monitoring agent to at least: monitor usage of a plurality of resources by a first virtual machine executing on a computing device, the monitoring agent to execute on the computing device separate from the first virtual machine; detect a potential security event by comparing the usage of the plurality of resources to resource usage patterns; assign a severity level to the detected potential security event; and initiate a security action defined for the assigned severity level.
15. A tangible computer readable storage medium as defined in claim 14, wherein the instructions, when executed, cause the monitoring agent further to communicate with a hypervisor managing the first virtual machine to monitor the usage of the plurality of resources of the first virtual machine.
16. A tangible computer readable storage medium as defined in claim 14, wherein the monitoring agent is to execute in a second virtual machine on the computing device.
17. A tangible computer readable storage medium as defined in claim 14, wherein the monitoring agent is part of a hypervisor that manages the first virtual machine.
18. A tangible computer readable storage medium as defined in claim 14, wherein the instructions, when executed, cause the monitoring agent to monitor at least one of memory usage, storage disk usage, network usage, and hardware usage of the first virtual machine.
19. A tangible computer readable storage medium as defined in claim 14, wherein, in response to assigning a highest severity level to the detected potential security event, the instructions, when executed, cause the monitoring agent to: cause a second virtual machine to instantiate on the computing device based on a snapshot of the first virtual machine created before the potential security event was detected; migrate functionality of the first virtual machine to the second virtual machine; and terminate the first virtual machine.
20. A tangible computer readable storage medium as defined in claim 14, comprising instructions that, when executed, cause the monitoring agent to: assign an integrity level to the first virtual machine; in response to detecting potential security event, reduce the integrity level of the first virtual machine; and when the integrity level of the first virtual machine is below an integrity level threshold, initiate a security action based on the integrity level of the first virtual machine.
Hypervisor-specific management and integration aspects · CPC title
involving event detection and direct action · CPC title
Monitoring or debugging support · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Distribution of virtual machine instances; Migration and load balancing · CPC title