Technologies for handling malicious activity of a virtual network driver

US2017134403A1 · US · A1

Patent metadata
Publication number: US-2017134403-A1
Application number: US-201514934142-A
Country: US
Kind code: A1
Filing date: Nov 5, 2015
Priority date: Nov 5, 2015
Publication date: May 11, 2017
Grant date:

Abstract

Official abstract text for this publication.

Technologies for handling malicious activity of a virtual network driver include a network computing device on which a virtual machine is being executed and the virtual network driver is managing communication between the physical network interface controller and the virtual function network adapter. The network computing device is configured to monitor events handled by the virtual network driver to detect malicious activity and update one or more malicious event tracking variables corresponding to a type of malicious activity event detected. The network computing device is further configured to compare one or more of the malicious event tracking variables to a corresponding malicious event threshold and perform an action on the virtual function driver in response to a determination that one or more of the malicious event tracking variables indicates that the corresponding malicious event threshold has been violated. Other embodiments are described and claimed herein.

First claim

Opening claim text (preview).

1. A network computing device for handling malicious activity of a virtual network driver, the network computing device comprising: one or more processors; and one or more data storage devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the network computing device to: monitor events handled by a virtual network driver of a virtual machine of the network computing device to detect malicious activity; update, in response to a determination that malicious activity by the virtual network driver was detected, one or more malicious event tracking variables corresponding to a type of event of the detected malicious activity of the virtual network driver; compare, subsequent to updating the malicious event tracking variables, one or more of the malicious event tracking variables to a corresponding malicious event threshold; and perform an action on the virtual function driver in response to a determination that one or more of the malicious event tracking variables indicates that the corresponding malicious event threshold has been violated.

2. The network computing device of claim 1, wherein to monitor events handled by the virtual network driver to detect malicious activity comprises to at least one of analyze network packets received by the network computing device for evidence of malicious content, monitor memory access requests by the virtual network driver, and monitor hardware access requests by the virtual network driver.

3. The network computing device of claim 1, wherein the one or more malicious event tracking variables includes a counter, wherein to update the one or more malicious event tracking variables comprises to increment a value of the counter based on the type of event of the detected malicious activity of the virtual network driver, wherein to compare each of the malicious event tracking variables to the corresponding malicious event threshold comprises to compare the counter value to a counter threshold corresponding to the type of event of the detected malicious activity of the virtual network driver, and wherein to perform the action on the virtual function driver comprises to perform the action in response to a determination the counter value exceeds the counter threshold.

4. The network computing device of claim 1, wherein the one or more malicious event tracking variables includes a list of event-detected timestamps, wherein each of the event-detected timestamps of the list corresponds to a time at which a corresponding malicious activity was detected, wherein to update the one or more malicious event tracking variables comprises to log a timestamp corresponding to a time at which the malicious activity was detected in the list, wherein the plurality of instructions further cause the network computing device to determine a frequency of malicious events as a function of the list of event-detected timestamps, wherein to compare each of the malicious event tracking variables to the corresponding malicious event threshold comprises to compare the frequency of malicious events to a frequency threshold corresponding to the type of event of the detected malicious activity by the virtual network driver, and wherein to perform the action on the virtual function driver comprises to perform the action in response to a determination the frequency of malicious events is less than the frequency threshold.

5. The network computing device of claim 1, wherein to compare each of the malicious event tracking variables to a corresponding malicious event threshold comprises to compare each of the malicious event tracking variables to a corresponding warning threshold and a corresponding removal threshold, wherein the corresponding warning threshold comprises a lower threshold than the corresponding removal threshold.

6. The network computing device of claim 5, wherein to perform the action on the virtual function driver comprises to remove a virtual function interface of the virtual function driver in response to a determination that one or more of the malicious event tracking variables violates the corresponding removal threshold.

7. The network computing device of claim 5, wherein to perform the action on the virtual function driver further comprises to transmit, in response to a determination that one or more of the malicious event tracking variables violates the corresponding warning threshold, a notification to an administrator of the network computing device.

8. The network computing device of claim 1, wherein the plurality of instructions further cause the network computing device to reset the virtual function driver in response to a determination that malicious activity by the virtual network driver was detected.

9. One or more computer-readable storage media comprising a plurality of instructions stored thereon that in response to being executed cause a network computing device to: monitor events handled by a virtual network driver of a virtual machine of the network computing device to detect malicious activity; update, in response to a determination that malicious activity by the virtual network driver was detected, one or more malicious event tracking variables corresponding to a type of event of the detected malicious activity of the virtual network driver; compare, subsequent to updating the malicious event tracking variables, one or more of the malicious event tracking variables to a corresponding malicious event threshold; and perform an action on the virtual function driver in response to a determination that one or more of the malicious event tracking variables indicates that the corresponding malicious event threshold has been violated.

10. The one or more computer-readable storage media of claim 9, wherein to monitor events handled by the virtual network driver to detect malicious activity comprises to at least one of analyze network packets received by the network computing device for evidence of malicious content, monitor memory access requests by the virtual network driver, and monitor hardware access requests by the virtual network driver.

11. The one or more computer-readable storage media of claim 9, wherein the one or more malicious event tracking variables includes a counter, wherein to update the one or more malicious event tracking variables comprises to increment a value of the counter based on the type of event of the detected malicious activity of the virtual network driver, wherein to compare each of the malicious event tracking variables to the corresponding malicious event threshold comprises to compare the counter value to a counter threshold corresponding to the type of event of the detected malicious activity of the virtual network driver, and wherein to perform the action on the virtual function driver comprises to perform the action in response to a determination the counter value exceeds the counter threshold.

12. The one or more computer-readable storage media of claim 9, wherein the one or more malicious event tracking variables includes a list of event-detected timestamps, wherein each of the event-detected timestamps of the list corresponds to a time at which a corresponding malicious activity was detected, wherein to update the one or more malicious event tracking variables comprises to log a timestamp corresponding to a time at which the malicious activity was detected in the list, wherein the plurality of instructions further cause the network computing device to determine a frequency of malicious events as a function of the list of event-detected timestamps, wherein to compare each of the malicious event tracking vari
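
The monitor, update, compare and act loop of claims 1 and 3 to 7, as an added example that is not code from the patent or its assignee: per-event-type counters and timestamp lists are compared against a lower warning threshold and a higher removal threshold. The event-type names, the limits, and the sliding-window rate rule (more detections inside the window than the limit counts as a violation) are assumptions made for this example; timestamps are assumed to arrive in non-decreasing order.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    warn_count: int    # warning threshold (the lower one)
    remove_count: int  # removal threshold (the higher one)
    rate_limit: int    # detections tolerated inside window_s (assumed rule)
    window_s: float    # sliding-window length in seconds


# Hypothetical event types and limits, constructed for this example.
POLICIES = {
    "malformed_packet": Policy(3, 6, 4, 10.0),
    "bad_mmio_access": Policy(1, 2, 2, 60.0),
}


class VfTracker:
    """Tracking variables for one virtual function: counter and timestamp list per event type."""

    def __init__(self, policies):
        self.policies = policies
        self.counts = defaultdict(int)
        self.stamps = defaultdict(deque)

    def rate(self, event_type, now):
        """Detections of this type inside the window ending at `now`."""
        q = self.stamps[event_type]
        while q and now - q[0] > self.policies[event_type].window_s:
            q.popleft()  # drop timestamps that aged out of the window
        return len(q)

    def record(self, event_type, now):
        """Update the tracking variables, then compare; returns 'none', 'warn' or 'remove'."""
        p = self.policies[event_type]  # unknown event types raise KeyError
        self.counts[event_type] += 1
        self.stamps[event_type].append(now)
        count, rate = self.counts[event_type], self.rate(event_type, now)
        if count > p.remove_count or rate > p.rate_limit:
            return "remove"  # caller removes the virtual function interface
        if count > p.warn_count:
            return "warn"    # caller notifies the administrator
        return "none"


def replay(events, policies=POLICIES):
    """Feed (timestamp, event_type) pairs to one tracker and list the decisions."""
    tracker = VfTracker(policies)
    return [tracker.record(etype, ts) for ts, etype in events]
```

A burst of five `malformed_packet` detections in five seconds reaches `remove` through the rate rule while the counter is still below its removal threshold; the same five events spread over minutes only reach `warn`.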

Classifications

  • Traffic logging, e.g. anomaly detection

  • Event detection, e.g. attack signature detection

  • involving long-term monitoring or reporting

  • for detecting or protecting against malicious traffic

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2017134403A1 cover?
Technologies for handling malicious activity of a virtual network driver include a network computing device on which a virtual machine is being executed and the virtual network driver is managing communication between the physical network interface controller and the virtual function network adapter. The network computing device is configured to monitor events handled by the virtual network dri…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 11, 2017 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).