US 2017/0180318 A1

(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2017/0180318 A1
     LUTAS et al.                      (43) Pub. Date:     Jun. 22, 2017

(54) DUAL MEMORY INTROSPECTION FOR SECURING MULTIPLE NETWORK ENDPOINTS

(71) Applicant: Bitdefender IPR Management Ltd., Nicosia (CY)

(72) Inventors: Dan H. LUTAS, Cluj-Napoca (RO); Daniel I. TICLE, Turda (RO); Radu I. CIOCAS, Cluj-Napoca (RO); Sandor LUKACS, Floresti (RO); Ionel C. ANICHITEI, Cluj-Napoca (RO)

(21) Appl. No.: 15/383,082

(22) Filed: Dec. 19, 2016

Related U.S. Application Data

(60) Provisional application No. 62/269,952, filed on Dec. 19, 2015.

Publication Classification

(51) Int. Cl.
     H04L 29/06   (2006.01)
     G06F 9/54    (2006.01)
     G06F 9/455   (2006.01)

(52) U.S. Cl.
     CPC ...... H04L 63/0254 (2013.01); G06F 9/45558 (2013.01); G06F 9/542 (2013.01); H04L 63/0245 (2013.01); H04L 63/0272 (2013.01); H04L 63/14 (2013.01); G06F 2009/45587 (2013.01)

(57) ABSTRACT

Described systems and methods enable protecting multiple client systems (e.g., a corporate network) from computer security threats such as malicious software and intrusion. In some embodiments, each protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client is under attack by malicious software or an intruder.

[Front-page figure: client system 12 exchanges an event indicator 50, an analysis request 52, a forensic report 54, a security alert 56 and a mitigation indicator 58 with security server 14.]

WIZ, Inc. EXHIBIT - 1064
WIZ, Inc. v. Orca Security LTD.

[Sheet 1 of 8, FIG. 1: exemplary configuration with client systems 12a-12d, security server 14, communication network 15, client database 17 and a central tool repository.]

[Sheet 2 of 8, FIG. 2-A: client system 12 comprising a processor, memory, input devices, output devices, storage devices, network adapter(s) and a controller hub (reference numerals 16, 18, 20, 22, 24, 26, 28).]

[FIG. 2-B: security server 14 comprising a server processor, server memory, server storage devices, server network adapter(s) and a server controller hub (reference numerals 116, 118, 124, 126, 128).]

[Sheet 3 of 8, FIG. 3-A: client system with a hypervisor exposing a guest virtual machine (application, guest OS) and a security virtual machine (on-demand introspection engine, network filter); an event handler (46a) and the live introspection engine run outside both VMs, above the client system hardware (reference numerals 32, 33, 34, 36, 40, 42, 44, 46a).]

[FIG. 3-B: alternative configuration in which the event handler 46b executes within the guest OS of the guest virtual machine; the security virtual machine hosts the on-demand introspection engine and the network filter, and the live introspection engine runs at hypervisor level above the client system hardware (reference numerals 10, 12, 30, 32, 33, 34, 36, 40, 42, 44, 46b).]

[Sheet 4 of 8, FIG. 4, setup flowchart (steps 200-208): launch hypervisor; move executing software to guest VM; set up security VM; set up remote administrative access from security server to security VM; launch live introspection engine.]

[Sheet 5 of 8, FIG. 5: client system 12 sends a tunnel request 48 to security server 14, establishing a secure tunnel 49.]

[FIG. 6: client system 12 sends an event indicator 50 to security server 14; the server returns an analysis request 52; the client returns a forensic report 54; the server issues a security alert 56 and a mitigation indicator 58.]

[Sheet 6 of 8, FIG. 7, flowchart of the live introspection engine (steps 220-236): listen for notifications; notification received?; notification from event handler?; if so, perform light analysis of event and decide whether the event is worth reporting to the server; if so, send event indicator to security server; resume execution of guest VM; otherwise, notification from security VM?; if so, display warning message to user; assist on-demand introspection engine.]

[Sheet 7 of 8, FIG. 8, flowchart of the on-demand introspection engine (steps 250-262): listen for analysis requests; request received?; receive instruction to access selected forensic tools; access selected forensic tools; execute selected forensic tools; transmit forensic report to security server; discard security tools/resources.]

[Sheet 8 of 8, FIG. 9, flowchart of the security server (steps 280-306): listen for communication from clients; communication received?; if the communication comprises an event indicator: log trigger event, query client database, decide whether the trigger event warrants forensic analysis, and if so select resources and/or forensic tools according to the trigger event and send analysis request to client system(s); if the communication comprises a forensic report: analyze forensic report, and if it indicates a likelihood of an attack, alert administrator and/or client system and send mitigation indicator to client system.]

DUAL MEMORY INTROSPECTION FOR SECURING MULTIPLE NETWORK ENDPOINTS

RELATED APPLICATIONS

[0001] This application claims the benefit of the filing date of U.S. provisional patent application No. 62/269,952, filed on Dec. 19, 2015, entitled "Dual Memory Introspection for Securing Multiple Network Endpoints," the entire contents of which are incorporated by reference herein.

BACKGROUND

[0002] The invention relates to computer security systems and methods, and in particular to systems and methods for protecting hardware virtualization environments from computer security threats.

[0003] Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms, such as computer viruses, worms, rootkits, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.

[0004] Computer security software may be used to protect computer systems from malicious software. However, in distributed computing systems such as corporate networks and cloud computing systems, conventional security software typically does not respond well to attacks. Even when the security software is capable of detecting an attack, analysis and remediation may still require that a human operator be dispatched to the affected client system, for instance to apply a patch, recover lost data, etc. In addition, once a new threat is detected and analyzed, updated versions of the security software must be distributed promptly to all protected computer systems.

[0005] An alternative computer security system may execute on a central server computer, receiving relevant data from security clients over a communication network. The server may determine according to the received data whether the respective client is infected with malware, and may communicate a verdict to the respective client. While such configurations are better equipped to deal with emerging threats, they require substantial server-side computational power.

[0006] Computer security operations were further complicated by the advent of hardware virtualization. As more and more goods and services are traded online, and as work becomes progressively de-localized, infrastructure as a service (IAAS) has become a viable alternative to owning computer hardware. A substantial proportion of computing activities are currently conducted using virtual machines. In typical applications, such as server farms and cloud computing, hundreds of virtual machines may execute concurrently on a single hardware platform. All such virtual machines may require malware protection.

[0007] Adapting to the ever-changing nature of malicious software and to the challenges of a mobile workforce requires the development of innovative computer security systems and protocols, and especially of systems and methods enabling an efficient management of computer security operations across multiple distributed clients.

SUMMARY

[0008] According to one aspect, a client computer system comprises a hardware processor configured to execute a hypervisor, a live introspection engine, and an on-demand introspection engine. The hypervisor is configured to expose a guest virtual machine (VM) and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs. The live introspection engine is configured, in response to detecting an occurrence of an event within the guest VM, to transmit an indicator of the event to a remote server computer system over a communication network. The on-demand introspection engine is configured, in response to the live introspection engine transmitting the indicator of the event to the remote server computer system, to receive an analysis request from the remote server computer system, the analysis request indicating a security tool residing in a remote tool repository configured to distribute security tools to a plurality of clients including the client computer system, the security tool comprising software configured to analyze the occurrence of the event, the security tool selected by the remote server computer system according to an event type of the event. The on-demand introspection engine is further configured, in response to receiving the analysis request, to identify the security tool according to the analysis request, and in response, to selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises connecting to the central tool repository over the communication network. The on-demand introspection engine is further configured, in response to selectively retrieving the security tool, to execute the security tool and to transmit a result of executing the security tool to the remote server computer system.

[0009] According to another aspect, a server computer is configured to perform computer security transactions with a plurality of client systems. The server computer system comprises a hardware processor configured, in response to receiving an event indicator from a client system of the plurality of client systems, the event indicator indicative of an occurrence of an event within a guest VM executing on the client system, to select a security tool residing in a remote tool repository configured to distribute security tools to the plurality of client systems, the security tool comprising software configured to analyze the occurrence of the event, wherein selecting the security tool is performed according to an event type of the event. The hardware processor is further configured, in response to selecting the security tool, to transmit an analysis request to the client system over a communication network, the analysis request comprising an identifier of the security tool; and in response, to receive from the client system a result of executing the security tool on the client system. The client system is configured to execute a hypervisor, a live introspection engine, and an on-demand introspection engine. The hypervisor is configured to expose the guest VM and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs. The live introspection engine is configured, in response to detecting the occurrence of the event, to transmit the event indicator to the server computer system. The on-demand introspection engine is configured, in response to receiving the analysis request, to identify the security tool according to the analysis request. The on-demand introspection engine is further configured, in response to identifying the security tool, to selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises the client system connecting to the remote tool repository over the communication network. The on-demand introspection engine is further configured, in response to retrieving the security tool, to execute the security tool to produce the result.

[0010] According to another aspect, a non-transitory computer-readable medium comprises a set of instructions which, when executed on a hardware processor of a client computer system, causes the client computer system to form a hypervisor, a live introspection engine, and an on-demand introspection engine. The hypervisor is configured to expose a guest virtual machine (VM) and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs. The live introspection engine is configured, in response to detecting an occurrence of an event within the guest VM, to transmit an indicator of the event to a remote server computer system over a communication network. The on-demand introspection engine is configured, in response to the live introspection engine transmitting the indicator of the event to the remote server computer system, to receive an analysis request from the remote server computer system, the analysis request indicating a security tool residing in a remote tool repository configured to distribute security tools to a plurality of clients including the client computer system, the security tool comprising software configured to analyze the occurrence of the event, the security tool selected by the remote server computer system according to an event type of the event. The on-demand introspection engine is further configured, in response to receiving the analysis request, to identify the security tool according to the analysis request, and in response, to selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises connecting to the central tool repository over the communication network. The on-demand introspection engine is further configured, in response to selectively retrieving the security tool, to execute the security tool and to transmit a result of executing the security tool to the remote server computer system.
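The client/server exchange that paragraphs [0008] to [0010] describe, written out as an added example (this is not code from the patent and not Bitdefender's implementation): the server receives an event indicator, selects a tool identifier by event type, and sends an analysis request; the on-demand engine in the security VM retrieves the named tool from the central repository, executes it, and returns a forensic report, from which the server decides whether to issue a mitigation indicator. The event types, tool identifiers, the toy analysis functions, the in-memory repository and the SHA-256 digest that the server pins in the request (so the client refuses a tool that does not match what the server selected) are all assumptions made for this example; the patent text only specifies that the tool is selected by event type and retrieved by the client from the repository.

```python
"""Simulated event-indicator / analysis-request / forensic-report exchange.

Added example, not code from the patent or from Bitdefender. Message names
follow the reference numerals of FIG. 6; everything else is assumed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable


# ---- messages (constructed for this example) ---------------------------

@dataclass(frozen=True)
class EventIndicator:          # 50: live introspection engine -> server
    client_id: str
    event_type: str
    details: dict


@dataclass(frozen=True)
class AnalysisRequest:         # 52: server -> on-demand introspection engine
    client_id: str
    tool_id: str
    tool_digest: str           # assumption: server pins the tool's SHA-256


@dataclass(frozen=True)
class ForensicReport:          # 54: on-demand introspection engine -> server
    client_id: str
    tool_id: str
    findings: dict


# ---- central tool repository (constructed): id -> (tool bytes, analysis) --

def _scan_memory(details: dict) -> dict:
    # Toy analysis: a writable+executable mapping is flagged as suspicious.
    return {"suspicious": details.get("perm") == "rwx"}


def _scan_process(details: dict) -> dict:
    # Toy analysis: a process with no known parent is flagged as suspicious.
    return {"suspicious": details.get("parent") == "unknown"}


REPOSITORY: dict[str, tuple[bytes, Callable[[dict], dict]]] = {
    "mem-scan": (b"tool:mem-scan:v1", _scan_memory),
    "proc-scan": (b"tool:proc-scan:v1", _scan_process),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- security server (FIG. 9 logic, simplified) --------------------------

# Assumed mapping from event type to the forensic tool the server selects.
TOOL_FOR_EVENT = {"memory_write": "mem-scan", "process_create": "proc-scan"}


class SecurityServer:
    def __init__(self) -> None:
        self.log: list[EventIndicator] = []     # "log trigger event"

    def handle_event(self, ev: EventIndicator) -> AnalysisRequest | None:
        self.log.append(ev)
        tool_id = TOOL_FOR_EVENT.get(ev.event_type)
        if tool_id is None:
            return None                         # event does not warrant analysis
        tool_bytes, _ = REPOSITORY[tool_id]
        return AnalysisRequest(ev.client_id, tool_id, sha256(tool_bytes))

    def handle_report(self, rep: ForensicReport) -> str:
        # "likelihood of an attack?" -> mitigation indicator (58) or nothing
        return "mitigate" if rep.findings.get("suspicious") else "no_action"


# ---- on-demand introspection engine in the security VM (FIG. 8 logic) ----

class OnDemandEngine:
    def handle_request(self, req: AnalysisRequest, ev: EventIndicator) -> ForensicReport:
        tool_bytes, run_tool = REPOSITORY[req.tool_id]   # retrieve from repository
        if sha256(tool_bytes) != req.tool_digest:       # assumption: integrity check
            raise ValueError("retrieved tool does not match the requested tool")
        findings = run_tool(ev.details)                 # execute selected tool
        # Tool and resources are discarded after use; nothing is kept locally.
        return ForensicReport(req.client_id, req.tool_id, findings)


def run_exchange(ev: EventIndicator) -> str:
    """Drive one full round trip and return the server's verdict."""
    server, engine = SecurityServer(), OnDemandEngine()
    req = server.handle_event(ev)
    if req is None:
        return "no_analysis"
    return server.handle_report(engine.handle_request(req, ev))


if __name__ == "__main__":
    sample = EventIndicator("client-12", "memory_write", {"perm": "rwx"})
    print(run_exchange(sample))     # constructed sample event
```

The verdict strings and the light-weight checks stand in for the server-side analysis the patent leaves unspecified; the one design point worth keeping from this sketch is that the request carries enough to let the security VM confirm it executes exactly the tool the server chose.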

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] The foregoing aspects and advantages of the present invention will become better understood upon reading the following detailed description and upon reference to the drawings where:

[0012] FIG. 1 illustrates an exemplary configuration wherein multiple client systems are protected against computer security threats according to some embodiments of the present invention.

[0013] FIG. 2-A illustrates an exemplary hardware configuration of a client system according to some embodiments of the present invention.

[0014] FIG. 2-B shows an exemplary hardware configuration of a security server computer system according to some embodiments of the present invention.

[0015] FIG. 3-A shows an exemplary set of virtual machines exposed by a hypervisor executing on a protected client system, and an exemplary pair of introspection engines according to some embodiments of the present invention.

[0016] FIG. 3-B shows an alternative configuration of security components according to some embodiments of the present invention.
