Protecting computing devices from unauthorized access

US 10,140,452 B2
Filed: 03/29/2018
Issued: 11/27/2018
Est. Priority Date: 10/13/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

(a) a distributed computer network comprising multiple computing devices at multiple locations, each location comprising at least one network node;

(b) at least one protected computing device at a first location configured for communication through said network with a storage controller to access secure data from a secure data storage repository at a second location;

(c) said at least one protected computing device having an operating system and a virtual machine, said operating system and said virtual machine each associated with said at least one protected computing device and a virtual machine manager;

(d) said virtual machine manager implemented in one or more computer code segments and configured to be launched between boot-up of said at least one protected computing device and launch of said operating system;

(e) an authentication server located remotely from said at least one protected computing device and configured for authenticating said at least one protected computing device for access to said secure data;

(f) a control console configured to access and exert a measure of control over said at least one protected computing device, wherein said control console is operable within a console device at a third location;

(g) said virtual machine manager implemented in one or more computer code segments to be executed on said at least one protected computing device;

(h) said virtual machine manager configured to be launched between boot-up of said protected computing device and launch of said operating system, said virtual machine manager configured to cause said authentication server to provide indicia for use in authenticating said at least one protected computing device, said virtual machine manager configured to make a decision based on said indicia from said authentication server whether to allow said at least one protected computing device to either launch or not launch said operating system based upon whether said at least one protected computing device is either authenticated or not, respectively, by said authentication server, said virtual machine manager further comprising a hypervisor configured to control the protected computing device to either launch or not launch the operating system based upon the decision.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for performing an authenticated boot; performing a continuous data protection; performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function, role and rule-based policies, validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies. Booting and operating (either fully or in a restricted manner) are permitted only under a control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors and other virtual machine monitors or managers.

85 Citations

View as Search Results

28 Claims

1. A system comprising:
- (a) a distributed computer network comprising multiple computing devices at multiple locations, each location comprising at least one network node;
  
  (b) at least one protected computing device at a first location configured for communication through said network with a storage controller to access secure data from a secure data storage repository at a second location;
  
  (c) said at least one protected computing device having an operating system and a virtual machine, said operating system and said virtual machine each associated with said at least one protected computing device and a virtual machine manager;
  
  (d) said virtual machine manager implemented in one or more computer code segments and configured to be launched between boot-up of said at least one protected computing device and launch of said operating system;
  
  (e) an authentication server located remotely from said at least one protected computing device and configured for authenticating said at least one protected computing device for access to said secure data;
  
  (f) a control console configured to access and exert a measure of control over said at least one protected computing device, wherein said control console is operable within a console device at a third location;
  
  (g) said virtual machine manager implemented in one or more computer code segments to be executed on said at least one protected computing device;
  
  (h) said virtual machine manager configured to be launched between boot-up of said protected computing device and launch of said operating system, said virtual machine manager configured to cause said authentication server to provide indicia for use in authenticating said at least one protected computing device, said virtual machine manager configured to make a decision based on said indicia from said authentication server whether to allow said at least one protected computing device to either launch or not launch said operating system based upon whether said at least one protected computing device is either authenticated or not, respectively, by said authentication server, said virtual machine manager further comprising a hypervisor configured to control the protected computing device to either launch or not launch the operating system based upon the decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein said at least one protected computing device is a portable, handheld electronic device.
  - 3. The system of claim 1, wherein said at least one protected computing device is a computer.
  - 4. The system of claim 1, wherein said at least one protected computing device is a server.
  - 5. The system of claim 4, wherein said at least one virtual machine manager does not reside in any part on said authentication server.
  - 6. The system of claim 4, wherein said authentication server is located at a fourth location.
  - 7. The system of claim 5, wherein said control console enables direct or indirect control over said at least one protected computing device and at least one policy related to one or more of input/output, memory, or storage associated with said at least one protected computing device flows from said control console.
  - 8. The system of claim 7, wherein said virtual machine manager is distributed across said distributed network and includes a computer code segment for communicating with said authentication server.
  - 9. The system of claim 7, wherein said storage controller is located remotely from said secure data storage repository.
  - 10. The system of claim 7, wherein said virtual machine is launched before the launch of said operating system and after the launch of said virtual machine manager.
  - 11. The system of claim 10, wherein said indicia comprises a token.
  - 12. The system of claim 11, wherein said operating system is a host operating system.

13. A distributed computer system with multiple network nodes for exercising control over whether to launch an operating system on at least one protected computing device in order to improve efficient operation of said at least one protected computing device free from unwarranted intrusion, said distributed computer system comprising:
- (a) at least one protected computing device further comprising a processor at a first node configured for communication through a network with a storage controller to access secure data at a second node;
  
  (b) at least one operating system configured to operate on said at least one protected computing device,(c) a virtual machine configured to operate on said at least one protected computing device, said virtual machine configured to be launched during boot of said at least one protected computing device but prior to launch of said at least one operating system;
  
  (d) a control console configured to exert a measure of control through said network over said at least one protected computing device, and wherein said control console is operable within a console device located remotely from said at least one protected computing device;
  
  (e) an authentication server, configured for authenticating said at least one protected computing device for access to said secure data;
  
  (f) a virtual machine manager associated with said virtual machine, said virtual machine manager configured to execute based on one or more policies, said virtual machine manager further comprising a hypervisor configured to operate on said at least one protected computing device, said virtual machine manager further configured to be launched after powering on said at least one protected computing device and before booting said operating system to operate on said at least one protected computing device, said virtual machine manager further configured to interact with said authentication server, wherein an authentication routine is used to authenticate said at least one protected computing device, and wherein said authentication server provides indicia relating to said authentication routine to said virtual machine manager, said virtual machine manager configured to receive indicia from said authentication server relating to the result of said an authentication routines, and said hypervisor of said virtual machine manager is configured to either launch or not launch said operating system based upon said indicia.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 14. The system of claim 13, wherein said one or more policies include one or more policies related to input/output, memory, or storage associated with said at least one protected computing device.
  - 15. The system of claim 13, wherein said at least one protected computing device is a portable, handheld electronic device.
  - 16. The system of claim 14, wherein said at least one protected computing device is a computer.
  - 17. The system of claim 14, wherein said at least one protected computing device is a server.
  - 18. The system of claim 17, wherein said virtual machine manager does not reside in any part on said authentication server.
  - 19. The system of claim 17, wherein said authentication server is located at a third network node.
  - 20. The system of claim 17, wherein said control console enables direct or indirect control over said at least one protected computing device and at least one policy related to one or more of input/output, memory, or storage associated with said at least one protected computing device flows from said control console.
  - 21. The system of claim 20, wherein said virtual machine manager is distributed over multiple network nodes and includes a computer code segment for communicating with said authentication server.
  - 22. The system of claim 21, wherein said storage controller is located remotely from said secure data storage repository.
  - 23. The system of claim 22, wherein said virtual machine is launched before the launch of said operating system, and after the launch of said virtual machine manager.
  - 24. The system of claim 23, wherein said indicia comprises a token, said token representing an attribute of said at least one protected computing device.
  - 25. The system of claim 24, wherein said operating system is a host operating system.
  - 26. The system of claim 24, wherein said hypervisor is a paravirtualized virtual machine.

27. A system for protecting data stored in a secure data storage server, said system comprising:
- (a) a main computer having memory, said main computer configured to operate in a networked environment using logical connections to a plurality of remote network nodes comprising a secure data storage node and an authentication server;
  
  (b) a virtual machine manager configured to begin operation on said main computer, said virtual machine manager configured to communicate with at least one of said plurality of remote network nodes after power-on of said main computer as part of a boot process, said plurality of remote network nodes comprising an authentication server, a secure data storage node, and a control console, said authentication server configured to perform an authentication procedure that generates a response indicia for controlling whether said virtual machine manager is permitted to launch an operating system on said main computer as part of a boot process, said secure data storage node configured to provide access to stored data to said virtual machine manager on said main computer based on communication with said authentication server prior to launching said operating system, said virtual machine manager further comprising a hypervisor;
  
  (c) said control console implemented in at least one of said plurality of remote network nodes, wherein said control console is configured to identify an administrator and push a policy for said main computer as part of said authentication procedure, said control console enabling direct or indirect control over said main computer, wherein at least one policy related to limiting said memory or a storage associated with said main computer flows from said control console, wherein said operating system is executed on a virtual machine that is managed by said virtual machine manager based in whole or in part on said response indicia.
- View Dependent Claims (28)
- - 28. The system of claim 27, wherein said virtual machine manager is distributed over multiple network nodes and includes a computer code segment for communicating with said authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Protection IP, LLC
Original Assignee
Computer Protection IP, LLC
Inventors
Silverstone, Ariel
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin E

Application Number

US15/939,802
Publication Number

US 20180268147A1
Time in Patent Office

243 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/575   Secure boot

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

Protecting computing devices from unauthorized access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting computing devices from unauthorized access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links