Detection of unauthorized use of virtual resources

US 10,180,851 B2
Filed: 01/14/2013
Issued: 01/15/2019
Est. Priority Date: 01/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method, executed by a processor, comprising:

in response to deployment of a virtual machine, generating a physical profile for the virtual machine, wherein the physical profile includes a stored value for at least one physical characteristic of a network device associated with the virtual machine;

storing the physical profile for the virtual machine at a remote server;

accessing a current value of the at least one physical characteristic;

comparing the current value of the at least one physical characteristic to the stored value of the at least one physical characteristic;

identifying a migration of the virtual machine based on a difference between the current value of the at least one physical characteristic and the stored value of the at least one physical characteristic;

when the migration of the virtual machine is identified, transitioning the virtual machine to a restricted state;

when in the restricted state;

accessing at least one network connection configuration characteristic of the virtual machine based on the migration of the virtual machine; and

comparing, using the processor, the at least one network connection configuration characteristic of the virtual machine to an expected value for the at least one network connection configuration characteristic, wherein the expected value for the at least one network connection configuration characteristic is based on a prior configuration stored at the remote server,wherein the network connection configuration characteristic includes a numerical value that describes a quantity of physical network interfaces of the network device, wherein a first of the physical network interfaces is assigned a first media access control (MAC) address and a second of the physical network interfaces is assigned a second MAC address, wherein the first physical network interface and the second physical network interface are interfaces of a same type;

generating, using the processor, a warning message for an endpoint indicative of an error when the at least one network connection configuration characteristic of the virtual machine differs from the expected value for the at least one network connection configuration characteristic; and

disabling the virtual machine by removing physical resources assigned to the virtual machine when the at least one configuration characteristic of the virtual machine differs from the expected value for the at least one network connection configuration characteristic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, an original physical profile file and a configuration baseline are stored for a virtual machine. The physical profile file includes physical characteristics of a physical device running the virtual machine. The configuration baseline includes configuration settings or attributes of the instance of the virtual machine. A network device detects current value for at least one physical characteristic and compares the current value to the original physical profile file. When the current values deviate enough from the original physical profile file to exceed a threshold amount of deviation that is permissible, the network device determines that the virtual machine has been moved to another physical device. In response, the network device monitors current configuration settings or attributes with respect to the configuration baseline in order to detect an unauthorized usage of the virtual machine.

12 Citations

View as Search Results

20 Claims

1. A method, executed by a processor, comprising:
- in response to deployment of a virtual machine, generating a physical profile for the virtual machine, wherein the physical profile includes a stored value for at least one physical characteristic of a network device associated with the virtual machine;
  
  storing the physical profile for the virtual machine at a remote server;
  
  accessing a current value of the at least one physical characteristic;
  
  comparing the current value of the at least one physical characteristic to the stored value of the at least one physical characteristic;
  
  identifying a migration of the virtual machine based on a difference between the current value of the at least one physical characteristic and the stored value of the at least one physical characteristic;
  
  when the migration of the virtual machine is identified, transitioning the virtual machine to a restricted state;
  
  when in the restricted state;
  
  accessing at least one network connection configuration characteristic of the virtual machine based on the migration of the virtual machine; and
  
  comparing, using the processor, the at least one network connection configuration characteristic of the virtual machine to an expected value for the at least one network connection configuration characteristic, wherein the expected value for the at least one network connection configuration characteristic is based on a prior configuration stored at the remote server,wherein the network connection configuration characteristic includes a numerical value that describes a quantity of physical network interfaces of the network device, wherein a first of the physical network interfaces is assigned a first media access control (MAC) address and a second of the physical network interfaces is assigned a second MAC address, wherein the first physical network interface and the second physical network interface are interfaces of a same type;
  
  generating, using the processor, a warning message for an endpoint indicative of an error when the at least one network connection configuration characteristic of the virtual machine differs from the expected value for the at least one network connection configuration characteristic; and
  
  disabling the virtual machine by removing physical resources assigned to the virtual machine when the at least one configuration characteristic of the virtual machine differs from the expected value for the at least one network connection configuration characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the at least one physical characteristic includes interface information, address information, identity information, processor performance information, or virtual machine identification information.
  - 3. The method of claim 1, wherein the current value is a first value, the method further comprising:
    - accessing a second value of the at least one physical characteristic;
      
      comparing the current value of the at least one physical characteristic to the stored value of the at least one physical characteristic; and
      
      identifying a return of the virtual machine when the current value of the at least one physical characteristic matches the stored value of the at least one physical characteristic.
  - 4. The method of claim 1, further comprising:
    - updating the expected value for the at least one network connection configuration characteristic before the migration of the virtual machine is identified.
  - 5. The method of claim 1, wherein the at least one physical characteristic includes a processor model number.
  - 6. The method of claim 1, wherein the at least one network connection configuration characteristic of the virtual machine includes interface parameters, address parameters, processor parameters, memory parameters, geographic parameters, virtual machine parameters, and user parameters.
  - 7. The method of claim 1, wherein the at least one network connection configuration characteristic is one of a plurality of physical characteristics, the method further comprising:
    - performing a comparison of each of the plurality of physical characteristics to a reference physical profile file; and
      
      determining a compliance value from the comparisons of each of the plurality of physical characteristics to a reference physical profile file,wherein the warning message is based on the compliance value being less than a threshold.
  - 8. The method of claim 1, wherein the numerical value in the network connection configuration characteristic includes reflects two or more physical interfaces.

9. An apparatus comprising:
- a storage device to store a physical fingerprint of a network device associated with a virtual machine and a configuration profile associated with operation of the virtual machine, wherein the physical fingerprint includes stored values for a plurality of physical characteristics of the network device; and
  
  a processor to generate the physical fingerprint of the network device in response to deployment of the virtual machine;
  
  the processor is further configured to identify a first weight for a first characteristic of the plurality of physical characteristics and a second weight for a second characteristic of the plurality of physical characteristics, wherein the first weight and the second weight are unequal;
  
  the processor further configured to monitor the plurality of physical characteristic as received from the virtual machine with respect to the configuration profile,the processor is further configured to identify a migration of the virtual machine when a combination of the first and second weights for each of the plurality of physical characteristicdeviates from an expected value of the plurality of physical characteristics, wherein the expected value is based on a prior configuration of physical characteristics of the virtual machine;
  
  when the processor identifies the migration of the virtual machine, the processor is further configured to transition the virtual machine to a restricted state;
  
  when in the restricted state, the processor is further configured to monitor at least one network configuration characteristic of the virtual machine as one of the plurality of physical characteristics at a predetermined periodic time interval to identify unauthorized usage of the virtual machine when the at least one network configuration characteristic deviates from the configuration profile; and
  
  when unauthorized usage of the virtual machine is identified, the processor is further configured to disable the virtual machine by removing physical resources assigned to the virtual machine.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9, wherein the at least one physical characteristic includes interface information, address information, identity information, processor performance information, or virtual machine identification information.
  - 11. The apparatus of claim 9, wherein the processor is configured to generate a warning message based on unauthorized usage of the virtual machine.
  - 12. The apparatus of claim 9, wherein the first characteristic describes a number of Ethernet interfaces.
  - 13. The apparatus of claim 12, wherein the second characteristic describes a time zone of the network device.
  - 14. The apparatus of claim 13, wherein the first weight for the number of Ethernet interfaces is different than the second weight for the time zone.

15. A non-transitory computer readable medium containing instructions that when executed are configured to:
- in response to deployment of a virtual machine, generate a reference physical profile file for the virtual machine, wherein the reference physical profile file includes values of physical characteristics of a physical device running the virtual machine;
  
  store the reference physical profile file for the virtual machine at a remote server;
  
  access the reference physical profile file for a virtual machine detect a current value for a plurality of physical characteristics;
  
  assign a first weight to a first characteristic of the plurality of physical characteristics;
  
  assign a second weight to a second characteristic of the plurality of physical characteristics;
  
  perform a weighting algorithm to unequally weigh the first weight of the first characteristic and the second weight of the second characteristic;
  
  compare the current values for each of the plurality of physical characteristics to the reference physical profile file;
  
  generate a compliance value based on the first and second weights for the number of current values for the plurality of physical characteristics that are different than a corresponding expected physical characteristic of the reference physical profile file and based on the weighting algorithm, wherein the corresponding expected physical characteristic of the reference physical profile file is based on a prior configuration of the virtual machine stored at the remote server;
  
  identify a migration of the virtual machine based on the compliance value;
  
  when there is a migration of the virtual machine, transition the virtual machine to a restricted state;
  
  when in the restricted state, compare the compliance value of the virtual machine to a threshold value to identify unauthorized usage of the virtual machine; and
  
  when unauthorized usage of the virtual machine is identified, disable the virtual machine by removing physical resources assigned to the virtual machine.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable medium of claim 15, wherein the instructions are configured to:
    - in response to the comparison of the compliance value and the threshold value, generating an invalidation command.
  - 17. The non-transitory computer readable medium of claim 16, wherein the invalidation command is configured to disable the virtual machine.
  - 18. The non-transitory computer readable medium of claim 15, wherein the first characteristic describes a number of Ethernet interfaces and the second characteristic describes a time zone.
  - 19. The non-transitory computer readable medium of claim 18, wherein the first weight for the number of Ethernet interfaces is different than the second weight for the time zone.
  - 20. The non-transitory computer readable medium of claim 15, wherein the first physical characteristic includes interface information, address information, identity information, processor performance information, or virtual machine identification information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Haag, Jeffrey David, Booth, III, Earl Hardin, Holland, Jr., James Ronald
Primary Examiner(s)
Aquino, Wynuel S

Application Number

US13/740,441
Publication Number

US 20140201732A1
Time in Patent Office

2,192 Days
Field of Search

718 1
US Class Current
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 21/10   Protecting distributed prog...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

Detection of unauthorized use of virtual resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of unauthorized use of virtual resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links