Detection of unauthorized use of virtual resources
First Claim
1. A method, executed by a processor, comprising:
- in response to deployment of a virtual machine, generating a physical profile for the virtual machine, wherein the physical profile includes a stored value for at least one physical characteristic of a network device associated with the virtual machine;
- storing the physical profile for the virtual machine at a remote server;
- accessing a current value of the at least one physical characteristic;
- comparing the current value of the at least one physical characteristic to the stored value of the at least one physical characteristic;
- identifying a migration of the virtual machine based on a difference between the current value of the at least one physical characteristic and the stored value of the at least one physical characteristic;
- when the migration of the virtual machine is identified, transitioning the virtual machine to a restricted state;
- when in the restricted state:
  - accessing at least one network connection configuration characteristic of the virtual machine based on the migration of the virtual machine; and
  - comparing, using the processor, the at least one network connection configuration characteristic of the virtual machine to an expected value for the at least one network connection configuration characteristic, wherein the expected value for the at least one network connection configuration characteristic is based on a prior configuration stored at the remote server, wherein the network connection configuration characteristic includes a numerical value that describes a quantity of physical network interfaces of the network device, wherein a first of the physical network interfaces is assigned a first media access control (MAC) address and a second of the physical network interfaces is assigned a second MAC address, wherein the first physical network interface and the second physical network interface are interfaces of a same type;
- generating, using the processor, a warning message for an endpoint indicative of an error when the at least one network connection configuration characteristic of the virtual machine differs from the expected value for the at least one network connection configuration characteristic; and
- disabling the virtual machine by removing physical resources assigned to the virtual machine when the at least one configuration characteristic of the virtual machine differs from the expected value for the at least one network connection configuration characteristic.
Abstract
In one implementation, an original physical profile file and a configuration baseline are stored for a virtual machine. The physical profile file includes physical characteristics of the physical device running the virtual machine. The configuration baseline includes configuration settings or attributes of the instance of the virtual machine. A network device detects a current value for at least one physical characteristic and compares the current value to the original physical profile file. When the current values deviate from the original physical profile file by more than a permissible threshold amount of deviation, the network device determines that the virtual machine has been moved to another physical device. In response, the network device monitors the current configuration settings or attributes against the configuration baseline in order to detect unauthorized usage of the virtual machine.
20 Claims
1. (Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.)
9. An apparatus comprising:
- a storage device to store a physical fingerprint of a network device associated with a virtual machine and a configuration profile associated with operation of the virtual machine, wherein the physical fingerprint includes stored values for a plurality of physical characteristics of the network device; and
- a processor to generate the physical fingerprint of the network device in response to deployment of the virtual machine;
- the processor is further configured to identify a first weight for a first characteristic of the plurality of physical characteristics and a second weight for a second characteristic of the plurality of physical characteristics, wherein the first weight and the second weight are unequal;
- the processor is further configured to monitor the plurality of physical characteristics as received from the virtual machine with respect to the configuration profile;
- the processor is further configured to identify a migration of the virtual machine when a combination of the first and second weights for each of the plurality of physical characteristics deviates from an expected value of the plurality of physical characteristics, wherein the expected value is based on a prior configuration of physical characteristics of the virtual machine;
- when the processor identifies the migration of the virtual machine, the processor is further configured to transition the virtual machine to a restricted state;
- when in the restricted state, the processor is further configured to monitor at least one network configuration characteristic of the virtual machine as one of the plurality of physical characteristics at a predetermined periodic time interval to identify unauthorized usage of the virtual machine when the at least one network configuration characteristic deviates from the configuration profile; and
- when unauthorized usage of the virtual machine is identified, the processor is further configured to disable the virtual machine by removing physical resources assigned to the virtual machine.
Dependent claims: 10, 11, 12, 13, 14.
15. A non-transitory computer readable medium containing instructions that when executed are configured to:
- in response to deployment of a virtual machine, generate a reference physical profile file for the virtual machine, wherein the reference physical profile file includes values of physical characteristics of a physical device running the virtual machine;
- store the reference physical profile file for the virtual machine at a remote server;
- access the reference physical profile file for a virtual machine;
- detect a current value for a plurality of physical characteristics;
- assign a first weight to a first characteristic of the plurality of physical characteristics;
- assign a second weight to a second characteristic of the plurality of physical characteristics;
- perform a weighting algorithm to unequally weigh the first weight of the first characteristic and the second weight of the second characteristic;
- compare the current values for each of the plurality of physical characteristics to the reference physical profile file;
- generate a compliance value based on the first and second weights for the number of current values for the plurality of physical characteristics that are different than a corresponding expected physical characteristic of the reference physical profile file and based on the weighting algorithm, wherein the corresponding expected physical characteristic of the reference physical profile file is based on a prior configuration of the virtual machine stored at the remote server;
- identify a migration of the virtual machine based on the compliance value;
- when there is a migration of the virtual machine, transition the virtual machine to a restricted state;
- when in the restricted state, compare the compliance value of the virtual machine to a threshold value to identify unauthorized usage of the virtual machine; and
- when unauthorized usage of the virtual machine is identified, disable the virtual machine by removing physical resources assigned to the virtual machine.
Dependent claims: 16, 17, 18, 19, 20.
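The following Python sketch is an added example, not code from the patent or from any product implementing it. It shows the mechanism the abstract and claims 9 and 15 describe: a reference physical profile captured at deployment, unequally weighted comparison of the current physical characteristics against it to produce a compliance value, a migration threshold on that value, and, once the machine is in the restricted state, a check of the network connection configuration (quantity of physical NICs and their MAC addresses) that raises a warning and disables the machine on deviation. Every characteristic name, weight, threshold and sample value is a constructed assumption chosen for illustration; the periodic re-check interval of claim 9 is left to the caller.

```python
"""Added example: weighted physical-profile comparison for VM migration
detection, followed by the restricted-state network configuration check.
All names, weights, thresholds and sample values are constructed assumptions."""
from dataclasses import dataclass
from typing import Tuple

# Reference physical profile captured at VM deployment (constructed sample).
REFERENCE_PROFILE = {
    "cpu_model": "CPU-MODEL-A",
    "cpu_sockets": 2,
    "memory_mb": 65536,
    "nic_count": 2,
    "nic_macs": ("02:00:00:00:00:01", "02:00:00:00:00:02"),
}

# Configuration baseline for the network connection characteristics:
# the quantity of physical NICs and the MAC address assigned to each.
NETWORK_BASELINE = {
    "nic_count": REFERENCE_PROFILE["nic_count"],
    "nic_macs": REFERENCE_PROFILE["nic_macs"],
}

# Unequal integer weights (assumed). A different CPU model is strong evidence
# of a new host; memory can change in place (hot-add) without a migration.
WEIGHTS = {"cpu_model": 4, "cpu_sockets": 2, "memory_mb": 1,
           "nic_count": 2, "nic_macs": 1}

# A migration is declared once the weighted deviation exceeds this amount.
MIGRATION_THRESHOLD = 3


@dataclass(frozen=True)
class Decision:
    compliance: int            # weighted sum of characteristics that deviate
    migrated: bool
    state: str                 # "normal", "restricted" or "disabled"
    warnings: Tuple[str, ...]  # messages that would be sent to the endpoint


def compliance_value(reference, current, weights):
    """Sum the weights of every characteristic whose current value differs
    from the reference. A characteristic missing from `current` counts as
    deviating, so a truncated report cannot look compliant."""
    return sum(w for name, w in weights.items()
               if current.get(name) != reference.get(name))


def network_config_deviations(baseline, current):
    """Describe how the current network connection configuration differs
    from the stored baseline; an empty list means it matches."""
    deviations = []
    if current.get("nic_count") != baseline["nic_count"]:
        deviations.append(
            f"nic_count {current.get('nic_count')} != expected {baseline['nic_count']}")
    if set(current.get("nic_macs", ())) != set(baseline["nic_macs"]):
        deviations.append(
            f"MAC set {sorted(current.get('nic_macs', ()))} != expected "
            f"{sorted(baseline['nic_macs'])}")
    return deviations


def evaluate(current, reference=REFERENCE_PROFILE, baseline=NETWORK_BASELINE,
             weights=WEIGHTS, threshold=MIGRATION_THRESHOLD):
    """One monitoring pass: score the physical profile, transition to the
    restricted state on migration, and in that state check the network
    configuration, disabling the VM (with warnings) if it deviates."""
    score = compliance_value(reference, current, weights)
    if score <= threshold:
        return Decision(score, False, "normal", ())
    warnings = tuple(network_config_deviations(baseline, current))
    if warnings:
        return Decision(score, True, "disabled", warnings)
    return Decision(score, True, "restricted", ())


# Constructed sample observations for three situations.
SAME_HOST = dict(REFERENCE_PROFILE, memory_mb=131072)            # memory hot-add
AUTHORIZED_MIGRATION = dict(REFERENCE_PROFILE, cpu_model="CPU-MODEL-B",
                            memory_mb=131072)                     # NICs unchanged
UNAUTHORIZED_COPY = dict(REFERENCE_PROFILE, cpu_model="CPU-MODEL-B",
                         nic_count=1, nic_macs=("02:00:00:00:00:09",))

if __name__ == "__main__":
    for label, obs in [("same host", SAME_HOST),
                       ("authorized migration", AUTHORIZED_MIGRATION),
                       ("unauthorized copy", UNAUTHORIZED_COPY)]:
        print(label, evaluate(obs))
```

The weights are what make the scheme tolerate benign in-place changes: a memory resize alone scores 1 and stays below the threshold, whereas a new CPU model scores 4 on its own and moves the machine into the restricted state, where the NIC count and MAC set are then held against the baseline.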