Dynamic guest image creation and rollback
Abstract
According to one embodiment, a computerized method comprises three operations. First, an incoming object is analyzed to determine if the incoming object is suspicious by having characteristics that suggest the object is an exploit. Next, a virtual machine is dynamically configured with a software image representing a current operating state of a targeted client device. The software image represents content and structure of a storage volume for the targeted client device at a time of configuring the virtual machine. Lastly, the object is processed by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit.
26 Claims
1. A computerized method comprising:
- relating, by a system including the virtual machine having access to information within a Lightweight Directory Access Protocol (LDAP) server, a plurality of master images to a corresponding plurality of groups, each master image representing a base amount of content to be loaded into a client device for use by a member of a particular group of the plurality of groups;
- automatically generating a software guest image for a targeted client device assigned to or associated with a first group of the plurality of groups in response to a change of storage volume in the targeted client device, the software guest image being based, at least in part, on an image upload message and a prior software guest image of an operating state of the targeted client device that is prior to the change of storage volume, the image upload message includes changes in the operating state of the targeted client device that have occurred after generation of the prior software guest image, the prior software guest image includes either (i) the master image of the first group or (ii) a guest image based on the master image of the first group;
- dynamically configuring a virtual machine with the software guest image representing a current operating state of the targeted client device, the software guest image representing content and structure of the storage volume for the targeted client device at a time of configuring the virtual machine; and
- processing an object by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit, the object being data associated with network traffic directed to the targeted client device.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A system comprising:
- one or more memory blades; and
- one or more processor blades communicatively coupled to the one or more memory blades, the one or more processor blades includes a first processor blade that includes logic to
  - automatically generate a software guest image for a targeted client device in response to a change of storage volume in the targeted client device, wherein the targeted client device is associated with a first group of a plurality of groups based on communications with a Lightweight Directory Access Protocol (LDAP) server and each group is assigned a master image representing a base amount of content to be loaded into client devices associated with a particular group of the plurality of groups, the software guest image being based, at least in part, on an image upload message received from the targeted client device and a prior software guest image of an operating state of the targeted client device that is prior to the change of storage volume, the image upload message includes changes in the operating state of the targeted client device that have occurred after generation of the prior software guest image, the prior software guest image includes either (i) a master image associated with the first group or (ii) a guest image based on the master image;
  - determine that an incoming object, including data associated with network traffic directed to the targeted client device, is suspicious by having characteristics that suggest the object is an exploit,
  - dynamically configure a virtual machine with the software guest image representing a current operating state of the targeted client device to which the object is directed, the software guest image representing content and structure of the storage volume for the targeted client device at a time of configuring the virtual machine, and
  - process the object by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit.

Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
Specification