System for distributing virtual entity behavior profiling in cloud deployments

US 10,291,648 B2
Filed: 12/22/2015
Issued: 05/14/2019
Est. Priority Date: 12/22/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory that stores instructions;

a processor that executes the instructions to perform operations, the operations comprising;

accessing, at a hypervisor server, a log including data associated with activities performed by a virtual machine executing on the hypervisor server, wherein the activities are performed by the virtual machine during a first time period, wherein the log including the data associated with the activities performed by the virtual machine is accessed at the hypervisor server without the system transferring the log to a central processing system, thereby reducing bandwidth consumption of the system, wherein the hypervisor server is located in a same server that the log including the data is generated so as to enable faster processing of the data in the log when compared to processing the data in the log at the central processing system;

compressing and encoding the data associated with activities performed by the virtual machine into a format only usable by a behavior profiling algorithm;

executing, by utilizing the hypervisor server, the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein executing the behavior profiling algorithm on the data comprises comparing a historical behavior profile for the virtual machine for a second time period to the data associated with the activities performed by the virtual machine during the first time period;

determining, by utilizing the hypervisor server, if a change in behavior for the virtual machine has occurred based on executing the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein the change in behavior of the virtual machine is determined to have occurred based on detecting a change in a type of connection made by the virtual machine during the first time period when compared with the historical behavior profile for the second time period and based on detecting a change in an efficiency of processing conducted by the virtual machine during the first time period when compared to the historical behavior profile for the second time period; and

generating, if the change in behavior is determined to have occurred and if the change in behavior exceeds a threshold, a report including the data associated with the activities performed by the virtual machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for distributing virtual entity behavior profiling in cloud deployments is disclosed. In particular, the system may include conducting entity behavior profiling closer to where data and data logs are generated, such as at a hypervisor server, in a distributed fashion. By doing so, the system may reduce bandwidth consumption typically associated with transferring data to a central processing system, may be able to use more data collected closer to sources of data generation, and may provide faster reaction times because of the faster processing of data enabled by the system. Additionally, the system may assist with reducing false positives associated with malware detection and other compromises associated with entities by aggregating the results of distributed computations at different sites.

27 Citations

20 Claims

1. A system, comprising:
- a memory that stores instructions;
  
  a processor that executes the instructions to perform operations, the operations comprising;
  
  accessing, at a hypervisor server, a log including data associated with activities performed by a virtual machine executing on the hypervisor server, wherein the activities are performed by the virtual machine during a first time period, wherein the log including the data associated with the activities performed by the virtual machine is accessed at the hypervisor server without the system transferring the log to a central processing system, thereby reducing bandwidth consumption of the system, wherein the hypervisor server is located in a same server that the log including the data is generated so as to enable faster processing of the data in the log when compared to processing the data in the log at the central processing system;
  
  compressing and encoding the data associated with activities performed by the virtual machine into a format only usable by a behavior profiling algorithm;
  
  executing, by utilizing the hypervisor server, the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein executing the behavior profiling algorithm on the data comprises comparing a historical behavior profile for the virtual machine for a second time period to the data associated with the activities performed by the virtual machine during the first time period;
  
  determining, by utilizing the hypervisor server, if a change in behavior for the virtual machine has occurred based on executing the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein the change in behavior of the virtual machine is determined to have occurred based on detecting a change in a type of connection made by the virtual machine during the first time period when compared with the historical behavior profile for the second time period and based on detecting a change in an efficiency of processing conducted by the virtual machine during the first time period when compared to the historical behavior profile for the second time period; and
  
  generating, if the change in behavior is determined to have occurred and if the change in behavior exceeds a threshold, a report including the data associated with the activities performed by the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the operations further comprise determining, based on an analysis of the report, if the virtual machine was compromised.
  - 3. The system of claim 2, wherein the operations further comprise determining, if the virtual machine was compromised, an internet protocol address of a victim of a denial of service attack.
  - 4. The system of claim 1, wherein the operations further comprise generating the report including the data associated with the activities performed by the virtual machine, wherein the report further comprises a list of destination ports accessed by the virtual machine, a number of connections made by the virtual machine during the second time period, a list of internet protocol addresses that the virtual machine established a connection with, a list of ports accessed by the virtual machine during the second time period, an identification of a type of action performed by the virtual machine during the second time period, or a combination thereof.
  - 5. The system of claim 1, wherein the operations further comprise determining that the change in behavior for the virtual machine has occurred based upon determining that an unknown destination was accessed by the virtual machine during the second time period.
  - 6. The system of claim 1, wherein the operations further comprise executing the behavior profiling algorithm on the data associated with the activities performed by the virtual machine at the hypervisor server.
  - 7. The system of claim 1, wherein the operations further comprise accessing, at the hypervisor server, the log including data associated with activities performed by the virtual machine executing on the hypervisor server without transporting the log to the central processing system.
  - 8. The system of claim 1, wherein the operations further comprise determining that an entity identified in the report is not malicious if the entity is present in a whitelist.
  - 9. The system of claim 1, wherein the operations further comprise collecting behavior features for the virtual machine in a moving time window.
  - 10. The system of claim 1, wherein the operations further comprise utilizing a bloom filter to detect whether the virtual machine has been compromised.
  - 11. The system of claim 1, wherein the operations further comprise executing the behavior profiling algorithm at a virtual switch entity executing on the hypervisor server.
  - 12. The system of claim 1, wherein the operations further comprise not generating the report if the change in behavior is not determined to not have occurred.
  - 13. The system of claim 1, wherein the operations further comprise accessing a different log associated with different activities performed by the virtual machine during a third time period.

14. A method, comprising:
- accessing, at a hypervisor server, a log including data associated with activities performed by a virtual machine executing on the hypervisor server, wherein the activities are performed by the virtual machine during a first time period, wherein the log including the data associated with the activities performed by the virtual machine is accessed at the hypervisor server without the system transferring the log to a central processing system, thereby reducing bandwidth consumption of the system, wherein the hypervisor server is located in a same server that the log including the data is generated so as to enable faster processing of the data in the log when compared to processing the data in the log at the central processing system;
  
  compressing and encoding the data associated with activities performed by the virtual machine into a format only usable by a behavior profiling algorithm;
  
  executing, by utilizing the hypervisor server, the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein executing the behavior profiling algorithm on the data comprises comparing a historical behavior profile for the virtual machine for a second time period to the data associated with the activities performed by the virtual machine during the first time period;
  
  determining, by utilizing instructions from a memory that are executed by a processor and by utilizing the hypervisor server, if a change in behavior for the virtual machine has occurred based on executing the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein the change in behavior of the virtual machine is determined to have occurred based on detecting a change in a type of connection made by the virtual machine during the first time period when compared with the historical behavior profile for the second time period and based on detecting a change in an efficiency of processing conducted by the virtual machine during the first time period when compared to the historical behavior profile for the second time period; and
  
  generating, if the change in behavior is determined to have occurred and if the change in behavior exceeds a threshold, a report including the data associated with the activities performed by the virtual machine.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, further comprising determining, based on an analysis of the report, if the virtual machine was compromised.
  - 16. The method of claim 15, further comprising determining, if the virtual machine was compromised, an internet protocol address of a victim of a denial of service attack.
  - 17. The method of claim 16, further comprising generating an alert identifying the victim of the denial of service attack.
  - 18. The method of claim 14, further comprising determining that an entity identified in the report is not malicious if the entity is present in a whitelist.
  - 19. The method of claim 14, further comprising determining that the change in behavior for the virtual machine has occurred based upon determining that an unknown destination was accessed by the virtual machine during the second time period.

20. A computer-readable device comprising instructions, which when executed by a processor, cause the processor to perform operations comprising:
- accessing, at a hypervisor server, a log including data associated with activities performed by a virtual machine executing on the hypervisor server, wherein the activities are performed by the virtual machine during a first time period, wherein the log including the data associated with the activities performed by the virtual machine is accessed at the hypervisor server without the system transferring the log to a central processing system, thereby reducing bandwidth consumption of the system, wherein the hypervisor server is located in a same server that the log including the data is generated so as to enable faster processing of the data in the log when compared to processing the data in the log at the central processing system;
  
  compressing and encoding the data associated with activities performed by the virtual machine into a format only usable by a behavior profiling algorithm;
  
  executing, by utilizing the hypervisor server, the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein executing the behavior profiling algorithm on the data comprises comparing a historical behavior profile for the virtual machine for a second time period to the data associated with the activities performed by the virtual machine during the first time period;
  
  determining, by utilizing the hypervisor server, if a change in behavior for the virtual machine has occurred based on executing the behavior profiling algorithm on the data associated with the activities performed by the virtual machine, wherein the change in behavior of the virtual machine is determined to have occurred based on detecting a change in a type of connection made by the virtual machine during the first time period when compared with the historical behavior profile for the second time period and based on detecting a change in an efficiency of processing conducted by the virtual machine during the first time period when compared to the historical behavior profile for the second time period; and
  
  generating, if the change in behavior is determined to have occurred and if the change in behavior exceeds a threshold, a report including the data associated with the activities performed by the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Giura, Paul, de los Reyes, Gustavo
Primary Examiner(s)
Shaifer Harriman, Dant B

Application Number

US14/978,971
Publication Number

US 20170180416A1
Time in Patent Office

1,239 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

System for distributing virtual entity behavior profiling in cloud deployments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for distributing virtual entity behavior profiling in cloud deployments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links