Technologies for managing compromised sensors in virtualized environments
Abstract
Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. In some embodiments, a system can receive, from a first capturing agent deployed in a virtualization layer of a first device, data reports generated based on traffic captured by the first capturing agent. The system can also receive, from a second capturing agent deployed in a hardware layer of a second device, data reports generated based on traffic captured by the second capturing agent. Based on the data reports, the system can determine characteristics of the traffic captured by the first capturing agent and the second capturing agent. The system can then compare the characteristics to determine a multi-layer difference in traffic characteristics. Based on the multi-layer difference in traffic characteristics, the system can determine that the first capturing agent or the second capturing agent is in a faulty state.
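The comparison the abstract describes can be made concrete with a small consistency checker. The following is an added example written for this page; it is not code from the patent or its assignee, and the flow key layout, the tolerances, and the hardware-layer agent's placement on the switch that forwards the hosts' traffic are all assumptions. It also goes one step beyond the two-agent claim: several virtualization-layer agents (one per host) are compared against the single hardware-layer view, so that a disagreement shared by most hosts implicates the hardware agent while an isolated disagreement implicates that host's virtualization agent. The sample reporting interval at the bottom is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowStat:
    packets: int
    octets: int


# Assumed flow key shared by both layers: (src_ip, dst_ip, proto, src_port, dst_port).

def aggregate(reports):
    """Sum the per-flow counters an agent emitted across its reports for one interval."""
    totals = defaultdict(lambda: [0, 0])
    for report in reports:
        for key, stat in report.items():
            totals[key][0] += stat.packets
            totals[key][1] += stat.octets
    return {key: FlowStat(p, b) for key, (p, b) in totals.items()}


def slice_by_host(hw_view, host_ips):
    """Keep only the hardware-layer flows that a given host's agent should also have seen."""
    return {k: v for k, v in hw_view.items() if k[0] in host_ips or k[1] in host_ips}


def multilayer_difference(virt_view, hw_view, rel_tol=0.05, abs_tol=10):
    """Compare traffic characteristics seen at the two layers.
    Returns {flow: (virt_packets, hw_packets, reason)} for every flow whose packet
    counts disagree beyond both an absolute and a relative tolerance; the tolerances
    (assumed values) absorb flows straddling the interval boundary and clock skew
    between the agents' reporting intervals."""
    diffs = {}
    for key in set(virt_view) | set(hw_view):
        v = virt_view.get(key, FlowStat(0, 0)).packets
        h = hw_view.get(key, FlowStat(0, 0)).packets
        gap = abs(v - h)
        if gap > abs_tol and gap > rel_tol * max(v, h):
            reason = ("seen only by hardware agent" if v == 0 else
                      "seen only by virtualization agent" if h == 0 else
                      "packet count mismatch")
            diffs[key] = (v, h, reason)
    return diffs


def find_faulty_agents(virt_views, hw_view, host_ips, quorum=0.5):
    """virt_views: {host: aggregated virtualization-layer view};
    hw_view: aggregated view of the hardware-layer agent on the switch that forwards
    every listed host's traffic (assumption); host_ips: {host: set of that host's IPs}.
    Returns (faulty agent ids, evidence). Assumed attribution rule: if more than
    `quorum` of the hosts disagree with the hardware view, the hardware agent is the
    one in a faulty state; otherwise each disagreeing host's virtualization agent is."""
    disagreeing = {}
    for host, view in virt_views.items():
        diffs = multilayer_difference(view, slice_by_host(hw_view, host_ips[host]))
        if diffs:
            disagreeing[host] = diffs
    if not disagreeing:
        return [], {}
    if len(disagreeing) > quorum * len(virt_views):
        return ["hw"], disagreeing
    return sorted(f"virt:{h}" for h in disagreeing), disagreeing


def demo():
    """Constructed sample interval: three hosts behind one switch. hostA's agent omits
    a flow to 10.0.9.9:4444 that the switch counted; hostB and hostC agree with it."""
    host_ips = {"hostA": {"10.0.0.1"}, "hostB": {"10.0.0.2"}, "hostC": {"10.0.0.3"}}
    f_a_web = ("10.0.0.1", "10.0.1.10", "tcp", 51000, 443)
    f_a_hid = ("10.0.0.1", "10.0.9.9", "tcp", 51001, 4444)
    f_b_web = ("10.0.0.2", "10.0.1.10", "tcp", 52000, 443)
    f_c_dns = ("10.0.0.3", "10.0.1.53", "udp", 53000, 53)
    virt_views = {
        "hostA": aggregate([{f_a_web: FlowStat(1200, 900000)}]),
        "hostB": aggregate([{f_b_web: FlowStat(800, 600000)}]),
        "hostC": aggregate([{f_c_dns: FlowStat(40, 4000)}]),
    }
    hw_view = aggregate([
        {f_a_web: FlowStat(1190, 893000), f_a_hid: FlowStat(300, 45000)},
        {f_b_web: FlowStat(805, 604000), f_c_dns: FlowStat(42, 4200)},
    ])
    return find_faulty_agents(virt_views, hw_view, host_ips)


if __name__ == "__main__":
    faulty, evidence = demo()
    print("faulty agents:", faulty)
    for host, diffs in evidence.items():
        for flow, (v, h, why) in diffs.items():
            print(f"  {host} {flow}: virt={v} hw={h} ({why})")
```

In the constructed interval only hostA's agent disagrees with the hardware view, and the disagreement is traffic the switch counted but the host's agent never reported, which is the shape a hidden or tampered sensor produces. A practitioner would additionally require the disagreement to persist across several consecutive reporting intervals before acting, since a single interval's mismatch is often just misaligned interval boundaries between the two agents.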
20 Claims
1. A method comprising:
receiving, from a first capturing agent deployed in a virtualization layer of a first device, a first data report generated by the first capturing agent based on traffic at the first device captured by the first capturing agent at the virtualization layer of the first device;
receiving, from a second capturing agent deployed in a hardware layer of a second device different than the first device, a second data report generated by the second capturing agent based on traffic at the second device captured by the second capturing agent at the hardware layer of the second device;
based on the first data report and the second data report, determining a first set of characteristics of the traffic captured by the first capturing agent and a second set of characteristics of the traffic captured by the second capturing agent;
comparing the first set of characteristics of the traffic captured by the first capturing agent with the second set of characteristics captured by the second capturing agent to determine a multi-layer difference in traffic characteristics; and
based on the multi-layer difference in traffic characteristics, determining that one of the first capturing agent or the second capturing agent is in a faulty state,
wherein the first data report and the second data report are of a plurality of data reports generated during reporting intervals based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the first device and the second device.
Dependent claims: 2-14.
15. A system comprising:
one or more processors; and
one or more computer-readable storage devices having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
receiving, from a first capturing agent deployed in a virtualization layer of a first device, a first data report generated by the first capturing agent based on traffic at the first device captured by the first capturing agent at the virtualization layer of the first device;
receiving, from a second capturing agent deployed in a hardware layer of a second device different than the first device, a second data report generated by the second capturing agent based on traffic at the second device captured by the second capturing agent at the hardware layer of the second device;
based on the first data report and the second data report, determining a first set of characteristics of the traffic captured by the first capturing agent and a second set of characteristics of the traffic captured by the second capturing agent;
comparing the first set of characteristics of the traffic captured by the first capturing agent with the second set of characteristics captured by the second capturing agent to determine a multi-layer difference in traffic characteristics; and
based on the multi-layer difference in traffic characteristics, determining that one of the first capturing agent or the second capturing agent is in a faulty state,
wherein the first data report and the second data report are of a plurality of data reports generated during reporting intervals based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the first device and the second device.
Dependent claims: 16-19.
20. A computer-readable storage device storing instructions which, when executed by a processor, cause the processor to perform operations comprising:
receiving, from a first capturing agent deployed in a virtualization layer of a first device, one or more data reports generated by the first capturing agent based on traffic at the first device captured by the first capturing agent at the virtualization layer of the first device;
receiving, from a second capturing agent deployed in a hardware layer of a second device different than the first device, one or more data reports generated by the second capturing agent based on traffic at the second device captured by the second capturing agent at the hardware layer of the second device;
based on the one or more data reports from the first capturing agent and the second capturing agent, determining a first set of characteristics of the traffic captured by the first capturing agent and a second set of characteristics of the traffic captured by the second capturing agent;
comparing the first set of characteristics of the traffic captured by the first capturing agent with the second set of characteristics captured by the second capturing agent to determine a multi-layer difference in traffic characteristics; and
based on the multi-layer difference in traffic characteristics, determining that one of the first capturing agent or the second capturing agent is in a faulty state,
wherein the first data report and the second data report are of a plurality of data reports generated during reporting intervals based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the first device and the second device.
Specification