Hardware-based detection and containment of an infected host computing device

US 20080163370A1
Filed: 12/28/2006
Published: 07/03/2008
Est. Priority Date: 12/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method for network traffic analysis, comprising:

receiving network traffic at a traffic analyzer of a system over an internal connection of the system, the system coupled to an external network;

comparing a traffic pattern of the network traffic to an expected pattern; and

performing a security-policy-driven action based on a result of the comparing of the traffic pattern to the expected pattern.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses enable a traffic analyzer to monitor an internal connection of a computing system for one or more traffic patterns. The traffic analyzer compares traffic on the internal connection to an expected traffic pattern, and performs a policy based action based on the result of comparing the traffic pattern to the expected pattern. The traffic analyzer can exist in a stack of a VMM or a monitoring VM or be implemented in a management engine of the computing system. In one embodiment, the computing system includes traffic analyzer components in both a VMM or monitoring VM and a management engine.

49 Citations

View as Search Results

21 Claims

1. A method for network traffic analysis, comprising:
- receiving network traffic at a traffic analyzer of a system over an internal connection of the system, the system coupled to an external network;
  
  comparing a traffic pattern of the network traffic to an expected pattern; and
  
  performing a security-policy-driven action based on a result of the comparing of the traffic pattern to the expected pattern.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein receiving network traffic at the traffic analyzer comprises:
    - receiving the network traffic at an embedded management engine of the system.
  - 3. The method of claim 1, wherein receiving network traffic at the traffic analyzer comprises:
    - receiving the network traffic at a virtual machine of the system.
  - 4. The method of claim 1, wherein receiving the network traffic over the internal connection comprises:
    - receiving the network traffic via a network interface driver.
  - 5. The method of claim 1, wherein receiving the network traffic over the internal connection comprises:
    - receiving the network traffic over a network internal to the system and private to virtual machines of the system.
  - 6. The method of claim 1, wherein comparing the traffic pattern to the expected traffic pattern comprises:
    - determining whether there is network traffic on the internal connection when no network traffic should be on the internal connection.
  - 7. The method of claim 1, wherein comparing the traffic pattern to the expected traffic pattern further comprises:
    - identifying a type of the network traffic; and
      
      determining whether the type of the network traffic is a type of traffic expected on the internal connection.
  - 8. The method of claim 1, wherein performing the security-policy-driven action comprises:
    - reporting the results of the comparing to a security policy enforcement entity.
  - 9. The method of claim 1, wherein performing the security-policy-driven action comprises:
    - limiting traffic on a network interface of the system.
  - 10. The method of claim 9, wherein limiting traffic on the network interface comprises:
    - disabling the network interface to all network traffic.

11. An article of manufacture comprising a machine-readable storage medium having content stored thereon to provide instructions to result in a device performing operations including:
- monitoring network traffic of an internal connection of a system, the internal connection between components of a hardware platform of the system;
  
  comparing a traffic pattern of the network traffic to an expected pattern; and
  
  performing a security-policy-driven action based on a result of the comparing of the traffic pattern to the expected pattern.
- View Dependent Claims (12, 13, 14)
- - 12. The article of manufacture of claim 11, wherein the content to provide instructions for monitoring network traffic on the internal connection of the system comprises content to provide instructions for:
    - monitoring a specific port of the system.
  - 13. The article of manufacture of claim 12, wherein the content to provide instructions for monitoring the specific port of the system comprises content to provide instructions for:
    - monitoring a specific protocol port.
  - 14. The article of manufacture of claim 11, wherein the content to provide instructions for comparing the traffic pattern of the network traffic to the expected pattern comprises content to provide instructions for:
    - identifying a protocol of the network traffic; and
      
      comparing the identified protocol to an expected protocol.

15. A traffic analyzer comprising:
- an internal connection interface coupled to an internal connection of a computing system, the internal connection interface to receive traffic from the internal connection;
  
  a traffic recognition module coupled to the internal connection interface to compare a the received traffic to an expected traffic pattern to generate a traffic pattern comparison result; and
  
  a policy-based decision module to select a policy-driven action in response to the generated traffic pattern comparison result.
- View Dependent Claims (16, 17, 18)
- - 16. The traffic analyzer of claim 15, wherein the internal connection interface comprises part of a management engine module that provides traffic analysis capability to a management engine of the computing system.
  - 17. The traffic analyzer of claim 15, wherein the internal connection interface comprises part of a module that provides traffic analysis capability to a VM of the computing system.
  - 18. The traffic analyzer of claim 15, further comprising:
    - a heuristic analysis module coupled to the policy-based decision module, the heuristic analysis module to coordinate an analysis of multiple policy decision engines.

19. A system comprising:
- a traffic analyzer having an internal connection interface coupled to an internal connection of a computing system, the internal connection interface to receive traffic from the internal connection, a traffic recognition module coupled to the internal connection interface to compare a the received traffic to an expected traffic pattern to generate a traffic pattern comparison result, and a policy-based decision module to select a policy-driven action in response to the generated traffic pattern comparison result; and
  
  an out-of-band (OOB) channel to an external network coupled to the traffic analyzer, the OOB channel coupled to a network administrator of the external network.
- View Dependent Claims (20, 21)
- - 20. The system of claim 19, wherein the policy based decision module selects a policy-driven action of restricting network access to an originator of the traffic from which the traffic pattern comparison result was generated.
  - 21. The system of claim 20, wherein the policy based decision module further provides parameters to a network interface device to restrict the network access of the originator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Maynard, William P.

Granted Patent

US 8,220,049 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 43/00 Arrangements for monitoring...

H04L 63/1416 Event detection, e.g. attac...

Hardware-based detection and containment of an infected host computing device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware-based detection and containment of an infected host computing device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links