ZERO-DAY SECURITY SYSTEM

US 20080181227A1
Filed: 01/31/2007
Published: 07/31/2008
Est. Priority Date: 01/31/2007
Status: Active Grant

First Claim

Patent Images

1. A method of securing a network from vulnerability exploits, comprising:

receiving on a security engine a packet destined for a user'"'"'s internal network;

forwarding the received packet to at least one virtual machine based upon a virtual machine configuration table;

processing the forwarded packet on the at least one virtual machine; and

releasing the packet received on the security engine to the user'"'"'s internal network based upon results of the processing.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting networks from vulnerability exploits comprises a security engine operable to receive a packet destined for a user'"'"'s network and forward the packet to at least one host virtual machine for processing. The security engine is further operable to forward the stored packet to the user'"'"'s internal network based upon a result of the processed packet. A method of securing a network from vulnerability exploits is described. The method comprises receiving a packet destined for a user'"'"'s internal network; forwarding the packet to at least one virtual machine based upon a virtual machine configuration table; processing the forwarded packet on the at least one virtual machine; and releasing the packet to the user'"'"'s internal network based upon results of the processing.

92 Citations

View as Search Results

20 Claims

1. A method of securing a network from vulnerability exploits, comprising:
- receiving on a security engine a packet destined for a user'"'"'s internal network;
  
  forwarding the received packet to at least one virtual machine based upon a virtual machine configuration table;
  
  processing the forwarded packet on the at least one virtual machine; and
  
  releasing the packet received on the security engine to the user'"'"'s internal network based upon results of the processing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - releasing the packet to the user'"'"'s internal network based upon a policy configuration.
  - 3. The method of claim 1, further comprising:
    - forwarding the received packet to at least one virtual machine configured to process services on a port associated with the received packet.
  - 4. The method of claim 1, further comprising:
    - storing the packet received by the security engine in a buffer; and
      
      forwarding the received packet to at least one virtual machine.
  - 5. The method of claim 1, wherein processing the forwarded packet comprises:
    - tracking a packet sequence number and destination port of the forwarded packet;
      
      checking, after a predetermined time, status of the destination port of the forwarded packet; and
      
      transmitting the packet sequence number and the status of the destination port to the security engine.
  - 6. The method of claim 5, wherein checking the status of the destination port of the forwarded packet comprises:
    - polling application services on the virtual machine to which the packet was forwarded to determine whether the application services are in a “
      
      LISTEN”
      
      state for the destination port associated with the packet.
  - 7. The method of claim 1, further comprising:
    - monitoring an operational state of each of the at least one virtual machine; and
      
      executing a back-up virtual machine if a virtual machine fails.
  - 8. The method of claim 7, further comprising:
    - saving at least a portion of the failed virtual machine for further analysis.
  - 9. The method of claim 7, further comprising:
    - configuring at least one of a policy configuration and a virtual machine configuration table.

10. A computer program product, comprising:
- a computer-readable medium comprising;
  
  a first set of codes for causing a security engine to receive, on a zero-day engine, a packet destined for a user'"'"'s internal network;
  
  a second set of codes for causing the security engine to forward the packet to at least one virtual machine based upon a virtual machine configuration table;
  
  a third set of codes for causing the at least one virtual machine to process the forwarded packet on an application executing on the at least one virtual machine; and
  
  a fourth set of codes for causing the security engine to one of blocking or releasing the stored packet to the user'"'"'s internal network based upon results of the processed forwarded packet.
- View Dependent Claims (11)
- - 11. The computer-readable medium of claim 10 further comprising:
    - a fifth set of codes for causing the security engine to block the stored packet based upon at least one predetermined security policy.

12. A security system for protecting networks from vulnerability exploits, comprising:
- a security engine operable to receive an incoming packet destined for a user'"'"'s network and forward the packet to at least one host virtual machine; and
  
  at least one virtual machine comprising an operating system and services operable to process the forwarded packet;
  
  wherein the security engine is further operable to release the packet to the user'"'"'s network based upon a result of the processed packet.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the security engine is further operable to forward the packet to the user'"'"'s network based upon a stored security policy.
  - 14. The system of claim 12, wherein each virtual machine includes a watching program operable to:
    - track a packet sequence number and destination port of the forwarded packet;
      
      check, after a predetermined time, status of the destination port of the forwarded packet; and
      
      transmit the packet sequence number and the status of the destination port to the security engine.
  - 15. The security system of claim 12, further comprising:
    - at least one back-up virtual machine operable to execute upon determination of a failure of a monitored virtual machine.
  - 16. The security system of claim 12, further comprising:
    - a utility engine in communication with each virtual machine and the security engine, the utility engine operable to monitor status of each virtual machine and execute a back-up virtual machine based upon a status of a monitored virtual machine.
  - 17. The security system of claim 12, wherein the security engine includes a packet buffer operable to store the incoming packet and forward the packet to the user'"'"'s network based upon a result of the processed packet.
  - 18. The security system of claim 12, comprising a server further comprising:
    - the security engine; and
      
      the at least one virtual machine; and
      
      a utility engine operable to monitor status of each virtual machine and execute a virtual machine based upon a status of a monitored virtual machine.
  - 19. The security system of claim 18, wherein the utility engine comprises at least one security configuration accessible by the security engine.
  - 20. The security system of claim 12, further comprising a user interface operable to configure at least one of a security configuration and a virtual memory configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Todd, Michael

Granted Patent

US 8,391,288 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

ZERO-DAY SECURITY SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ZERO-DAY SECURITY SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links