Containment of Unknown and Polymorphic Fast Spreading Worms
First Claim
1. A worm containment system, comprising:
a) a host computing machine having a host operating system, the host operating system configured to manage at least one host application;
b) a virtual machine running under the control of a virtual machine monitor, the virtual machine having;
i) a clone of the host operating system; and
ii) a clone of the at least one host application;
c) a worm detector configured to monitor the virtual machine traffic for signs of worm propagation;
d) a splitter configured to duplicate packets intended for the host computing machine into;
(1) diverted packets; and
(2) buffered packets;
e) a diverter configured to route the diverted packets to the virtual machine; and
f) a buffer configured to;
i) store the buffered packets; and
ii) forward the buffered packets to the host operating system on indication from the worm detector that no worm propagation behavior was detected.
Abstract
A worm containment system comprising a host computing machine, a virtual machine running under the control of a virtual machine monitor, a worm detector, a diverter and a buffer. The host computing machine has a host operating system and host application(s). The virtual machine has a clone of the host operating system and a clone of the host application(s). The worm detector is configured to monitor the virtual machine traffic for signs of worm propagation. The splitter is configured to duplicate packets intended for the host computing machine into diverted packets and buffered packets. The diverter is configured to route the diverted packets to the virtual machine. The buffer is configured to store the buffered packets and then forward the buffered packets to the host operating system on indication from the worm detector that no worm propagation behavior was detected.
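The data flow in the abstract, as an added sketch that is not taken from the patent. The clone VM is replaced by a constructed function, and the detection rule (outbound fan-out above `FANOUT_LIMIT`), the per-flow buffering and the discard-on-detection behaviour are assumptions; the page specifies none of them.

```python
from collections import defaultdict, deque

FANOUT_LIMIT = 3  # assumed threshold: distinct peers the clone may contact per flow

def clone_vm_replay(payload):
    """Constructed stand-in for the VM clone: returns the outbound
    destinations the cloned application contacted after this packet."""
    if b"PROPAGATE" in payload:                      # constructed trigger
        return [f"10.0.0.{i}" for i in range(1, 9)]  # scan-like fan-out
    return []

class Containment:
    def __init__(self, replay=clone_vm_replay):
        self.replay = replay
        self.buffer = defaultdict(deque)   # buffer: held copies, per flow
        self.vm_peers = defaultdict(set)   # detector state: clone's outbound peers
        self.host_rx = []                  # what the real host finally receives

    def ingest(self, flow, payload):
        # Splitter: one copy is buffered, one copy is diverted.
        self.buffer[flow].append(payload)
        diverted = bytes(payload)
        # Diverter routes the copy to the clone; the detector records
        # the traffic the clone produces in response.
        self.vm_peers[flow].update(self.replay(diverted))

    def settle(self, flow):
        """Release or discard the flow's held packets; True if released."""
        held = self.buffer.pop(flow, deque())
        clean = len(self.vm_peers.pop(flow, set())) <= FANOUT_LIMIT
        if clean:
            self.host_rx.extend(held)      # forward to the host operating system
        return clean                       # assumed: flagged flows are dropped

def demo():
    c = Containment()
    c.ingest("flow-a", b"GET /index.html")   # constructed benign flow
    c.ingest("flow-b", b"POST /upload")      # benign-looking first packet
    c.ingest("flow-b", b"...PROPAGATE...")   # constructed worm-like packet
    return c.settle("flow-a"), c.settle("flow-b"), c.host_rx

if __name__ == "__main__":
    print(demo())
```

Because the host only ever sees packets released from the buffer, the benign-looking first packet of `flow-b` is withheld along with the one that triggered the detector.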
20 Claims
11. A computer-readable media tangibly embodying a program of instructions executable by a computer to perform a method for containing worms on the computing machine, the method comprising:
a) duplicating packets intended for a host computing machine into;
diverted packets and buffered packets, the host computing machine having a host operating system configured to manage at least one host application;
b) storing the buffered packets in a buffer;
c) routing the diverted packets to a virtual machine, the virtual machine running under the control of a virtual machine monitor, the virtual machine having;
i) a clone of a host operating system; and
ii) a clone of the at least one host application;
d) monitoring virtual machine traffic for signs of worm propagation; and
e) forwarding the buffered packets to the host computing machine when no worm propagation behavior was monitored.
20. A method for containing worms on a computing machine, the method comprising:
a) duplicating packets intended for a host computing machine into;
diverted packets and buffered packets, the host computing machine having;
i) a host operating system; and
ii) at least one host application;
b) routing the diverted packets to a virtual machine, the virtual machine running under the control of a virtual machine monitor, the virtual machine having;
i) a clone of a host operating system; and
ii) a clone of the at least one host application;
c) storing the buffered packets in a buffer;
d) monitoring virtual machine traffic for signs of worm propagation; and
e) forwarding the buffered packets to the host computing machine when no worm propagation behavior was monitored.
Specification