METHODS, HARDWARE PRODUCTS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING INTROSPECTION DATA COMPARISON UTILIZING HYPERVISOR GUEST INTROSPECTION DATA

US 20090282481A1
Filed: 05/08/2008
Published: 11/12/2009
Est. Priority Date: 05/08/2008
Status: Active Grant

First Claim

Patent Images

1. A method for implementing introspection data comparison utilizing hypervisor guest introspection data, the method comprising:

using a hypervisor shim on a hypervisor to construct one or more workload management components that are independent from a participating pool member of a pool comprising a guest having a guest memory and a guest operating system;

the hypervisor collecting a first set of data;

the guest sending a second set of data comprising guest memory data from the guest memory;

comparing the first set of data with the second set of data to detect at least one of a potential security intrusion or an anomalous deviation between the first set of data and the second set of data; and

a policy manager taking action based upon a result of the comparison of the first and second sets of data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Introspection data comparison is implemented utilizing hypervisor guest introspection data. A hypervisor shim on a hypervisor is used to construct one or more workload management components that are independent from a participating pool member of a pool comprising a guest having a guest memory and a guest operating system. The hypervisor collects a first set of data. The guest sends a second set of data comprising guest memory data from the guest memory. The first set of data is compared with the second set of data to detect at least one of a potential security intrusion or an anomalous deviation between the first set of data and the second set of data. A policy manager takes action based upon a result of the comparison of the first and second sets of data.

50 Citations

View as Search Results

18 Claims

1. A method for implementing introspection data comparison utilizing hypervisor guest introspection data, the method comprising:
- using a hypervisor shim on a hypervisor to construct one or more workload management components that are independent from a participating pool member of a pool comprising a guest having a guest memory and a guest operating system;
  
  the hypervisor collecting a first set of data;
  
  the guest sending a second set of data comprising guest memory data from the guest memory;
  
  comparing the first set of data with the second set of data to detect at least one of a potential security intrusion or an anomalous deviation between the first set of data and the second set of data; and
  
  a policy manager taking action based upon a result of the comparison of the first and second sets of data.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the one or more workload management components are constructed by:
    - performing introspection of the guest memory wherein the guest memory has a guest memory layout;
      
      accepting an operating system (OS) memory map;
      
      comparing the guest memory layout with the OS memory map wherein, when the guest memory layout matches the OS memory map, the OS memory map is used to obtain one or more interested memory segments from the guest memory layout; and
      
      using an OS corresponding to the OS memory map and using the one or more interested memory segments to perform data processing.
  - 3. The method of claim 2 wherein the hypervisor shim requires no instrumentation on the participating pool member to provide constructed workload management components for implementing a zero trust policy.
  - 4. The method of claim 3 wherein the hypervisor shim is leveraged underneath one or more participating OS'"'"'s to be resource managed/monitored.
  - 5. The method of claim 4 wherein the hypervisor shim is used in conjunction with memory layout fingerprinting to examine the guest memory layout to identify an installed OS.
  - 6. The method of claim 5 wherein, once the installed OS has been identified, a policy is then identified that specifies how to manually inspect one or more memory segments comprising one or more memory pages of the installed OS for statistical observation.

7. A computer program product for implementing introspection data comparison utilizing hypervisor guest introspection data, the computer program product including a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for facilitating a method including:
- using a hypervisor shim on a hypervisor to construct one or more workload management components that are independent from a participating pool member of a pool comprising a guest having a guest memory and a guest operating system;
  
  the hypervisor collecting a first set of data;
  
  the guest sending a second set of data comprising guest memory data from the guest memory;
  
  comparing the first set of data with the second set of data to detect at least one of a potential security intrusion or an anomalous deviation between the first set of data and the second set of data; and
  
  a policy manager taking action based upon a result of the comparison of the first and second sets of data.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7 further comprising instructions for:
    - performing introspection of the guest memory wherein the guest memory has a guest memory layout;
      
      accepting an operating system (OS) memory map;
      
      comparing the guest memory layout with the OS memory map wherein, when the guest memory layout matches the OS memory map, the OS memory map is used to obtain one or more interested memory segments from the guest memory layout; and
      
      using an OS corresponding to the OS memory map and using the one or more interested memory segments to perform data processing.
  - 9. The computer program product of claim 8 wherein the hypervisor shim requires no instrumentation on the participating pool member to provide constructed workload management components for implementing a zero trust policy.
  - 10. The computer program product of claim 9 wherein the hypervisor shim is leveraged underneath one or more participating OS'"'"'s to be resource managed/monitored.
  - 11. The computer program product of claim 10 wherein the hypervisor shim is used in conjunction with memory layout fingerprinting to examine the guest memory layout to identify an installed OS.
  - 12. The computer program product of claim 11 wherein, once the installed OS has been identified, a policy is then identified that specifies how to manually inspect one or more memory segments comprising one or more memory pages of the installed OS for statistical observation.

13. A hardware product for implementing introspection data comparison utilizing hypervisor guest introspection data, the hardware product including a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for facilitating a method including:
- using a hypervisor shim on a hypervisor to construct one or more workload management components that are independent from a participating pool member of a pool comprising a guest having a guest memory and a guest operating system;
  
  the hypervisor collecting a first set of data;
  
  the guest sending a second set of data comprising guest memory data from the guest memory;
  
  comparing the first set of data with the second set of data to detect at least one of a potential security intrusion or an anomalous deviation between the first set of data and the second set of data; and
  
  a policy manager taking action based upon a result of the comparison of the first and second sets of data.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The hardware product of claim 13 further including instructions for:
    - performing introspection of the guest memory wherein the guest memory has a guest memory layout;
      
      accepting an operating system (OS) memory map;
      
      comparing the guest memory layout with the OS memory map wherein, when the guest memory layout matches the OS memory map, the OS memory map is used to obtain one or more interested memory segments from the guest memory layout; and
      
      using an OS corresponding to the OS memory map and using the one or more interested memory segments to perform data processing.
  - 15. The hardware product of claim 14 wherein the hypervisor shim requires no instrumentation on the participating pool member to provide constructed workload management components for implementing a zero trust policy.
  - 16. The hardware product of claim 15 wherein the hypervisor shim is leveraged underneath one or more participating OS'"'"'s to be resource managed/monitored.
  - 17. The hardware product of claim 16 wherein the hypervisor shim is used in conjunction with memory layout fingerprinting to examine the guest memory layout to identify an installed OS.
  - 18. The hardware product of claim 17 wherein, once the installed OS has been identified, a policy is then identified that specifies how to manually inspect one or more memory segments comprising one or more memory pages of the installed OS for statistical observation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dow, Eli M., Laser, Marie R., Yu, Jessie, Dhuvur, Charulatha

Granted Patent

US 8,336,099 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554 involving event detection a...

METHODS, HARDWARE PRODUCTS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING INTROSPECTION DATA COMPARISON UTILIZING HYPERVISOR GUEST INTROSPECTION DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

METHODS, HARDWARE PRODUCTS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING INTROSPECTION DATA COMPARISON UTILIZING HYPERVISOR GUEST INTROSPECTION DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others