SECURITY VIRTUAL MACHINE FOR ADVANCED AUDITING

US 20100325727A1
Filed: 06/17/2009
Published: 12/23/2010
Est. Priority Date: 06/17/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for receiving auditing information, the method comprising:

receiving an indication to start collecting auditing information from one or more protected virtual machines from outside of the protected virtual machines;

identifying an auditing information source, wherein the source indicates a protected virtual machine;

receiving auditing information from the identified source; and

storing the received auditing information in a location outside of the protected virtual machine along with identifying information of the source,wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system collects an audit trail on a computer outside of a boundary created by one or more virtual machines. The security system uses a privileged virtual machine to collect audit logs for each protected virtual machine. As the protected virtual machines run, they send auditing information to the privileged virtual machine. The privileged virtual machine can collect auditing information from protected virtual machines much more quickly than a network server, as well as collecting auditing events from multiple protected virtual machines. Because the auditing destination is located on the same computer as the virtual machine monitored by the audit trail, no network dependency is present. Thus, the security system allows for monitoring the activity of administrators and other users while preventing tampering with the audit trail of each user'"'"'s actions.

Citations

20 Claims

1. A computer-implemented method for receiving auditing information, the method comprising:
- receiving an indication to start collecting auditing information from one or more protected virtual machines from outside of the protected virtual machines;
  
  identifying an auditing information source, wherein the source indicates a protected virtual machine;
  
  receiving auditing information from the identified source; and
  
  storing the received auditing information in a location outside of the protected virtual machine along with identifying information of the source,wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the method is invoked by a host operating system that starts a privileged virtual machine that performs the method.
  - 3. The method of claim 1 wherein receiving an indication to start collecting auditing information comprises running an application on a host operating system to collect auditing information from the one or more protected virtual machines.
  - 4. The method of claim 1 wherein identifying an auditing information source comprises enumerating a protected virtual machine for which the component will collect auditing information.
  - 5. The method of claim 1 further comprising repeating the steps of identifying an auditing information source, receiving auditing information, and storing auditing information for each of the protected virtual machines hosted by a host operating system.
  - 6. The method of claim 1 wherein receiving auditing information from the identified source comprises receiving auditing information via a virtualization bus.
  - 7. The method of claim 1 wherein receiving auditing information from the identified source comprises receiving auditing information via a network interface.
  - 8. The method of claim 1 wherein receiving auditing information from the identified source comprises receiving auditing information via a file system interface.
  - 9. The method of claim 1 wherein receiving auditing information from the identified source comprises receiving information about one or more events as the events occur on a protected virtual machine.
  - 10. The method of claim 9 wherein the events include one or more actions taken by an administrator on the protected virtual machine.
  - 11. The method of claim 1 wherein storing the received auditing information comprises aggregating auditing information from multiple protected virtual machines along with information indicating which protected virtual machine is the source of each event.

12. A computer system for securely collecting auditing information, the system comprising:
- a processor and memory configured to execute software instructions;
  
  a host component configured to provide a root partition that hosts one or more virtual child partitions that each includes a protected virtual machine;
  
  a virtualization component configured to abstract differences between physical hardware associated with the computer system and virtual hardware provided to each virtual machine;
  
  an audit component configured to receive auditing information from each of the protected virtual machines; and
  
  a communication component configured to provide a channel through which the audit component receives auditing information from the protected virtual machines.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12 wherein the host component is further configured to run an operating system that includes a virtualization stack and devices drivers through which one or more virtual machines can interact with physical hardware on the same computer system, and wherein the host component interacts with the virtualization component to communicate with the physical hardware and the communication component to communicate with the virtual machines.
  - 14. The system of claim 12 wherein the virtualization component is further configured to operate as a hypervisor that sits in a conceptual stack below the host operating system and each of the virtual machines to abstract the physical hardware from the root and child partitions.
  - 15. The system of claim 12 wherein the audit component is further configured as a privileged virtual machine that the host operating system runs alongside the protected virtual machines.
  - 16. The system of claim 12 wherein the virtualization component is further configured to authorize one or more audit components to receive auditing information from each protected virtual machine through a hypervisor.
  - 17. The system of claim 12 wherein the audit component runs directly as an application of the host operating system to collect audit information from the protected virtual machines.
  - 18. The system of claim 12 further comprising a guest agent component configured to execute within each protected virtual machine to collect auditing information and send the auditing information to the auditing component.

19. A computer-readable storage medium comprising instructions for controlling a computer system to configure a privileged virtual machine, wherein the instructions, when executed, cause a processor to perform actions comprising:
- receiving configuration information defining the privileged virtual machine;
  
  selecting one or more protected virtual machines for which the privileged virtual machine will be authorized to collect auditing information;
  
  setting a communication method that will be used by the protected virtual machines to send auditing information to the privileged virtual machine;
  
  setting a log destination to store the auditing information that the privileged virtual machine collects; and
  
  authorizing the privileged virtual machine to collect audit information from the selected protected virtual machines.
- View Dependent Claims (20)
- - 20. The medium of claim 19 wherein authorizing the privileged virtual machine includes registering the privileged virtual machine with a hypervisor that each virtual machine accesses to interact with physical hardware and wherein the hypervisor controls which virtual machines can access other virtual machines and receive information such as audit logs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Verny, Leonid, Fitzgerald, R. Eric

Granted Patent

US 8,955,108 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 11/3476   Data logging G06F11/14, G06...

G06F 21/53   by executing in a restricte...

G06F 2201/815   Virtual

SECURITY VIRTUAL MACHINE FOR ADVANCED AUDITING

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY VIRTUAL MACHINE FOR ADVANCED AUDITING

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links