Hypervisor-Based Enterprise Endpoint Protection

US 20140137180A1
Filed: 11/13/2012
Published: 05/15/2014
Est. Priority Date: 11/13/2012
Status: Active Grant

First Claim

Patent Images

1. A client system comprising at least one processor configured to operate a hypervisor, the hypervisor configured to execute:

a client virtual machine (VM); and

a security VM distinct from the client VM, the security VM configurable by a centralized security manager executing on a remote server connected to the client system by a network, wherein the remote server is programmed to configure a plurality of client systems including the client system, wherein the security VM is configured to control a network adapter of the client system according to a security policy received from the remote server, and wherein the security VM is further configured to;

receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM,in response to receiving the data unit, determine whether the data unit is malicious according to a content of the payload,in response, when the data unit is not malicious, transmit the data unit to the hypervisor for transmission to the client VM, andin response, when the data unit is malicious,send a security report to the remote server, the security report indicative of the maliciousness of the data unit, andrestrict access of the client VM to the network adapter according to the security policy,wherein the hypervisor is further configured, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, and wherein the hypervisor comprises a memory introspection engine configured to;

determine whether the client VM comprises malware according to a content of a section of memory of the client VM, andin response, when the client VM comprises malware, send a security alert to the security VM.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described systems and methods allow the detection and prevention of malware and/or malicious activity within a network comprising multiple client computer systems, such as an enterprise network with multiple endpoints. Each endpoint operates a hardware virtualization platform, including a hypervisor exposing a client virtual machine (VM) and a security VM. The security VM is configured to have exclusive use of the network adapter(s) of the respective endpoint, and to detect whether data traffic to/from the client VM comprises malware or is indicative of malicious behavior. Upon detecting malware/malicious behavior, the security VM may block access of the client VM to the network, thus preventing the spread of malware to other endpoints. The client system may further comprise a memory introspection engine configured to perform malware scanning of the client VM from the level of the hypervisor.

296 Citations

18 Claims

1. A client system comprising at least one processor configured to operate a hypervisor, the hypervisor configured to execute:
- a client virtual machine (VM); and
  
  a security VM distinct from the client VM, the security VM configurable by a centralized security manager executing on a remote server connected to the client system by a network, wherein the remote server is programmed to configure a plurality of client systems including the client system, wherein the security VM is configured to control a network adapter of the client system according to a security policy received from the remote server, and wherein the security VM is further configured to;
  
  receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM,in response to receiving the data unit, determine whether the data unit is malicious according to a content of the payload,in response, when the data unit is not malicious, transmit the data unit to the hypervisor for transmission to the client VM, andin response, when the data unit is malicious,send a security report to the remote server, the security report indicative of the maliciousness of the data unit, andrestrict access of the client VM to the network adapter according to the security policy,wherein the hypervisor is further configured, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, and wherein the hypervisor comprises a memory introspection engine configured to;
  
  determine whether the client VM comprises malware according to a content of a section of memory of the client VM, andin response, when the client VM comprises malware, send a security alert to the security VM.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The client system of claim 1, wherein the security VM is further configured, in response to the hypervisor sending the security alert, to restrict access of the client VM to the network adapter.
  - 3. The client system of claim 1, wherein the security policy is determined according to the security report.
  - 4. The client system of claim 1, wherein the security VM is further configured to:
    - receive a second security policy from the remote server, the second security policy instructing the security VM to restrict network access of the client VM to a second client system of the plurality of client systems, andin response, restrict network access of the client VM to the second client system according to the second security policy.
  - 5. The client system of claim 1, wherein the hypervisor is further configured to:
    - intercept an attempt of the client VM to send a second data unit to the network adapter, the second data unit comprising a second header and a second payload, andin response to intercepting the attempt, transmit the second data unit to the security VM,and wherein the security VM is further configured, in response to receiving the second data unit, to;
      
      determine whether the second data unit is malicious according to a content of the second payload, andin response, when the second data unit is not malicious, transmit the second data unit to the network adapter.
  - 6. The client system of claim 1, wherein the client VM comprises a security agent, the agent configured to receive from the hypervisor a report indicating whether the client VM comprises malware, and in response, to display a content of the report on an output device of the client system.

7. A server system comprising at least one processor programmed to remotely configure a plurality of client systems, wherein configuring a client system of the plurality of the client systems comprises sending a security policy to the client system, and wherein the client system comprises at least one processor configured to operate a hypervisor, the hypervisor configured to execute:
- a client virtual machine (VM); and
  
  a security VM distinct from the client VM, the security VM configured to control a network adapter of the client system, and further configured to;
  
  receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM,in response to receiving the data unit, determine whether the data unit is malicious according to a content of the payload,in response, when the data unit is not malicious, transmit the data unit to the hypervisor for transmission to the client VM, andin response, when the data unit is malicious,send a security report to the server system, the security report indicative of the maliciousness of the data unit, andin response to receiving the security policy, restrict access of the client VM to the network adapter according to the security policy,wherein the hypervisor is further configured, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, and wherein the hypervisor comprises a memory introspection engine configured to;
  
  determine whether the client VM comprises malware according to a content of a section of memory of the client VM, andin response, when the client VM comprises malware, send a security alert to the security VM.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The server system of claim 7, further configured to:
    - perform an attestation of the client system; and
      
      determine the security policy according to a result of the attestation.
  - 9. The server system of claim 7, further configured to determine the security policy according to the security report received from the client system.
  - 10. The server system of claim 7, further configured to:
    - in response to receiving the security report from the client system, retrieve a software update from a remote software distribution server; and
      
      in response, transmit the update to the client system over the network.
  - 11. The server system of claim 7, further configured, in response to receiving the security report from the client system, to send a second security policy to a second client system of the plurality of client systems, the second security policy restricting network access of the second client system to the client system.
  - 12. The server system of claim 7, further configured, in response to receiving the security report from the client system, to send an electronic message to a system administrator, the electronic message determined according to the security report.
  - 13. The server system of claim 7, wherein the security VM is further configured, in response to the hypervisor sending the security alert, to restrict access of the client VM to the network adapter.
  - 14. The server system of claim 7, wherein the security VM is further configured to:
    - receive a second security policy from the remote server, the second security policy indicating that a second client system of the plurality of client systems is malicious, andin response, restrict access of the client VM to the second client system according to the second security policy.
  - 15. The server system of claim 7, wherein the hypervisor is further configured to:
    - intercept an attempt of the client VM to send a second data unit to the network adapter, the second data unit comprising a second header and a second payload, andin response to intercepting the attempt, transmit the second data unit to the security VM,and wherein the security VM is further configured, in response to receiving the second data unit, to;
      
      determine whether the second data unit is malicious according to a content of the second payload, andin response, when the second data unit is not malicious, transmit the second data unit to the network adapter.
  - 16. The server system of claim 7, wherein the client VM comprises a security agent, the agent configured to receive from the hypervisor a report indicating whether the client VM comprises malware, and in response, to display a content of the report on an output device of the client system.

17. A method comprising employing at least one processor of a client system to form a hypervisor configured to expose:
- a client virtual machine (VM); and
  
  a security VM distinct from the client VM, the security VM configured to control a network adapter of the client system, the security VM configurable by a centralized security manager executing on a remote server connected to the client system by a network, wherein the remote server is programmed to configure a plurality of client systems including the client system, and wherein configuring the client system comprises the remote server sending a security policy to the client system;
  
  wherein the method further comprises;
  
  employing the security VM to receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM,employing the security VM, in response to receiving the data unit, to determine whether the data unit is malicious according to a content of the payload, and in response,when the data unit is not malicious, to transmit the data unit to the hypervisor for transmission to the client VM, andwhen the data unit is malicious,to send a security report to the remote server, the security report indicative of the maliciousness of the data unit, andto restrict access of the client VM to the network adapter according to the security policy, andwherein the method further comprises employing the hypervisor, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, wherein the hypervisor further comprises a memory introspection engine configured to;
  
  determine whether the client VM comprises malware according to a content of a section of memory of the client VM, andin response, when the client VM comprises malware, send a security alert to the security VM.

18. A method comprising:
- employing at least one processor of a server system to remotely configure a plurality of client systems connected to the server system by a network, wherein configuring a client system of the plurality of client systems comprises sending a security policy to the client system; and
  
  in response to configuring the plurality of client systems, employing at least one processor of the server system to receive a security report from the client system,wherein the client system comprises a hypervisor configured to execute;
  
  a client virtual machine (VM); and
  
  a security VM distinct from the client VM, the security VM configured to control a network adapter of the client system and further configured to;
  
  receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM,in response to receiving the data unit, determine whether the data unit is malicious according to a content of the payload,in response, when the data unit is not malicious, transmit the data unit to the hypervisor for transmission to the client VM, andin response, when the data unit is malicious,send the security report to the server system, the security report indicative of the maliciousness of the data unit, andrestrict access of the client VM to the network adapter according to the security policy,wherein the hypervisor is further configured, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, and wherein the hypervisor comprises a memory introspection engine configured to;
  
  determine whether the client VM comprises malware according to a content of a section of memory of the client VM, andin response, when the client VM comprises malware, send a security alert to the security VM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Original Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Inventors
LUKACS, Sandor, LUTAS, Dan H., TOSA, Raul V.

Granted Patent

US 8,910,238 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

Hypervisor-Based Enterprise Endpoint Protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

296 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Hypervisor-Based Enterprise Endpoint Protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

296 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links