Method and Apparatus for Encrypting Data Messages after Detecting Infected VM

US 20150379279A1
Filed: 06/30/2014
Published: 12/31/2015
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. For a host computer on which a set of virtual machines (VMs) execute, an encryption method comprising:

detecting malware on a first VM; and

encrypting data messages transmitted by at least a second VM after the malware is detected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.

35 Citations

View as Search Results

43 Claims

1. For a host computer on which a set of virtual machines (VMs) execute, an encryption method comprising:
- detecting malware on a first VM; and
  
  encrypting data messages transmitted by at least a second VM after the malware is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein before the malware was detected, the data messages from the second VM was not encrypted.
  - 3. The method of claim 1, wherein the second VM is the first VM.
  - 4. The method of claim 1, wherein encrypting data messages comprises encrypting data messages on a plurality of VMs that execute on the host, said plurality of VMs including the second VM.
  - 5. The method of claim 4, wherein the plurality of VMs include VMs that are not detected with malware.
  - 6. The method of claim 5, wherein the plurality of VMs further includes the first VM with the detected malware.
  - 7. The method of claim 1, wherein detecting malware comprises detecting that the first VM has been tagged as a malware-infected VM.
  - 8. The method of claim 7 further comprising:
    - examining a set of encryption policies to determine whether a set of encryption rules needs to be specified because the first VM has been detected with malware; and
      
      based on the examination of the encryption policy set, specifying at least one encryption rule that specifies that data messages transmitted by the second VM should be encrypted.
  - 9. The method of claim 8, wherein specifying the encryption rule comprises specifying a plurality of encryption rules that each specify the encryption of data messages for a different VM that executes on the host.
  - 10. The method of claim 8, wherein the specified encryption rule specifies the encryption of data messages from a plurality of VMs that executes on the host.
  - 11. The method of claim 10, wherein the plurality of VMs include VMs that are not infected with malware.
  - 12. The method of claim 10, wherein the plurality of VMs include the first VM with the detected malware.
  - 13. The method of claim 8, wherein the encryption policies are stored on the host computer.
  - 14. The method of claim 7, wherein detecting malware further comprises installing an agent on the VMs to provide VM introspection data about the VM'"'"'s operation, wherein the malware is detected by analyzing the introspection data.
  - 15. The method of claim 14, wherein the VMs are guest VMs (GVMs), wherein the malware data is collected from the VM agents by a service VM (SVM) executing on the host, wherein the SVM analyzes the introspection data to determine whether a GVM has been infected with malware, and assigns a malware-infected tag to a particular GVM when the SVM determines that the particular GVM has been infected with malware.
  - 16. The method of claim 1 further comprising:
    - inserting an encryption identifier in at least one encrypted data message, said encryption identifier for allowing destinations of the data message to decrypt the encrypted data message.
  - 17. The method of claim 16, wherein the encryption identifier is a key identifier that identifies an encryption key that was used to encrypt the data message.
  - 18. The method of claim 16, wherein the encryption identifier is a key identifier that identifies decryption key that is needed to decrypt the data message.
  - 19. The method of claim 16, wherein the encryption identifier is an encryption identifier that identifies an encryption process that was used to encrypt the data message.
  - 20. The method of claim 16, wherein the encryption identifier is a decryption identifier that identifies decryption process that is needed to decrypt the data message.
  - 21. The method of claim 16, wherein the encryption identifier is inserted in a header field of the data message.

22. A non-transitory machine readable medium storing a program for encrypting messages from a virtual machine (VM) that executes on a host computer, the program comprising sets of instructions for:
- detecting malware on a first VM; and
  
  encrypting data messages transmitted by at least a second VM after the malware is detected.
- View Dependent Claims (43)
- - 43. The non-transitory machine readable medium of claim 22, wherein the set of instructions for encrypting data messages comprises sets of instructions for:
    - using a set of message attribute values to identify one encryption rule from a plurality of stored encryption rules, said identified encryption rule being an encryption rule that is defined for the data messages sent by the second VM;
      
      retrieving an encryption parameter for an encryption process from the identified encryption rule; and
      
      using the identified encryption parameter to encrypt the data messages of the flow.

23-42. -42. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Feroz, Azeem, Thota, Kiran Kumar, Wiese, James C.

Granted Patent

US 9,489,519 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/602   Providing cryptographic fac...

G06F 21/6236   between heterogeneous systems

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/542   Event management; Broadcast...

G09C 1/00   Apparatus or methods whereb...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 9/14   using a plurality of keys o...

Method and Apparatus for Encrypting Data Messages after Detecting Infected VM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Encrypting Data Messages after Detecting Infected VM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links