SECURITY EVENT DETECTION THROUGH VIRTUAL MACHINE INTROSPECTION
Abstract
Methods and apparatus are disclosed for security event detection through virtual machine introspection. Example methods involve monitoring usage of a plurality of resources by a first virtual machine executing on a computing device by a monitoring agent, the monitoring agent executing on the computing device separate from the first virtual machine. Example methods further involve detecting a potential security event by comparing the usage of the plurality of resources to resource usage patterns. Example methods further involve assigning a severity level to the detected potential security event, and initiating a security action defined for the assigned severity level.
20 Claims
1. A method of security event detection in a computing device of a process control system, comprising:
- monitoring usage of a plurality of resources by a first virtual machine executing on the computing device by a monitoring agent, the monitoring agent executing on the computing device separate from the first virtual machine;
- detecting a potential security event by comparing the usage of the plurality of resources to resource usage patterns;
- assigning a severity level to the detected potential security event; and
- initiating a security action based on the assigned severity level.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. An apparatus comprising:
- a resource monitor to, via a processor:
  - monitor usage of a plurality of resources by a first virtual machine executing on a computing device, the resource monitor being separate from the first virtual machine, and
  - detect a potential security event by comparing the usage of the plurality of resources to resource usage patterns; and
- a security event handler to:
  - assign a severity level to the detected potential security event, and
  - initiate a security action defined for the assigned severity level.

Dependent claims: 9, 10, 11, 12, 13.

14. A tangible computer readable storage medium comprising instructions which, when executed, cause a monitoring agent to at least:
- monitor usage of a plurality of resources by a first virtual machine executing on a computing device, the monitoring agent to execute on the computing device separate from the first virtual machine;
- detect a potential security event by comparing the usage of the plurality of resources to resource usage patterns;
- assign a severity level to the detected potential security event; and
- initiate a security action defined for the assigned severity level.

Dependent claims: 15, 16, 17, 18, 19, 20.