Detecting Malicious Instructions in a Virtual Machine Memory
First Claim
1. A system comprising:
a hypervisor associated with a guest virtual machine;
the guest virtual machine in communication with the hypervisor, and comprising:
virtual machine measurement points implemented by a processor; and
a hypervisor control point implemented by the processor, and configured to:
collect virtual machine memory metadata from the guest virtual machine using a first virtual machine measurement point;
collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from the hypervisor using a second virtual machine measurement point;
compare the virtual machine memory metadata to the hypervisor memory metadata;
determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and
communicate the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata; and
the virtual vault machine in communication with the hypervisor, and configured to classify the state of the guest virtual based on the virtual machine memory metadata.
Abstract
A system that includes a guest virtual machine is in communication with a hypervisor. The guest virtual machine comprises virtual machine measurement points and a hypervisor control point. The hypervisor control point is configured to collect virtual machine memory metadata from the guest virtual machine and from the hypervisor, and to compare the virtual machine memory metadata to the hypervisor memory metadata. The hypervisor control point is further configured to determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata and to communicate the virtual machine memory metadata to the virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata. The virtual vault machine is in communication with the hypervisor and configured to classify the state of the guest virtual based on the virtual machine memory metadata.
20 Claims
1. A system comprising:
a hypervisor associated with a guest virtual machine;
the guest virtual machine in communication with the hypervisor, and comprising:
virtual machine measurement points implemented by a processor; and
a hypervisor control point implemented by the processor, and configured to:
collect virtual machine memory metadata from the guest virtual machine using a first virtual machine measurement point;
collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from the hypervisor using a second virtual machine measurement point;
compare the virtual machine memory metadata to the hypervisor memory metadata;
determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and
communicate the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata; and
the virtual vault machine in communication with the hypervisor, and configured to classify the state of the guest virtual based on the virtual machine memory metadata.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. A virtual machine intrusion detection method comprising:
collecting, by a hypervisor control point implemented by a processor, virtual machine memory metadata from a guest virtual machine using a first virtual machine measurement point from a plurality of virtual machine measurement points implemented by the processor;
collecting, by the hypervisor control point, hypervisor memory metadata that corresponds with the virtual machine memory metadata from a hypervisor associated with the guest virtual machine using a second virtual machine measurement point from the plurality of virtual machine measurement points;
comparing, by the hypervisor control point, the virtual machine memory metadata to the hypervisor memory metadata;
determining, by the hypervisor control point, whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and
communicating, by the hypervisor control point, the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. An apparatus comprising:
virtual machine measurement points implemented by a processor; and
a hypervisor control point implemented by the processor, and configured to:
collect virtual machine memory metadata from a guest virtual machine using a first virtual machine measurement point;
collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from a hypervisor associated with the guest virtual machine using a second virtual machine measurement point;
compare the virtual machine memory metadata to the hypervisor memory metadata;
determine whether the virtual machine memory metadata is the same as the hypervisor memory metadata; and
communicate the virtual machine memory metadata to a virtual vault machine in response to determining that the virtual machine memory metadata is the same as the hypervisor memory metadata.
(Dependent claims: 16, 17, 18, 19, 20)
Specification