SYSTEMS AND METHODS FOR PROCESSING HYPERVISOR-GENERATED EVENT DATA

US 20180124079A1
Filed: 10/28/2016
Published: 05/03/2018
Est. Priority Date: 10/28/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

for each server of a plurality servers identified in a server list;

determining, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server; and

further determining, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server;

wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;

detecting, based on the set of event definitions, occurrences of a plurality of hypervisor events;

determining whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and

in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generating a normalized event.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatuses enable a network security system to more efficiently process and respond to events generated by hypervisors and other associated components of a networked computer system. In this context, a hypervisor event refers broadly to any action that occurs related to one or more components of a hypervisor (including the hypervisor itself, virtual servers hosted by the hypervisor, etc.) and/or to data identifying the occurrence of the action(s) (e.g., a log entry, a notification message, etc.). A security service obtains and analyzes event data from any number of different types of hypervisors, where each different type of hypervisor may represent events differently and/or make event data accessible in different ways, among other differences.

13 Citations

View as Search Results

30 Claims

1. A computer-implemented method, comprising:
- for each server of a plurality servers identified in a server list;
  
  determining, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server; and
  
  further determining, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server;
  
  wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
  
  detecting, based on the set of event definitions, occurrences of a plurality of hypervisor events;
  
  determining whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
  
  in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generating a normalized event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein each server of the plurality of servers is managed by a computing security service.
  - 3. The method of claim 1, wherein the mapping of servers to hypervisor types is stored as a list of server definitions, wherein each server definition specifies a server name, a server address, and a server hypervisor type.
  - 4. The method of claim 1, wherein the mapping of hypervisor types to event definitions includes a list of hypervisor event definitions, wherein each hypervisor event definition specifies a hypervisor event name, a hypervisor event type, a hypervisor event method, and an internal event name.
  - 5. The method of claim 1, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises polling a hypervisor hosted by a server of the plurality of servers.
  - 6. The method of claim 1, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises polling a hypervisor hosted by a server of the plurality of servers, wherein the hypervisor is polled using a network address stored for the hypervisor in the mapping of servers to hypervisor types.
  - 7. The method of claim 1, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises receiving a pushed event from a hypervisor hosted by a server of the plurality of servers.
  - 8. The method of claim 1, wherein the defined event list is one of a plurality of defined event lists.
  - 9. The method of claim 1, wherein the defined event list is one of a plurality of defined event lists, and wherein at least one defined event list of the plurality of defined event lists is satisfied based on identifying an occurrence of a single hypervisor event.
  - 10. The method of claim 1, wherein a security service performs one or more security measures based on the normalized event.

11. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of:
- for each server of a plurality servers identified in a server list;
  
  determining, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server; and
  
  further determining, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server;
  
  wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
  
  detecting, based on the set of event definitions, occurrences of a plurality of hypervisor events;
  
  determining whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
  
  in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generating a normalized event.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein each server of the plurality of servers is managed by a computing security service.
  - 13. The non-transitory computer-readable storage medium of claim 11, wherein the mapping of servers to hypervisor types is stored as a list of server definitions, wherein each server definition specifies a server name, a server address, and a server hypervisor type.
  - 14. The non-transitory computer-readable storage medium of claim 11, wherein the mapping of hypervisor types to event definitions includes a list of hypervisor event definitions, wherein each hypervisor event definition specifies a hypervisor event name, a hypervisor event type, a hypervisor event method, and an internal event name.
  - 15. The non-transitory computer-readable storage medium of claim 11, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises polling a hypervisor hosted by a server of the plurality of servers.
  - 16. The non-transitory computer-readable storage medium of claim 11, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises polling a hypervisor hosted by a server of the plurality of servers, wherein the hypervisor is polled using a network address stored for the hypervisor in the mapping of servers to hypervisor types.
  - 17. The non-transitory computer-readable storage medium of claim 11, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises receiving a pushed event from a hypervisor hosted by a server of the plurality of servers.
  - 18. The non-transitory computer-readable storage medium of claim 11, wherein the defined event list is one of a plurality of defined event lists.
  - 19. The non-transitory computer-readable storage medium of claim 11, wherein the defined event list is one of a plurality of defined event lists, and wherein at least one defined event list of the plurality of defined event lists is satisfied based on identifying an occurrence of a single hypervisor event.
  - 20. The non-transitory computer-readable storage medium of claim 11, wherein a security service performs one or more security measures based on the normalized event.

21. An apparatus, comprising:
- one or more processors;
  
  a non-transitory computer-readable storage medium coupled to the one or more processors, the computer-readable storage medium storing instructions which, when executed by the one or more processors, causes the apparatus to;
  
  for each server of a plurality servers identified in a server list;
  
  determine, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server; and
  
  further determine, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server;
  
  wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
  
  detect, based on the set of event definitions, occurrences of a plurality of hypervisor events;
  
  determine whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
  
  in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generate a normalized event.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus of claim 21, wherein each server of the plurality of servers is managed by a computing security service.
  - 23. The apparatus of claim 21, wherein the mapping of servers to hypervisor types is stored as a list of server definitions, wherein each server definition specifies a server name, a server address, and a server hypervisor type.
  - 24. The apparatus of claim 21, wherein the mapping of hypervisor types to event definitions is stored as a list of hypervisor event definitions, wherein each hypervisor event definition specifies a hypervisor event name, a hypervisor event type, a hypervisor event method, and an internal event name.
  - 25. The apparatus of claim 21, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises polling a hypervisor hosted by a server of the plurality of servers.
  - 26. The apparatus of claim 21, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises polling a hypervisor hosted by a server of the plurality of servers, wherein the hypervisor is polled using a network address stored for the hypervisor in the mapping of servers to hypervisor types.
  - 27. The apparatus of claim 21, wherein detecting an occurrence of at least one hypervisor event of the plurality of hypervisor events comprises receiving a pushed event from a hypervisor hosted by a server of the plurality of servers.
  - 28. The apparatus of claim 21, wherein the defined event list is one of a plurality of defined event lists.
  - 29. The apparatus of claim 21, wherein the defined event list is one of a plurality of defined event lists, and wherein at least one defined event list of the plurality of defined event lists is satisfied based on identifying an occurrence of a single hypervisor event.
  - 30. The apparatus of claim 21, wherein a security service performs one or more security measures based on the normalized event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
ShieldX Networks, Inc. (Fortinet Inc.)
Inventors
Ahuja, Ratinder Paul Singh, Nedbal, Manuel, Sitpure, Pankaj

Granted Patent

US 10,447,716 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

SYSTEMS AND METHODS FOR PROCESSING HYPERVISOR-GENERATED EVENT DATA

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR PROCESSING HYPERVISOR-GENERATED EVENT DATA

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links