Providing server security via a security sensor application shared by multiple operating system partitions

US 7,844,744 B2
Filed: 04/25/2008
Issued: 11/30/2010
Est. Priority Date: 04/25/2008
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer server, a method comprising:

in response to a hypervisor receiving input/output (I/O) data traffic;

sending said I/O data traffic to a security sensor application shared by a plurality of operating system (OS) partitions within said computer server, wherein said security sensor application is not included within the plurality of OS partitions, wherein the I/O data traffic is addressed to one of;

an external destination via routing by said computer server and one of said plurality of OS partitions within said computer server;

determining if said computer server is configured as a router;

in response to a determination that said I/O data traffic meets pre-defined security standards and said I/O data traffic is addressed to one of said plurality of OS partitions, sending said I/O data traffic to said one of said plurality of OS partitions;

in response to a determination that said I/O data traffic meets said pre-defined security standards and said computer server is configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions, dynamically routing said I/O data traffic to the external destination in a network coupled to said computer server; and

in response to a determination that said computer server is not configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions;

identifying the I/O data traffic as malicious,logging a routing error on the I/O data traffic, andpurging the I/O data traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When a hypervisor in a computer server receives input/output (I/O) data traffic, the hypervisor sends the I/O data traffic to a security sensor application shared by multiple operating system (OS) partitions. If the security sensor application indicates that the I/O data traffic meets pre-defined security standards in the security sensor application, and the I/O data traffic is addressed to one of the OS partitions in the computer server, the hypervisor sends the I/O data traffic to the applicable OS partition. If the I/O data traffic meets the pre-defined security standards, and the I/O data traffic is not addressed to one of the OS partitions, the hypervisor sends the I/O data traffic to an external destination in a network coupled to the computer server.

118 Citations

18 Claims

1. In a computer server, a method comprising:
- in response to a hypervisor receiving input/output (I/O) data traffic;
  
  sending said I/O data traffic to a security sensor application shared by a plurality of operating system (OS) partitions within said computer server, wherein said security sensor application is not included within the plurality of OS partitions, wherein the I/O data traffic is addressed to one of;
  
  an external destination via routing by said computer server and one of said plurality of OS partitions within said computer server;
  
  determining if said computer server is configured as a router;
  
  in response to a determination that said I/O data traffic meets pre-defined security standards and said I/O data traffic is addressed to one of said plurality of OS partitions, sending said I/O data traffic to said one of said plurality of OS partitions;
  
  in response to a determination that said I/O data traffic meets said pre-defined security standards and said computer server is configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions, dynamically routing said I/O data traffic to the external destination in a network coupled to said computer server; and
  
  in response to a determination that said computer server is not configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions;
  
  identifying the I/O data traffic as malicious,logging a routing error on the I/O data traffic, andpurging the I/O data traffic.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said security sensor application is located in a virtual I/O server (VIOS) that is in communication with said hypervisor.
  - 3. The method of claim 2, wherein said security sensor application communicates directly with said hypervisor.
  - 4. The method of claim 1, wherein said security sensor application is located in a specialized security partition that is in communication with said hypervisor.
  - 5. The method of claim 1, wherein an I/O data interface is dedicated to said plurality of OS partitions.
  - 6. The method of claim 1, wherein an I/O data interface is shared by said plurality of OS partitions through a virtual I/O server (VIOS) that is in communication with said hypervisor.

7. A computer server system comprising:
- a processor;
  
  an input/output (I/O) interface coupled to an external network;
  
  a memory coupled to said I/O data interface and said processor, wherein said memory is configured to store code that is configured to provide;
  
  a hypervisor;
  
  a plurality of operating system (OS) partitions; and
  
  a security sensor application shared by said plurality of OS partitions, wherein said security sensor application is not included within the plurality of OS partitions; and
  
  program instructions executing on the processor, said program instructions comprising instructions executable by said processor and configured for;
  
  the hypervisor sending said I/O data traffic to a security sensor application shared by the plurality of operating system (OS) partitions within said computer server, wherein the I/O data traffic is addressed to one of;
  
  an external destination via routing by said computer server and one of said plurality of OS partitions within said computer server;
  
  determining if said computer server is configured as a router;
  
  in response to a determination that said I/O data traffic meets pre-defined security standards and said I/O data traffic is addressed to one of said plurality of OS partitions, sending said I/O data traffic to said one of said plurality of OS partitions;
  
  in response to a determination that said I/O data traffic meets said pre-defined security standards and said computer server is configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions, dynamically routing said I/O data traffic to the external destination in a network coupled to said computer server; and
  
  in response to a determination that said computer server is not configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions;
  
  identifying the I/O data traffic as malicious,logging a routing error on the I/O data traffic, andpurging the I/O data traffic.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer system of claim 7, wherein said security sensor application is located in a virtual I/O server (VIOS) that is in communication with said hypervisor.
  - 9. The computer system of claim 8, wherein said security sensor application communicates directly with said hypervisor.
  - 10. The computer system of claim 7, wherein said security sensor application is located in a specialized security partition that is in communication with said hypervisor.
  - 11. The computer system of claim 7, wherein said I/O data interface is dedicated to said plurality of OS partitions.
  - 12. The computer system of claim 7, wherein said I/O data interface is shared by said plurality of OS partitions through a virtual I/O server (VIOS) that is in communication with said hypervisor.

13. A computer program product comprising:
- a non-transitory computer storage medium; and
  
  program code on said computer storage medium that that when executed provides the functions of;
  
  in response to a hypervisor of a computer server receiving input/output (I/O) data traffic;
  
  sending said I/O data traffic to a security sensor application that is shared by a plurality of operating system (OS) partitions of the computer server, wherein said security sensor application is not included within the plurality of OS partitions, wherein the I/O data traffic is addressed to one of;
  
  an external destination via routing by said computer server and one of said plurality of OS partitions within said computer server;
  
  determining if said computer server is configured as a router;
  
  in response to a determination that said I/O data traffic meets pre-defined security standards and said I/O data traffic is addressed to one of said plurality of OS partitions, sending said I/O data traffic to said one of said plurality of OS partitions;
  
  in response to a determination that said I/O data traffic meets said pre-defined security standards and said computer server is configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions, dynamically routing said I/O data traffic to the external destination in a network coupled to said computer server; and
  
  in response to a determination that said computer server is not configured as a router and said I/O data traffic is not addressed to one of said plurality of OS partitions;
  
  identifying the I/O data traffic as malicious,logging a routing error on the I/O data traffic, andpurging the I/O data traffic.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13, wherein said code for said security sensor application is located in a virtual I/O server (VIOS) that is in communication with said hypervisor.
  - 15. The computer program product of claim 14, wherein said code for said security sensor application is in direct communication with said hypervisor.
  - 16. The computer program product of claim 13, wherein said code for said security sensor application is located in a specialized security partition that is in communication with said hypervisor.
  - 17. The computer program product of claim 13, wherein an I/O data interface is dedicated to said plurality of OS partitions.
  - 18. The computer program product of claim 13, wherein an I/O data interface is shared by said plurality of OS partitions through a virtual I/O server (VIOS) that is in communication with said hypervisor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Abercrombie, David K., Brown, Aaron Ches, Recio, Renato J., Kovacs, Robert George
Primary Examiner(s)
Chea; Philip J

Application Number

US12/109,452
Publication Number

US 20090271494A1
Time in Patent Office

949 Days
Field of Search

709/225, 709/229, 709/238, 709/250, 726/11, 726/13, 726/27, 718/1, 710/36
US Class Current

709/250
CPC Class Codes

G06F 21/52 during program execution, e...

H04L 63/1416 Event detection, e.g. attac...

Providing server security via a security sensor application shared by multiple operating system partitions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Providing server security via a security sensor application shared by multiple operating system partitions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links