Fight-through nodes with disposable virtual machines and rollback of persistent state
First Claim
1. A method comprising:
receiving, by a computing system, a plurality of messages from one or more client computing devices, each of the plurality of messages corresponding to a transaction in a plurality of transactions;
for each respective transaction in the plurality of transactions:
initializing, by the computing system and from a common template that has been determined to be free of malware infection, a respective one of a plurality of virtual machines that execute at one or more computing devices of the computing system, wherein initializing comprises initializing an instance of an application on the respective virtual machine in accordance with application state stored within a shared database;
wherein the plurality of messages includes a request to initiate a respective communication session between the computing system and a particular client computing device among the one or more client computing devices;
in response to receiving the request to initiate the respective communication session, assigning, by the computing system, the respective transaction to the respective virtual machine from the plurality of virtual machines, wherein the respective transaction is the first transaction assigned to the respective virtual machine;
generating, by the respective virtual machine, as part of the respective virtual machine completing the respective transaction, a database modification request associated with the respective transaction;
performing a modification to the shared database in response to the database modification request associated with the respective transaction, wherein the database modification request requests modification, within the shared database, of the application state for the application running on the respective virtual machine, and wherein the shared database is persisted independently of the plurality of virtual machines;
generating checkpoint data associated with the respective transaction;
in response to determining that processing of the respective transaction is complete upon detecting termination of the respective communication session, discarding, by the computing system, the respective virtual machine; and
in response to determining that the respective transaction is associated with a cyber-attack, using the checkpoint data associated with the respective transaction to roll back the modification to the shared database performed in response to the database modification request associated with the respective transaction.
Abstract
A server system receives messages from client computing devices. Each of the messages corresponds to a transaction. The server system assigns each respective transaction to a respective fresh virtual machine. Furthermore, the server system performs, as part of a respective virtual machine processing a respective transaction, a modification associated with the respective transaction to a shared database. The shared database is persisted independently of the plurality of virtual machines. In response to determining that processing of the respective transaction is complete, the server system discards the respective virtual machine. In response to determining that the respective transaction is associated with a cyber-attack, the server system uses checkpoint data associated with the respective transaction to roll back the modifications associated with the respective transaction to the shared database.
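The flow in the abstract, as an added example that is not taken from the patent: a minimal Python model in which SQLite stands in for the shared database, a dict stands in for a virtual machine cloned from the clean template, and the checkpoint data is a before-image of each modified key. The class, table, and transaction names are assumptions made for illustration.

```python
import sqlite3

class FightThroughNode:
    """Toy model: one fresh worker per transaction, shared DB with per-transaction undo records."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # shared database, persisted apart from workers
        self.db.execute("CREATE TABLE state (key TEXT PRIMARY KEY, value TEXT)")
        # Checkpoint data: the before-image of every key a transaction modifies.
        self.db.execute("CREATE TABLE checkpoint (seq INTEGER PRIMARY KEY AUTOINCREMENT,"
                        " txn TEXT, key TEXT, old_value TEXT)")
        self.live_workers = {}

    def handle(self, txn, writes):
        """Run one transaction from session start to session end on a fresh worker."""
        self.live_workers[txn] = {"template": "clean", "txn": txn}  # stand-in for a new VM
        for key, value in writes:  # each write is a database modification request
            row = self.db.execute("SELECT value FROM state WHERE key=?", (key,)).fetchone()
            self.db.execute("INSERT INTO checkpoint (txn, key, old_value) VALUES (?,?,?)",
                            (txn, key, row[0] if row else None))
            self.db.execute("INSERT OR REPLACE INTO state VALUES (?,?)", (key, value))
        self.db.commit()
        del self.live_workers[txn]  # session terminated: discard the worker

    def rollback(self, txn):
        """Undo one transaction's modifications, newest first; returns how many were undone."""
        rows = self.db.execute("SELECT seq, key, old_value FROM checkpoint WHERE txn=?"
                               " ORDER BY seq DESC", (txn,)).fetchall()
        for seq, key, old in rows:
            if old is None:  # key did not exist before this transaction
                self.db.execute("DELETE FROM state WHERE key=?", (key,))
            else:
                self.db.execute("INSERT OR REPLACE INTO state VALUES (?,?)", (key, old))
            self.db.execute("DELETE FROM checkpoint WHERE seq=?", (seq,))
        self.db.commit()
        return len(rows)

    def state(self):
        return dict(self.db.execute("SELECT key, value FROM state"))

def demo():
    # Constructed sample transactions; "t2" plays the one later tied to an attack.
    node = FightThroughNode()
    node.handle("t1", [("alice", "100")])
    node.handle("t2", [("alice", "0"), ("mallory", "100")])
    node.handle("t3", [("bob", "50")])
    node.rollback("t2")
    return node.state()
```

Restoring before-images is only safe while no later transaction has written the same keys; the claims do not say how dependent transactions are handled, so this example does not either.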
20 Claims
13. A computing system comprising:
a shared database; and
one or more computing devices configured to:
receive a plurality of messages from one or more client computing devices, each of the plurality of messages corresponding to a transaction in a plurality of transactions;
for each respective transaction in the plurality of transactions:
initialize, from a common template that has been determined to be free of malware infection, a respective one of a plurality of virtual machines that execute at one or more of the computing devices of the computing system, wherein initializing comprises initializing an instance of an application on the respective virtual machine in accordance with application state stored within the shared database;
wherein the plurality of messages includes a request to initiate a respective communication session between the computing system and a particular client computing device among the one or more client computing devices;
in response to receiving the request to initiate the respective communication session, assign the respective transaction to the respective virtual machine from the plurality of virtual machines, wherein the respective transaction is the first transaction assigned to the respective virtual machine;
generate, as part of the respective virtual machine completing the respective transaction, a database modification request associated with the respective transaction;
perform a modification to the shared database in response to the database modification request associated with the respective transaction, wherein the database modification request requests modification, within the shared database, of the application state for the application running on the respective virtual machine, and wherein the shared database is persisted independently of the plurality of virtual machines;
generate checkpoint data associated with the respective transaction;
in response to determining that processing of the respective transaction is complete upon detecting termination of the respective communication session, discard the respective virtual machine; and
in response to determining that the respective transaction is associated with a cyber-attack, use the checkpoint data associated with the respective transaction to roll back the modification to the shared database performed in response to the database modification request associated with the respective transaction.
19. A non-transitory computer-readable data storage medium having stored thereon instructions that, when executed, configure a computing system to:
receive a plurality of messages from one or more client computing devices, each of the plurality of messages corresponding to a transaction in a plurality of transactions;
for each respective transaction in the plurality of transactions:
initialize, from a common template that has been determined to be free of malware infection, a respective one of a plurality of virtual machines that execute at one or more computing devices of the computing system, wherein initializing comprises initializing an instance of an application on the respective virtual machine in accordance with application state stored within a shared database;
wherein the plurality of messages includes a request to initiate a respective communication session between the computing system and a particular client computing device among the one or more client computing devices;
in response to receiving the request to initiate the respective communication session, assign the respective transaction to the respective virtual machine from the plurality of virtual machines, wherein the respective transaction is the first transaction assigned to the respective virtual machine;
generate, as part of the respective virtual machine completing the respective transaction, a database modification request associated with the respective transaction;
perform a modification to the shared database in response to the database modification request associated with the respective transaction, wherein the database modification request requests modification, within the shared database, of the application state for the application running on the respective virtual machine, and wherein the shared database is persisted independently of the plurality of virtual machines;
generate checkpoint data associated with the respective transaction;
in response to determining that processing of the respective transaction is complete upon detecting termination of the respective communication session, discard the respective virtual machine; and
in response to determining that the respective transaction is associated with a cyber-attack, use the checkpoint data associated with the respective transaction to roll back the modification to the shared database performed in response to the database modification request associated with the respective transaction.
20. A network node comprising:
a hardware-based processing system having a set of one or more processing units;
a plurality of virtual machines (VMs) executing on the one or more processing units, wherein each of the plurality of virtual machines is initialized from a common template that has been determined to be free of malware infection;
a dispatcher that:
receives, from one or more client computing devices, a plurality of messages corresponding to transactions in a plurality of transactions, wherein, for each respective transaction in the plurality of transactions, the plurality of messages includes requests to initiate respective communication sessions between the network node and particular client computing devices,
assigns, in response to receiving the requests to initiate the respective communication sessions, each of the transactions to the plurality of virtual machines, and
discards each of the VMs when the transactions assigned to the VMs are complete upon detecting termination of the respective communication sessions;
one or more intrusion detection systems that detect whether any of the VMs have been compromised and whether a shared database has been compromised;
a checkpointing module that generates checkpoint data based on requests from the VMs to modify the shared database,
a rollback module that uses the checkpoint data to roll back modifications to the shared database that are associated with a particular transaction when the one or more intrusion detection systems determine that a VM to which the particular transaction was assigned has been compromised or the shared database has been compromised, and
one or more processors are configured such that for each respective virtual machine from the plurality of virtual machines, the one or more processors generate a database modification request as part of completing a respective transaction from the plurality of transactions, the database modification request requesting storage to the shared database of an application state of an application running on the respective virtual machine,
wherein the one or more processors initialize, from the common template, a particular virtual machine such that an instance of the application running on the particular virtual machine has the application state of the application running on one of the virtual machines.