System and method for identifying unauthorized activities on a computer system using a data structure model
Abstract
A computer implemented method includes monitoring activity on the virtual machine. A plurality of activities being performed at the virtual machine is identified. Each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target. The activity sources, activity targets, and associations are stored in the memory. A fingerprint indicative of the activity on the virtual machine is created from the stored activities. The fingerprint is transmitted to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.
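The data flow in the abstract, as an added sketch that is not code from the patent: activities are stored as (source, association, target) triples, a fingerprint is built from them, and a later observation is compared against it. The PID masking, per-edge SHA-256 hashing, Jaccard score, 0.7 threshold and all sample records are assumptions; the text above does not say how the fingerprint is computed.

```python
import hashlib
import re
from typing import Iterable, NamedTuple

class Activity(NamedTuple):
    source: str       # who acted, e.g. a process
    association: str  # how the source relates to the target, e.g. "spawns"
    target: str       # what was acted on, e.g. a file or socket

def normalize(field: str) -> str:
    # Assumption: lowercase and mask bracketed PIDs so reruns compare equal.
    return re.sub(r"\[\d+\]", "[pid]", field.lower())

def fingerprint(activities: Iterable[Activity]) -> frozenset:
    # One SHA-256 per distinct normalized (source, association, target) edge.
    return frozenset(
        hashlib.sha256("\x1f".join(normalize(f) for f in a).encode()).hexdigest()
        for a in activities
    )

def similarity(fp_a: frozenset, fp_b: frozenset) -> float:
    # Jaccard index: shared edges / all edges seen in either fingerprint.
    union = fp_a | fp_b
    return len(fp_a & fp_b) / len(union) if union else 1.0

def matches(known: frozenset, observed: frozenset, threshold: float = 0.7) -> bool:
    # "Same or similar" is modelled as similarity >= an assumed threshold.
    return similarity(known, observed) >= threshold

# Constructed sample data: activity recorded on the decoy virtual machine ...
DECOY_RUN = [
    Activity("svchost.exe[1432]", "spawns", "cmd.exe[2210]"),
    Activity("cmd.exe[2210]", "writes", r"C:\Temp\a91.tmp"),
    Activity("cmd.exe[2210]", "connects", "192.0.2.10:4444"),
]
# ... the same behaviour seen later with different PIDs plus one extra edge ...
LATER_RUN = [
    Activity("svchost.exe[888]", "spawns", "cmd.exe[3021]"),
    Activity("cmd.exe[3021]", "writes", r"C:\Temp\a91.tmp"),
    Activity("cmd.exe[3021]", "connects", "192.0.2.10:4444"),
    Activity("cmd.exe[3021]", "reads", r"C:\Users\Public\notes.txt"),
]
# ... and unrelated activity that should not match.
BENIGN_RUN = [Activity("explorer.exe[400]", "opens", r"C:\Users\Public\notes.txt")]

if __name__ == "__main__":
    known = fingerprint(DECOY_RUN)
    for name, run in (("later", LATER_RUN), ("benign", BENIGN_RUN)):
        print(name, similarity(known, fingerprint(run)), matches(known, fingerprint(run)))
```

Because the fingerprint is a set of edge hashes rather than one hash over the whole run, an observation with extra or missing edges still scores as similar instead of failing an exact comparison.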
23 Claims
1. A computer implemented method of identifying unauthorized activities on a decoy computer system attached to a computer network, wherein the decoy system comprises:
one or more processors; and
memory storing:
a virtual machine; and
a virtual machine monitor supervising the virtual machine,
the method comprising, at the virtual machine monitor:
monitoring activity on the virtual machine;
identifying a plurality of activities being performed at the virtual machine, wherein each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target;
storing in the memory the activity sources, activity targets, and associations;
creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; and
transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 21, 22, 23
19. A system, comprising:
one or more processors; and
memory storing:
a virtual machine;
a virtual machine monitor supervising the virtual machine; and
one or more programs, the one or more programs including instructions for:
monitoring activity on the virtual machine;
identifying a plurality of activities being performed at the virtual machine, where each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target;
storing in the memory the activity sources, activity targets, and associations;
creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; and
transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.
20. A non-transitory computer readable storage medium, including one or more programs for execution by one or more processors of a computer system, the one or more programs including instructions for:
monitoring activity on the virtual machine;
identifying a plurality of activities being performed at the virtual machine, where each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target;
storing in the memory the activity sources, activity targets, and associations;
creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; and
transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.
Specification