Method and system for intrusion and extrusion detection
First Claim
1. A system for intrusion and extrusion detection comprising:
at least one processor; and
at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for intrusion and extrusion detection, the process for intrusion and extrusion detection including;
providing a network communications system, the network communications system controlling message traffic sent to, and/or sent from, a virtual asset;
providing the network communications system an analysis trigger monitoring system;
defining two or more analysis trigger parameters, the two or more analysis trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
generating analysis trigger data representing the analysis trigger parameters;
providing the analysis trigger data to the analysis trigger monitoring system;
using the analysis trigger monitoring system and the analysis trigger data to monitor at least a portion of the message traffic sent to, and/or sent from, the virtual asset controlled by the network communications system to detect any message satisfying one or more of the two or more analysis trigger parameters, wherein all message traffic sent to, and/or sent from, the virtual asset is relayed by the network communications system using a first communications channel;
classifying any detected message satisfying one or more of the two or more analysis trigger parameters as a suspect message;
for each suspect message generating suspect message copy data representing a copy of at least a portion of the suspect message; and
transferring the suspect message copy data to one or more analysis systems for further analysis, the suspect message copy data being transferred to the one or more analysis systems through an analysis communications channel that is distinct from the first communications channel.
Abstract
A hypervisor includes an analysis trigger monitoring system. One or more analysis trigger parameters are defined and analysis trigger data representing the analysis trigger parameters is generated. The analysis trigger data is then provided to the analysis trigger monitoring system and the analysis trigger monitoring system is used to monitor at least a portion of the message traffic sent to, and/or sent from, a virtual asset controlled by the hypervisor to detect any message including one or more of the one or more analysis trigger parameters. A copy of at least a portion of any detected message including one or more of the one or more analysis trigger parameters is then transferred to one or more analysis systems for further analysis.
24 Claims
1. A system for intrusion and extrusion detection comprising: (claim 1 is given in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system for hypervisor assisted intrusion and extrusion detection comprising:
at least one processor; and
at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for hypervisor assisted intrusion and extrusion detection, the process for hypervisor assisted intrusion and extrusion detection including;
providing a hypervisor, the hypervisor controlling a virtual asset;
providing the hypervisor an analysis trigger monitoring system;
defining two or more analysis trigger parameters, the two or more analysis trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
generating analysis trigger data representing the analysis trigger parameters;
providing the analysis trigger data to the analysis trigger monitoring system;
using the analysis trigger monitoring system and the analysis trigger data to monitor at least a portion of the message traffic sent to, and/or sent from, the virtual asset controlled by the hypervisor to detect any message satisfying one or more of the two or more analysis trigger parameters, wherein all message traffic sent to, and/or sent from, the virtual asset is relayed by the network communications system using a first communications channel;
classifying any detected message satisfying one or more of the two or more analysis trigger parameters as a suspect message;
for each suspect message generating suspect message copy data representing a copy of at least a portion of the suspect message; and
transferring the suspect message copy data to one or more analysis systems for further analysis, the suspect message copy data being transferred to the one or more analysis systems through an analysis communications channel that is distinct from the first communications channel.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A system for hypervisor assisted intrusion and extrusion detection comprising:
a host system, the host system hosting at least one virtual asset;
a hypervisor controlling the at least one virtual asset, the hypervisor being associated with the host system;
a first communications channel through which all the message traffic sent to, and/or sent from, the at least one virtual asset controlled by the hypervisor;
an analysis trigger monitoring module, the analysis trigger monitoring module being associated with the hypervisor;
one or more analysis systems for performing analysis of copy data representing a copy of at least a portion of a suspect message;
at least one analysis communications channel that is distinct from the first communications channel for transferring the suspect message copy data to the one or more analysis systems for further analysis;
at least one processor; and
at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for hypervisor assisted intrusion and extrusion detection, the process for hypervisor assisted intrusion and extrusion detection including;
defining two or more analysis trigger parameters, the two or more analysis trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
generating analysis trigger data representing the analysis trigger parameters;
providing the analysis trigger data to the analysis trigger monitoring module;
using the analysis trigger monitoring module and the analysis trigger data to monitor at least a portion of the message traffic sent to, and/or sent from, the one or more virtual assets to detect any message satisfying one or more of the two or more analysis trigger parameters, wherein all message traffic sent to, and/or sent from, the virtual asset is relayed by the network communications system using a first communications channel;
classifying any detected message satisfying one or more of the two or more analysis trigger parameters as a suspect message;
for each suspect message generating suspect message copy data representing a copy of at least a portion of the suspect message; and
transferring the suspect message copy data to one or more of the one or more analysis systems for further analysis, the suspect message copy data being transferred to the one or more analysis systems through an analysis communications channel that is distinct from the first communications channel.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
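The abstract and independent claims 1, 9 and 17 all describe one procedure: a monitor sitting at the relay point for a virtual asset's traffic (the hypervisor or the network communications system) is loaded with trigger data, every message is still relayed on the first channel, any message matching a trigger (peer address in a designated suspect region, or messages from one peer arriving faster than a threshold frequency) is classified as suspect, and a copy of at least part of it is pushed to analysis systems over a separate channel. The following is an added illustration of that flow in Python; it is not code from the patent or its assignee. The message layout, the prefix-to-region table (RFC 5737 documentation ranges standing in for a GeoIP database), the threshold values, and the class and function names are all assumptions made here.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a GeoIP database (hypothetical regions, documentation
# prefixes). A real deployment would consult a maintained geo database instead.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "REGION-X",   # treated as suspect below
    ipaddress.ip_network("198.51.100.0/24"): "REGION-A",
    ipaddress.ip_network("192.0.2.0/24"): "REGION-B",
}


def region_of(ip: str) -> Optional[str]:
    """Map a peer IP to a region code, or None if it is outside the table."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return None


@dataclass(frozen=True)
class TriggerData:
    """Analysis trigger data: the two parameters the claims require at minimum."""
    suspect_regions: frozenset   # geo trigger: designated suspect regions
    threshold: int               # frequency trigger: more than this many messages
    window_seconds: float        # ...from one peer inside this sliding window
    copy_bytes: int = 64         # how much payload the suspect copy retains


@dataclass
class Message:
    ts: float          # arrival time in seconds
    direction: str     # "in" (sent to the virtual asset) or "out" (sent from it)
    peer: str          # remote IP: source for "in", destination for "out"
    payload: bytes


class AnalysisTriggerMonitor:
    """Monitor at the relay point: relays everything, copies suspect messages."""

    def __init__(self, triggers: TriggerData, primary_channel: list, analysis_channel: list):
        self.triggers = triggers
        self.primary = primary_channel      # the first communications channel
        self.analysis = analysis_channel    # the distinct analysis channel
        self._seen = defaultdict(deque)     # peer -> timestamps inside the window

    def _matched_triggers(self, msg: Message) -> list:
        reasons = []
        region = region_of(msg.peer)
        if region in self.triggers.suspect_regions:
            reasons.append(f"geo:{region}")
        # Sliding-window rate per peer, applied to both directions so an
        # outbound beacon burst (extrusion) trips it as well as inbound floods.
        window = self._seen[msg.peer]
        window.append(msg.ts)
        cutoff = msg.ts - self.triggers.window_seconds
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) > self.triggers.threshold:
            reasons.append(f"freq:{len(window)}/{self.triggers.window_seconds}s")
        return reasons

    def relay(self, msg: Message) -> Optional[dict]:
        # Delivery is never blocked or altered: this is copy-and-analyze, not a
        # filter. The copy goes out on the analysis channel only.
        self.primary.append(msg)
        reasons = self._matched_triggers(msg)
        if not reasons:
            return None
        copy_data = {
            "ts": msg.ts, "direction": msg.direction, "peer": msg.peer,
            "reasons": reasons,
            "payload_head": msg.payload[: self.triggers.copy_bytes],
        }
        self.analysis.append(copy_data)
        return copy_data


def run_demo():
    """Constructed traffic: benign exchange, one message from a suspect region,
    then a 7-message outbound burst to a single peer within one second."""
    triggers = TriggerData(suspect_regions=frozenset({"REGION-X"}),
                           threshold=5, window_seconds=2.0, copy_bytes=16)
    primary, analysis = [], []
    monitor = AnalysisTriggerMonitor(triggers, primary, analysis)
    traffic = [
        Message(0.0, "in", "198.51.100.7", b"GET /health HTTP/1.1"),
        Message(0.5, "out", "198.51.100.7", b"HTTP/1.1 200 OK"),
        Message(1.0, "in", "203.0.113.5", b"POST /login user=admin&pw=..."),
    ]
    traffic += [Message(10.0 + i * 0.1, "out", "192.0.2.9", b"beacon %d" % i)
                for i in range(7)]
    for m in traffic:
        monitor.relay(m)
    return primary, analysis


if __name__ == "__main__":
    relayed, copies = run_demo()
    print(f"relayed {len(relayed)} messages, {len(copies)} suspect copies")
    for c in copies:
        print(c["direction"], c["peer"], c["reasons"], c["payload_head"])
```

Two points a practitioner would check before relying on this shape of detector: IP-to-region attribution is coarse and trivially shifted by a proxy or VPN, so the geo trigger should feed the analysis queue rather than drive blocking, and the frequency threshold and window need tuning against the asset's normal traffic or the analysis channel fills with health checks. Truncating the copy to a fixed number of bytes keeps the side channel cheap but can cut off the part of a message an analyst needs, so the length is a deliberate per-deployment choice.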