Method and system for intrusion and extrusion detection

US 9,323,926 B2
Filed: 12/30/2013
Issued: 04/26/2016
Est. Priority Date: 12/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system for intrusion and extrusion detection comprising:

at least one processor; and

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for intrusion and extrusion detection, the process for intrusion and extrusion detection including;

providing a network communications system, the network communications system controlling message traffic sent to, and/or sent from, a virtual asset;

providing the network communications system an analysis trigger monitoring system;

defining two or more analysis trigger parameters, the two or more analysis trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;

generating analysis trigger data representing the analysis trigger parameters;

providing the analysis trigger data to the analysis trigger monitoring system;

using the analysis trigger monitoring system and the analysis trigger data to monitor at least a portion of the message traffic sent to, and/or sent from, the virtual asset controlled by the network communications system to detect any message satisfying one or more of the two or more analysis trigger parameters, wherein all message traffic sent to, and/or sent from, the virtual asset is relayed by the network communications system using a first communications channel;

classifying any detected message satisfying one or more of the two or more analysis trigger parameters as a suspect message;

for each suspect message generating suspect message copy data representing a copy of at least a portion of the suspect message; and

transferring the suspect message copy data to one or more analysis systems for further analysis, the suspect message copy data being transferred to the one or more analysis systems through an analysis communications channel that is distinct from the first communications channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hypervisor includes an analysis trigger monitoring system. One or more analysis trigger parameters are defined and analysis trigger data representing the analysis trigger parameters is generated. The analysis trigger data is then provided to the analysis trigger monitoring system and the analysis trigger monitoring system is used to monitor at least a portion of the message traffic sent to, and/or sent from, a virtual asset controlled by the hypervisor to detect any message including one or more of the one or more analysis trigger parameters. A copy of at least a portion of any detected message including one or more of the one or more analysis trigger parameters is then transferred to one or more analysis systems for further analysis.

170 Citations

24 Claims

1. A system for intrusion and extrusion detection comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for intrusion and extrusion detection, the process for intrusion and extrusion detection including;
  
  providing a network communications system, the network communications system controlling message traffic sent to, and/or sent from, a virtual asset;
  
  providing the network communications system an analysis trigger monitoring system;
  
  defining two or more analysis trigger parameters, the two or more analysis trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
  
  generating analysis trigger data representing the analysis trigger parameters;
  
  providing the analysis trigger data to the analysis trigger monitoring system;
  
  using the analysis trigger monitoring system and the analysis trigger data to monitor at least a portion of the message traffic sent to, and/or sent from, the virtual asset controlled by the network communications system to detect any message satisfying one or more of the two or more analysis trigger parameters, wherein all message traffic sent to, and/or sent from, the virtual asset is relayed by the network communications system using a first communications channel;
  
  classifying any detected message satisfying one or more of the two or more analysis trigger parameters as a suspect message;
  
  for each suspect message generating suspect message copy data representing a copy of at least a portion of the suspect message; and
  
  transferring the suspect message copy data to one or more analysis systems for further analysis, the suspect message copy data being transferred to the one or more analysis systems through an analysis communications channel that is distinct from the first communications channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system for intrusion and extrusion detection of claim 1 wherein the virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop;
      
      part of a desktop;
      
      part of a point-of-sale device;
      
      part of an ATM; and
      
      part of an electronic voting machine.
  - 3. The system for intrusion and extrusion detection of claim 1 wherein the analysis trigger monitoring system monitors all of the message traffic sent to, and/or sent from, the virtual asset.
  - 4. The system for intrusion and extrusion detection of claim 1 wherein the analysis trigger monitoring system monitors a sample portion of the message traffic sent to, and/or sent from, the virtual asset.
  - 5. The system for intrusion and extrusion detection of claim 1 wherein at least one of the one or more analysis trigger parameters is selected from the group of analysis trigger parameters consisting of:
    - an IP address indicating a designated suspect origin or destination;
      
      an IP address indicating a destination or origin not included in an allowed origin or destination list;
      
      an IP address indicating a geographical region not included in an allowed geographical region list;
      
      frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;
      
      a message size that exceeds a threshold maximum message size;
      
      a message size that does not meet a threshold minimum message size;
      
      a hash value of the message data that is not included in a list of allowed hash values;
      
      an MD5 value of the message data that is not included in a list of allowed MD5 values;
      
      the specific identity of the sender of the message; and
      
      the specific identity of the recipient of the message.
  - 6. The system for intrusion and extrusion detection of claim 1 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis and/or action based, at least in part, on the analysis trigger parameter of the one or more analysis trigger parameters detected in the suspect message.
  - 7. The system for intrusion and extrusion detection of claim 1 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion or extrusion related message, one or more designated parties are automatically informed.
  - 8. The system for intrusion and extrusion detection of claim 1 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion or extrusion related message, one or more protective actions are automatically implemented.

9. A system for hypervisor assisted intrusion and extrusion detection comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for hypervisor assisted intrusion and extrusion detection, the process for hypervisor assisted intrusion and extrusion detection including;
  
  providing a hypervisor, the hypervisor controlling a virtual asset;
  
  providing the hypervisor an analysis trigger monitoring system;
  
  defining two or more analysis trigger parameters, the two or more analysis trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
  
  generating analysis trigger data representing the analysis trigger parameters;
  
  providing the analysis trigger data to the analysis trigger monitoring system;
  
  using the analysis trigger monitoring system and the analysis trigger data to monitor at least a portion of the message traffic sent to, and/or sent from, the virtual asset controlled by the hypervisor to detect any message satisfying one or more of the two or more analysis trigger parameters, wherein all message traffic sent to, and/or sent from, the virtual asset is relayed by the network communications system using a first communications channel;
  
  classifying any detected message satisfying one or more of the two or more analysis trigger parameters as a suspect message;
  
  for each suspect message generating suspect message copy data representing a copy of at least a portion of the suspect message; and
  
  transferring the suspect message copy data to one or more analysis systems for further analysis, the suspect message copy data being transferred to the one or more analysis systems through an analysis communications channel that is distinct from the first communications channel.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system for hypervisor assisted intrusion and extrusion detection of claim 9 wherein the virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop;
      
      part of a desktop;
      
      part of a point-of-sale device;
      
      part of an ATM; and
      
      part of an electronic voting machine.
  - 11. The system for hypervisor assisted intrusion and extrusion detection of claim 9 wherein the analysis trigger monitoring system monitors all of the message traffic sent to, and/or sent from, the virtual asset.
  - 12. The system for hypervisor assisted intrusion and extrusion detection of claim 9 wherein the analysis trigger monitoring system monitors a sample portion of the message traffic sent to, and/or sent from, the virtual asset.
  - 13. The system for hypervisor assisted intrusion and extrusion detection of claim 9 wherein at least one of the one or more analysis trigger parameters is selected from the group of analysis trigger parameters consisting of:
    - an IP address indicating a designated suspect origin or destination;
      
      an IP address indicating a destination or origin not included in an allowed origin or destination list;
      
      an IP address indicating a geographical region not included in an allowed geographical region list;
      
      frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;
      
      a message size that exceeds a threshold maximum message size;
      
      a message size that does not meet a threshold minimum message size;
      
      a hash value of the message data that is not included in a list of allowed hash values;
      
      an MD5 value of the message data that is not included in a list of allowed MD5 values;
      
      the specific identity of the sender of the message; and
      
      the specific identity of the recipient of the message.
  - 14. The system for hypervisor assisted intrusion and extrusion detection of claim 9 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis and/or action based, at least in part, on the analysis trigger parameter of the one or more analysis trigger parameters detected in the suspect message.
  - 15. The system for hypervisor assisted intrusion and extrusion detection of claim 9 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion or extrusion related message, one or more designated parties are automatically informed.
  - 16. The system for hypervisor assisted intrusion and extrusion detection of claim 9 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion or extrusion related message, one or more protective actions are automatically implemented.

17. A system for hypervisor assisted intrusion and extrusion detection comprising:
- a host system, the host system hosting at least one virtual asset;
  
  a hypervisor controlling the at least one virtual asset, the hypervisor being associated with the host system;
  
  a first communications channel through which all the message traffic sent to, and/or sent from, the at least one virtual asset controlled by the hypervisor;
  
  an analysis trigger monitoring module, the analysis trigger monitoring module being associated with the hypervisor;
  
  one or more analysis systems for performing analysis of copy data representing a copy of at least a portion of a suspect message;
  
  at least one analysis communications channel that is distinct from the first communications channel for transferring the suspect message copy data to the one or more analysis systems for further analysis;
  
  at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for hypervisor assisted intrusion and extrusion detection, the process for hypervisor assisted intrusion and extrusion detection including;
  
  defining two or more analysis trigger parameters, the two or more analysis trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
  
  generating analysis trigger data representing the analysis trigger parameters;
  
  providing the analysis trigger data to the analysis trigger monitoring module;
  
  using the analysis trigger monitoring module and the analysis trigger data to monitor at least a portion of the message traffic sent to, and/or sent from, the one or more virtual assets to detect any message satisfying one or more of the two or more analysis trigger parameters, wherein all message traffic sent to, and/or sent from, the virtual asset is relayed by the network communications system using a first communications channel;
  
  classifying any detected message satisfying one or more of the two or more analysis trigger parameters as a suspect message;
  
  for each suspect message generating suspect message copy data representing a copy of at least a portion of the suspect message; and
  
  transferring the suspect message copy data to one or more of the one or more analysis systems for further analysis, the suspect message copy data being transferred to the one or more analysis systems through an analysis communications channel that is distinct from the first communications channel.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system for hypervisor assisted intrusion and extrusion detection of claim 17 wherein the at least one virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop;
      
      part of a desktop;
      
      part of a point-of-sale device;
      
      part of an ATM; and
      
      part of an electronic voting machine.
  - 19. The system for hypervisor assisted intrusion and extrusion detection of claim 17 wherein the analysis trigger monitoring module monitors all of the message traffic sent to, and/or sent from, the at least one virtual asset.
  - 20. The system for hypervisor assisted intrusion and extrusion detection of claim 17 wherein the analysis trigger monitoring module monitors a sample portion of the message traffic sent to, and/or sent from, the at least one virtual asset.
  - 21. The system for hypervisor assisted intrusion and extrusion detection of claim 17 wherein at least one of the one or more analysis trigger parameters is selected from the group of analysis trigger parameters consisting of:
    - an IP address indicating a designated suspect origin or destination;
      
      an IP address indicating a destination or origin not included in an allowed origin or destination list;
      
      an IP address indicating a geographical region not included in an allowed geographical region list;
      
      a message size that exceeds a threshold maximum message size;
      
      frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;
      
      a message size that does not meet a threshold minimum message size;
      
      a hash value of the message data that is not included in a list of allowed hash values;
      
      an MD5 value of the message data that is not included in a list of allowed MD5 values;
      
      the specific identity of the sender of the message; and
      
      the specific identity of the recipient of the message.
  - 22. The system for hypervisor assisted intrusion and extrusion detection of claim 17 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis and/or action based, at least in part, on the analysis trigger parameter of the one or more analysis trigger parameters detected in the suspect message.
  - 23. The system for hypervisor assisted intrusion and extrusion detection of claim 17 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion or extrusion related message, one or more designated parties are automatically informed.
  - 24. The system for hypervisor assisted intrusion and extrusion detection of claim 17 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion or extrusion related message, one or more protective actions are automatically implemented.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Cabrera, Luis Felipe, Lietz, M. Shannon
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
SONG, HEE K

Application Number

US14/143,999
Publication Number

US 20150186641A1
Time in Patent Office

848 Days
Field of Search

726/11, 726/23, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/1441   Countermeasures against mal...

Method and system for intrusion and extrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

170 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for intrusion and extrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links