Installing virtual machines within different communication pathways to access protected resources

US 9,459,912 B1
Filed: 06/24/2015
Issued: 10/04/2016
Est. Priority Date: 06/24/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of controlling access to computer resources used by a computer application, the computer-implemented method comprising:

fractionating, by one or more processors, a computer application into disparate components;

assigning, by one or more processors, two or more of the disparate components to different communication pathways, wherein the different communication pathways lead to requisite resources needed to execute the disparate components;

creating, by one or more processors, a virtual machine, wherein the virtual machine controls access to a particular requisite resource by a particular disparate component;

installing, by one or more processors, the virtual machine within at least one of the different communication pathways to control access to the particular requisite resource by the particular disparate component;

transmitting, by one or more processors, a resource retrieval instruction to retrieve the particular requisite resource via the virtual machine and the at least one of the different communication pathways, andtransmitting, by one or more processors, dummy instructions on the different communication pathways, wherein the dummy instructions utilize a same protocol as the resource retrieval instruction, and wherein the dummy instructions do not access the particular requisite resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method, system, and/or computer program product controls access to computer resources used by a computer application. One or more processors fractionate a computer application into disparate components. Two or more of the disparate components are assigned to different communication pathways, where the different communication pathways lead to requisite resources needed to execute the disparate components. One or more processors create and install a virtual machine within at least one of the different communication pathways, such that the virtual machine controls access to a particular requisite resource by a particular disparate component. One or more processors then issue a resource retrieval instruction to retrieve the particular requisite resource via the virtual machine and at least one of the different communication pathways.

44 Citations

View as Search Results

18 Claims

1. A computer-implemented method of controlling access to computer resources used by a computer application, the computer-implemented method comprising:
- fractionating, by one or more processors, a computer application into disparate components;
  
  assigning, by one or more processors, two or more of the disparate components to different communication pathways, wherein the different communication pathways lead to requisite resources needed to execute the disparate components;
  
  creating, by one or more processors, a virtual machine, wherein the virtual machine controls access to a particular requisite resource by a particular disparate component;
  
  installing, by one or more processors, the virtual machine within at least one of the different communication pathways to control access to the particular requisite resource by the particular disparate component;
  
  transmitting, by one or more processors, a resource retrieval instruction to retrieve the particular requisite resource via the virtual machine and the at least one of the different communication pathways, andtransmitting, by one or more processors, dummy instructions on the different communication pathways, wherein the dummy instructions utilize a same protocol as the resource retrieval instruction, and wherein the dummy instructions do not access the particular requisite resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, further comprising:
    - retrieving, by one or more processors, the particular requisite resource; and
      
      using, by one or more processors, the particular requisite resource to execute the particular disparate component.
  - 3. The computer-implemented method of claim 1, further comprising:
    - setting, by one or more processors, an expiration time for the virtual machine within the at least one of the different communication pathways; and
      
      in response to the expiration time passing for the virtual machine within the at least one of the different communication pathways, dematerializing, by one or more processors, the virtual machine, wherein dematerializing the virtual machine disables the at least one of the different communication pathways.
  - 4. The computer-implemented method of claim 1, further comprising:
    - installing, by one or more processors, multiple virtual machines in series within at least one of the different communication pathways, wherein the multiple virtual machines comprise a first virtual machine and a second virtual machine;
      
      assigning, by one or more processors, a first address message to the first virtual machine, wherein the first address message identifies only an address of the second virtual machine, and wherein the first address message instructs the first virtual machine to send the resource retrieval instruction to the second virtual machine; and
      
      assigning, by one or more processors, a second address message to the second virtual machine, wherein the second address message identifies only an address of the particular requisite resource, and wherein the second address message instructs the second virtual machine to send the resource retrieval instruction to the particular requisite resource.
  - 5. The computer-implemented method of claim 4, wherein the particular disparate component further comprises a command layer instruction, and wherein the computer-implemented method further comprises:
    - fractionating, by one or more processors, the command layer instruction into disparate command layer components;
      
      assigning, by one or more processors, a first disparate command layer component from the disparate command layer components to the first virtual machine;
      
      executing, by one or more processors, the first disparate command layer component to create a command virtual machine; and
      
      controlling, by one or more processors, the first virtual machine via the command virtual machine.
  - 6. The computer-implemented method of claim 1, further comprising:
    - restricting, by one or more processors, each of the different communication pathways such that each of the different communication pathways utilizes a different type of communication pathway as compared with other communication pathways in the different communication pathways.
  - 7. The computer-implemented method of claim 1, further comprising:
    - instantiating, by one or more processors, dummy communication pathways, wherein the dummy communication pathways do not access the particular requisite resource.
  - 8. The computer-implemented method of claim 1, further comprising:
    - defining, by one or more processors, a threat level for the particular requisite resource; and
      
      adjusting, by one or more processors, features of the virtual machine according to the threat level for the particular requisite resource.
  - 9. The computer-implemented method of claim 1, further comprising:
    - defining, by one or more processors, a threat level for the particular requisite resource; and
      
      adjusting, by one or more processors, a quantity of virtual machines between the computer application and the particular requisite resource according to the threat level for the particular requisite resource.
  - 10. The computer-implemented method of claim 1, further comprising:
    - defining, by one or more processors, a threat level for the particular disparate component; and
      
      adjusting, by one or more processors, features of the virtual machine according to the threat level for the particular disparate component.
  - 11. The computer-implemented method of claim 1, further comprising:
    - defining, by one or more processors, a threat level for the particular disparate component; and
      
      adjusting, by one or more processors, a quantity of virtual machines between the computer application and the particular requisite resource according to the threat level for the particular disparate component.
  - 12. The computer-implemented method of claim 1, wherein the disparate components provide features that have been predefined as being functionally different from one another.

13. A computer program product for controlling access to computer resources used by a computer application, the computer program product comprising a non-transitory computer readable storage medium having program code embodied therewith, the program code readable and executable by a processor to perform a method comprising:
- fractionating a computer application into disparate components;
  
  assigning two or more of the disparate components to different communication pathways, wherein the different communication pathways lead to requisite resources needed to execute the disparate components;
  
  creating a virtual machine, wherein the virtual machine controls access to a particular requisite resource by a particular disparate component;
  
  installing the virtual machine within at least one of the different communication pathways to control access to the particular requisite resource by the particular disparate component;
  
  transmitting a resource retrieval instruction to retrieve the particular requisite resource via the virtual machine and the at least one of the different communication pathways; and
  
  instantiating dummy communication pathways, wherein the dummy communication pathways do not access the particular requisite resource.
- View Dependent Claims (14, 15, 16)
- - 14. The computer program product of claim 13, wherein the method further comprises:
    - retrieving the particular requisite resource; and
      
      using the particular requisite resource to execute the particular disparate component.
  - 15. The computer program product of claim 13, wherein the method further comprises:
    - setting an expiration time for the virtual machine within the at least one of the different communication pathways; and
      
      in response to the expiration time passing for the virtual machine within the at least one of the different communication pathways, dematerializing the virtual machine, wherein dematerializing the virtual machine disables the at least one of the different communication pathways.
  - 16. The computer program product of claim 13, wherein the particular disparate component further comprises a command layer instruction, and wherein the method further comprises:
    - installing multiple virtual machines in series within at least one of the different communication pathways, wherein the multiple virtual machines comprise a first virtual machine and a second virtual machine;
      
      assigning a first address message to the first virtual machine, wherein the first address message identifies only an address of the second virtual machine, and wherein the first address message instructs the first virtual machine to send the resource retrieval instruction to the second virtual machine;
      
      assigning a second address message to the second virtual machine, wherein the second address message identifies only an address of the particular requisite resource, and wherein the second address message instructs the second virtual machine to send the resource retrieval instruction to the particular requisite resource;
      
      fractionating the command layer instruction into disparate command layer components;
      
      assigning a first disparate command layer component from the disparate command layer components to the first virtual machine;
      
      executing the first disparate command layer component to create a command virtual machine; and
      
      controlling the first virtual machine via the command virtual machine.

17. A computer system comprising:
- a processor, a computer readable memory, and a non-transitory computer readable storage medium;
  
  first program instructions to fractionate a computer application into disparate components;
  
  second program instructions to assign two or more of the disparate components to different communication pathways, wherein the different communication pathways lead to requisite resources needed to execute the disparate components;
  
  third program instructions to create a virtual machine, wherein the virtual machine controls access to a particular requisite resource by a particular disparate component, wherein the particular disparate component comprises a command layer instruction;
  
  fourth program instructions to install the virtual machine within at least one of the different communication pathways to control access to the particular requisite resource by the particular disparate component;
  
  fifth program instructions to transmit a resource retrieval instruction to retrieve the particular requisite resource via the virtual machine and the at least one of the different communication pathways;
  
  sixth program instructions to install multiple virtual machines in series within at least one of the different communication pathways, wherein the multiple virtual machines comprise a first virtual machine and a second virtual machine;
  
  seventh program instructions to assign a first address message to the first virtual machine, wherein the first address message identifies only an address of the second virtual machine, and wherein the first address message instructs the first virtual machine to send the resource retrieval instruction to the second virtual machine;
  
  eighth program instructions to assign a second address message to the second virtual machine, wherein the second address message identifies only an address of the particular requisite resource, and wherein the second address message instructs the second virtual machine to send the resource retrieval instruction to the particular requisite resource;
  
  ninth program instructions to fractionate the command layer instruction into disparate command layer components;
  
  tenth program instructions to assign a first disparate command layer component from the disparate command layer components to the first virtual machine;
  
  eleventh program instructions to execute the first disparate command layer component to create a command virtual machine; and
  
  twelfth program instructions to control the first virtual machine via the command virtual machine; and
  
  whereinthe first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, and twelfth program instructions are stored on the non-transitory computer readable storage medium for execution by one or more processors via the computer readable memory.
- View Dependent Claims (18)
- - 18. The computer system of claim 17, further comprising:
    - thirteenth program instructions to retrieve the particular requisite resource; and
      
      fourteenth program instructions to use the particular requisite resource to execute the particular disparate component; and
      
      whereinthe thirteenth and fourteenth program instructions are stored on the non-transitory computer readable storage medium for execution by one or more processors via the computer readable memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Durniak, Timothy, Friedlander, Robert R., Kraemer, James R., Linton, Jeb R.
Primary Examiner(s)
WU, BENJAMIN C

Application Number

US14/749,116
Time in Patent Office

468 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 2209/503   Resource availability

G06F 2221/2149   Restricted operating enviro...

G06F 8/61   Installation

G06F 9/4451   User profiles; Roaming

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

G06F 9/5027   the resource being a machin...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 67/1078   Resource delivery mechanisms

H04L 67/34   involving the movement of s...

Installing virtual machines within different communication pathways to access protected resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Installing virtual machines within different communication pathways to access protected resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links