Method and apparatus for encrypting data messages after detecting infected VM

US 9,489,519 B2
Filed: 06/30/2014
Issued: 11/08/2016
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. For a host machine on which a set of virtual machines (VMs) execute, an encryption method comprising:

detecting that a first VM in the set of VMs executing on the host machine is infected with malware by analyzing introspection data gathered from an agent installed on the first VM; and

based on the detected malware infection, encrypting data messages transmitted by at least a second VM in the set of VMs executing on the host machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.

30 Citations

View as Search Results

24 Claims

1. For a host machine on which a set of virtual machines (VMs) execute, an encryption method comprising:
- detecting that a first VM in the set of VMs executing on the host machine is infected with malware by analyzing introspection data gathered from an agent installed on the first VM; and
  
  based on the detected malware infection, encrypting data messages transmitted by at least a second VM in the set of VMs executing on the host machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein before the malware was detected, the data messages from the second VM were not encrypted.
  - 3. The method of claim 1, wherein the second VM is the first VM.
  - 4. The method of claim 1, wherein encrypting data messages comprises encrypting data messages transmitted by a plurality of VMs in the set of VMs that execute on the host, said plurality of VMs including VMs that are not infected with malware.
  - 5. The method of claim 1, wherein the second VM is not the first VM.
  - 6. The method of claim 1, wherein detecting malware infection on the first VM comprises detecting that the first VM has been tagged as a malware-infected VM.
  - 7. The method of claim 1 further comprising:
    - examining a set of encryption policies to determine whether a set of encryption rules needs to be specified because the first VM has been detected with malware; and
      
      based on the examination of the encryption policy set, specifying at least one encryption rule that specifies that data messages transmitted by the second VM should be encrypted.
  - 8. The method of claim 7, wherein specifying the encryption rule comprises specifying a plurality of encryption rules that each specify the encryption of data messages for a different VM in the set of VMs that executes on the host.
  - 9. The method of claim 7, wherein the specified encryption rule specifies the encryption of data messages from a plurality of VMs that execute on the host, said plurality of VMs including at least one VM that is not infected with malware.
  - 10. The method of claim 7, wherein the encryption policies are stored on the host computer.
  - 11. The method of claim 1 further comprising:
    - inserting an encryption identifier in at least one encrypted data message, said encryption identifier for allowing a destination of the data message to decrypt the encrypted data message.
  - 12. The method of claim 11, wherein the encryption identifier is a key identifier that identifies at least one of an encryption key that was used to encrypt the data message and a decryption key that is needed to decrypt the data message.
  - 13. The method of claim 11, wherein the encryption identifier is an encryption identifier that identifies at least one of an encryption process that was used to encrypt the data message and a decryption process that is needed to decrypt the data message.
  - 14. The method of claim 11, wherein the encryption identifier is inserted in a header field of the data message.

15. For a host machine on which a set of virtual machines (VMs) execute, an encryption method comprising:
- detecting that a first VM in the set of VMs executing on the host machine is infected with malware by analyzing introspection data from a guest introspection agent installed on the first VM; and
  
  based on the detected malware infection, encrypting data messages transmitted by at least a second VM in the set of VMs executing on the host machine.
- View Dependent Claims (17)
- - 17. The method of claim 15,wherein the VMs are guest VMs (GVMs),wherein detecting malware infection comprises determining whether a GVM has been associated with a malware tag by a service VM (SVM) executing on the host, andwherein the SVM (i) analyzes introspection data provided by an agent installed on the GVM to determine whether the GVM has been infected with malware, and (ii) associates a malware tag with the GVM when the introspection data from the GVM indicates that the GVM has been infected by malware.

16. A non-transitory machine readable medium storing a program for encrypting messages from a virtual machine (VM) in a set of VMs that execute on a host computer, the program comprising sets of instructions for:
- detecting that a first VM in the set of VMs executing on the host machine is infected with malware by analyzing introspection data gathered from an agent installed on the first VM; and
  
  based on the detected malware infection, encrypting data messages transmitted by at least a second VM in the set of VMs executing on the host machine.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The non-transitory machine readable medium of claim 16, wherein the set of instructions for encrypting data messages comprises sets of instructions for:
    - using a set of message attribute values to identify one encryption rule from a plurality of stored encryption rules, said identified encryption rule being an encryption rule that is defined for the data messages sent by the second VM;
      
      retrieving an encryption parameter for an encryption process from the identified encryption rule; and
      
      using the identified encryption parameter to encrypt the data messages.
  - 19. The non-transitory machine readable medium of claim 16, wherein the set of VMs includes VMs belonging to different tenants.
  - 20. The non-transitory machine readable medium of claim 16, wherein the set of instructions for encrypting data messages comprises a set of instructions for encrypting data messages from a plurality of VMs that execute on the host, said plurality of VMs belonging to a plurality of tenants, said plurality of VMs further comprising VMs that are not infected with malware.
  - 21. The non-transitory machine readable medium of claim 16 further comprising sets of instructions for:
    - examining a set of encryption policies to determine whether a set of encryption rules needs to be specified because the first VM has been detected with malware; and
      
      based on the examination of the encryption policy set, specifying at least one encryption rule that specifies that data messages transmitted by the second VM should be encrypted.
  - 22. The non-transitory machine readable medium of claim 16,wherein the VMs are guest VMs (GVMs),wherein the set of instructions for detecting malware infection further comprises a set of instructions for determining whether a GVM has been associated with a malware tag by a service VM (SVM) executing on the host, andwherein the SVM (i) analyzes introspection data provided by an agent installed on the GVM to determine whether the GVM has been infected with malware, and (ii) associates a malware tag with the GVM when the introspection data from the GVM indicates that the GVM has been infected by malware.
  - 23. The non-transitory machine readable medium of claim 16 further comprising a set of instructions for inserting an encryption identifier in at least one encrypted data message, said encryption identifier for allowing a destination of the data message to decrypt the encrypted data message.

24. A non-transitory machine readable medium storing a program for encrypting messages from a virtual machine (VM) in a set of VMs that execute on a host computer, the program comprising sets of instructions for:
- detecting that a first VM in the set of VMs executing on the host machine is infected with malware by analyzing introspection data from a guest introspection agent installed on the VM; and
  
  based on the detected malware infection, encrypting data messages transmitted by at least a second VM in the set of VMs executing on the host machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Feroz, Azeem, Thota, Kiran Kumar, Wiese, James C.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US14/320,579
Publication Number

US 20150379279A1
Time in Patent Office

862 Days
Field of Search

713/189, 713/193
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/602   Providing cryptographic fac...

G06F 21/6236   between heterogeneous systems

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/542   Event management; Broadcast...

G09C 1/00   Apparatus or methods whereb...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 9/14   using a plurality of keys o...

Method and apparatus for encrypting data messages after detecting infected VM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for encrypting data messages after detecting infected VM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links