Security policy generation based on snapshots of similar virtual machines
First Claim
1. A method comprising:
monitoring a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
for each virtual machine of the set of monitored virtual machines, determining a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
determining a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
determining a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
analyzing the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein the comparison of the snapshot deltas is based only on significant snapshot deltas;
wherein the analysis of the snapshot deltas includes:
determining an identity of first intersection snapshot deltas that occur in every virtual machine of the first subset of virtual machine(s); and
communicating that the first intersection snapshot deltas are relatively likely to reflect an effective defense to the attack.
Abstract
Determining which snapshot deltas tend to occur in: (i) healthy virtual machines (VMs) that have been subject to an attack yet remained healthy, and/or (ii) unhealthy VMs that have apparently been adversely affected by an attack. Snapshot deltas that occur in at least some (or more preferably all) of the healthy VM subset provide information about software changes (for example, updates, configuration changes) that may be helpful. Snapshot deltas that occur in at least some (or more preferably all) of the unhealthy VM subsets provide information about software changes (for example, updates, configuration changes) that may be unhelpful.
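The analysis described in the abstract can be sketched as set operations over per-VM delta sets. This is an added example, not code from the patent or its assignee; the `Delta` record, the `INSIGNIFICANT_KINDS` filter, the fleet layout and all sample values are assumptions constructed for illustration, and "tend to occur only in" is read strictly here as "in every VM of one subset and in none of the other".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delta:
    kind: str    # "package", "config", "log", ...
    item: str
    change: str  # "old->new"

# Assumption: which kinds of change count as "significant" is a local policy choice.
INSIGNIFICANT_KINDS = {"log", "tmpfile"}

def snapshot_deltas(snapshots):
    """Significant changes between each pair of temporally adjacent snapshots."""
    deltas = set()
    for before, after in zip(snapshots, snapshots[1:]):
        for kind, item in before.keys() | after.keys():
            old, new = before.get((kind, item)), after.get((kind, item))
            if old != new and kind not in INSIGNIFICANT_KINDS:
                deltas.add(Delta(kind, item, f"{old}->{new}"))
    return deltas

def analyze(fleet):
    """Split attacked VMs into unaffected/affected and compare their delta sets."""
    healthy, unhealthy = [], []
    for vm in fleet.values():
        if vm["attacked"]:
            group = unhealthy if vm["affected"] else healthy
            group.append(snapshot_deltas(vm["snapshots"]))
    in_all = lambda groups: set.intersection(*groups) if groups else set()
    in_any = lambda groups: set().union(*groups)
    return {
        "likely_defense": in_all(healthy) - in_any(unhealthy),
        "likely_harmful": in_all(unhealthy) - in_any(healthy),
    }

# Constructed sample fleet: two snapshots per VM, keyed by (kind, item).
OPENSSL, ROOT = ("package", "openssl"), ("config", "PermitRootLogin")
PLUGIN, LOG = ("package", "plugin-x"), ("log", "/var/log/messages")
BASE = {OPENSSL: "1.0.1", ROOT: "yes", LOG: "h1"}
FLEET = {
    "vm-a": {"attacked": True, "affected": False,
             "snapshots": [BASE, {**BASE, OPENSSL: "1.0.2", ROOT: "no", LOG: "h2"}]},
    "vm-b": {"attacked": True, "affected": False,
             "snapshots": [BASE, {**BASE, OPENSSL: "1.0.2"}]},
    "vm-c": {"attacked": True, "affected": True,
             "snapshots": [BASE, {**BASE, PLUGIN: "2.3"}]},
    "vm-d": {"attacked": True, "affected": True,
             "snapshots": [BASE, {**BASE, PLUGIN: "2.3", ROOT: "no"}]},
    "vm-e": {"attacked": False, "affected": False,
             "snapshots": [BASE, {**BASE, ROOT: "no"}]},
}

if __name__ == "__main__":
    for label, deltas in analyze(FLEET).items():
        print(label, sorted(deltas, key=lambda d: d.item))
```

In the sample, the `PermitRootLogin` change is reported in neither set because it appears in both an unaffected and an affected VM, and `vm-e` is ignored because it was never subject to the attack.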
14 Claims
6. A computer program product comprising a computer readable storage medium having stored thereon:
first program instructions programmed to monitor a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
second program instructions programmed to, for each virtual machine of the set of monitored virtual machines, determine a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
third program instructions programmed to determine a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
fourth program instructions programmed to determine a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
fifth program instructions programmed to analyze the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein the comparison of the snapshot deltas is based only on significant snapshot deltas;
wherein the fifth program instructions are further programmed to:
determine an identity of first intersection snapshot deltas that occur in every virtual machine of the first subset of virtual machine(s); and
communicate that the first intersection snapshot deltas are relatively likely to reflect an effective defense to the attack.
11. A computer system comprising:
a processor(s) set; and
a computer readable storage medium;
wherein:
the processor set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and
the program instructions include:
first program instructions programmed to monitor a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machines in the set of virtual machines,
second program instructions programmed to, for each virtual machine of the set of monitored virtual machines, determine a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots,
third program instructions programmed to determine a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack,
fourth program instructions programmed to determine a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack, and
fifth program instructions programmed to analyze the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein the comparison of the snapshot deltas is based only on significant snapshot deltas;
wherein the fifth program instructions are further programmed to:
determine an identity of first intersection snapshot deltas that occur in every virtual machine of the first subset of virtual machine(s); and
communicate that the first intersection snapshot deltas are relatively likely to reflect an effective defense to the attack.
Specification