Security policy generation based on snapshots of similar virtual machines
Abstract
Determining which snapshot deltas tend to occur in: (i) healthy virtual machines (VMs) that have been subject to an attack yet remained healthy, and/or (ii) unhealthy VMs that have apparently been adversely affected by an attack. Snapshot deltas that occur in at least some (or more preferably all) of the healthy VM subset provide information about software changes (for example, updates, configuration changes) that may be helpful. Snapshot deltas that occur in at least some (or more preferably all) of the unhealthy VM subsets provide information about software changes (for example, updates, configuration changes) that may be unhelpful.
10 Claims
1. A method comprising:
monitoring a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
for each virtual machine of the set of monitored virtual machines, determining a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
determining a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
determining a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
analyzing the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein:
the comparison of the snapshot deltas is based only on significant snapshot deltas; and
the analysis of the snapshot deltas includes:
determining an identity of first union snapshot deltas that occur in at least one virtual machine of the first subset of machine(s), and
communicating that the first union snapshot deltas may reflect an effective defense to the attack.
2. A method comprising:
monitoring a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
for each virtual machine of the set of monitored virtual machines, determining a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
determining a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
determining a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
analyzing the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein:
the comparison of the snapshot deltas is based only on significant snapshot deltas; and
the analysis of the snapshot deltas includes:
determining an identity of second intersection snapshot deltas that occur in every virtual machine of the second subset of virtual machine(s), and
communicating that the second intersection snapshot deltas are relatively likely to lead to a vulnerability to the attack.
3. A method comprising:
monitoring a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
for each virtual machine of the set of monitored virtual machines, determining a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
determining a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
determining a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
analyzing the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein:
the comparison of the snapshot deltas is based only on significant snapshot deltas; and
the analysis of the snapshot deltas includes:
determining an identity of second union snapshot deltas that occur in at least one virtual machine of the second subset of virtual machine(s), and
communicating that the second union snapshot deltas may cause a vulnerability to the attack.
4. A method comprising:
monitoring a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
for each virtual machine of the set of monitored virtual machines, determining a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
determining a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
determining a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
analyzing the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein:
identifying a fix based, at least in part, upon the determination of unhealthy snapshot deltas and/or healthy snapshot deltas; and
applying the fix to at least one VM to:
(i) prevent at least one vulnerability(ies), in the at least one VM, with respect to a malicious attack, and/or (ii) protect the at least one VM from failure due to a non-malicious workload spike.
5. A computer program product comprising a non-transitory computer readable storage medium having stored thereon:
first program instructions programmed to monitor a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
second program instructions programmed to, for each virtual machine of the set of monitored virtual machines, determine a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
third program instructions programmed to determine a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
fourth program instructions programmed to determine a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
fifth program instructions programmed to analyze the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein:
the comparison of the snapshot deltas is based only on significant snapshot deltas; and
the fifth program instructions are further programmed to:
determine an identity of first union snapshot deltas that occur in at least one virtual machine of the first subset of virtual machine(s), and
communicate that the first union snapshot deltas may reflect an effective defense to the attack.
Dependent claims: 8
6. A computer program product comprising a non-transitory computer readable storage medium having stored thereon:
first program instructions programmed to monitor a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
second program instructions programmed to, for each virtual machine of the set of monitored virtual machines, determine a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
third program instructions programmed to determine a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
fourth program instructions programmed to determine a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
fifth program instructions programmed to analyze the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein:
the comparison of the snapshot deltas is based only on significant snapshot deltas; and
the fifth program instructions are further programmed to:
determine an identity of second intersection snapshot deltas that occur in every virtual machine of the second subset of virtual machine(s), and
communicate that the second intersection snapshot deltas are relatively likely to lead to a vulnerability to the attack.
Dependent claims: 9
7. A computer program product comprising a non-transitory computer readable storage medium having stored thereon:
first program instructions programmed to monitor a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines;
second program instructions programmed to, for each virtual machine of the set of monitored virtual machines, determine a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots;
third program instructions programmed to determine a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack;
fourth program instructions programmed to determine a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions:
(i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and
fifth program instructions programmed to analyze the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following:
(i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack;
wherein:
the comparison of the snapshot deltas is based only on significant snapshot deltas; and
fifth program instructions are further programmed to:
determine an identity of second union snapshot deltas that occur in at least one virtual machine of the second subset of virtual machine(s), and
communicate that the second union snapshot deltas may cause a vulnerability to the attack.
Dependent claims: 10
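The set operations named in the abstract and in claims 1 to 3 (first union, second intersection, second union) can be sketched as follows. This is an added example, not code from the patent; the `VM` record, the item naming, the noise-prefix test used for "significant" deltas, and the fleet data are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumption: a delta is "significant" unless it touches churn-only paths.
NOISE_PREFIXES = ("/var/log/", "/tmp/")

@dataclass
class VM:
    name: str
    snapshots: list   # temporally ordered dicts: item -> version or hash
    attacked: bool    # VM has been subject to the attack
    affected: bool    # VM has been adversely affected by it

def snapshot_deltas(vm):
    """Significant (item, new_value) changes between adjacent snapshots."""
    deltas = set()
    for old, new in zip(vm.snapshots, vm.snapshots[1:]):
        for item in old.keys() | new.keys():
            changed = old.get(item) != new.get(item)
            if changed and not item.startswith(NOISE_PREFIXES):
                deltas.add((item, new.get(item)))  # None: item was removed
    return deltas

def analyze(vms):
    # First subset: attacked but healthy. Second subset: attacked and affected.
    first = [snapshot_deltas(v) for v in vms if v.attacked and not v.affected]
    second = [snapshot_deltas(v) for v in vms if v.attacked and v.affected]
    first_union = set().union(*first)
    second_union = set().union(*second)
    return {
        "first_union": first_union,    # may reflect an effective defense
        "second_union": second_union,  # may cause a vulnerability
        "second_intersection": set.intersection(*second) if second else set(),
        "healthy_only": first_union - second_union,
        "unhealthy_only": second_union - first_union,
    }

# Constructed fleet: every VM starts from the same base snapshot.
BASE = {"pkg:webserver": "2.4.1", "cfg:sshd/PermitRootLogin": "yes",
        "/var/log/auth.log": "h0"}

def _after(**changes):
    return [BASE, {**BASE, **changes}]

FLEET = [
    VM("vm-a", _after(**{"pkg:webserver": "2.4.2", "/var/log/auth.log": "h1"}), True, False),
    VM("vm-b", _after(**{"pkg:webserver": "2.4.2", "cfg:sshd/PermitRootLogin": "no"}), True, False),
    VM("vm-c", _after(**{"pkg:legacy-agent": "0.9"}), True, True),
    VM("vm-d", _after(**{"pkg:legacy-agent": "0.9", "cfg:sshd/PermitRootLogin": "no"}), True, True),
    VM("vm-e", _after(**{"pkg:webserver": "2.4.3"}), False, False),  # never attacked
]

if __name__ == "__main__":
    for label, deltas in analyze(FLEET).items():
        print(label, sorted(deltas))
```

In this fleet the `PermitRootLogin` change appears in both subsets, so it drops out of `healthy_only` and `unhealthy_only` even though it is present in the first union and the second union.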
Specification