Monitoring execution environments for approved configurations
First Claim
Patent Images
1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a computer, cause the computer to:
- perform a scan of a memory associated with a virtual machine instance in a service provider network, wherein the virtual machine instance includes a virtual processor configured to run instructions obtained from the memory, and wherein the scan of the memory is performed by a processor that is different from the virtual processor and wherein the scan is operative to detect that the virtual machine instance is in an unapproved configuration, wherein the unapproved configuration indicates one or more of an anomaly of the execution environment, or unexpected data within memory associated with the execution environment; and
in response to determining that the virtual machine instance is in the unapproved configuration, perform one or more actions that changes an access by the virtual machine instance to one or more resources associated with the service provider network, wherein the one or more actions comprise one or more of terminating the virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
1 Assignment
0 Petitions
Accused Products
Abstract
Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources or performing other types of functionality.
-
Citations
20 Claims
-
1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a computer, cause the computer to:
-
perform a scan of a memory associated with a virtual machine instance in a service provider network, wherein the virtual machine instance includes a virtual processor configured to run instructions obtained from the memory, and wherein the scan of the memory is performed by a processor that is different from the virtual processor and wherein the scan is operative to detect that the virtual machine instance is in an unapproved configuration, wherein the unapproved configuration indicates one or more of an anomaly of the execution environment, or unexpected data within memory associated with the execution environment; and in response to determining that the virtual machine instance is in the unapproved configuration, perform one or more actions that changes an access by the virtual machine instance to one or more resources associated with the service provider network, wherein the one or more actions comprise one or more of terminating the virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation. - View Dependent Claims (2, 3, 4)
-
-
5. A system, comprising:
one or more processors configured to; detect an execution environment executing on a first processor associated with a memory; run a monitoring environment that is coupled to the execution environment, wherein the monitoring environment is configured to monitor the execution environment to determine that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates one or more of an anomaly of the execution environment, or unexpected data within the memory, wherein the monitoring includes scanning, from outside of the execution environment, the memory to detect abnormalities associated with the memory; and in response to determining that the execution environment is in the unapproved configuration, changing access to one or more resources by the execution environment. - View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
17. A computer-implemented method, comprising:
-
detecting an execution environment executing on a first computing device; monitoring the execution environment to determine that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates one or more of an anomaly of the execution environment, or unexpected data within memory associated with the execution environment, wherein the monitoring includes scanning, from outside of the execution environment, a memory of the first computing device to detect abnormalities in the memory associated with the execution of the execution environment; and in response to determining that the execution environment is in the unapproved configuration, changing access to one or more resources by the execution environment. - View Dependent Claims (18, 19, 20)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeAmazon Technologies, Inc. (Amazon.com, Inc.)
-
Original AssigneeAmazon Technologies, Inc. (Amazon.com, Inc.)
-
InventorsRoth, Gregory Branchek, Bowen, Peter Zachary
-
Primary Examiner(s)Shayanfar, Ali
-
Application NumberUS15/461,136Time in Patent Office229 DaysField of SearchUS Class CurrentCPC Class CodesG06F 2009/45575 Starting, stopping, suspend...G06F 2009/45587 Isolation or security of vi...G06F 2009/45591 Monitoring or debugging sup...G06F 21/53 by executing in a restricte...G06F 21/55 Detecting local intrusion o...G06F 21/554 involving event detection a...G06F 21/604 Tools and structures for ma...G06F 2221/034 Test or assess a computer o...G06F 9/45533 Hypervisors; Virtual machin...G06F 9/45558 Hypervisor-specific managem...
