Monitoring execution environments for approved configurations
First Claim
1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a computer, cause the computer to:
perform a scan of a memory associated with a virtual machine instance in a service provider network, wherein the virtual machine instance includes a virtual processor configured to run instructions obtained from the memory, and wherein the scan of the memory is performed by a processor that is different from the virtual processor and wherein the scan is operative to detect that the virtual machine instance is in an unapproved configuration, wherein the unapproved configuration indicates one or more of an anomaly of the execution environment, or unexpected data within memory associated with the execution environment; and
in response to determining that the virtual machine instance is in the unapproved configuration, perform one or more actions that change an access by the virtual machine instance to one or more resources associated with the service provider network, wherein the one or more actions comprise one or more of terminating the virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
Abstract
Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources, or that perform other types of functionality.
20 Claims
1. Independent claim 1 is reproduced in full under First Claim above. - View Dependent Claims (2, 3, 4)
5. A system, comprising:
one or more processors configured to: detect an execution environment executing on a first processor associated with a memory; run a monitoring environment that is coupled to the execution environment, wherein the monitoring environment is configured to monitor the execution environment to determine that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates one or more of an anomaly of the execution environment, or unexpected data within the memory, wherein the monitoring includes scanning, from outside of the execution environment, the memory to detect abnormalities associated with the memory; and in response to determining that the execution environment is in the unapproved configuration, changing access to one or more resources by the execution environment. - View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
17. A computer-implemented method, comprising:
detecting an execution environment executing on a first computing device; monitoring the execution environment to determine that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates one or more of an anomaly of the execution environment, or unexpected data within memory associated with the execution environment, wherein the monitoring includes scanning, from outside of the execution environment, a memory of the first computing device to detect abnormalities in the memory associated with the execution of the execution environment; and in response to determining that the execution environment is in the unapproved configuration, changing access to one or more resources by the execution environment. - View Dependent Claims (18, 19, 20)
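The abstract and the three independent claims describe the same loop: a monitor that sits outside the execution environment scans its memory for altered or unexpected content, and on a finding changes what resources the instance may reach. The following Python is an added illustration of that loop and is not code from the patent or its assignee. It models the guest as a flat byte string held by a hypothetical hypervisor-side monitor, uses a constructed baseline (hashes of approved code pages, a pointer table that must only reference the code region, and a list of pages allowed to hold data), and maps each finding to one of the three responses named in claim 1 under a policy that is purely an assumption of this example (terminate on altered code, sandbox on data in an unallocated page, forensics mode on a redirected table entry). Page size, layout, and all names such as `build_guest_memory` and `BASELINE` are constructed for the example.

```python
"""Out-of-guest memory scan with a resource-access response (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum

PAGE_SIZE = 64      # constructed: tiny pages keep the sample memory readable
NUM_PAGES = 6       # constructed guest layout: 0-1 code, 2 pointer table, 3 data, 4-5 unused


class Action(Enum):
    NONE = "none"
    FORENSICS = "forensics"   # keep running, cut the network, preserve evidence
    SANDBOX = "sandbox"       # isolate: local storage only
    TERMINATE = "terminate"   # stop the instance and revoke every resource


@dataclass
class Finding:
    page: int
    kind: str      # "modified" | "unknown" | "anomaly"
    detail: str


@dataclass
class GuestInstance:
    name: str
    memory: bytes
    # resources the instance can currently reach; the monitor changes this set
    access: set = field(default_factory=lambda: {"network", "storage", "metadata"})


def addr_of(page: int, offset: int = 0) -> int:
    return page * PAGE_SIZE + offset


def make_table(entries):
    """Pack 32-bit little-endian pointers into one page (constructed table format)."""
    return b"".join(e.to_bytes(4, "little") for e in entries).ljust(PAGE_SIZE, b"\x00")


def build_guest_memory(*, code1=None, table=None, page4=None) -> bytes:
    """Assemble a guest image; keyword arguments override individual pages for test scenarios."""
    pages = [bytes(PAGE_SIZE)] * NUM_PAGES
    pages[0] = b"\x90" * PAGE_SIZE                                  # constructed code page
    pages[1] = code1 if code1 is not None else bytes(range(PAGE_SIZE))
    pages[2] = make_table(table if table is not None else [addr_of(0, 8), addr_of(1, 16)])
    pages[3] = b"heap-data".ljust(PAGE_SIZE, b"\x00")               # mutable data page
    pages[4] = page4 if page4 is not None else bytes(PAGE_SIZE)
    return b"".join(pages)


def page_digest(memory: bytes, idx: int) -> str:
    return hashlib.sha256(memory[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE]).hexdigest()


APPROVED_IMAGE = build_guest_memory()
BASELINE = {
    "code_region": (0, 2),                                          # pages [0, 2) are code
    "code_hashes": {i: page_digest(APPROVED_IMAGE, i) for i in range(0, 2)},
    "table_page": 2,
    "data_pages": {3},
}


def scan_memory(memory: bytes, baseline: dict) -> list:
    """Scan from outside the guest: hash-check code, validate table pointers, flag stray data."""
    findings = []
    lo, hi = baseline["code_region"]
    for idx in range(len(memory) // PAGE_SIZE):
        page = memory[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE]
        if idx in baseline["code_hashes"]:
            if page_digest(memory, idx) != baseline["code_hashes"][idx]:
                findings.append(Finding(idx, "modified", "approved code page altered"))
        elif idx == baseline["table_page"]:
            for slot in range(0, PAGE_SIZE, 4):
                target = int.from_bytes(page[slot:slot + 4], "little")
                if target and not (addr_of(lo) <= target < addr_of(hi)):
                    findings.append(Finding(idx, "anomaly", f"table slot {slot // 4} points outside code region"))
        elif idx not in baseline["data_pages"] and page.strip(b"\x00"):
            findings.append(Finding(idx, "unknown", "data present in an unallocated page"))
    return findings


# Constructed policy: the most severe finding decides the response.
SEVERITY = {"modified": Action.TERMINATE, "unknown": Action.SANDBOX, "anomaly": Action.FORENSICS}
ORDER = [Action.NONE, Action.FORENSICS, Action.SANDBOX, Action.TERMINATE]


def decide(findings: list) -> Action:
    return max((SEVERITY[f.kind] for f in findings), key=ORDER.index, default=Action.NONE)


def respond(inst: GuestInstance, action: Action) -> set:
    """Change the instance's access to resources according to the chosen action."""
    if action is Action.TERMINATE:
        inst.access.clear()
    elif action is Action.SANDBOX:
        inst.access.intersection_update({"storage"})
    elif action is Action.FORENSICS:
        inst.access.discard("network")
    return inst.access


def monitor(inst: GuestInstance, baseline: dict):
    findings = scan_memory(inst.memory, baseline)
    action = decide(findings)
    respond(inst, action)
    return action, findings


if __name__ == "__main__":
    tampered = bytearray(range(PAGE_SIZE))
    tampered[5] ^= 0xFF
    for guest in (GuestInstance("clean", build_guest_memory()),
                  GuestInstance("patched-code", build_guest_memory(code1=bytes(tampered))),
                  GuestInstance("redirected-table", build_guest_memory(table=[addr_of(0, 8), addr_of(4)])),
                  GuestInstance("stray-data", build_guest_memory(page4=b"\xcc" * PAGE_SIZE))):
        act, found = monitor(guest, BASELINE)
        print(f"{guest.name:17} -> {act.value:9} access={sorted(guest.access)} findings={[f.kind for f in found]}")
```

The scan never executes anything inside the guest; it reads the memory image the way a hypervisor-side monitor would and applies only checks that can be evaluated against the approved baseline, which is the property the claims turn on (scanning "from outside of the execution environment" by a processor other than the guest's virtual processor). A mutable data page is deliberately excluded from hash checks so that ordinary workload activity does not trip the policy.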
Specification