Systems and methods for securing and restoring virtual machines

US 9,916,456 B2
Filed: 03/14/2013
Issued: 03/13/2018
Est. Priority Date: 04/06/2012
Status: Active Grant

First Claim

Patent Images

1. A method for securing a virtual machine, comprising:

executing a virtual machine on a host device, the virtual machine comprising virtual machine files;

generating data parsing information, wherein the data parsing information is usable to (1) specify a substantially random technique for determining into which of a plurality of shares a portion of the virtual machine files will be placed and (2) select from two or more data encryption techniques a data encryption technique to be used to encrypt the portion; and

in response to receiving a command to stop the virtual machine;

generating the plurality of shares based on the data parsing information; and

causing each of the plurality of shares to be stored in respective separate storage locations, wherein the respective separate storage locations include one or more directories located on the host device, the one or more directories designated to store files associated with a non-virtual machine application;

wherein the virtual machine files are restorable by accessing a threshold number of the plurality of shares.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for securing a virtual machine by causing a plurality of shares of virtual machine files to be separately stored in response to a stop command. Systems and methods are also provided for restoring a data set with a cryptographic restoration application in response to a series of user inputs received when no visual indicator of the cryptographic restoration algorithm is displayed, and for restoring a data set with data shares received from another computer device in response to detecting a communication link with the device.

98 Citations

View as Search Results

54 Claims

1. A method for securing a virtual machine, comprising:
- executing a virtual machine on a host device, the virtual machine comprising virtual machine files;
  
  generating data parsing information, wherein the data parsing information is usable to (1) specify a substantially random technique for determining into which of a plurality of shares a portion of the virtual machine files will be placed and (2) select from two or more data encryption techniques a data encryption technique to be used to encrypt the portion; and
  
  in response to receiving a command to stop the virtual machine;
  
  generating the plurality of shares based on the data parsing information; and
  
  causing each of the plurality of shares to be stored in respective separate storage locations, wherein the respective separate storage locations include one or more directories located on the host device, the one or more directories designated to store files associated with a non-virtual machine application;
  
  wherein the virtual machine files are restorable by accessing a threshold number of the plurality of shares.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 51)
- - 2. The method of claim 1, wherein the host device is a handheld computing device.
  - 3. The method of claim 1, wherein the virtual machine files comprise at least one of a log file, a virtual machine BIOS status file, a virtual disk file, a paging file, a snapshot state file, a suspended state file, and a configuration file.
  - 4. The method of claim 1, wherein the command to stop the virtual machine comprises at least one of a save command, a shut down command, a suspend command, and a pause command.
  - 5. The method of claim 1, wherein the command to stop the virtual machine is issued by a user of the host device.
  - 6. The method of claim 1, wherein the command to stop the virtual machine is issued by a processor of the host device without a substantially contemporaneous command from a user of the host device.
  - 7. The method of claim 1, wherein generating the plurality of shares based on the data parsing information comprises:
    - identifying a plurality of portions of the virtual machine files; and
      
      encrypting each of the plurality of portions to form the plurality of shares.
  - 8. The method of claim 1, wherein generating the plurality of shares based on the data parsing information comprises:
    - encrypting the virtual machine files; and
      
      identifying a plurality of portions of the encrypted virtual machine files to form the plurality of shares.
  - 9. The method of claim 1, wherein the data parsing information specifies a substantially random technique for determining into which position within each of the plurality of shares the portion of the virtual machine files will be placed.
  - 10. The method of claim 1, wherein the separate storage locations include a plurality of separate storage locations on the host device.
  - 11. The method of claim 1, wherein the separate storage locations include a plurality of separate storage locations on one or more devices remote from the host device.
  - 12. The method of claim 1, wherein the separate storage locations include at least one storage location on the host device and at least one storage location on a device remote from the host device.
  - 13. The method of claim 1, further comprising:
    - prior to executing the virtual machine on the host device;
      
      receiving a second plurality of shares; and
      
      restoring the virtual machine files from the second plurality of shares using data restoring information that determines how to decrypt and arrange portions from the plurality of shares to form the virtual machine files.
  - 14. The method of claim 13, wherein the second plurality of shares is received from one or more devices remote from the host device.
  - 15. The method of claim 14, wherein the one or more devices remote from the host device include one or more data servers.
  - 16. The method of claim 14, wherein the separate storage locations in which the plurality of shares are respectively stored are located on the one or more devices remote from the host device from which the second plurality of shares is received.
  - 17. The method of claim 1, further comprising:
    - prior to generating data parsing information;
      
      receiving a third plurality of shares; and
      
      restoring an executable parsing application from the third plurality of shares;
      
      wherein the data parsing information is generated by the executable parsing application.
  - 18. The method of claim 17, wherein the third plurality of shares is received from one or more devices remote from the host device.
  - 19. The method of claim 18, wherein the one or more devices remote from the host device include one or more data servers.
  - 20. The method of claim 17, wherein restoring the executable splitting application from the third plurality of shares comprises assembling the third plurality of shares according to a technique stored in and executable by the host device.
  - 21. The method of claim 17, wherein restoring the executable parsing application from the third plurality of shares comprises assembling the third plurality of shares according to a technique specified in the third plurality of shares and executable by the host device.
  - 22. The method of claim 1, wherein the threshold number is less than a total number of the plurality of shares.
  - 23. The method of claim 1, wherein the data parsing information determines the size of each of the shares, wherein the size of at least one share is different from the size of at least one other share.
  - 24. The method of claim 1, wherein the host device comprises one or more computers in a distributed architecture.
  - 25. The method of claim 1, wherein the host device comprises one or more computers in a cloud computing environment.
  - 51. The method of claim 1, wherein the one or more directories include a subdirectory contained within a directory designated to store files associated with the non-virtual machine application.

26. A computer system for securing a virtual machine, comprising:
- processing circuitry in communication with one or more storage locations, the processing circuitry being associated with communications circuitry for receiving communications, the processing circuitry being configured to;
  
  execute a virtual machine on a host device, the virtual machine comprising virtual machine files;
  
  generate data parsing information, wherein the data parsing information is usable to (1) specify a substantially random technique for determining into which of a plurality of shares a portion of the virtual machine files will be placed and (2) select from two or more data encryption techniques a data encryption technique to be used to encrypt the portion; and
  
  in response to receiving a command to stop the virtual machine;
  
  generate the plurality of shares based on the data parsing information; and
  
  cause each of the plurality of shares to be stored in respective separate storage locations, wherein the respective separate storage locations include one or more directories located on the host device, the one or more directories designated to store files associated with a non-virtual machine application;
  
  wherein the virtual machine files are restorable by accessing a threshold number of the plurality of shares.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 53)
- - 27. The system of claim 26, wherein the host device is a handheld computing device.
  - 28. The system of claim 26 wherein the virtual machine files comprise at least one of a log file, a virtual machine BIOS status file, a virtual disk file, a paging file, a snapshot state file, a suspended state file, and a configuration file.
  - 29. The system of claim 26, wherein the command to stop the virtual machine comprises at least one of a save command, a shut down command, a suspend command, and a pause command.
  - 30. The system of claim 26, wherein the command to stop the virtual machine is issued by a user of the host device.
  - 31. The system of claim 26, wherein the command to stop the virtual machine is issued by a processor of the host device without a substantially contemporaneous command from a user of the host device.
  - 32. The system of claim 26, wherein generating the plurality of shares based on the data parsing information comprises:
    - identifying a plurality of portions of the virtual machine files; and
      
      encrypting each of the plurality of portions to form the plurality of shares.
  - 33. The system of claim 26, wherein generating the plurality of shares based on the data parsing information comprises:
    - encrypting the virtual machine files; and
      
      identifying a plurality of portions of the encrypted virtual machine files to form the plurality of shares.
  - 34. The system of claim 26, wherein the data parsing information specifies a substantially random technique for determining into which position within each of the plurality of shares the portion of the virtual machine files will be placed.
  - 35. The system of claim 26, wherein the separate storage locations include a plurality of separate storage locations on the host device.
  - 36. The system of claim 26, wherein the separate storage locations include a plurality of separate storage locations on one or more devices remote from the host device.
  - 37. The system of claim 26, wherein the separate storage locations include at least one storage location on the host device and at least one storage location on a device remote from the host device.
  - 38. The system of claim 26, wherein the processing circuitry is further configured to:
    - prior to executing the virtual machine on the host device;
      
      receive a second plurality of shares; and
      
      restore the virtual machine files from the second plurality of shares using data restoring information that determines how to decrypt and arrange portion from the plurality of shares to form the virtual machine files.
  - 39. The system of claim 38, wherein the second plurality of shares is received from one or more devices remote from the host device.
  - 40. The system of claim 39, wherein the one or more devices remote from the host device include one or more data servers.
  - 41. The system of claim 39, wherein the separate storage locations in which the plurality of shares are respectively stored are located on the one or more devices remote from the host device from which the second plurality of shares is received.
  - 42. The system of claim 26, wherein the processing circuitry is configured to:
    - prior to generating data parsing information;
      
      receive a third plurality of shares; and
      
      restore an executable parsing application from the third plurality of shares;
      
      wherein the data parsing information is generated by the executable parsing application.
  - 43. The system of claim 42, wherein the third plurality of shares is received from one or more devices remote from the host device.
  - 44. The system of claim 43, wherein the one or more devices remote from the host device include one or more data servers.
  - 45. The system of claim 42, wherein restoring the executable parsing application from the third plurality of shares comprises assembling the third plurality of shares according to a technique stored in and executable by the host device.
  - 46. The system of claim 42, wherein restoring the executable parsing application from the third plurality of shares comprises assembling the third plurality of shares according to a technique specified in the third plurality of shares and executable by the host device.
  - 47. The system of claim 26, wherein the threshold number is less than a total number of the plurality of shares.
  - 48. The system of claim 26, wherein the data parsing information determines the size of each of the shares, wherein the size of at least one share is different from the size of at least one other share.
  - 49. The system of claim 26, wherein the processing circuitry comprises one or more computers in a distributed architecture.
  - 50. The system of claim 26, wherein the processing circuitry comprises one or more computers in a cloud computing environment.
  - 53. The system of claim 26, wherein the one or more directories include a subdirectory contained within a directory designated to store files associated with the non-virtual machine application.

52. A method for securing a virtual machine, comprising:
- executing a virtual machine on a host device, the virtual machine comprising virtual machine files;
  
  generating data parsing information, wherein the data parsing information is usable to specify a substantially random technique for determining into which of a plurality of shares a portion of the virtual machine files will be placed and how the portion will be encrypted; and
  
  in response to receiving a command to stop the virtual machine;
  
  generating the plurality of shares based on the data parsing information; and
  
  causing each of the plurality of shares to be stored in respective separate storage locations, wherein the respective separate storage locations include one or more directories located on the host device, the one or more directories designated to store files associated with a non-virtual machine application, wherein the one or more directories being designated to store files associated with the non-virtual machine application is named based on a name of the non-virtual machine application;
  
  wherein the virtual machine files are restorable by accessing a threshold number of the plurality of shares.

54. A computer system for securing a virtual machine, comprising:
- processing circuitry in communication with one or more storage locations, the processing circuitry being associated with communications circuitry for receiving communications, the processing circuitry being configured to;
  
  execute a virtual machine on a host device, the virtual machine comprising virtual machine files;
  
  generate data parsing information, wherein the data parsing information is usable to specify a substantially random technique for determining into which of a plurality of shares a portion of the virtual machine files will be placed and how the portion will be encrypted; and
  
  in response to receiving a command to stop the virtual machine;
  
  generate the plurality of shares based on the data parsing information; and
  
  cause each of the plurality of shares to be stored in respective separate storage locations, wherein the respective separate storage locations include one or more directories located on the host device, the one or more directories designated to store files associated with a non-virtual machine application, wherein the one or more directories being designated to store files associated with the non-virtual machine application is named based on a name of the non-virtual machine application;
  
  wherein the virtual machine files are restorable by accessing a threshold number of the plurality of shares.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L.
Primary Examiner(s)
KESSLER, GREGORY AARON

Application Number

US13/831,164
Publication Number

US 20130268931A1
Time in Patent Office

1,825 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/6209   to a single file or object,...

G06F 21/629   to features or functions of...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/485   Task life-cycle, e.g. stopp...

Systems and methods for securing and restoring virtual machines

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing and restoring virtual machines

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links