Pre-Grant Publication Number: 20090158432
On-access anti-virus mechanism for virtual machine architecture
Please help the USPTO examine the application by evaluating the relevance of the publicly submitted prior art to the patent application. Peer To Patent forwards the Top 10 most relevant prior art submissions and their annotations to the USPTO.

Review this prior art and click on the thumbs up (or down) to indicate whether this submission should be forwarded to the USPTO.
If you login then you can add an annotation by typing in the box at the bottom of the screen to comment on the relevance of the prior art to the claims of the patent application.
Prior Art Detail
Annotations(0)
#610A Virtual Machine Introspection Based Architecture for Intrusion Detection
Applies to Claims 1
Submitted by: Yeen ThamLast updated: over 2 years ago
1 thumb up 0 thumbs down
Summary / Description
Summary / DescriptionDiscloses an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance using a virtual machine monitor.
 
Basic Information
Type of Prior ArtOnline Publication
 
URLhttp://citeseerx.ist.psu.edu/vi...
 
Author/CreatorGarfinkel, et al.
 
TitleA Virtual Machine Introspection Based Architecture for Intrusion Detection
 
Publication Date2003
 
PublisherProc. Network and Distributed Systems Security Symposium
 
Directions to Document Location
 
Additional Information
 
Notes / To Do
Notes
 
Excerpt
Excerpt
In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host's state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.
 
Relevance
Claims
1
A method for protecting a plurality of guest virtual machines (VMs) from malicious code, the plurality of guest VMs executing via a virtualization layer on a common host platform, method comprising:scanning data using a scan engine of an anti-virus system, the scan engine being configured to execute within the virtualization layer outside a context of a target VM, the target VM being one of the guest VMs, the scanning comprising:receiving a scan request from a driver portion of the anti-virus system, the scan request identifying the data to be scanned;reading the data and comparing the data with a virus signature database;determining a result of the scanning, the result indicating whether malicious code is present in the data; andreporting the result of the scanning back to the driver portion that requested the scan; andprotecting the target VM using a driver portion of the anti-virus system, the driver portion being configured for installation in an operating system of the target VM, the protecting comprising:intercepting an access request to a file, wherein the access request originates within the target VM;communicating the scan request to the scan engine, the scan request including the identification of the data to be scanned by providing information identifying a location of the data to be scanned, the data to be scanned being or corresponding to contents of the file;receiving the result from the scan engine, andtaking remedial action when the result indicates the file contains malicious code, the remedial action including one or more of notifying a user, deleting the file, or quarantining the file.
Relevance
See sec. 6.13 (p.9): Scanning the file system for the presence of known malicious program based on a known “signature” substring of the program is a popular intrusion detection technique. It is employed by anti-virus tools as well as root-kit detection tools like chkrootkit [31]. ...
See sec. 6.13 (p.9): Scanning the file system for the presence of known malicious program based on a known “signature” substring of the program is a popular intrusion detection technique. It is employed by anti-virus tools as well as root-kit detection tools like chkrootkit [31]. ...
Claim Chart
All
0 days left
Activity
Application
Discussion (0)
Prior Art (2)
Research (0)
Subscribe to this Community
Invite a Reviewer
HOW TO USE PEER TO PATENT
Peer To Patent Videos