Abstract:
Technologies are generally described for a framework to automatically estimate cross-VM covert channel capacity for channels such as central processing unit (CPU) load, CPU L2 cache, memory bus and disk bus. In some examples, the framework may include automated parameter tuning for various cross-VM covert channels to achieve a high data rate and automated capacity estimation of those cross-VM covert channels through machine learning. A Shannon entropy formulation may be applied to estimate the capacity of cross-VM covert channels established on any given cloud platform. Furthermore, the noise of a cross-VM covert channel under a specific cloud platform may be statistically modeled to eliminate the covert channel implementations that perform poorly, thereby narrowing the parameter space. A number of sample signals may be collected with their corresponding ground truth labels, and machine learning tools may be utilized to cross-validate the samples and estimate the capacity of the covert channels.
Abstract:
Technologies are generally described to mitigate sensor-based covert channels. In some examples, a foreground application may cause particular interactions with a device sensor to occur, where the interactions may encode potentially sensitive information. A background application may then attempt to retrieve the interactions from the device sensor and leak the encoded information. In order to address this, a sensor virtualization module may restrict background application access to the sensor, for example by preventing sensor access or by providing intentionally degraded sensor data to background applications.
Abstract:
Technologies are described to mitigate cross-VM covert channel attacks in a cloud-computing network. A covert channel capacity for potential cross-VM covert channels may be monitored and trade-off factors for mitigations associated with different potential cross-VM covert channels determined. The trade-off factors may define a trade-off between a victim data loss if the corresponding mitigation is not deployed and a cloud-computing network performance loss if the corresponding mitigation is deployed. One or more of the mitigations may then be deployed or switched based on the trade-off factor. In some examples, a different one of the mitigations may be selected such that a payoff for a defender deploying the mitigations is increased. The payoff may be determined using Nash equilibriums.
Abstract:
Technologies are generally described to provision virtual machines with security requirements in a datacenter. In some examples, a scheduler at a datacenter may receive a request to provision a virtual machine, where the virtual machine has an associated security requirement. Based on the security requirement, the scheduler may compute a maximum co-run probability of the virtual machine with at least one other virtual machine. The scheduler may then attempt to determine whether the virtual machine can be accommodated on an already-operational server while satisfying both the maximum co-run probability and a computing resource capacity associated with the virtual machine. If so, the virtual machine may be provisioned on the working server. Otherwise, the virtual machine may be provisioned on a new server if possible.