-
1.
Publication No.: US20210012000A1
Publication date: 2021-01-14
Application No.: US16504464
Application date: 2019-07-08
Applicant: Google LLC
Inventor: Michael Halcrow, Thomas Garnier
Abstract: The technology provides for a threat detection system. In this regard, the system may be configured to output file states of a multi-layer file system. For instance, the system may determine, based on the file states for a file, one or more layers of the multi-layer file system in which one or more objects corresponding to the file can be found. Based on the one or more objects corresponding to the file, the system may detect a potential threat. The system may then take an action in response to the potential threat.
-
2.
Publication No.: US20190205267A1
Publication date: 2019-07-04
Application No.: US15861844
Application date: 2018-01-04
Applicant: Google LLC
Inventor: Joseph Richey, Michael Halcrow, Sergey Karamov
CPC classification number: G06F12/1408, G06F3/0623, G06F3/064, G06F3/065, G06F3/0665, G06F3/0676, G06F3/0689, G06F21/6218, G06F21/78, G06F2212/1052, G06F2221/2107, G11B20/00253
Abstract: A cloud implementation of a persisted storage device, such as a disk, is provided. The implementation supports a variety of features and protocols, in full analogy with a physical storage device such as a disk drive. The present disclosure provides for implementing standard eDrive protocols in the cloud by designing internal disk storage, referred to as a “system area,” in a virtual disk instance that the virtual disk can potentially utilize for a multitude of disk features. This internal storage can be used to implement eDrive protocols, which use the system area to maintain the necessary internal virtual disk state.
-
3.
Publication No.: US20230385205A1
Publication date: 2023-11-30
Application No.: US18200380
Application date: 2023-05-22
Applicant: Google LLC
Inventor: Joseph Richey, Michael Halcrow, Sergey Karamov
CPC classification number: G06F12/1408, G06F3/065, G06F3/0689, G06F3/0623, G06F3/0665, G06F3/0676, G06F21/6218, G06F3/064, G06F2212/1052, G11B20/00253
Abstract: A cloud implementation of a persisted storage device, such as a disk, is provided. The implementation supports a variety of features and protocols, in full analogy with a physical storage device such as a disk drive. The present disclosure provides for implementing standard eDrive protocols in the cloud by designing internal disk storage, referred to as a “system area,” in a virtual disk instance that the virtual disk can potentially utilize for a multitude of disk features. This internal storage can be used to implement eDrive protocols, which use the system area to maintain the necessary internal virtual disk state.
-
4.
Publication No.: US20230028056A1
Publication date: 2023-01-26
Application No.: US17949320
Application date: 2022-09-21
Applicant: Google LLC
Inventor: Michael Halcrow, Thomas Garnier
Abstract: The technology provides for a threat detection system. In this regard, the system may be configured to output file states of a multi-layer file system. For instance, the system may determine, based on the file states for a file, one or more layers of the multi-layer file system in which one or more objects corresponding to the file can be found. Based on the one or more objects corresponding to the file, the system may detect a potential threat. The system may then take an action in response to the potential threat.
-
5.
Publication No.: US20250094205A1
Publication date: 2025-03-20
Application No.: US18964631
Application date: 2024-12-01
Applicant: Google LLC
Inventor: Michael Halcrow, Thomas Garnier
Abstract: A method including monitoring, using a standard level of auditing, one or more processes of a VM and, based on monitoring the process(es), detecting aberrant behavior indicating that an attack against the VM is imminent. Based on detecting aberrant behavior indicating that the attack is imminent, the method includes monitoring, using a heightened level of auditing, the process(es), the heightened level of auditing generating log data representative of memory accesses performed by the VM, and notifying a user of the VM that the imminent attack is detected. During the attack against the VM, maintaining the monitoring of the process(es) using the heightened level of auditing, the method includes determining that the attack has concluded and, based on determining that the attack has concluded, processing the log data to determine an action performed by the detected attack; and monitoring, using the standard level of auditing, the process(es).
-
6.
Publication No.: US11494216B2
Publication date: 2022-11-08
Application No.: US16542897
Application date: 2019-08-16
Applicant: Google LLC
Inventor: Michael Halcrow, Thomas Garnier
Abstract: A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.
-
7.
Publication No.: US11481487B2
Publication date: 2022-10-25
Application No.: US16504464
Application date: 2019-07-08
Applicant: Google LLC
Inventor: Michael Halcrow, Thomas Garnier
Abstract: The technology provides for a threat detection system. In this regard, the system may be configured to output file states of a multi-layer file system. For instance, the system may determine, based on the file states for a file, one or more layers of the multi-layer file system in which one or more objects corresponding to the file can be found. Based on the one or more objects corresponding to the file, the system may detect a potential threat. The system may then take an action in response to the potential threat.
-
8.
Publication No.: US12182604B2
Publication date: 2024-12-31
Application No.: US18048532
Application date: 2022-10-21
Applicant: Google LLC
Inventor: Michael Halcrow, Thomas Garnier
Abstract: A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.
-
9.
Publication No.: US11693792B2
Publication date: 2023-07-04
Application No.: US15861844
Application date: 2018-01-04
Applicant: Google LLC
Inventor: Joseph Richey, Michael Halcrow, Sergey Karamov
CPC classification number: G06F12/1408, G06F3/064, G06F3/065, G06F3/0623, G06F3/0665, G06F3/0676, G06F3/0689, G06F21/6218, G06F21/78, G06F2212/1052, G06F2221/2107, G11B20/00253
Abstract: A cloud implementation of a persisted storage device, such as a disk, is provided. The implementation supports a variety of features and protocols, in full analogy with a physical storage device such as a disk drive. The present disclosure provides for implementing standard eDrive protocols in the cloud by designing internal disk storage, referred to as a “system area,” in a virtual disk instance that the virtual disk can potentially utilize for a multitude of disk features. This internal storage can be used to implement eDrive protocols, which use the system area to maintain the necessary internal virtual disk state.
-
10.
Publication No.: US20210049031A1
Publication date: 2021-02-18
Application No.: US16542897
Application date: 2019-08-16
Applicant: Google LLC
Inventor: Michael Halcrow, Thomas Garnier
Abstract: A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.