Security inspection of massive virtual hosts for immutable infrastructure and infrastructure as code

US 10,003,613 B2
Filed: 12/18/2015
Issued: 06/19/2018
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method for performing a security inspection of a set of virtual images in a cloud infrastructure, the method comprising:

merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images;

identifying a security violation in a given one of the virtual images at a given one of the plurality of leaves;

applying a bisection method against a path in the tree from the root to the given one of the plurality of leaves to find a particular one of the virtual images that is a root cause of the security violation; and

performing a corrective action for any of the plurality of images having the security violation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are provided for performing a security inspection of a set of virtual images in a cloud infrastructure. The method includes merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images. The method further includes identifying a security violation in a given one of the virtual images at a given one of the plurality of leaves. The method also includes applying a bisection method against a path in the tree from the root to the given one of the plurality of leaves to find a particular one of the virtual images that is a root cause of the security violation. The method additionally includes performing a corrective action for any of the plurality of images having the security violation.

9 Citations

View as Search Results

20 Claims

1. A method for performing a security inspection of a set of virtual images in a cloud infrastructure, the method comprising:
- merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images;
  
  identifying a security violation in a given one of the virtual images at a given one of the plurality of leaves;
  
  applying a bisection method against a path in the tree from the root to the given one of the plurality of leaves to find a particular one of the virtual images that is a root cause of the security violation; and
  
  performing a corrective action for any of the plurality of images having the security violation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising identifying the virtual images in child leaves of the given one of the plurality of leaves as having the security violation in common with the given one of the virtual images at the given one of the plurality of leaves.
  - 3. The method of claim 1, further comprising identifying the virtual image in a parent leaf of a certain one of the plurality of leaves as being free of the security violation when the certain one of the plurality of leaves is free of the security violation.
  - 4. The method of claim 1, wherein said identifying step identifies the security violation using a set of rules based on parent-child relationships.
  - 5. The method of claim 1, wherein the rules comprise:
    - identifying the virtual images in child leaves of the given one of the plurality of leaves as having the security violation in common with the given one of the virtual images at the given one of the plurality of leaves; and
      
      identifying the virtual image in a parent leaf of a certain one of the plurality of leaves as being free of the security violation when the certain one of the plurality of leaves is free of the security violation.
  - 6. The method of claim 1, wherein said identifying step is comprised in a leaf inspection step that commences at a deepest one of the plurality of leaves.
  - 7. The method of claim 6, wherein the bisection method forms a plurality of subtrees, and the inspection commences at the deepest one of the plurality of leaves in a deepest one of the plurality of subtrees.
  - 8. The method of claim 7, wherein a traversal order of the inspection step is from the deepest one of the plurality of leaves towards the root.
  - 9. The method of claim 1, wherein at least one of the virtual images is associated with a timestamp associated with a security vulnerability such that any of the virtual images having an earlier timestamp are identified as being without the security vulnerability.
  - 10. The method of claim 1, wherein said identifying step is comprised in a leaf inspection step that, upon identifying the security violation at the given one of the virtual images at the given one of the plurality of leaves, next inspects a common nearest parent leaf to the given one of the plurality of leaves.
  - 11. The method of claim 1, wherein the corrective action comprises marking as defective any of the plurality of virtual images having the security violation.
  - 12. The method of claim 1, wherein the corrective action comprises retrieving replacement virtual images for any of the plurality of virtual images having the security violation.

13. A computer program product for performing a security inspection of a set of virtual images in a cloud infrastructure, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising:
- merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images;
  
  identifying a security violation in a given one of the virtual images at a given one of the plurality of leaves;
  
  applying a bisection method against a path in the tree from the root to the given one of the plurality of leaves to find a particular one of the virtual images that is a root cause of the security violation; and
  
  performing a corrective action for any of the plurality of images having the security violation.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer program product of claim 13, further comprising identifying the virtual images in child leaves of the given one of the plurality of leaves as having the security violation in common with the given one of the virtual images at the given one of the plurality of leaves.
  - 15. The computer program product of claim 13, further comprising identifying the virtual image in a parent leaf of a certain one of the plurality of leaves as being free of the security violation when the certain one of the plurality of leaves is free of the security violation.
  - 16. The computer program product of claim 13, wherein said identifying step identifies the security violation using a set of rules based on parent-child relationships.
  - 17. The computer program product of claim 13, wherein the rules comprise:
    - identifying the virtual images in child leaves of the given one of the plurality of leaves as having the security violation in common with the given one of the virtual images at the given one of the plurality of leaves; and
      
      identifying the virtual image in a parent leaf of a certain one of the plurality of leaves as being free of the security violation when the certain one of the plurality of leaves is free of the security violation.
  - 18. The computer program product of claim 13, wherein at least one of the virtual images is associated with a timestamp associated with a security vulnerability such that any of the virtual images having an earlier timestamp are identified as being without the security vulnerability.
  - 19. The computer program product of claim 13, wherein said identifying step is comprised in a leaf inspection step that, upon identifying the security violation at the given one of the virtual images at the given one of the plurality of leaves, next inspects a common nearest parent leaf to the given one of the plurality of leaves.

20. A system for performing a security inspection of a set of virtual images in a cloud infrastructure, the system comprising:
- a hardware processor and a memory device, configured to;
  
  merge the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images;
  
  identify a security violation in a given one of the virtual images at a given one of the plurality of leaves;
  
  apply a bisection method against a path in the tree from the root to the given one of the plurality of leaves to find a particular one of the virtual images that is a root cause of the security violation; and
  
  perform a corrective action for any of the plurality of images having the security violation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Mizutani, Masayoshi, Nogayama, Takahide, Rudy, Raymond H. P., Trent, Scott R., Tsuboi, Yuta, Watanabe, Yuji
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US14/975,057
Publication Number

US 20170180422A1
Time in Patent Office

914 Days
Field of Search

726 1, 726 23, 726 24, 713165, 713168, 713188
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

H04L 2463/146   Tracing the source of attacks

H04L 63/20   for managing network securi...

Security inspection of massive virtual hosts for immutable infrastructure and infrastructure as code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security inspection of massive virtual hosts for immutable infrastructure and infrastructure as code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links