Detecting unknown software vulnerabilities and system compromises

US 10,032,031 B1
Filed: 08/27/2015
Issued: 07/24/2018
Est. Priority Date: 08/27/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

during a learning period, recording in a memory of at least one of one or more computing devices, an indication of which of a plurality of portions of an imported software package are invoked by a service during execution of the service in the learning period, individual ones of the plurality of portions selected from at least one of;

a class, a function, a file, or a library;

determining, via at least one monitoring service executed by at least one of the one or more computing devices, that a different portion of the imported software package is invoked by the service subsequent to the learning period, the different portion being different than those invoked by the service during the learning period;

blocking, via the at least one monitoring service executed by at least one of the one or more computing devices, execution of the different portion of the imported software package in response to determining that the different portion of the imported software package is invoked by the service; and

causing a re-initiation of the learning period for the imported software package, via at least one of the one or more computing devices, the re-initiation of the learning period updating, in the memory, the indication of the plurality of portions of the imported software package invoked by the service, in response to at least one of;

determining, via at least one of the one or more computing devices, that the service has changed;

determining, via at least one of the one or more computing devices, that the imported software package has changed;

ordetermining, via at least one of the one or more computing devices, that a customer of the service has changed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for detecting unknown software vulnerabilities and system compromises. In a first implementation, a monitoring service records an indication of which portions of an imported software package are invoked by a service during a learning period. After the learning period, the monitoring service determines that a different portion of the imported software package is invoked by the service. The portion is different than those invoked by the service during the learning period. An action is then performed in response to determining that the different portion of the imported software package is invoked by the service.

43 Citations

View as Search Results

23 Claims

1. A method, comprising:
- during a learning period, recording in a memory of at least one of one or more computing devices, an indication of which of a plurality of portions of an imported software package are invoked by a service during execution of the service in the learning period, individual ones of the plurality of portions selected from at least one of;
  
  a class, a function, a file, or a library;
  
  determining, via at least one monitoring service executed by at least one of the one or more computing devices, that a different portion of the imported software package is invoked by the service subsequent to the learning period, the different portion being different than those invoked by the service during the learning period;
  
  blocking, via the at least one monitoring service executed by at least one of the one or more computing devices, execution of the different portion of the imported software package in response to determining that the different portion of the imported software package is invoked by the service; and
  
  causing a re-initiation of the learning period for the imported software package, via at least one of the one or more computing devices, the re-initiation of the learning period updating, in the memory, the indication of the plurality of portions of the imported software package invoked by the service, in response to at least one of;
  
  determining, via at least one of the one or more computing devices, that the service has changed;
  
  determining, via at least one of the one or more computing devices, that the imported software package has changed;
  
  ordetermining, via at least one of the one or more computing devices, that a customer of the service has changed.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising adjusting, via at least one of the one or more computing devices, a portion granularity for monitoring execution of the imported software package based at least in part on a computing device performance.
  - 3. The method of claim 1, further comprising sending, via at least one of the one or more computing devices, a notification to a supervisory user in response to determining that the different portion of the imported software package is invoked by the service.

4. A system, comprising:
- at least one computing device including at least one memory and at least one processor; and
  
  at least one monitoring service executed by the at least one processor of the at least one computing device, wherein when executed the at least one monitoring service causes the at least one computing device to at least;
  
  receive an indication of which of a plurality of portions of an imported software package are invoked by a service during a learning period, individual ones of the plurality of portions selected from at least one of;
  
  a class, a function, a file, or a library;
  
  after the learning period, determine that a different portion of the imported software package is invoked by the service executed by the at least one processor, the different portion being different than those invoked by the service during the learning period; and
  
  perform an action in response to determining that the different portion of the imported software package is invoked by the service, wherein the action includes;
  
  blocking the execution of the different portion of the imported software package, andupdating the received indication of the plurality of portions of the imported software package invoked by the service.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The system of claim 4, wherein when executed the at least one monitoring service further causes the at least one computing device to at least:
    - after the learning period, determine that a portion of the imported software package that was invoked by the service during the learning period is presently being invoked by the service at an increased rate as compared to a baseline rate during the learning period, wherein a difference between the increased rate and the baseline rate exceeds a threshold; and
      
      perform another action in response to determining that the portion of the imported software package is presently being invoked by the service at the increased rate.
  - 6. The system of claim 4, wherein the action comprises sending an alarm notification to a supervisory user.
  - 7. The system of claim 4, wherein the action further comprises reducing privileges of the imported software package.
  - 8. The system of claim 4, wherein the plurality of portions of the imported software package correspond to a plurality of classes, and the different portion corresponds to a particular one of the plurality of classes.
  - 9. The system of claim 4, wherein the plurality of portions of the imported software package correspond to a plurality of methods, and the different portion corresponds to a particular one of the plurality of methods.
  - 10. The system of claim 4, wherein when executed the at least one monitoring service further causes the at least one computing device to at least reenter the learning period in response to determining a change in the service.
  - 11. The system of claim 4, wherein when executed the at least one monitoring service further causes the at least one computing device to at least reenter the learning period in response to determining a change in the imported software package.
  - 12. The system of claim 4, wherein when executed the at least one monitoring service further causes the at least one computing device to at least reenter the learning period in response to determining a change in a customer of the service.

13. A method, comprising:
- during a learning period, recording in a memory of at least one of one or more computing devices, a plurality of process execution trees invoking one or more programs during execution of the one or more programs in the learning period;
  
  after the learning period, determining, via at least one monitoring service executed by at least one of the one or more computing devices, that at least one program of the one or more programs has been invoked by a process execution tree;
  
  determining, via the at least one monitoring service executed by at least one of the one or more computing devices, that the invoking process execution tree does not match any of the plurality of recorded process execution trees; and
  
  performing, via the at least one monitoring service executed by at least one of the one or more computing devices, an action with respect to the invoked program in response to determining that the invoking process execution tree does not match any of the plurality of recorded process execution trees, wherein the action comprises;
  
  blocking the invoking process execution tree, andupdating the memory to include the invoking process execution tree.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, further comprising upon receiving a manual confirmation, adding, via at least one of the one or more computing devices, the invoking process execution tree to the plurality of recorded process execution trees.
  - 15. The method of claim 13, wherein the one or more computing devices comprises a first computing device and a second computing device, the learning period is determined with respect to the first computing device, and the invoked at least one program after the learning period is determined with respect to the second computing device.
  - 16. The method of claim 13, further comprising determining, via at least one of the one or more computing devices, whether the invoking process execution tree is associated with an expected parameter size to invoke the one or more programs.
  - 17. The method of claim 13, further comprising determining, via at least one of the one or more computing devices, whether the invoking process execution tree is associated with an expected number of parameters to invoke the at least one program.
  - 18. The method of claim 13, wherein the action comprises reducing privileges of the invoked at least one program.
  - 19. The method of claim 13, wherein the action comprises terminating all or a subset of a plurality of processes represented in the invoking process execution tree.
  - 20. The method of claim 13, wherein the action comprises sending an alarm notification to a supervisory user.

21. A system, comprising:
- at least one computing device including at least one memory and at least one processor; and
  
  at least one monitoring service executed by the at least one processor of the at least one computing device, wherein when executed the at least one monitoring service causes the at least one computing device to at least;
  
  identify at least one portion of an imported software package that is not invoked by a service during a learning period, wherein during the learning period the monitoring service records one or more portions of the imported software package invoked during execution of the imported software package;
  
  block the at least one portion of the imported software package from being executed by the service after the learning period; and
  
  cause a re-initiation of the learning period for the imported software package.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21, wherein when executed the at least one monitoring service further causes the at least one computing device to at least:
    - after the learning period, determine that the service has attempted to invoke the at least one portion of the imported software package; and
      
      perform an action in response to determining that the service has attempted to invoke the at least one portion of the imported software package.
  - 23. The system of claim 21, wherein when executed the at least one monitoring service further causes the at least one computing device to at least reenter the learning period in response to determining a change in the imported software package or in a customer of the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sharifi Mehr, Nima
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US14/837,390
Time in Patent Office

1,062 Days
Field of Search

726 25- 27, 713140-142
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Detecting unknown software vulnerabilities and system compromises

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Detecting unknown software vulnerabilities and system compromises

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others