Security threat based auto scaling

US 10,050,999 B1
Filed: 09/22/2015
Issued: 08/14/2018
Est. Priority Date: 09/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method for auto scaling computing resources in response to a cyber-attack in a service provider environment, the method comprising:

identifying computing resources in the service provider environment that are being subjected to the cyber-attack, and computing resources that are predicted to be attacked at a subsequent time based on a cyber-attack vector that characterizes the cyber-attack;

determining an expected amount of time before the computing resources in the service provider environment become compromised due to the cyber-attack;

selecting an auto scaling event to perform in the service provider environment using heuristic scaling rules in order to mitigate the cyber-attack, wherein an amount of time to perform the selected auto scaling event is less than the expected amount of time before the computing resources become compromised;

initiating performance of the auto scaling event in the service provider environment;

recalculating the expected amount of time before the computing resources become compromised based on the auto scaling event selected for performance in the service provider environment;

notifying an operator of the cyber-attack, along with a recalculated expected amount of time before the computing resources become compromised, and the auto scaling event selected to mitigate the cyber-attack;

detecting an expected amount of time for the cyber-attack to be completed in view of the auto scaling event performed in the service provider environment; and

determining to throttle or shut down the auto scaling event performed to mitigate the cyber-attack based on the expected amount of time for the cyber-attack to be completed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technology is described for auto scaling computing resources in response to a cyber-attack in a service provider environment. The computing resources in the service provider environment may be detected as being exposed to the cyber-attack. A security scaling action may be performed in the service provider environment that mitigates the cyber-attack. The security scaling action to be performed may be determined by a security threat mitigation service that operates in the service provider environment. A performance of the security scaling action in the service provider environment may be initiated.

Citations

19 Claims

1. A method for auto scaling computing resources in response to a cyber-attack in a service provider environment, the method comprising:
- identifying computing resources in the service provider environment that are being subjected to the cyber-attack, and computing resources that are predicted to be attacked at a subsequent time based on a cyber-attack vector that characterizes the cyber-attack;
  
  determining an expected amount of time before the computing resources in the service provider environment become compromised due to the cyber-attack;
  
  selecting an auto scaling event to perform in the service provider environment using heuristic scaling rules in order to mitigate the cyber-attack, wherein an amount of time to perform the selected auto scaling event is less than the expected amount of time before the computing resources become compromised;
  
  initiating performance of the auto scaling event in the service provider environment;
  
  recalculating the expected amount of time before the computing resources become compromised based on the auto scaling event selected for performance in the service provider environment;
  
  notifying an operator of the cyber-attack, along with a recalculated expected amount of time before the computing resources become compromised, and the auto scaling event selected to mitigate the cyber-attack;
  
  detecting an expected amount of time for the cyber-attack to be completed in view of the auto scaling event performed in the service provider environment; and
  
  determining to throttle or shut down the auto scaling event performed to mitigate the cyber-attack based on the expected amount of time for the cyber-attack to be completed.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the auto scaling event includes auto scaling out the computing resources in the service provider environment to cause the computing resources to not be compromised in the expected amount of time.
  - 3. The method of claim 1, wherein the auto scaling event includes auto scaling in the computing resources in order to reduce an attack surface in the service provider environment.
  - 4. The method of claim 1, wherein the auto scaling event is selected:
    - for performance at a given time to increase a dwell time of a cyber-attacker in the service provider environment in order to enable capture of a cyber-attacker;
      
      or to increase a cost for the cyber-attacker to continue inflicting the cyber-attack in the service provider environment.
  - 5. The method of claim 1, wherein the expected amount of time before the computing resources become compromised is determined based on at least one of:
    - a type of cyber-attack, a class of computing resource that is being subjected to the cyber-attack or a type of computing resource configuration in the service provider environment.
  - 6. The method of claim 1, further comprising:
    - using machine learning to improve a determination of the expected amount of time before the computing resources become compromised due to the cyber-attack.

7. A computer-implemented method, comprising:
- detecting computing resources in a service provider environment that are exposed to a cyber-attack;
  
  determining a security scaling action to perform in the service provider environment that mitigates the cyber-attack, wherein the security scaling action to be performed is determined using heuristic scaling rules by a security threat mitigation service that operates in the service provider environment;
  
  initiating performance of the security scaling action in the service provider environment;
  
  detecting an expected amount of time for the cyber-attack to be completed in view of the security scaling action performed in the service provider environment; and
  
  determining to shut down the security scaling action performed to mitigate the cyber-attack based on the expected amount of time for the cyber-attack to be completed.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7, wherein the performance of the security scaling action includes auto scaling out the computing resources in the service provider environment to mitigate the cyber-attack and decrease a dwell time of a cyber-attacker in the service provider environment, wherein an amount of time to perform the auto scaling is less than an expected amount of time before the computing resources become compromised due to the cyber-attack.
  - 9. The method of claim 7, wherein the performance of the security scaling action includes auto scaling out the computing resources in the service provider environment to mitigate the cyber-attack, wherein security patches used to resist the cyber-attack are applied to the computing resources being auto-scaled in the service provider environment.
  - 10. The method of claim 7, wherein the performance of the security scaling action includes auto scaling in the computing resources in order to reduce an attack surface in the service provider environment and create a choke point in the service provider environment that enables capture of the cyber-attacker.
  - 11. The method of claim 7, wherein the performance of the security scaling action includes:
    - auto scaling out or auto scaling in alternative computing resources to mitigate the cyber-attack based on an expected amount of time before the computing resources become compromised due to the cyber-attack, wherein the alternative computing resources are currently not under the cyber-attack;
      
      orauto scaling out alternative computing resources that are currently not exposed to the cyber-attack while permitting the computing resources that are being exposed to the cyber-attack to become compromised.
  - 12. The method of claim 7, wherein the performance of the security scaling action includes adding a security layer in the service provider environment to mitigate the cyber-attack, wherein the security layer includes a web application firewall (WAF) layer.
  - 13. The method of claim 7, wherein the performance of the security scaling action includes adding a reverse proxy in the service provider environment to prevent data transfer out of the service provider environment during the cyber-attack.
  - 14. The method of claim 7, further comprising calculating a period of time for sustaining the performance of the security scaling action using heuristic scaling rules based on a type of cyber-attack, an estimated computing resource capacity of the cyber-attacker and an estimated computing resource capacity of a customer'"'"'s environment in the service provider environment.
  - 15. The method of claim 7, further comprising notifying an operator of the cyber-attack substantially in parallel with initiating the performance of the security scaling action, wherein the operator is notified via a message queuing service that operates in the service provider environment.

16. A system for auto scaling computing resources in response to a cyber-attack in a service provider environment, the system comprising:
- a processor;
  
  a memory device including a data store to store a plurality of data and instructions that, when executed by the processor, cause the processor to;
  
  identify computing resources in the service provider environment that are being subjected to the cyber-attack and computing resources that are expected to be subjected to the cyber-attack, the computing resources including a class of computing resources;
  
  determine an expected amount of time before the class of computing resources in the service provider environment become compromised due to the cyber-attack, wherein the expected amount of time is determined based on a type of cyber-attack and the class of computing resources that are being subjected to the cyber-attack;
  
  select an auto scaling event to perform in the service provider environment in order to mitigate the cyber-attack, wherein an amount of time to perform the selected auto scaling event is less than the expected amount of time before the class of computing resources become compromised, wherein the expected amount of time is recalculated based on the auto scaling event selected for performance in the service provider environment;
  
  initiate performance of the auto scaling event in the service provider environment;
  
  detect an expected amount of time for the cyber-attack to be completed in view of the auto scaling event performed in the service provider environment; and
  
  determine to throttle or shut down the auto scaling event performed to mitigate the cyber-attack based on the expected amount of time for the cyber-attack to be completed.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the auto scaling event includes at least one of:
    - auto scaling out the class of computing resources in the service provider environment to cause the class of computing resources to not be compromised in the expected amount of time;
      
      auto scaling in the class of computing resources in order to reduce an attack surface in the service provider environment;
      
      auto scaling up computing resources in the service provider environment;
      
      orauto scaling down computing resources in the service provider environment.
  - 18. The system of claim 16, wherein the plurality of data and instructions, when executed by the processor, cause the processor to:
    - notify an operator of the cyber-attack substantially in parallel with initiating the performance of the auto scaling event, wherein the operator is notified via a message queuing service that operates in the service provider environment.
  - 19. The system of claim 16, wherein the auto scaling event is selected:
    - for performance at a given time to increase a dwell time of a cyber-attacker in the service provider environment in order to enable capture of the cyber-attacker;
      
      or to increase a cost for the cyber-attacker to continue inflicting the cyber-attack in the service provider environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Rossman, Hart Matthew
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Teng, Louis C

Application Number

US14/862,052
Time in Patent Office

1,057 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1458   Denial of Service

Security threat based auto scaling

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security threat based auto scaling

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links