Transparent volume based intrusion detection
Abstract
A computing resource service provider may provide customers with a block-level forensics service. Logical volumes associated with a customer may be used to instantiate computing resources provided by the computing resource service provider for use by the customer. The block-level forensics service, or a component thereof, may monitor the logical volume based at least in part on a log generated as a result of the logical volume being implemented as a log-structured storage system. Operations recorded in the log may be collected by the block-level forensics service, and malicious activity may be detected based at least in part on those operations.
20 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
receiving an application programming interface request to monitor a logical volume attached to a virtual machine instance, the logical volume associated with a customer of a computing resource service provider, the computing resource service provider implementing the logical volume as a log-structured storage system on hardware provided by the computing resource service provider;
obtaining access to a stream of log events of the logical volume in response to the application programming interface request, the stream of log events indicating input/output operations of the logical volume; and
for at least a subset of log events included in the stream of log events:
detecting malicious activity on the logical volume based at least in part on the subset of log events; and
performing an operation to mitigate the malicious activity.
Dependent claims: 2, 3, 4, 5.
6. A system, comprising:
one or more processors; and
memory that includes instructions that, as a result of execution by the one or more processors, cause the system to:
monitor a logical volume associated with a customer of a computing resource service provider by at least:
obtaining access to a log of operations to the logical volume, the log of operations generated as a result of the logical volume being implemented as log-structured storage;
detecting malicious activity based at least in part on a portion of the log of operations; and
mitigating the malicious activity.
Dependent claims: 7, 8, 9, 10, 11, 12, 13.
14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
receive a request to monitor a logical volume attached to a virtual machine, the logical volume used to instantiate the virtual machine utilizing computing resources of a computing resource service provider and the logical volume implemented as log-structured storage, where the computing resources are distributed across one or more service provider networks operated by the computing resource service provider;
obtain access to a set of operations performed on the logical volume;
detect malicious activity based at least in part on a portion of the set of operations; and
mitigate the malicious activity.
Dependent claims: 15, 16, 17, 18, 19, 20.
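A worked illustration of the monitoring loop that the abstract and independent claims 1, 6 and 14 describe, added here as an example; it is not code from the patent or its assignee. It models the volume's operation log as a list of constructed events, runs detection rules over the write events only (the "subset of log events" of claim 1), and returns the mitigation steps for each finding. The two rules (a write into the boot region; a burst of high-entropy overwrites across many distinct blocks), their thresholds, the event fields and the mitigation action names are all assumptions, since the page specifies none of them.

```python
import math
from collections import Counter
from dataclasses import dataclass
from random import Random
from typing import Iterable, List


@dataclass(frozen=True)
class LogEvent:
    """One entry of the volume's append-only operation log (constructed
    format; the page describes the log only as 'input/output operations')."""
    seq: int        # position in the log; also usable as a rollback point
    ts: float       # seconds since monitoring started
    op: str         # "write" or "read"
    lba: int        # first logical block address touched
    nblocks: int    # number of blocks
    data: bytes     # payload of a write, b"" for a read


@dataclass(frozen=True)
class Finding:
    rule: str
    seqs: List[int]  # log entries that triggered the rule


# Hypothetical detection parameters; the patent names no specific rules.
BOOT_REGION_END = 64       # blocks 0..63 are taken to hold boot code / partition tables
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted or compressed data sits near 8
BURST_WINDOW_S = 2.0       # seconds
BURST_MIN_BLOCKS = 8       # distinct blocks overwritten inside the window


def entropy(data: bytes) -> float:
    """Shannon entropy of a write payload, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events: Iterable[LogEvent]) -> List[Finding]:
    """Run the rules over a stream of log events; reads are skipped, so the
    caller may equally pass only the write events."""
    findings: List[Finding] = []
    window: List[LogEvent] = []   # recent high-entropy writes
    for ev in events:
        if ev.op != "write":
            continue
        # Rule 1 (assumed): a running guest has no business rewriting the boot region.
        if ev.lba < BOOT_REGION_END:
            findings.append(Finding("boot_region_overwrite", [ev.seq]))
        # Rule 2 (assumed): many distinct blocks rewritten with random-looking
        # data inside a short window, the bulk-encryption shape of ransomware.
        if entropy(ev.data) >= ENTROPY_THRESHOLD:
            window.append(ev)
            window = [w for w in window if ev.ts - w.ts <= BURST_WINDOW_S]
            if len({w.lba for w in window}) >= BURST_MIN_BLOCKS:
                findings.append(Finding("high_entropy_burst", [w.seq for w in window]))
                window = []
    return findings


def mitigate(finding: Finding) -> List[str]:
    """Mitigation steps for the provider's control plane (hypothetical action
    names). Because the store is log-structured, the pre-attack versions of the
    blocks are still in the log, so the volume can be rolled back to the entry
    just before the first malicious write."""
    rollback_seq = min(finding.seqs) - 1
    return [
        "snapshot_volume_for_forensics",
        "freeze_guest_writes",
        f"rollback_to_seq:{rollback_seq}",
        "notify_customer",
    ]


def sample_stream() -> List[LogEvent]:
    """Constructed log: benign text writes, one read, a zeroed boot sector,
    then ten random-looking block overwrites 100 ms apart."""
    rng = Random(1)
    events: List[LogEvent] = []
    seq, ts = 0, 0.0
    for lba in range(1000, 1010):                                   # seqs 0-9
        events.append(LogEvent(seq, ts, "write", lba, 1, b"app log line\n" * 32))
        seq, ts = seq + 1, ts + 0.5
    events.append(LogEvent(seq, ts, "read", 1000, 4, b""))          # seq 10
    seq += 1
    events.append(LogEvent(seq, ts, "write", 0, 1, bytes(512)))     # seq 11
    seq, ts = seq + 1, ts + 0.1
    for lba in range(2000, 2010):                                   # seqs 12-21
        payload = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(LogEvent(seq, ts, "write", lba, 1, payload))
        seq, ts = seq + 1, ts + 0.1
    return events


if __name__ == "__main__":
    for f in detect(sample_stream()):
        print(f.rule, f.seqs, "->", mitigate(f))
```

Two points of the design follow from the log-structured layout the claims rely on. First, an overwrite appends a new version of a block instead of replacing the old one, which is what makes the rollback step cheap; it also means mitigation must run before the provider's garbage collector reclaims the superseded versions. Second, the monitor reads the provider-side log rather than anything inside the guest, so it is transparent to, and out of reach of, malware running on the instance, which is the property the title refers to.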