Transparent volume based intrusion detection

US 10,079,842 B1
Filed: 03/30/2016
Issued: 09/18/2018
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems configured with executable instructions,receiving an application programming interface request to monitor a logical volume attached to a virtual machine instance, the logical volume associated with a customer of a computing resource service provider, the computing resource service provider implementing the logical volume as a log-structured storage system on hardware provided by the computing resource service provider;

obtaining access to a stream of log events of the logical volume in response to the application programming interface request, the stream of log events indicating input/output operations of the logical volume; and

for at least a subset of log events included in the stream of log events;

detecting malicious activity on the logical volume based at least in part on the subset of log events; and

performing an operation to mitigate the malicious activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing resource service provider may provide customers with a block-level forensics service. Logical volumes associated a customer may be used to instantiate computing resources provided by a computing resource service provide for use by the customer. The block-level forensics service or component thereof may monitor the logical volume based at least in part on a log generated as a result of the logical volume being implemented as a log-structured storage system. Operations to the log may be collected by the block-level forensics service and malicious activity may be detected based at least in part on operations to the log.

Citations

20 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving an application programming interface request to monitor a logical volume attached to a virtual machine instance, the logical volume associated with a customer of a computing resource service provider, the computing resource service provider implementing the logical volume as a log-structured storage system on hardware provided by the computing resource service provider;
  
  obtaining access to a stream of log events of the logical volume in response to the application programming interface request, the stream of log events indicating input/output operations of the logical volume; and
  
  for at least a subset of log events included in the stream of log events;
  
  detecting malicious activity on the logical volume based at least in part on the subset of log events; and
  
  performing an operation to mitigate the malicious activity.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein detecting malicious activity on the logical volume further comprises determining if a particular log event of the subset of log events violates a rule set associated with the logical volume.
  - 3. The computer-implemented method of claim 1, wherein detecting malicious activity on the logical volume further comprises detecting data written to the logical volume violates a rule set associated with the logical volume.
  - 4. The computer-implemented method of claim 1, wherein the malicious activity further comprises writing to a location on the logical volume associated with an operating systems of the virtual machine instance.
  - 5. The computer-implemented method of claim 1, wherein performing the operation to mitigate the malicious activity further comprises transmitting a notification of the malicious activity to an administrator associated with the customer.

6. A system, comprising:
- one or more processors; and
  
  memory that includes instructions that, as a result of execution by the one or more processors, cause the system to;
  
  monitor a logical volume associated with a customer of a computing resource service provider by at least;
  
  obtaining access to a log of operations to the logical volume, the log of operations generated as a result of the logical volume being implemented as log-structure storage;
  
  detecting malicious activity based at least in part on a portion of the log of operations; and
  
  mitigating the malicious activity.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The system of claim 6, wherein the memory further comprises instructions that, as a result of execution by the one or more processors, cause the system to perform analysis of the logical volume prior to monitoring the logical volume.
  - 8. The system of claim 6, wherein monitoring the logical volume further comprises correlating the malicious activity with additional threat information obtained from at least one other system.
  - 9. The system of claim 8, wherein additional threat information further comprises network telemetry information obtained from an intrusion detection system.
  - 10. The system of claim 8, wherein additional threat information further comprises a signature of a malware application.
  - 11. The system of claim 10, wherein monitoring the logical volume further comprises:
    - determining a set of sequential operations based at least in part on a portion of the log of operations; and
      
      detecting malicious activity based at least in part on the set of sequential operations.
  - 12. The system of claim 6, wherein the logical volume is implemented as log-structured storage.
  - 13. The system of claim 12, wherein monitoring the logical volume is performed prior to execution of an operation on the logical volume;
    - andwherein mitigating the malicious activity further comprises preventing the operation from being committed to the logical volume.

14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- receive a request to monitor a logical volume attached to a virtual machine, the logical volume used to instantiate the virtual machine utilizing computing resources of a computing resource service provider and the logical volume implemented as log-structured storage, where the computing resources are distributed across one or more service provider networks operated by the computing resource service provider;
  
  obtain access to a set of operations performed on the logical volume;
  
  detect malicious activity based at least in part on a portion of the set of operations; and
  
  mitigate the malicious activity.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to obtain access to the set of operations further include instructions that cause the computer system to obtain a set of entries appended to a log corresponding to the logical volume.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to detect malicious activity further include instructions that cause the computer system to determine that a particular operation of the set of operations is associated with malicious activity based at least in part on a set of rule defining malicious activity associated with the logical volume.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - obtain additional threat information from at least one other computer system; and
      
      wherein detecting malicious activity further comprises detecting malicious activity based at least in part on the portion of the set of operations and the additional threat information.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to update a set of rules used to detect malicious activity based at least in part on the additional threat information.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - monitor the set of operations for an interval of time to generate monitoring information; and
      
      generate a set of rules for detecting malicious activity based at least in part on the monitoring information.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to correlate the malicious activity with additional threat information obtained from at least one other computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Fitzgerald, Robert Eric, Lucas, Alexander Robin Gordon
Primary Examiner(s)
McNally, Michael S

Application Number

US15/085,708
Time in Patent Office

902 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/80   in storage media based on m...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Transparent volume based intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent volume based intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links