Method and system for protecting cloud-based applications executed in a cloud computing platform

US 10,091,169 B2
Filed: 12/14/2015
Issued: 10/02/2018
Est. Priority Date: 11/11/2013
Status: Active Grant

First Claim

Patent Images

1. A method for protecting cloud-based applications executed in a cloud computing platform, comprising:

intercepting, by at least one proxy device, traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application, wherein the at least one proxy device is connected between the plurality of client devices and the cloud computing platform;

extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application;

determining, based on the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application, wherein the risk factors define at least security measures implemented by the provider and the cloud-based application; and

performing a mitigation action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator, wherein the mitigation action includes at least regulating the access to the cloud-based application, and wherein the risk indicator is further determined using a profiling engine characterizing, based on passive traffic recordings of the set of parameters, user characteristics of each user, wherein the user characteristics include at least one of;

user usage patterns, roles, locations, distribution of user activities over time, and daily user routines.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for protecting cloud-based applications executed in a cloud computing platform are presented. The method includes intercepting traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application; extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application; determining based on, the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application; and performing an action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator.

65 Citations

View as Search Results

36 Claims

1. A method for protecting cloud-based applications executed in a cloud computing platform, comprising:
- intercepting, by at least one proxy device, traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application, wherein the at least one proxy device is connected between the plurality of client devices and the cloud computing platform;
  
  extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application;
  
  determining, based on the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application, wherein the risk factors define at least security measures implemented by the provider and the cloud-based application; and
  
  performing a mitigation action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator, wherein the mitigation action includes at least regulating the access to the cloud-based application, and wherein the risk indicator is further determined using a profiling engine characterizing, based on passive traffic recordings of the set of parameters, user characteristics of each user, wherein the user characteristics include at least one of;
  
  user usage patterns, roles, locations, distribution of user activities over time, and daily user routines.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, further comprising:
    - auditing activities of users accessing the cloud-based application.
  - 3. The method of claim 1, wherein the cloud computing platform is a software as a service (SaaS) platform.
  - 4. The method of claim 1 wherein the at least one parameter includes at least one of:
    - a type of the client device, a location of the client device, an identity of the user device, an action taken by the user, a response by the cloud-based application, a time of a requested action, and bandwidth consumed by the client device.
  - 5. The method of claim 1, wherein extracting at least one parameter from the intercepted traffic further comprises:
    - identifying any client device used by the user to access the cloud-based application;
      
      storing at least one device unique parameter associated with each identified client device; and
      
      tracking, using the at least one device unique parameter, the user attempting to access the cloud-based application across multiple sessions.
  - 6. The method of claim 5, wherein the at least one device unique parameter associated with each identified client device comprises any one of:
    - an International Mobile Equipment Identity (IMEI), a phone number, a media access control (MAC) address, an Internet Protocol (IP) address.
  - 7. The method of claim 1, wherein the risk indicator is further determined using at least one of:
    - an anomaly engine and a cloud service index, wherein the cloud service index provides the set of parameters combining the cloud-based application risk factors for the provider of the cloud computing platform, wherein each of the security measures defined by the risk factors includes any one of;
      
      an authentication protocol, an encryption type, a security certification, and a security control.
  - 8. The method of claim 7, further comprising:
    - detecting, by the anomaly engine, at least one specific anomalous operation performed by each user, a series of anomalous operations by each user, and a pattern of anomalous operations performed by each user.
  - 9. The method of claim 8, wherein the detection is based in part on information provided by the profiling engine.
  - 10. The method of claim 7, wherein the anomaly engine is any one of:
    - a distance-based anomaly engine and a statistical-based anomaly engine.
  - 11. The method of claim 7, wherein the set of parameters provided by the cloud service index includes at least one of:
    - a security policy of the cloud-computing platform, a list of history of vulnerabilities of the cloud-computing platform, and attacks performed against the cloud-computing platform.
  - 12. The method of claim 1, wherein determining the risk indicator further comprises:
    - measuring a risk level for each risk vector of a plurality of risk vectors; and
      
      computing the risk indicator as a weighted function of the measured risk levels.
  - 13. The method of claim 12, wherein each risk vector of the plurality of risk vectors includes any one of:
    - a data risk vector related to data maintained or accessed by the cloud-based application;
      
      a user risk vector related to a type of users or devices that can access the cloud-based application, a service risk vector related to services provided by a provider of the cloud-computing platform, and a business risk vector related to a control provided to the user of the cloud-computing platform.
  - 14. The method of claim 1, wherein regulating the access to the cloud-based application further comprises at least one of:
    - generating an alert indicating on an unauthorized access;
      
      blocking an access to the cloud-based application;
      
      encrypting traffic to and from the cloud computing platform;
      
      suspending a user from accessing the cloud-based application, eliminating permissions granted to a user; and
      
      restricting access to some functions of the cloud-based application.
  - 15. The method of claim 1, further comprising:
    - capturing responses sent by the cloud-based application; and
      
      processing the captured responses to enable processing of subsequent requests by the at least one proxy device.
  - 16. The method of claim 1, wherein each of the plurality of client devices is any one of:
    - a managed device and an unmanaged device.
  - 17. The method of claim 1, further comprising:
    - preventing a user from retrieving files from the cloud computing platform by enabling integration with cloud-based storage systems.

18. A non-transitory computer readable medium having stored thereon instructions for causing one or more processors to perform a process for protecting cloud-based applications executed in a cloud computing platform, the process comprising:
- intercepting, by at least one proxy device, traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application, wherein the at least one proxy device is connected between the plurality of client devices and the cloud computing platform;
  
  extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application;
  
  determining, based on the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application, wherein the risk factors define at least security measures implemented by the provider and the cloud-based application; and
  
  performing a mitigation action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator, wherein the mitigation action includes at least regulating the access to the cloud-based application, and wherein the risk indicator is further determined using a profiling engine characterizing, based on passive traffic recordings of the set of parameters, user characteristics of each user, wherein the user characteristics include at least one of;
  
  user usage patterns, roles, locations, distribution of user activities over time, and daily user routines.

19. A system for protecting cloud-based applications executed in a cloud computing platform, comprising:
- a processor; and
  
  a memory, the memory containing instructions that, when executed by the processor, configure the system to;
  
  intercept traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application, wherein the system is connected between the plurality of client devices and the cloud computing platform;
  
  extract at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application;
  
  determine, based on the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application, wherein the risk factors define at least security measures implemented by the provider and the cloud-based application; and
  
  perform a mitigation action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator, wherein the mitigation action includes at least regulating the access to the cloud-based application, and wherein the risk indicator is further determined using a profiling engine configured to characterize, based on passive traffic recordings of the set of parameters, user characteristics of each user, wherein the user characteristics include at least one of;
  
  user usage patterns, roles, locations, distribution of user activities over time, and daily user routines.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The system of claim 19, the system is further configured to:
    - audit activities of users accessing the cloud-based application.
  - 21. The system of claim 19, wherein the cloud computing platform is a software as a service (SaaS) platform.
  - 22. The system of claim 19, wherein the at least one parameter includes at least one of:
    - a type of the client device, a location of the client device, an identity of the user device, an action taken by the user, a response by the cloud-based application, a time of a requested action, and bandwidth consumed by the client device.
  - 23. The system of claim 19, the system is further configured to:
    - identify any client device used by the user to access the cloud-based application;
      
      store at least one device unique parameter associated with each identified client device; and
      
      track, using the at least one device unique parameter, the user attempting to access the cloud-based application across multiple sessions.
  - 24. The system of claim 23, wherein the at least one device unique parameter associated with each identified client device comprises any one of:
    - an International Mobile Equipment Identity (IMEI), a phone number, a media access control (MAC) address, an Internet Protocol (IP) address.
  - 25. The system of claim 19, wherein the system is further configured to determine the risk indicator using at least one of:
    - a profiling cnginc, an anomaly engine, and a cloud service index, wherein the cloud service index provides the set of parameters combining the cloud-based application risk factors for the provider of the cloud computing platform, wherein each of the security measures defined by the risk factors includes any one of;
      
      an authentication protocol, an encryption type, a security certification, and a security control.
  - 26. The system of claim 25, the system is further configured to:
    - detect, by the anomaly engine, at least one specific anomalous operation performed by each user, a series of anomalous operations by each user, and a pattern of anomalous operations performed by each user.
  - 27. The system of claim 26, wherein the detection is based in part on information provided by the profiling engine.
  - 28. The system of claim 25, wherein the anomaly engine is any one of:
    - a distance-based anomaly engine and a statistical-based anomaly engine.
  - 29. The system of claim 25, wherein the set of parameters provided by the cloud service index includes at least one of:
    - a security policy of the cloud-computing platform, a list of history of vulnerabilities of the cloud-computing platform, and attacks performed against the cloud-computing platform.
  - 30. The system of claim 19, the system is further configured to:
    - measure a risk level for each risk vector of a plurality of risk vectors; and
      
      compute the risk indicator as a weighted function of the measured risk levels.
  - 31. The system of claim 30, wherein each risk vector of the plurality of risk vectors includes any one of:
    - a data risk vector related to data maintained or accessed by the cloud-based application;
      
      a user risk vector related to a type of users or devices that can access the cloud-based application, a service risk vector related to services provided by a provider of the cloud-computing platform, and a business risk vector related to a control provided to the user of the cloud-computing platform.
  - 32. The system of claim 22, wherein regulating the access to the cloud-based application further comprises at least one of:
    - generating an alert indicating on an unauthorized access;
      
      blocking an access to the cloud-based application;
      
      encrypting traffic to and from the cloud computing platform;
      
      suspending a user from accessing the cloud-based application, eliminating permissions granted to a user; and
      
      restricting access to some functions of the cloud-based application.
  - 33. The system of claim 19, wherein the system is realized as a proxy device.
  - 34. The system of claim 33, the system is further configured to:
    - capture responses sent by the cloud-based application; and
      
      process the captured responses to enable processing of subsequent requests.
  - 35. The system of claim 19, wherein each of the plurality of client devices is any one of:
    - a managed device and an unmanaged device.
  - 36. The system of claim 19, the system is further configured to:
    - prevent a user from retrieving files from the cloud computing platform by enabling integration with cloud-based storage systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Israel Research And Development (2002) Ltd (Microsoft Corporation)
Inventors
Cohen, Aviram, Moysi, Liran, Luttwak, Ami, Reznik, Roy, Vishnepolsky, Greg
Primary Examiner(s)
Turchen, James R

Application Number

US14/968,432
Publication Number

US 20160112375A1
Time in Patent Office

1,023 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9574   of access to content, e.g. ...

G06F 21/128   involving web programs, i.e...

G06F 21/554   involving event detection a...

G06F 8/51   Source to source

G06F 9/5072   Grid computing

G06Q 10/10   Office automation; Time man...

H04L 41/5032   Generating service level re...

H04L 41/5096   wherein the managed service...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/168   above the transport layer

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

H04L 67/51   Discovery or management the...

H04L 67/535   Tracking the activity of th...

H04L 67/565   Conversion or adaptation of...

Method and system for protecting cloud-based applications executed in a cloud computing platform

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Method and system for protecting cloud-based applications executed in a cloud computing platform

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others