Biology based techniques for handling information security and privacy

US 10,110,626 B2
Filed: 04/26/2016
Issued: 10/23/2018
Est. Priority Date: 04/26/2016
Status: Active Grant

First Claim

Patent Images

1. A method, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions which are executed by the at least one processor to configure the data processing system to implement a local segment analysis and security (LSAS) engine that operates to:

collect, from one or more agents associated with computing resources in a first segment of a computing environment, status metrics indicating a current operational status of the computing resources within the first segment;

analyze the status metrics to determine whether the first segment is the target of a first attack on one or more computing resources of the first segment;

receive, from one or more other LSAS engines associated with one or more second segments of the computing environment, at least one message indicating a status of the one or more second segments with regard to the one or more second segments being a target of a second attack;

determine a security response action to implement based on the received at least one message and results of the analysis; and

automatically transmit a control message to at least one data traffic routing device of the first segment to implement the determined security response action to control a flow of data traffic to or from the first segment, wherein;

the determined security response action is at least one of a segmentation security response action, a dilution security response action, or a scaffolding security response action,determining the security response action to implement based on the received at least one message and results of the analysis com rises performing a trend analysis on the status metrics for the first segment and applying results of the trend analysis to a plurality of rules associated with corresponding security response action indicators, and automatically selecting a security response action based on a rule in the plurality of rules whose criteria are met by the results of the trend analysis and other characteristics of at least one of the first attack or second attack,the plurality of rules represents increasing levels of security response actions as the status metrics and characteristics of at least one of the first attack or second attack indicate an increasing threat from the first attack or second attack, andat least one of the rules is associated with a security response action indicator that indicates performing at least two of the security response actions, wherein the computing environment is a cloud computing environment, and wherein the first segment is a segment of the cloud computing environment corresponding to a network or geographical topology based portion of the cloud computing environment, and wherein each of the one or more second segments are different segments of the cloud computing environment corresponding to different network or geographical topology based portions of the cloud computing environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A local segment analysis and security (LSAS) engine method, computer program product, and apparatus are provided. The LSAS engine collects status metrics indicating a current operational status of the computing resources within a first segment of a computing environment, analyzes the status metrics to determine whether the first segment is the target of a first attack, and receives, from another LSAS engine of a second segment of the computing environment, a message indicating a status of the second segment with regard to the second segment being a target of a second attack. The LSAS engine determines a security response action to implement based on the received message and results of the analysis and transmits a control message to a computing resource of the first segment to implement the determined security response action. The security response action is at least one of a segmentation, dilution, or scaffolding security response action.

Citations

19 Claims

1. A method, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions which are executed by the at least one processor to configure the data processing system to implement a local segment analysis and security (LSAS) engine that operates to:
- collect, from one or more agents associated with computing resources in a first segment of a computing environment, status metrics indicating a current operational status of the computing resources within the first segment;
  
  analyze the status metrics to determine whether the first segment is the target of a first attack on one or more computing resources of the first segment;
  
  receive, from one or more other LSAS engines associated with one or more second segments of the computing environment, at least one message indicating a status of the one or more second segments with regard to the one or more second segments being a target of a second attack;
  
  determine a security response action to implement based on the received at least one message and results of the analysis; and
  
  automatically transmit a control message to at least one data traffic routing device of the first segment to implement the determined security response action to control a flow of data traffic to or from the first segment, wherein;
  
  the determined security response action is at least one of a segmentation security response action, a dilution security response action, or a scaffolding security response action,determining the security response action to implement based on the received at least one message and results of the analysis com rises performing a trend analysis on the status metrics for the first segment and applying results of the trend analysis to a plurality of rules associated with corresponding security response action indicators, and automatically selecting a security response action based on a rule in the plurality of rules whose criteria are met by the results of the trend analysis and other characteristics of at least one of the first attack or second attack,the plurality of rules represents increasing levels of security response actions as the status metrics and characteristics of at least one of the first attack or second attack indicate an increasing threat from the first attack or second attack, andat least one of the rules is associated with a security response action indicator that indicates performing at least two of the security response actions, wherein the computing environment is a cloud computing environment, and wherein the first segment is a segment of the cloud computing environment corresponding to a network or geographical topology based portion of the cloud computing environment, and wherein each of the one or more second segments are different segments of the cloud computing environment corresponding to different network or geographical topology based portions of the cloud computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the determined security response action comprises a segmentation security response action that comprises throttling a bandwidth associated with at least one of an inter-segment communication channel or an intra-segment communication channel based on results of the analysis.
  - 3. The method of claim 2, wherein an amount of throttling of the bandwidth is determined based on the characteristics of the first attack or second attack, and wherein the characteristics comprise a type of at least one of the first attack or second attack, a source of at least one of the first attack or the second attack, and a determined severity of at least one of the first attack or second attack.
  - 4. The method of claim 1, wherein the determined security response action comprises a segmentation security response action that comprises reducing an amount of bandwidth available to at least one intra-segment communication channel associated with the first segment in response to the results of the analysis indicating that the first segment is the target of the first attack.
  - 5. The method of claim 1, wherein the determined security response action comprises a segmentation security response action that comprises reducing an amount of bandwidth available to at least one inter-segment communication channel associated with the first segment and a selected second segment in the one or more second segments, in response to the results of the analysis indicating that the selected second segment is the target of the second attack.
  - 6. The method of claim 1, wherein the determined security response action comprises a dilution security response action that comprises injecting innocuous messages into at least one of an inter-segment communication channel or an intra-segment communication channel associated with at least one of the first attack or second attack identified by the results of the analysis.
  - 7. The method of claim 1, wherein the determined security response action comprises a dilution security response action that comprises performing a sandboxing operation to redirect messages determined to be associated with the first attack to a virtual sandbox processing environment.
  - 8. The method of claim 1, wherein the determined security response action comprises a dilution security response action that comprises performing a honeypot operation to redirect messages determined to be associated with the first attack to a virtual honeypot data structure comprising a pseudo-data data structure.
  - 9. The method of claim 1, wherein the determined security response action comprises a scaffolding security response action that comprises sending one or more control messages, along an alternative communication channel, to at least one computing resource that is a target of the first attack to regain control of the at least one computing resource.

10. A computer program product comprising a non-transitory computer readable medium having a computer readable program stored therein, wherein the computer readable program, when executed on a computing device, causes the computing device to implement a local segment analysis and security (LSAS) engine that operates to:
- collect, from one or more agents associated with computing resources in a first segment of a computing environment, status metrics indicating a current operational status of the computing resources within the first segment;
  
  analyze the status metrics to determine whether the first segment is the target of a first attack on one or more computing resources of the first segment;
  
  receive, from one or more other LSAS engines associated with one or more second segments of the computing environment, at least one message indicating a status of the one or more second segments with regard to the one or more second segments being a target of a second attack;
  
  determine a security response action to implement based on the received at least one message and results of the analysis; and
  
  automatically transmit a control message to at least one data traffic routing device of the first segment to implement the determined security response action to control a flow of data traffic to or from the first segment, wherein;
  
  the determined security response action is at least one of a segmentation security response action, a dilution security response action, or a scaffolding security response action,determining the security response action to implement based on the received at least one message and results of analysis comprises performing a trend analysis on the status metrics for the first segment and applying results of the trend analysis to a plurality of rules associated with corresponding security response action indicators, and automatically selecting a security response action based on a rule in the plurality of rules whose criteria are met by the results of the trend analysis and other characteristics of at least one of the first attack or second attack,the plurality of rules represents increasing levels of security response actions as the status metrics and characteristics of at least one of the first attack or second attack indicate an increasing threat from the first attack or second attack, andat least one of the rules is associated with a security response action indicator that indicates performing at least two of the security response actions, wherein the computing environment is a cloud computing environment, and wherein the first segment is a segment of the cloud computing environment corresponding to a network or geographical topology based portion of the cloud computing environment, and wherein each of the one or more second segments are different segments of the cloud computing environment corresponding to different network or geographical topology based portions of the cloud computing environment.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, wherein the determined security response action comprises a segmentation security response action that comprises throttling a bandwidth associated with at least one of an inter-segment communication channel or an intra-segment communication channel based on results of the analysis.
  - 12. The computer program product of claim 11, wherein an amount of throttling of the bandwidth is determined based on the characteristics of the first attack or second attack, and wherein the characteristics comprise a type of at least one of the first attack or second attack, a source of at least one of the first attack or the second attack, and a determined severity of at least one of the first attack or second attack.
  - 13. The computer program product of claim 10, wherein the determined security response action comprises a segmentation security response action that comprises reducing an amount of bandwidth available to at least one intra-segment communication channel associated with the first segment in response to the results of the analysis indicating that the first segment is the target of the first attack.
  - 14. The computer program product of claim 10, wherein the determined security response action comprises a segmentation security response action that comprises reducing an amount of bandwidth available to at least one inter-segment communication channel associated with the first segment and a selected second segment in the one or more second segments, in response to the results of the analysis indicating that the selected second segment is the target of the second attack.
  - 15. The computer program product of claim 10, wherein the determined security response action comprises a dilution security response action that comprises injecting innocuous messages into at least one of an inter-segment communication channel or an intra-segment communication channel associated with at least one of the first attack or second attack identified by the results of the analysis.
  - 16. The computer program product of claim 10, wherein the determined security response action comprises a dilution security response action that comprises performing a sandboxing operation to redirect messages determined to be associated with the first attack to a virtual sandbox processing environment.
  - 17. The computer program product of claim 10, wherein the determined security response action comprises a dilution security response action that comprises performing a honeypot operation to redirect messages determined to be associated with the first attack to a virtual honeypot data structure comprising a pseudo-data data structure.
  - 18. The computer program product of claim 10, wherein the determined security response action comprises a scaffolding security response action that comprises sending one or more control messages, along an alternative communication channel, to at least one computing resource that is a target of the first attack to regain control of the at least one computing resource.

19. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to implement a local segment analysis and security (LSAS) engine that operates to;
  
  collect, from one or more agents associated with computing resources in a first segment of a computing environment, status metrics indicating a current operational status of the computing resources within the first segment;
  
  analyze the status metrics to determine whether the first segment is the target of a first attack on one or more computing resources of the first segment;
  
  receive, from one or more other LSAS engines associated with one or more second segments of the computing environment, at least one message indicating a status of the one or more second segments with regard to the one or more second segments being a target of a second attack;
  
  determine a security response action to implement based on the received at least one message and results of the analysis; and
  
  automatically transmit a control message to at least one data traffic routing device of the first segment to implement the determined security response action to control a flow of data traffic to or from the first segment, wherein;
  
  the determined security response action is at least one of a segmentation security response action, a dilution security response action, or a scaffolding security response action,determining the security response action to implement based on the received at least one message and results of the analysis comprises performing a trend analysis on the status metrics for the first segment and applying results of the trend analysis to a plurality of rules associated with corresponding security response action indicators, and automatically selecting a security response action based on a rule in the plurality of rules whose criteria are met by the results of the trend analysis and other characteristics of at least one of the first attack or second attack,the plurality of rules represents increasing levels of security response actions as the status metrics and characteristics of at least one of the first attack or second attack indicate an increasing threat from the first attack or second attack, andat least one of the rules is associated with a security response action indicator that indicates performing at least two of the security response actions wherein the computing environment is a cloud computing environment, and wherein the first segment is a segment of the cloud computing environment corresponding to a network or geographical topology based portion of the cloud computing environment, and wherein each of the one or more second segments are different segments of the cloud computing environment corresponding to different network or geographical topology based portions of the cloud computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chantz, Hyman D.
Primary Examiner(s)
Rashid, Harunur

Application Number

US15/138,564
Publication Number

US 20170310702A1
Time in Patent Office

910 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Biology based techniques for handling information security and privacy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Biology based techniques for handling information security and privacy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links