Correlating threat information across multiple levels of distributed computing systems
First Claim
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions, prompting a customer for access to a first set of logs generated by a first set of computing resources operated by the customer and provided to the customer by a computing resource service provider, where the first set of logs are generated by a first set of applications executing at an operating system level and above;
obtaining a second set of logs generated by a second set of computing resources operated by the computing resource service provider, where the second set of logs are generated by a second set of applications executing at a hypervisor level and below;
generating correlated threat information by at least correlating at least a first portion of the first set of logs and at least a second portion of the second set of logs using a clustering algorithm; and
providing the correlated threat information to the customer.
Abstract
Customers of a computing resource service provider may operate one or more computing resource provided by the computing resource service provider. In addition, the customers may implement security applications and/or devices using the one or more computing resources provided by the computing resource service provider. Operational information from customer operated computing resources may be correlated with operational information from computing resources operated by the computing resource service provider or other entities and correlated threat information may be generated. Anomalous activity may be detected based at least in part on the correlated threat information.
103 Citations
20 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions, prompting a customer for access to a first set of logs generated by a first set of computing resources operated by the customer and provided to the customer by a computing resource service provider, where the first set of logs are generated by a first set of applications executing at an operating system level and above;
obtaining a second set of logs generated by a second set of computing resources operated by the computing resource service provider, where the second set of logs are generated by a second set of applications executing at a hypervisor level and below;
generating correlated threat information by at least correlating at least a first portion of the first set of logs and at least a second portion of the second set of logs using a clustering algorithm; and
providing the correlated threat information to the customer.
(Dependent claims: 2, 3, 4)

5. A system, comprising:
one or more processors; and
memory that includes instructions that, as a result of execution by the one or more processors, cause the system to:
obtain first operational information from a first set of computing resources associated with a customer;
generate threat information by at least:
obtaining one or more events included in the operational information; and
correlating the one or more events with second operational information from a second set of computing resources of a computing resource service provider, the second operational information generated by a set of applications executing at a hypervisor level and below; and
provide the threat information to at least one other system.
(Dependent claims: 6, 7, 8, 9, 10, 11, 12)

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
obtain a first set of operational information from computing resources operated by a customer, the computing resources provided by a computing resource service provider and connected by a network operated by the computing resource service provider;
obtain a second set of operational information from computing resources operated by the computing resource service provider, the second set of operational information generated by a set of applications executing at or below a hypervisor level;
correlate the first set of operational information and the second set of operational information; and
detect anomalous activity based at least in part on a result of correlating the first set of operational information and the second set of operational information.
(Dependent claims: 14, 15, 16, 17, 18, 19, 20)
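As an added illustration (not code from the patent or its assignee), the following Python model follows the claimed flow: the customer's OS-level logs and the provider's hypervisor-level logs are joined on instance and minute, and a minimal 2-means clustering separates unusual windows from normal ones so they can be reported as anomalous activity. The log formats, instance ids and the `out_conns` metric are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample logs (hypothetical format): guest logs are what the customer
# sees inside its instances; hypervisor logs are host-side telemetry only the provider sees.
GUEST_LOGS = """\
2024-01-01T10:00:05 i-aaa sshd auth_failure user=root
2024-01-01T10:00:09 i-aaa sshd auth_failure user=admin
2024-01-01T10:00:40 i-bbb sshd auth_success user=deploy
2024-01-01T10:01:02 i-aaa sshd auth_failure user=root
"""
HYPERVISOR_LOGS = """\
2024-01-01T10:00:00 i-aaa vnet out_conns=180
2024-01-01T10:00:00 i-bbb vnet out_conns=4
2024-01-01T10:00:00 i-ccc vnet out_conns=3
2024-01-01T10:01:00 i-aaa vnet out_conns=220
2024-01-01T10:01:00 i-bbb vnet out_conns=5
"""

def join_features(guest, hyper):
    # Correlation key is (instance, minute); ts[:16] truncates the timestamp to the minute.
    feats = defaultdict(lambda: [0, 0])  # [auth_failures, out_conns]
    for line in guest.splitlines():
        ts, inst, *rest = line.split()
        if "auth_failure" in rest:
            feats[(inst, ts[:16])][0] += 1
    for line in hyper.splitlines():
        ts, inst, _, kv = line.split()
        feats[(inst, ts[:16])][1] = int(kv.split("=")[1])
    return dict(feats)

def sqdist(p, c):
    return (p[0] - c[0]) ** 2 + (p[1] - c[1]) ** 2

def nearest(p, cents):
    return min(range(len(cents)), key=lambda i: sqdist(p, cents[i]))

def kmeans2(points, iters=10):
    # Minimal 2-means, seeded with the smallest- and largest-norm points.
    by_norm = sorted(points, key=lambda p: sqdist(p, (0, 0)))
    cents = [by_norm[0], by_norm[-1]]
    for _ in range(iters):
        groups = [[p for p in points if nearest(p, cents) == i] for i in (0, 1)]
        cents = [tuple(sum(x) / len(g) for x in zip(*g)) if g else c
                 for g, c in zip(groups, cents)]
    return cents

def anomalous_windows(guest=GUEST_LOGS, hyper=HYPERVISOR_LOGS):
    # Windows that fall in the smaller cluster are reported as anomalous activity.
    feats = join_features(guest, hyper)
    points = [tuple(v) for v in feats.values()]
    cents = kmeans2(points)
    assign = [nearest(p, cents) for p in points]
    small = min((0, 1), key=assign.count)
    return sorted(k for k, a in zip(feats, assign) if a == small)
```

With the constructed data, only instance `i-aaa` combines guest login failures with an outbound-connection count the hypervisor sees, so its two minute windows end up in the small cluster.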
Specification