Security policy generation for virtualization, bare-metal server, and cloud computing environments

US 10,264,025 B2
Filed: 07/01/2016
Issued: 04/16/2019
Est. Priority Date: 06/24/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for security in virtualization, bare- metal server, and cloud computing environments comprising:

receiving network traffic associated with a primary workload, the primary workload including a behavior and a relationship of a particular workload with a secondary workload;

generating first metadata using the network traffic;

determining a primary categorization associated with the primary workload, using the first metadata;

confirming the primary categorization is reliable;

determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload;

ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable;

producing a model using the primary categorization and the secondary categorization, the model including a behavior and a relationship associated with the primary workload;

checking the model for sustained convergence; and

generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or a service with which the primary workload can communicate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for security in virtualization, bare-metal server, and cloud computing environments are provided herein. Exemplary methods include: receiving network traffic associated with a primary workload; generating first metadata using the network traffic; determining a primary categorization associated with the primary workload, using the first metadata; confirming the primary categorization is reliable; determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload; ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable; producing a model using the primary categorization and the secondary categorization; checking the model for sustained convergence; and generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or service with which the primary workload can communicate.

Citations

20 Claims

1. A computer-implemented method for security in virtualization, bare- metal server, and cloud computing environments comprising:
- receiving network traffic associated with a primary workload, the primary workload including a behavior and a relationship of a particular workload with a secondary workload;
  
  generating first metadata using the network traffic;
  
  determining a primary categorization associated with the primary workload, using the first metadata;
  
  confirming the primary categorization is reliable;
  
  determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload;
  
  ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable;
  
  producing a model using the primary categorization and the secondary categorization, the model including a behavior and a relationship associated with the primary workload;
  
  checking the model for sustained convergence; and
  
  generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or a service with which the primary workload can communicate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the network traffic comprises data communications between the primary workload and the secondary workload.
  - 3. The computer-implemented method of claim 2, wherein:
    - the primary, secondary, and tertiary categorizations are each associated with a respective application or service; and
      
      the application or service is at least one of;
      
      a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, other media server, file server, service-oriented architecture (SOA) and/or microservices process, and object-based storage.
  - 4. The computer-implemented method of claim 3 further comprising:
    - receiving tertiary metadata associated with the primary workload;
      
      determining a tertiary categorization using the tertiary metadata; and
      
      checking the primary categorization matches the tertiary categorization.
  - 5. The computer-implemented method of claim 4, wherein:
    - the primary workload is a container;
      
      the tertiary metadata is received using an application programming interface (API) from an orchestration layer; and
      
      the tertiary metadata includes at least one of;
      
      an image name, image type, service name, and user-configurable tag or label associated with the container.
  - 6. The computer-implemented method of claim 5, wherein the orchestration layer is at least one of:
    - Kubernetes, Diego, Docker Swarm, and Mesos.
  - 7. The computer-implemented method of claim 5, wherein determining the tertiary categorization includes:
    - ascertaining an image type associated with the container using the tertiary metadata; and
      
      identifying the tertiary categorization using the image type;
      
      wherein the method further comprises;
      
      confirming the primary, secondary, and tertiary categorizations are consistent; and
      
      wherein the producing the model further uses the tertiary categorization.
  - 8. The computer-implemented method of claim 3, wherein:
    - the first metadata comprises at least two of;
      
      a source address and/or hostname, a source port, destination address and/or hostname, a destination port, protocol, application determination using APP-ID, and category;
      
      the primary categorization is determined at least in part using the first metadata and a second model, the second model including at least one of;
      
      a service or application category, protocols associated with the category that the primary workload should use, ports associated with the category that that the primary workload should use, applications associated with the category that should communicate with the primary workload, and services associated with the category that should communicate with the primary workload; and
      
      the secondary categorization is determined at least in part by assessing a relationship using communications between the primary and secondary workloads, and by confirming the communications between the primary and secondary workloads are consistent with at least an expected behavior of the primary categorization.
  - 9. The computer-implemented method of claim 8, wherein ascertaining the primary categorization and the secondary categorization are consistent includes using the second model to check that the secondary categorization corresponds to an allowed communications partner associated with the primary categorization.
  - 10. The computer-implemented method of claim 3, wherein:
    - the confirming the primary categorization is reliable includes checking that a predetermined time has elapsed.

11. A system for security in virtualization, bare-metal server, and cloud computing environments comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions which are executable by the processor to perform a method comprising;
  
  receiving network traffic associated with a primary workload;
  
  generating first metadata using the network traffic;
  
  determining a primary categorization associated with the primary workload, using the first metadata;
  
  confirming the primary categorization is reliable;
  
  determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload;
  
  ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable;
  
  producing a model using the primary categorization and the secondary categorization, the model including a behavior and a relationship associated with the primary workload;
  
  checking the model for sustained convergence; and
  
  generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or a service with which the primary workload can communicate.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the network traffic comprises data communications between the primary workload and the secondary workload.
  - 13. The system of claim 12, wherein:
    - the primary, secondary, and tertiary categorizations are each associated with a respective application or service; and
      
      the application or service is at least one of;
      
      a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, other media server, file server, service-oriented architecture (SOA) or microservices process, and object-based storage.
  - 14. The system of claim 13, wherein the method further comprises:
    - receiving tertiary metadata associated with the primary workload;
      
      determining a tertiary categorization using the tertiary metadata; and
      
      checking the primary categorization matches the tertiary categorization.
  - 15. The system of claim 14, wherein:
    - the primary workload is a container;
      
      the tertiary metadata is received using an application programming interface (API) from an orchestration layer; and
      
      the tertiary metadata includes at least one of;
      
      an image name, image type, service name, and user-configurable tag or label associated with the container.
  - 16. The system of claim 15, wherein the orchestration layer is at least one of:
    - Kubernetes, Diego, Docker Swarm, and Mesos.
  - 17. The system of claim 15, wherein determining the tertiary categorization includes:
    - ascertaining an image type associated with the container using the tertiary metadata; and
      
      identifying the tertiary categorization using the image type;
      
      wherein the method further comprises;
      
      confirming the primary, secondary, and tertiary categorizations are consistent; and
      
      wherein the producing the model further uses the tertiary categorization.
  - 18. The system of claim 13, wherein:
    - the first metadata comprises at least two of;
      
      a source address and/or hostname, a source port, destination address and/or hostname, a destination port, protocol, application determination using APP-ID, and category;
      
      the primary categorization is determined at least in part using the first metadata and a second model, the second model including at least one of;
      
      a service or application category, protocols associated with the category that the primary workload should use, ports associated with the category that that the primary workload should use, applications associated with the category that should communicate with the primary workload, and services associated with the category that should communicate with the primary workload; and
      
      the secondary categorization is determined at least in part by assessing a relationship using communications between the primary and secondary workloads, and by confirming the communications between the primary and secondary workloads are consistent with at least an expected behavior of the primary categorization.
  - 19. The system of claim 18, wherein ascertaining the primary categorization and the secondary categorization are consistent includes using the second model to check that the secondary categorization corresponds to an allowed communications partner associated with the primary categorization.

20. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for security in a container-based virtualization, bare-metal server, and cloud computing environments, the method comprising:
- receiving network traffic associated with a primary workload;
  
  generating first metadata using the network traffic;
  
  determining a primary categorization associated with the primary workload, using the first metadata;
  
  confirming the primary categorization is reliable;
  
  determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload;
  
  ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable;
  
  producing a model using the primary categorization and the secondary categorization, the model including a behavior and a relationship associated with the primary workload;
  
  checking the model for sustained convergence; and
  
  generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or a service with which the primary workload can communicate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Woolward, Marc
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/201,351
Publication Number

US 20170374101A1
Time in Patent Office

1,019 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Security policy generation for virtualization, bare-metal server, and cloud computing environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy generation for virtualization, bare-metal server, and cloud computing environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links