Multi-tenant cloud security threat detection
First Claim
1. A system of security threat detection, the system comprising:
  a first plurality of virtual machines including at least a first virtual machine, which includes:
    a plurality of applications including at least a first application and a second application;
    a plurality of application security modules (ASMs) respectively associated with each of the plurality of applications, including at least a first ASM associated with the first application and a second ASM associated with the second application; and
    a network interface;
  a first network controller associated with a first network;
  one or more processors, in communication with the first network controller; and
  a first security policy engine (SPE), executing on the one or more processors;
  wherein the first ASM:
    detects an abnormality with a request to the first application;
    identifies a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests; and
    reports the source and the mode to the first SPE; and
  wherein, responsive to receiving a report with the source and the mode from the first ASM, the first SPE:
    prevents a further abnormality with at least one of the source and the mode from affecting the second application by adjusting a threshold for detecting a mode associated with the second ASM; and
    commands the first network controller to prevent the source from interacting with the first network.
Abstract
Methods and systems for security threat detection are disclosed. For example, a virtual machine with a network interface, one of a plurality of virtual machines, includes a plurality of applications including first and second applications. The plurality of applications is associated with a respective plurality of application security modules, including first and second application security modules associated with the first and second applications. A security policy engine executes on a processor in communication with a network including a network controller. The first application security module detects an abnormality with a request to the first application, identifies a source and a mode of the abnormality, and reports the source and the mode to the security policy engine. The security policy engine prevents a further abnormality with the source and/or the mode from affecting the second application and commands the network controller to prevent the source from interacting with the network.
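The cooperation the abstract describes (a per-application detector that reports a source and a mode, a policy engine that tightens the other detectors' thresholds for that mode and has the network controller cut the source off) can be made concrete with a small simulation. The following Python is an added illustration written for this page, not code from the patent or its assignee, and every name in it is an assumption: the ApplicationSecurityModule, SecurityPolicyEngine and NetworkController classes, the choice of the request's User-Agent header as the "mode", the choice of a run of error responses from one source as the "abnormality", the default threshold of 5 and the tightened threshold of 2, and the request stream and IP addresses, which are constructed for the example.

```python
"""Constructed model of ASM -> SPE -> network-controller threat handling.

Added example for illustration only; it is not the patent's implementation.
Assumptions (not from the patent): the mode is the User-Agent header, an
abnormality is a run of HTTP error responses from one source, and thresholds
are request counts.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    app: str     # application whose ASM raised the report
    source: str  # originating client, here an IP address
    mode: str    # request component that characterises the abnormality


class NetworkController:
    """Stand-in for the network controller the SPE commands (hypothetical)."""

    def __init__(self):
        self.blocked = set()

    def block(self, source):
        self.blocked.add(source)

    def admits(self, source):
        return source not in self.blocked


class SecurityPolicyEngine:
    """Receives ASM reports, blocks the source and tunes the other ASMs."""

    def __init__(self, controller, tightened_threshold=2):
        self.controller = controller
        self.tightened_threshold = tightened_threshold
        self.asms = []
        self.reports = []

    def register(self, asm):
        self.asms.append(asm)

    def receive(self, report):
        self.reports.append(report)
        # Cut the reported source off at the network level.
        self.controller.block(report.source)
        # Lower the threshold for this mode on every other ASM, so a new
        # source that reuses the same mode is caught after fewer requests.
        for asm in self.asms:
            if asm.app != report.app:
                asm.tighten(report.mode, self.tightened_threshold)


class ApplicationSecurityModule:
    """Per-application detector: counts error responses per (source, mode)."""

    def __init__(self, app, spe, default_threshold=5):
        self.app = app
        self.spe = spe
        self.default_threshold = default_threshold
        self.mode_thresholds = {}          # mode -> threshold set by the SPE
        self.error_counts = defaultdict(int)
        self.reported = set()              # (source, mode) already reported
        self.alerts = []
        spe.register(self)

    def threshold_for(self, mode):
        return self.mode_thresholds.get(mode, self.default_threshold)

    def tighten(self, mode, threshold):
        self.mode_thresholds[mode] = min(threshold, self.threshold_for(mode))

    def handle(self, request):
        """Return True if this request pushed a (source, mode) over threshold."""
        key = (request["source"], request["user_agent"])
        if request["status"] < 400:
            return False
        self.error_counts[key] += 1
        if key in self.reported or self.error_counts[key] < self.threshold_for(key[1]):
            return False
        self.reported.add(key)
        self.alerts.append(key)
        self.spe.receive(Report(self.app, key[0], key[1]))
        return True


def run_simulation():
    controller = NetworkController()
    spe = SecurityPolicyEngine(controller)
    asm_a = ApplicationSecurityModule("app-a", spe)
    asm_b = ApplicationSecurityModule("app-b", spe)
    vm = {"app-a": asm_a, "app-b": asm_b}

    # Constructed request stream: (app, source, user_agent, status).
    stream = (
        [("app-a", "10.0.0.5", "scanner/1.0", 401)] * 5   # credential guessing on app-a
        + [("app-b", "10.0.0.5", "scanner/1.0", 401)] * 3  # same source pivots to app-b
        + [("app-b", "10.0.0.9", "scanner/1.0", 404)] * 2  # new source, same mode
        + [("app-b", "10.0.0.7", "Mozilla/5.0", 404)] * 3  # ordinary user hitting dead links
    )
    dropped = 0
    for app, source, user_agent, status in stream:
        if not controller.admits(source):   # network controller enforces the block
            dropped += 1
            continue
        vm[app].handle({"source": source, "user_agent": user_agent, "status": status})
    return {
        "blocked": sorted(controller.blocked),
        "alerts_a": asm_a.alerts,
        "alerts_b": asm_b.alerts,
        "dropped": dropped,
        "threshold_a_scanner": asm_a.threshold_for("scanner/1.0"),
        "threshold_b_scanner": asm_b.threshold_for("scanner/1.0"),
        "threshold_b_browser": asm_b.threshold_for("Mozilla/5.0"),
    }


if __name__ == "__main__":
    print(run_simulation())
```

In the run, the first source trips app-a's ASM on its fifth error, is blocked before it can reach app-b, and its User-Agent becomes a tightened mode on app-b; the second source reusing that User-Agent is reported after two errors instead of five, while the browser client's three errors stay below the untouched default threshold. A practitioner would want to note the obvious caveat the claims do not address: a mode that is cheap to spoof, such as a User-Agent, lets an attacker rotate it per request, so a real ASM would pick a component that is costly for the attacker to vary.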
19 Claims
1. A system of security threat detection, the system comprising the elements recited in full under First Claim above. (Dependent claims: 2 to 16)
17. A method of security threat detection, the method comprising:
  detecting, by a first application security module (ASM), an abnormality with a request to a first application associated with the first ASM;
  identifying a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests;
  reporting the source and the mode to a security policy engine (SPE); and
  responsive to receiving, by the SPE, a report with the source and the mode:
    preventing, by the SPE, a further abnormality with at least one of the source and the mode from affecting a second application by adjusting a threshold for detecting a mode associated with a second ASM, wherein the second ASM is associated with the second application; and
    commanding, by the SPE, a network controller to prevent the source from interacting with a network.
  (Dependent claim: 18)
19. A computer-readable non-transitory storage medium storing executable instructions, which when executed by a computer system, cause the computer system to:
  detect, by a first application security module (ASM), an abnormality with a request to a first application associated with the first ASM;
  identify a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests;
  report the source and the mode to a security policy engine (SPE); and
  responsive to receiving, by the SPE, a report with the source and the mode:
    prevent, by the SPE, a further abnormality with at least one of the source and the mode from affecting a second application by adjusting a threshold for detecting a mode associated with a second ASM, wherein the second ASM is associated with the second application; and
    command, by the SPE, a network controller to prevent the source from interacting with a network.