Multi-tenant cloud security threat detection

US 10,298,605 B2
Filed: 11/16/2016
Issued: 05/21/2019
Est. Priority Date: 11/16/2016
Status: Active Grant

First Claim

Patent Images

1. A system of security threat detection, the system comprising:

a first plurality of virtual machines including at least a first virtual machine, which includes;

a plurality of applications including at least a first application and a second application;

a plurality of application security modules (ASMs) respectively associated with each of the plurality of applications, including at least a first ASM associated with the first application and a second ASM associated with the second application; and

a network interface;

a first network controller associated with a first network;

one or more processors, in communication with the first network controller; and

a first security policy engine (SPE), executing on the one or more processors;

wherein the first ASM;

detects an abnormality with a request to the first application;

identifies a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests;

reports the source and the mode to the first SPE, andwherein responsive to receiving a report with the source and the mode from the first ASM, the first SPE;

prevents a further abnormality with at least one of the source and the mode from affecting the second application by adjusting a threshold for detecting a mode associated with the second ASM; and

commands the first network controller to prevent the source from interacting with the first network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for security threat detection are disclosed. For example, a virtual machine with a network interface of a plurality of virtual machines includes a plurality of applications including first and second applications. The plurality of applications is associated with a respective plurality of application security modules, including a first and second application security modules associated with the first and second applications. A security policy engine executes on a processor in communication with a network including a network controller. The application security module detects an abnormality with a request to the first application, identifies a source and a mode of the abnormality, and reports the source and the mode to the security policy engine. The security policy engine prevents a further abnormality with the source and/or the mode from affecting the second application and commands the network controller to prevent the source from interacting with the network.

Citations

19 Claims

1. A system of security threat detection, the system comprising:
- a first plurality of virtual machines including at least a first virtual machine, which includes;
  
  a plurality of applications including at least a first application and a second application;
  
  a plurality of application security modules (ASMs) respectively associated with each of the plurality of applications, including at least a first ASM associated with the first application and a second ASM associated with the second application; and
  
  a network interface;
  
  a first network controller associated with a first network;
  
  one or more processors, in communication with the first network controller; and
  
  a first security policy engine (SPE), executing on the one or more processors;
  
  wherein the first ASM;
  
  detects an abnormality with a request to the first application;
  
  identifies a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests;
  
  reports the source and the mode to the first SPE, andwherein responsive to receiving a report with the source and the mode from the first ASM, the first SPE;
  
  prevents a further abnormality with at least one of the source and the mode from affecting the second application by adjusting a threshold for detecting a mode associated with the second ASM; and
  
  commands the first network controller to prevent the source from interacting with the first network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, further comprising a second network controller associated with a different second network, wherein the first SPE commands the second network controller to prevent the source from interacting with the second network.
  - 3. The system of claim 2, wherein the first network controller accepts commands via a first application programming interface and the second network controller accepts commands via a different second application programming interface.
  - 4. The system of claim 1, wherein the mode includes at least one of a traffic surge, an invalid login credential, a login from an unknown device, identified malware, a phishing attempt, a password attack, a denial-of-service attack, a cross site scripting attempt, a sql injection attempt, a local file inclusion attempt, and a remote file inclusion attempt.
  - 5. The system of claim 1, wherein the source includes at least one of an IP address, a MAC address, a physical location, a phone number, a domain, and a subnet.
  - 6. The system of claim 1, wherein the source and the mode are associated with a plurality of identifying characteristics including a first identifying characteristic, and the first identifying characteristic is used by at least one of the first SPE and the first network controller to identify a new abnormality as having at least one of the same source and the same mode as the abnormality.
  - 7. The system of claim 6, wherein the first identifying characteristic is one of an IP address, a MAC address, a physical location, a phone number, a domain, a subnet, a login credential, a password, a database, a database table, a URL, a command, a query, a unique identifier, a message, contents of a message, a size of request, user identifying information, and a frequency of request.
  - 8. The system of claim 7, wherein an authentication application is associated with the first plurality of virtual machines, and the first SPE disables the login credential for authenticating with applications executing on the first plurality of virtual machines in response to the report.
  - 9. The system of claim 6, wherein the first SPE analyzes the mode of the abnormality to determine the first identifying characteristic;
    - andthe first SPE prevents further abnormalities with the first identifying characteristic from affecting other applications of the plurality of applications.
  - 10. The system of claim 9, wherein the first SPE prevents a further abnormality with the first identifying characteristic from affecting a second virtual machine of the plurality of virtual machines.
  - 11. The system of claim 6, wherein the first SPE notifies a third ASM associated with a third application executing on a second virtual machine of the first plurality of virtual machines to prevent abnormalities with the first identifying characteristic in the second virtual machine associated with the third ASM.
  - 12. The system of claim 6, wherein the first SPE notifies the first network controller of at least one of the mode, the source, the first identifying characteristic, and the occurrence of the abnormality.
  - 13. The system of claim 12, wherein the first network controller notifies a second SPE associated with a different second plurality of virtual machines of at least one of the mode, the source, the first identifying characteristic, and the occurrence of the abnormality;
    - andthe second SPE prevents a further abnormality with at least one of the source, the mode, and the first identifying characteristic from affecting a third application executing on a third virtual machine of the second plurality of virtual machines by configuring a third ASM associated with the third application.
  - 14. The system of claim 1, wherein the first ASM detects the request as one of legitimate and illegitimate based on other requests from a requester of the request, and wherein requests detected as legitimate and illegitimate are indistinguishable to the first network controller.
  - 15. The system of claim 1, wherein the first ASM identifies the abnormality based on a frequency of requests from a requester, and notifies the first SPE of an identifying feature of the requester.
  - 16. The system of claim 1, wherein the first network controller blocks communication between the source and at least one of the first plurality of virtual machines associated with a first tenant, a second plurality of virtual machines associated with a second tenant, and all virtual machines connected to the first network.

17. A method of security threat detection, the method comprising:
- detecting, by a first application security module (ASM), an abnormality with a request to a first application associated with the first ASM;
  
  identifying a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests;
  
  reporting the source and the mode to a security policy engine (SPE); and
  
  responsive to receiving, by the SPE, a report with the source and the mode;
  
  preventing, by the SPE, a further abnormality with at least one of the source and the mode from affecting a second application by adjusting a threshold for detecting a mode associated with a second ASM, wherein the second ASM is associated with the second application; and
  
  commanding, by the SPE, a network controller to prevent the source from interacting with a network.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein the source and the mode are associated with a plurality of identifying characteristics including a first identifying characteristic, and the first identifying characteristic is used by at least one of the SPE and the network controller to identify a new abnormality as having at least one of the same source and the same mode as the abnormality.

19. A computer-readable non-transitory storage medium storing executable instructions, which when executed by a computer system, cause the computer system to:
- detect, by a first application security module (ASM), an abnormality with a request to a first application associated with the first ASM;
  
  identify a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests;
  
  report the source and the mode to a security policy engine (SPE); and
  
  responsive to receiving, by the SPE, a report with the source and the mode;
  
  prevent, by the SPE, a further abnormality with at least one of the source and the mode from affecting a second application by adjusting a threshold for detecting a mode associated with a second ASM, wherein the second ASM is associated with the second application; and
  
  command, by the SPE, a network controller to prevent the source from interacting with a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Chen, Huamin
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/353,288
Publication Number

US 20180139221A1
Time in Patent Office

916 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1483   service impersonation, e.g....

H04L 63/20   for managing network securi...

Multi-tenant cloud security threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tenant cloud security threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links