System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment

US 10,360,062 B2
Filed: 02/23/2018
Issued: 07/23/2019
Est. Priority Date: 02/03/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process including;

providing a cloud computing environment, the cloud computing environment including a virtual asset instantiated and executing within the cloud computing environment by a computing processor, the virtual asset being a component of a network switch, the one or more virtual assets comprising, at instantiation;

virtual asset self-monitoring logic, the virtual asset self-monitoring logic including data and instructions for detecting one or more trigger events of the virtual asset, the trigger events including deviations from pre-established baseline traffic patterns, the virtual asset self monitoring logic further including data and instructions to detect, as a trigger event, a response to a customer request being directed to a destination that is not the customer location of record and further including data and instructions to detect, as a trigger event, an internal elapsed time of defined critical operations changing to a time outside a defined range and further including data and instructions to detect, as a trigger event, an access pattern indicating that messages arrive too infrequently;

virtual asset self-reporting logic, the virtual asset self-reporting logic including data and instructions for generating trigger event reporting data if one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;

self-reporting communications channel creation logic, the self-reporting communications channel creation logic including data and instructions for opening a self-reporting communications channel between the virtual asset and a virtual asset monitoring system responsive to one of the one or more trigger events being detected in the virtual asset by the virtual asset self-monitoring logic; and

trigger event reporting data transfer logic, the trigger event reporting data transfer logic including data and instructions for transferring the trigger event reporting data from the virtual asset to the virtual asset monitoring system when one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;

using the virtual asset self-monitoring logic to monitor at least a portion of message traffic sent to the virtual asset to detect any message meeting one or more initial trigger parameters;

classifying one or more portions of the detected at least one message as being suspect, the classified portions of the detected message satisfying the one or more predefined trigger parameters;

determining, based on the satisfied one or more trigger parameters, which of a plurality of threat scoring services to analyze the classified one or more suspect portions, each of the threat scoring services configured to analyze specific trigger parameters;

transferring the one or more suspect portions to the determined threat scoring services;

assigning, by the determined threat scoring services, threat scores to the suspect message at least partially based on a potential impact of the suspect message'"'"'s potential security threat on the virtual asset, wherein the assigned threat scores are higher if the potential impact includes compromising financial data of users, and the assigned threat score is lower if the potential security threat is expected to cause a minor decrease in network connectivity speeds;

enabling, by providing the threat score to the virtual asset, the virtual asset to secure against the suspect message;

for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message;

transferring the suspect message copy data to one or more analysis systems for further analysis;

determining, through analysis by the one or more analysis systems, an identity of a specific recipient of the detected at least one message;

determining one or more second trigger parameters having criteria defining similar messages to the detected at least one message;

updating the initial trigger parameters to include the one or more second trigger parameters; and

detecting at least one suspect message using the updated initial trigger parameters.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trigger event monitoring system is provided in one or more virtual assets. One or more trigger parameters, including security threat patterns, are defined and trigger data is generated. The one or more trigger monitoring systems are used to monitor extrusion and intrusion capabilities and self-monitored trigger events that may harm or otherwise leave a virtual asset in a vulnerable state. In one embodiment, trigger events and monitoring of at least a portion of message traffic sent to, or sent from, the one or more virtual assets are initiated and/or performed to detect any message including one or more of the one or more of the trigger parameters. Any message meeting the one or more trigger parameters is identified as a potential security threat and is assigned a threat score, which is provided to the virtual asset. Various corrective actions may take place.

438 Citations

22 Claims

1. A system comprising:
- one or more processors; and
  
  at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process including;
  
  providing a cloud computing environment, the cloud computing environment including a virtual asset instantiated and executing within the cloud computing environment by a computing processor, the virtual asset being a component of a network switch, the one or more virtual assets comprising, at instantiation;
  
  virtual asset self-monitoring logic, the virtual asset self-monitoring logic including data and instructions for detecting one or more trigger events of the virtual asset, the trigger events including deviations from pre-established baseline traffic patterns, the virtual asset self monitoring logic further including data and instructions to detect, as a trigger event, a response to a customer request being directed to a destination that is not the customer location of record and further including data and instructions to detect, as a trigger event, an internal elapsed time of defined critical operations changing to a time outside a defined range and further including data and instructions to detect, as a trigger event, an access pattern indicating that messages arrive too infrequently;
  
  virtual asset self-reporting logic, the virtual asset self-reporting logic including data and instructions for generating trigger event reporting data if one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;
  
  self-reporting communications channel creation logic, the self-reporting communications channel creation logic including data and instructions for opening a self-reporting communications channel between the virtual asset and a virtual asset monitoring system responsive to one of the one or more trigger events being detected in the virtual asset by the virtual asset self-monitoring logic; and
  
  trigger event reporting data transfer logic, the trigger event reporting data transfer logic including data and instructions for transferring the trigger event reporting data from the virtual asset to the virtual asset monitoring system when one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;
  
  using the virtual asset self-monitoring logic to monitor at least a portion of message traffic sent to the virtual asset to detect any message meeting one or more initial trigger parameters;
  
  classifying one or more portions of the detected at least one message as being suspect, the classified portions of the detected message satisfying the one or more predefined trigger parameters;
  
  determining, based on the satisfied one or more trigger parameters, which of a plurality of threat scoring services to analyze the classified one or more suspect portions, each of the threat scoring services configured to analyze specific trigger parameters;
  
  transferring the one or more suspect portions to the determined threat scoring services;
  
  assigning, by the determined threat scoring services, threat scores to the suspect message at least partially based on a potential impact of the suspect message'"'"'s potential security threat on the virtual asset, wherein the assigned threat scores are higher if the potential impact includes compromising financial data of users, and the assigned threat score is lower if the potential security threat is expected to cause a minor decrease in network connectivity speeds;
  
  enabling, by providing the threat score to the virtual asset, the virtual asset to secure against the suspect message;
  
  for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message;
  
  transferring the suspect message copy data to one or more analysis systems for further analysis;
  
  determining, through analysis by the one or more analysis systems, an identity of a specific recipient of the detected at least one message;
  
  determining one or more second trigger parameters having criteria defining similar messages to the detected at least one message;
  
  updating the initial trigger parameters to include the one or more second trigger parameters; and
  
  detecting at least one suspect message using the updated initial trigger parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1 further comprising providing the virtual assets, at instantiation:
    - responsive action implementation data receipt logic, the responsive action implementation data receipt logic including data and instructions for receiving responsive action implementation data from the virtual asset monitoring system; and
      
      responsive action implementation logic, the responsive action implementation logic including data and instructions for implementing the one or more responsive actions indicated in the responsive action implementation data received by the responsive action implementation data receipt logic.
  - 3. The system of claim 1, wherein at least one of the one or more trigger events is selected from the group of trigger events consisting of:
    - a network message from a virtual asset directed to a location known to be associated with malicious entities;
      
      a frequency of outgoing network messages changing level above a defined threshold level;
      
      a virtual asset receiving a high-frequency of login attempts that fail;
      
      a size of the parameters sent into a virtual asset being outside a defined range;
      
      a size of outgoing network messages being outside a defined range;
      
      a total amount of data in any one communication connection of a virtual asset exceeding a defined maximum; and
      
      a request to a virtual asset coming in from a location known to be associated with malicious entities.
  - 4. The system of claim 1 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis based, at least in part, on the specific trigger parameter of the one or more trigger parameters detected in the suspect message.
  - 5. The system of claim 1 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion related message, one or more protective actions are automatically implemented.
  - 6. The system of claim 1, wherein the virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a server computing system; and
      
      part of a desktop computing system.
  - 7. The system of claim 1, wherein defining one or more trigger parameters includes retrieving trigger parameters from an information management security vendor.
  - 8. The system of claim 1, wherein assigning the threat score includes assigning a number of a predetermined range of numbers to the suspect message, wherein a higher number is associated with a higher security priority.
  - 9. The system of claim 1, wherein providing the threat score includes delaying transmission of the threat score based on a priority of the suspect message.
  - 10. The system of claim 1, wherein assigning the threat score to the suspect message includes evaluating a service configuration to determine a vulnerability of the virtual asset.
  - 11. The system of claim 10, wherein the service configuration includes hardware characteristics of a host computing system of the virtual asset, and a type of information stored and provided by the virtual asset.

12. A computing system implemented method, which when executed by one or more computing processors, performs process operations comprising:
- providing a cloud computing environment, the cloud computing environment including one or more virtual assets instantiated within the cloud computing environment, the one or more virtual assets being a component of a network switch, the one or more virtual assets comprising, at instantiation;
  
  virtual asset self-monitoring logic including data and instructions for detecting one or more trigger events of the virtual asset, the trigger events including deviations from pre-established baseline traffic patterns, the virtual asset self monitoring logic further including data and instructions to detect, as a trigger event, a response to a customer request being directed to a destination that is not the customer location of record and further including data and instructions to detect, as a trigger event, an internal elapsed time of defined critical operations changing to a time outside a defined range and further including data and instructions to detect, as a trigger event, an access pattern indicating that messages arrive too infrequently;
  
  virtual asset self-reporting logic including data and instructions for generating trigger event reporting data if one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;
  
  self-reporting communications channel creation logic including data and instructions for opening a self-reporting communications channel between the virtual asset and a virtual asset monitoring system responsive to one of the one or more trigger events being detected in the virtual asset by the virtual asset self-monitoring logic; and
  
  trigger event reporting data transfer logic including data and instructions for transferring the trigger event reporting data from the virtual asset to the virtual asset monitoring system when one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;
  
  using the virtual asset self-monitoring logic to monitor at least a portion of message traffic sent to the virtual asset to detect any message meeting one or more initial trigger parameters;
  
  classifying one or more portions of a detected message as being suspect, the classified portions of the detected message satisfying the one or more initial trigger parameters;
  
  determining, based on the satisfied one or more trigger parameters, which of a plurality of threat scoring services to analyze the classified one or more suspect portions, each of the threat scoring services configured to analyze specific trigger parameters;
  
  transferring the one or more suspect portions to the determined threat scoring services;
  
  assigning, by the determined threat scoring services, threat scores to the suspect message at least partially based on a potential impact of the suspect message'"'"'s potential security threat to the virtual asset, wherein the assigned threat scores are higher if the potential impact includes compromising financial data of users, and the assigned threat score is lower if the potential security threat is expected to cause a minor decrease in network connectivity speeds;
  
  enabling, by providing the threat score to the virtual asset, the virtual asset to secure against the suspect message;
  
  for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message;
  
  transferring the suspect message copy data to one or more analysis systems for further analysis;
  
  determining, through analysis by the one or more analysis systems, an identity of a specific recipient of the detected at least one message;
  
  determining one or more second trigger parameters having criteria defining similar messages to the detected at least one message;
  
  updating the initial trigger parameters to include the one or more second trigger parameters; and
  
  detecting at least one suspect message using the updated initial trigger parameters.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computing system implemented method of claim 12 further comprising providing the virtual assets, at instantiation:
    - responsive action implementation data receipt logic, the responsive action implementation data receipt logic including data and instructions for receiving responsive action implementation data from the virtual asset monitoring system; and
      
      responsive action implementation logic, the responsive action implementation logic including data and instructions for implementing the one or more responsive actions indicated in the responsive action implementation data received by the responsive action implementation data receipt logic.
  - 14. The computing system implemented method of claim 12 wherein at least one of the one or more trigger events is selected from the group of trigger events consisting of:
    - a network message from a virtual asset directed to a location known to be associated with malicious entities;
      
      a frequency of outgoing network messages changing level above a defined threshold level;
      
      a virtual asset receiving a high-frequency of login attempts that fail;
      
      a size of the parameters sent into a virtual asset being outside a defined range;
      
      a size of outgoing network messages being outside a defined range;
      
      a total amount of data in any one communication connection of a virtual asset exceeding a defined maximum; and
      
      a request to a virtual asset coming in from a location known to be associated with malicious entities.
  - 15. The computing system implemented method of claim 12 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis based, at least in part, on the specific trigger parameter of the one or more trigger parameters detected in the suspect message.
  - 16. The computing system implemented method of claim 12 wherein if, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion related message, one or more protective actions are automatically implemented.
  - 17. The computing system implemented method of claim 12, wherein the virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a server computing system; and
      
      part of a desktop computing system.
  - 18. The computing system implemented method of claim 12, wherein defining one or more trigger parameters includes retrieving trigger parameters from an information management security vendor.
  - 19. The computing system implemented method of claim 12, wherein assigning the threat score includes assigning a number of a predetermined range of numbers to the suspect message, wherein a higher number is associated with a higher security priority.
  - 20. The computing system implemented method of claim 12, wherein providing the threat score includes delaying transmission of the threat score based on a priority of the suspect message.
  - 21. The computing system implemented method of claim 12, wherein assigning the threat score to the suspect message includes evaluating a service configuration to determine a vulnerability of the virtual asset.
  - 22. The computing system implemented method of claim 21, wherein the service configuration includes hardware characteristics of a host computing system of the virtual asset, and a type of information stored and provided by the virtual asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Lietz, M. Shannon, Cabrera, Luis Felipe
Primary Examiner(s)
Potratz, Daniel B

Application Number

US15/903,963
Publication Number

US 20180191753A1
Time in Patent Office

515 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/0886   Fully automatic configuration

H04L 41/40   using virtualisation of net...

H04L 41/5025   by proactively reacting to ...

H04L 41/5032   Generating service level re...

H04L 41/5096   wherein the managed service...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

438 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

438 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links