Runtime behavior of computing resources of a distributed environment

US 10,362,046 B1
Filed: 03/29/2017
Issued: 07/23/2019
Est. Priority Date: 03/29/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining a runtime configuration generated based at least in part on a set of security rules defining a set of security threats to a computer system instance and a set of remedial operations, the set of security rules generated based at least in part on customer input provided through a web service front-end, the computer system instance and the web service front-end provided by a computing resource service provider, the computer system instance a member of a set of computer system instance provided to customers of the computing resource service provider, where the runtime configuration indicates a threat level associated with a security threat included in the set of security threats;

obtaining access to operational information of the computer system instance, the operational information indicating at least a configuration of the computer system instance, a set of processes executed by the computer systems instance, and a set of operations performed by the computer systems instance;

determining a security threat of the set of security threats to the computer system instance by at least processing the operational information based at least in part on the runtime configuration;

performing a remedial operation of the set of operations indicated by the runtime configuration; and

providing the operational information and information associated with the remedial operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Customers of a computing resource service provider may operate one or more computing resource provided by the computing resource service provider. In addition, the customers may execute agent using the one or more computing resources provided by the computing resource service provider. Operational information from customer-operated computing resources may be obtained by the agents and evaluated for security threats. The operational information may be evaluated based at least in part on a set of security rules. The security rules may be generated at least in part on customer input to generate customer defined security rules.

18 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- obtaining a runtime configuration generated based at least in part on a set of security rules defining a set of security threats to a computer system instance and a set of remedial operations, the set of security rules generated based at least in part on customer input provided through a web service front-end, the computer system instance and the web service front-end provided by a computing resource service provider, the computer system instance a member of a set of computer system instance provided to customers of the computing resource service provider, where the runtime configuration indicates a threat level associated with a security threat included in the set of security threats;
  
  obtaining access to operational information of the computer system instance, the operational information indicating at least a configuration of the computer system instance, a set of processes executed by the computer systems instance, and a set of operations performed by the computer systems instance;
  
  determining a security threat of the set of security threats to the computer system instance by at least processing the operational information based at least in part on the runtime configuration;
  
  performing a remedial operation of the set of operations indicated by the runtime configuration; and
  
  providing the operational information and information associated with the remedial operation.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein performing the remedial operation further comprises performing the remedial operation as a result of receiving a command from a security service provided by the computing resource service provider.
  - 3. The computer-implemented method of claim 2, wherein the remedial operation is indicated by a customer of the security service.
  - 4. The computer-implemented method of claim 1, wherein obtaining the set of security rules further comprises obtaining the set of security rules through a user interface exposed to a customer as a management console.

5. A system, comprising:
- one or more processors; and
  
  memory to store computer-executable instructions that, if executed, cause the one or more processors to;
  
  obtain a runtime configuration from a security service provided by a computing resource service provide, the runtime configuration generated based at least in part on a set of security rules, at least a portion of the set of security rules including a customer input and the runtime configuration including an indication of a threat level associated with a security threat detectable based at least in part on a violation of a subset of security rules of the set of security rules;
  
  provide the runtime configuration to an agent, the agent executed by a virtual machine instance supported by the system and managed by the computing resource service provider;
  
  detect the security threat by at least processing operational information based at least in part on the runtime configuration;
  
  perform a remedial operation in response to the security threat, the remedial operation indicated in the runtime configuration; and
  
  transmit information associated with the remedial operation and operational information to the security service.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 20)
- - 6. The system of claim 5, wherein the set of security rules are defined by a customer using a programming language.
  - 7. The system of claim 6, wherein at least a portion of the set of security rules are generated based at least in part on security rules published by a third party.
  - 8. The system of claim 5, wherein the runtime configuration further comprises a set of validated security rules generated by the security service based at least in part on the set of security rules.
  - 9. The system of claim 5, wherein memory further includes computer-executable instructions that, if executed, cause the one or more processors to provide the agent with operating system privileges to perform one or more operations.
  - 10. The system of claim 5, wherein the operational information further comprises information associated with a set of processes executed by the virtual machine instance.
  - 11. The system of claim 5, wherein the operational information further comprises information associated with a set of static configurations of the virtual machine instance.
  - 20. The system of claim 5, wherein the computer-executable instructions that cause the one or more processors to perform the remedial operation in response to the security threat further include computer-executable instructions that, if executed, cause the one or more processors to perform the remedial operation based at least in part on the threat level associated with a security threat.

12. A set of non-transitory computer-readable storage media having that stores executable instructions that, if executed by one or more processors of a computer system, cause the computer system to:
- obtain a runtime configuration generated based at least in part on a set of security rules generated based at least in part on customer defined security rules obtained through a service front-end of a security service provided by a computing resource service provider, the runtime configuration including a threat level of a security threat associated with the set of security rules;
  
  provide the runtime configuration to an agent executed by a virtual computer system instance provided by the computing resource service provider;
  
  detect, by the agent executed by the virtual computer system instance, the security threat to the virtual computer system instance by at least;
  
  obtaining operational information associated with the virtual computer system instance; and
  
  evaluating the operational information based at least in part on the runtime configuration; and
  
  provide information associated with the security threat.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The set of non-transitory computer-readable storage media of claim 12, wherein the instructions that cause the computer system to provide information associated with the security threat further include instructions that cause the computer system to provide information associated with the security threat to a stream service responsible for multiplexing information associated with security threats to a plurality of security services provided by a computing resource service provider.
  - 14. The set of non-transitory computer-readable storage media of claim 13, wherein the instructions that cause the computer system to provide information associated with the security threat further include instructions that cause the computer system to provide a notification of the security threat to a customer associated with the virtual computer system instance.
  - 15. The set of non-transitory computer-readable storage media of claim 12, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to perform, by the agent, a remedial operation associated with the security threat to virtual computer system instance based at least in part on the runtime configuration.
  - 16. The set of non-transitory computer-readable storage media of claim 15, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - provide the agent with access to a set of privileges to perform the remedial operation; and
      
      remove access to the set of privileges as a result of the agent completing performance of the remedial operation.
  - 17. The set of non-transitory computer-readable storage media of claim 15, wherein the instructions that cause the computer system to perform, by the agent, the remedial operation further include instructions that cause the computer system to terminate a process of the virtual computer system instance.
  - 18. The set of non-transitory computer-readable storage media of claim 15, wherein the instructions that cause the computer system to perform, by the agent, the remedial operation further include instructions that cause the computer system to terminate a network connection between the virtual computer system instance and at least one other computer system.
  - 19. The set of non-transitory computer-readable storage media of claim 15, wherein the instructions that cause the computer system to perform, by the agent, the remedial operation further include instructions that cause the computer system to perform the remedial operation in response to a security event generated based at least in part on the information associated with the security threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Srinivasan, Preethi, Nagargadde, Aparna
Primary Examiner(s)
Tabor, Amare F

Application Number

US15/473,511
Time in Patent Office

846 Days
Field of Search

726 23, 726 25
US Class Current
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Runtime behavior of computing resources of a distributed environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Runtime behavior of computing resources of a distributed environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links