Change monitoring and detection for a cloud computing environment

US 10,581,851 B1
Filed: 07/17/2019
Issued: 03/03/2020
Est. Priority Date: 07/17/2019
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

configuring a change order monitoring application, wherein the change order monitoring application receives one or more audit logs from one or more application services in a cloud computing environment, wherein the one or more audit logs comprises a plurality of change events and a plurality of noise events, wherein the plurality of change events require a change order and the plurality of noise events do not require a change order;

detecting and filtering, by the change order monitoring application, the plurality of change events from the plurality of noise events in the one or more audit logs;

matching, by the change order monitoring application, the plurality of change events to the one or more application services in the cloud computing environment, wherein matching the plurality of change events to the one or more application services is based on associating each change event with a corresponding taggable resource;

matching, by the change order monitoring application, the plurality of change events to one or more change orders in the cloud computing environment;

training a machine learning algorithm based on the plurality of change events, wherein training the machine learning algorithm comprises;

clustering the plurality of change events using a weighted event graph comprising the plurality of change events with one or more related connections between the plurality of change events;

forming one or more change clusters based on the clustering of the plurality of change events;

determining one or more patterns of performance based on the one or more change clusters, wherein the one or more patterns of performance indicates a potential correlation between the one or more change clusters and the plurality of change events; and

updating the machine learning algorithm based on the one or more patterns of performance;

determining one or more unauthorized changes from the one or more change clusters, wherein the unauthorized changes are one or more change events that are not matched with one or more change orders and not matched with one or more application services; and

generating, using the machine learning algorithm and the change order monitoring application, an alert for the one or more unauthorized changes and sending the alert to an implementer of the one or more unauthorized changes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects described herein allow for systems and methods to monitor production changes to resources in a cloud computing environment and determine whether those changes were performed in accordance with a change management policy. A change order monitoring application receives data from cloud computing audit logs to detect infrastructure changes and combines that data with application information to determine which application was affected. The change order monitoring application then uses a machine learning algorithm to cluster multiple change events together when it is likely that the change events were part of the same change. If cluster of change activity does not appear to be authorized, the change order monitoring application sends an alert to a change management team and an application team to get more information about the activity.

51 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- configuring a change order monitoring application, wherein the change order monitoring application receives one or more audit logs from one or more application services in a cloud computing environment, wherein the one or more audit logs comprises a plurality of change events and a plurality of noise events, wherein the plurality of change events require a change order and the plurality of noise events do not require a change order;
  
  detecting and filtering, by the change order monitoring application, the plurality of change events from the plurality of noise events in the one or more audit logs;
  
  matching, by the change order monitoring application, the plurality of change events to the one or more application services in the cloud computing environment, wherein matching the plurality of change events to the one or more application services is based on associating each change event with a corresponding taggable resource;
  
  matching, by the change order monitoring application, the plurality of change events to one or more change orders in the cloud computing environment;
  
  training a machine learning algorithm based on the plurality of change events, wherein training the machine learning algorithm comprises;
  
  clustering the plurality of change events using a weighted event graph comprising the plurality of change events with one or more related connections between the plurality of change events;
  
  forming one or more change clusters based on the clustering of the plurality of change events;
  
  determining one or more patterns of performance based on the one or more change clusters, wherein the one or more patterns of performance indicates a potential correlation between the one or more change clusters and the plurality of change events; and
  
  updating the machine learning algorithm based on the one or more patterns of performance;
  
  determining one or more unauthorized changes from the one or more change clusters, wherein the unauthorized changes are one or more change events that are not matched with one or more change orders and not matched with one or more application services; and
  
  generating, using the machine learning algorithm and the change order monitoring application, an alert for the one or more unauthorized changes and sending the alert to an implementer of the one or more unauthorized changes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the one or more audit logs comprise individual change events and application programming interface (API) calls.
  - 3. The method of claim 1, wherein the one or more related connections between the plurality of change events comprises two change events that are part of a same user login.
  - 4. The method of claim 3, wherein the one or more related connections between the plurality of change events comprises two change events that are from the same application service and that occurred within one hour of each other.
  - 5. The method of claim 1, wherein matching the plurality of change events to one or more change orders in the cloud computing environment comprises the following:
    - matching a change order configuration item to one of the one or more application services through mapping to a change management database;
      
      determining an event time window for the one or more change orders and ensuring the matched plurality of change events are within the event time window; and
      
      determining the implementer is a member of an implementing group for the change order.
  - 6. The method of claim 5, wherein the event time window starts at one hour before a planned event start time and ends at one hour after a planned event end time.
  - 7. The method of claim 1, wherein the machine learning algorithm comprises a python implementation of a Louvain community detection algorithm.
  - 8. The method of claim 7, wherein the weighted event graph comprises weighted edges and the Louvain community detection algorithm assigns each vertex to a cluster to maximize a graph modularity.
  - 9. The method of claim 7, wherein the change order monitoring application creates the weighted event graph with the plurality of change events as edges between the plurality of events that are part of the same change event, and the Louvain community detection algorithm partitions the same change events into the change clusters, wherein the edges are determined by one or more edge variables that comprise a resource environment identifier, a resource identifier, and an access key identifier.
  - 10. The method of claim 1, wherein generating the alert includes automatically notifying the implementer of the one or more unauthorized changes and requesting additional information from the implementer of the one or more unauthorized changes regarding the unauthorized change.
  - 11. The method of claim 1, wherein the alert appears on a dashboard.

12. A system comprising:
- a database configured to store one or more audit logs from one or more application services in a cloud computing environment, wherein the one or more audit logs comprises a plurality of change events and a plurality of noise events, wherein the plurality of change events require a change order and the plurality of noise events do not require a change order;
  
  one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive, by a change order monitoring application executing on the one or more processors, the one or more audit logs;
  
  detect and filter the plurality of change events from the plurality of noise events in the one or more audit logs;
  
  match the plurality of change events to the one or more application services in the cloud computing environment, wherein matching the plurality of change events to the one or more application services is based on associating each change event with a corresponding taggable resource;
  
  match the plurality of change events to one or more change orders in the cloud computing environment, further including;
  
  match a change order configuration item to one of the one or more application services through mapping to a change management database,determine an event time window for the one or more change orders and ensure the matched plurality of change events are within the event time window, anddetermine the implementer is a member of an implementing group for the change order;
  
  train a Louvain community detection algorithm based on the plurality of change events, wherein the instructions cause the change order monitoring application to train the Louvain community detection algorithm by causing the change order monitoring application to;
  
  cluster the plurality of change events using a weighted event graph comprising the plurality of change events with one or more related connections between the plurality of change events;
  
  form one or more change clusters based on the clustering of the plurality of change events;
  
  determine one or more patterns of performance based on the one or more change clusters, wherein the one or more patterns of performance indicates a potential correlation between the one or more change clusters and the plurality of change events; and
  
  update the Louvain community detection algorithm based on the one or more patterns of performance;
  
  determine one or more unauthorized changes from the one or more change clusters, wherein the unauthorized changes are one or more change events that are not matched with one or more change orders and not matched with one or more application services; and
  
  generate an alert for the one or more unauthorized changes and automatically send the alert to an implementer of the one or more unauthorized changes.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, wherein the one or more related connections between the plurality of change events comprises two change events that are part of a same user login.
  - 14. The system of claim 13, wherein the one or more related connections between the plurality of change events comprises two change events that are from the same application service and occurred within one hour of each other.
  - 15. The system of claim 12, wherein the change order monitoring application creates the weighted event graph with the plurality of change events as edges between the plurality of events that are part of the same change event, and the Louvain community detection algorithm partitions the same change events into the change clusters, wherein the edges are determined by one or more edge variables that comprise a resource environment identifier, a resource identifier, and an access key identifier.
  - 16. The system of claim 12, wherein generating the alert comprises requesting additional information from the implementer of the one or more unauthorized changes regarding the unauthorized change, and the alert appears on a dashboard.
  - 17. The system of claim 12, wherein the one or more audit logs comprise individual change events and application programming interface (API) calls.
  - 18. The system of claim 12, wherein one of the one or more related connections between the plurality of change events comprise one or more of the following:
    - two change events that are part of a same user login or two change events that are from the same application service and that occurred within one hour of each other.

19. One or more non-transitory media storing instructions that, when executed by one or more processors, cause the one or more processors to perform steps comprising:
- configuring a change order monitoring application, wherein the change order monitoring application receives one or more audit logs from one or more application services in a cloud computing environment, wherein the one or more audit logs comprises a plurality of change events and a plurality of noise events, wherein the plurality of change events require a change order and the plurality of noise events do not require a change order;
  
  detecting and filtering, by the change order monitoring application, the plurality of change events from the plurality of noise events in the one or more audit logs;
  
  matching, by the change order monitoring application, the plurality of change events to the one or more application services in the cloud computing environment, wherein matching the plurality of change events to the one or more application services is based on associating each change event with a taggable resource;
  
  matching, by the change order monitoring application, the plurality of change events to one or more change orders in the cloud computing environment, the matching further including;
  
  matching a change order configuration item to one of the one or more application services through mapping to a change management database, determining an event time window for the one or more change orders and ensuring the matched plurality of change events are within the event time window, and determining the implementer is a member of an implementing group for the change order;
  
  training a Louvain community detection algorithm based on the plurality of change events, wherein the Louvain community detection algorithm comprises;
  
  clustering the plurality of change events using a weighted event graph comprising the plurality of change events with one or more related connections between the plurality of change events, wherein the weighted event graph comprises weighted edges and the Louvain community detection algorithm assigns each vertex to a cluster to maximize a graph modularity;
  
  forming one or more change clusters based on the clustering of the plurality of change events, wherein the change order monitoring application creates the weighted event graph with the plurality of change events as vertices and edges between the plurality of events that are part of the same change event, and the Louvain community detection algorithm partitions the same change events into the change clusters, wherein the edges are determined by one or more edge variables that comprise a resource environment identifier, a resource identifier, and an access key identifier;
  
  determining one or more patterns of performance based on the one or more change clusters, wherein the one or more patterns of performance indicates a potential correlation between the one or more change clusters and the plurality of change events; and
  
  updating the Louvain community detection algorithm based on the one or more patterns of performance;
  
  determining one or more unauthorized changes from the one or more change clusters, wherein the unauthorized changes are one or more change events that are not matched with one or more change orders and not matched with one or more application services; and
  
  generating, using the Louvain community detection algorithm and the change order monitoring application, an alert for the one or more unauthorized changes, automatically sending the alert to an implementer of the one or more unauthorized changes, requesting additional information from the implementer of the one or more unauthorized changes, wherein the alert appears on a dashboard.
- View Dependent Claims (20)
- - 20. The one or more non-transitory media storing instructions of claim 19, wherein the one or more audit logs comprise individual change events and application programming interface (API) calls.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
File, Dan, Liu, Hao, Durairaj, Rajesh Kanna, Terrana, Peter
Primary Examiner(s)
Poltorak, Piotr

Application Number

US16/514,406
Time in Patent Office

230 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 18/2323   based on graph theory, e.g....

G06F 21/50   Monitoring users, programs ...

G06N 20/00   Machine learning

H04L 63/0876   based on the identity of th...

H04L 63/104   Grouping of entities

H04L 63/1416   Event detection, e.g. attac...

Change monitoring and detection for a cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Change monitoring and detection for a cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links