Automated threat modeling using machine-readable threat models

US 10,652,266 B1
Filed: 02/28/2018
Issued: 05/12/2020
Est. Priority Date: 02/28/2018
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;

receiving a request to provision a network-based service from a computing device;

provisioning the network-based service in a network-based service environment of a service provider, wherein the network-based service includes;

a first component configured to perform first functionality of the network-based service; and

a second component configured to perform second functionality of the network-based service;

analyzing the network-based service to identify system-level security threats to the network-based service;

generating a first machine-readable threat model that represents system-level security constraints for the network-based service and that is to detect the system-level security threats;

detecting a change to the network-based service to the first component;

determining that the change violates a local-level security constraint associated with the first component;

updating, based on the change, the first machine-readable threat model to generate a second machine-readable threat model;

utilizing the second machine-readable threat model to determine that a system-level security constraint of the system-level security constraints has been violated; and

providing, to a security computing device associated with the service provider, a notification that the system-level security constraint has been violated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure describes techniques for automating a system-level security review of a network-based service. The techniques may include generating and utilizing a machine-readable threat model to identify system-level security threats to the network-based service. The network-based service may be scanned upon being provisioned in a service-provider network, and the machine-readable threat model may be generated based on results of the scan. The machine-readable threat model may represent components of the network-based service, system-level security constraints configured to identify system-level security threats to the service, and mitigations to remedy violations to the system-level security constraints. The network-based service may be continuously, or periodically, scanned to identify changes in the network-based service. The techniques further include updating the machine-readable threat model to account for the detected changes to the network-based service, and analyzing the updated machine-readable threat model to determine whether the changes to the network-based service violate a system-level security constraint.

18 Citations

View as Search Results

21 Claims

1. A system comprising:
- one or more processors; and
  
  one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving a request to provision a network-based service from a computing device;
  
  provisioning the network-based service in a network-based service environment of a service provider, wherein the network-based service includes;
  
  a first component configured to perform first functionality of the network-based service; and
  
  a second component configured to perform second functionality of the network-based service;
  
  analyzing the network-based service to identify system-level security threats to the network-based service;
  
  generating a first machine-readable threat model that represents system-level security constraints for the network-based service and that is to detect the system-level security threats;
  
  detecting a change to the network-based service to the first component;
  
  determining that the change violates a local-level security constraint associated with the first component;
  
  updating, based on the change, the first machine-readable threat model to generate a second machine-readable threat model;
  
  utilizing the second machine-readable threat model to determine that a system-level security constraint of the system-level security constraints has been violated; and
  
  providing, to a security computing device associated with the service provider, a notification that the system-level security constraint has been violated.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the change occurs at a first time, and the operations further comprising, subsequent to the first time:
    - scanning the first component and the second component multiple times over a period of time to determine whether the first component or the second component underwent changes;
      
      detecting, at a second time of the multiple times, a second change to at least one of the first component or the second component;
      
      updating, based on the second change, the second machine-readable threat model to generate a third machine-readable threat model; and
      
      utilizing the third machine-readable threat model to determine that a second system-level security constraint of the system-level security constraints has been violated.
  - 3. The system of claim 1, wherein:
    - the first machine-readable threat model comprises;
      
      a first machine-readable representation of the first component; and
      
      a second machine-readable representation of the second component; and
      
      the updating the first machine-readable threat model to generate the second machine-readable model comprises modifying the first machine-readable representation of the first component in the first machine-readable threat model based on the change.
  - 4. The system of claim 1, wherein:
    - the system-level security constraint is defined based at least in part on a first security property for a boundary of the network-based service at which behavior of the network-based service is observable by a user of the network-based service; and
      
      the local-level security constraint is defined based at least in part on a second security property for the first component of the network-based service that is internal to the boundary at which the behavior of the network-based service is observable by the user.

5. A computer-implemented method comprising:
- analyzing a network-based service provisioned in a network-based service environment of a service provider, the network-based service including;
  
  a first component configured to perform first functionality of the network-based service, wherein the first component is associated with a first local-level security constraint to identify a first local-level threat; and
  
  a second component configured to perform second functionality of the network-based service, wherein the second component is associated with a second local-level security constraint to identify a second local-level threat;
  
  identifying a first machine-readable threat model associated with the network-based service, the first machine-readable threat model comprising a system-level security constraint to identify a system-level threat to the network-based service;
  
  detecting, based at least in part on the analyzing the network-based service, a change to the network-based service;
  
  updating, based at least in part on the change, the first machine-readable threat model to generate a second machine-readable threat model; and
  
  utilizing the second machine-readable threat model to determine that the change to the network-based service violated the system-level security constraint.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The computer-implemented method of claim 5, further comprising:
    - determining that the change violated at least one of the first local-level security constraint or the second local-level security constraint,wherein the determining that the change violated the system-level security constraint is performed based at least in part on the determining that the change violated the at least one of the first local-level security constraint or the second local-level security constraint.
  - 7. The computer-implemented method of claim 5, wherein:
    - the first machine-readable threat model further comprises a system-level mitigation to remedy the system-level threat to the network-based service; and
      
      further comprising at least one of;
      
      providing a first notification that the system-level security constraint was violated to a security computing device associated with the service provider;
      
      automatically performing the system-level mitigation to the network-based service to remedy the system-level threat;
      
      orproviding a second notification of the system-level mitigation to the security computing device associated with the service provider.
  - 8. The computer-implemented method of the claim 5, wherein identifying the first machine-readable threat model associated with the network-based service comprises at least one of:
    - generating the first machine-readable threat model based at least in part on an initial analysis of the network-based service provisioned in the network-based service environment;
      
      orselecting, from a data structure storing a plurality of machine-readable threat models, the first machine-readable threat model based at least in part on the first machine-readable threat model being associated with the network-based service.
  - 9. The computer-implemented method of claim 5, wherein:
    - the system-level security constraint comprises an access-control policy configured to control access to data stored in the network-based service; and
      
      the determining that the change violated the system-level security constraint comprises determining that the change caused the access-control policy to become more permissive regarding access to the data stored in the network-based service.
  - 10. The computer-implemented method of claim 5, wherein the detecting the change to the network-based service occurs at a first time, andfurther comprising:
    - scanning the network-based service multiple times over a period of time to identify a violation of a second system-level security constraint of the network-based service;
      
      utilizing the second machine-readable threat model to identify, at a second time of the multiple times at which the network-based service was scanned, the violation of the second system-level security constraint; and
      
      providing, to at least one of a security computing device associated with the service provider or a developer computing device, a notification that the second system-level security constraint was violated to at least one of a security computing device or a developer computing device.
  - 11. The computer-implemented method of claim 5, wherein:
    - the analyzing the network-based service comprises at least one of analyzing first source code of the first component or second source code of the second component;
      
      the detecting the change to the network-based service comprises identifying a second change to the first source code;
      
      the updating the first machine-readable threat model comprises modifying, based at least in part on the second change, a first source-code representation included in the first machine-readable threat model to generate a second source-code representation included in the second machine-readable threat model; and
      
      determining that the change violated the system-level security constraint comprises determining that the second source-code representation violated the system-level security constraint.
  - 12. The computer-implemented method of claim 5, wherein:
    - the analyzing the network-based service comprises at least one of analyzing a first asset of the first component or a second asset of the second component;
      
      the detecting the change comprises identifying a second change to the first asset;
      
      the updating the first machine-readable threat model comprises modifying, based at least in part on the second change, a first asset representation included in the first machine-readable threat model to generate a second asset representation included in the second machine-readable threat model; and
      
      determining that the change violated the system-level security constraint comprises determining that the second asset representation violated the system-level security constraint.

13. A system comprising:
- one or more processors; and
  
  one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  provisioning a network-based service in a network-based service environment of a service provider, the network-based service comprising at least one component associated with at least one local-level security constraint to identify at least one local-level threat to the at least one component;
  
  identifying a first machine-readable threat model associated with the network-based service, the first machine-readable threat model a system-level security constraint to identify a system-level threat to the network-based service;
  
  scanning, multiple times during a period of time, the network-based service;
  
  detecting, at a first time from the multiple times at which the network-based service was scanned, a change to the network-based service; and
  
  updating, based at least in part on the change, the first machine-readable threat model to generate a second machine-readable threat model.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The system of claim 13, the operations further comprising:
    - utilizing the second machine-readable threat model to determine that the change violates the system-level security constraint such that the network-based service is exposed to the system-level threat.
  - 15. The system of claim 14, the operations further comprising at least one of:
    - providing a notification that the system-level security constraint was violated to a security computing device associated with the service provider;
      
      providing an indication of a mitigation to remedy the system-level threat to the security computing device;
      
      orautomatically performing the mitigation to the network-based service to remedy the system-level threat.
  - 16. The system of claim 13, wherein the change comprises a first change, and the system-level security constraint comprises a first system-level security constraint;
    - andthe operations further comprising;
      
      detecting, at a second time from the multiple times, a second change to the network-based service;
      
      updating, based at least in part on the second change, the second machine-readable threat model to generate a third machine-readable threat model; and
      
      utilizing the third machine-readable threat model to determine that the second change does not violate a second system-level security constraint.
  - 17. The system of claim 13, the operations further comprising:
    - utilizing the second machine-readable threat model to determine that the change violates the system-level security constraint such that the network-based service is exposed to the system-level threat;
      
      performing a mitigation on the network-based service to remedy the system-level threat; and
      
      determining that the mitigation performed on the network-based service remedies the system-level threat.
  - 18. The system of claim 13, wherein the identifying the first machine-readable threat model associated with the network-based service comprises generating the first machine-readable threat model based at least in part on an initial analysis of the network-based service provisioned in the network-based service environment.
  - 19. The system of claim 13, wherein the identifying the first machine-readable threat model associated with the network-based service comprises selecting, from a data structure storing a plurality of machine-readable threat models, the first machine-readable threat model based at least in part on the first machine-readable model being associated with the network-based service.
  - 20. The system of claim 13, the operations further comprising:
    - determining that the change violates the one or more local-level security constraints associated with the one or more components of the network-based service; and
      
      based at least in part on the change violating the one or more local-level security constraints, utilizing the second machine-readable threat model to determine that the change violates the system-level security constraint such that the network-based service is exposed to the system-level threat.
  - 21. The system of claim 13, the operations further comprising:
    - utilizing the second machine-readable threat model to determine that the change violates the system-level security constraint such that the network-based service is exposed to the system-level threat;
      
      determining a severity of the system-level threat to the network-based service; and
      
      based at least in part on the severity of the system-level threat, providing a notification that the system-level security constraint was violated to a security computing device associated with the service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Tautschnig, Michael, Rungta, Neha, Cook, John, Bolignano, Pauline Virginie, MacDermid, Todd Granger, Tkachuk, Oksana
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US15/907,870
Time in Patent Office

804 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Automated threat modeling using machine-readable threat models

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Automated threat modeling using machine-readable threat models

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links