Intrusion detection system enrichment based on system lifecycle
Abstract
Techniques are described for automatically incorporating lifecycle context information for a secured environment into an intrusion detection system monitoring the secured environment's operations. In one example, an indication of a potentially malicious action occurring in a secured environment monitored by an intrusion detection system is identified. A lifecycle-based context associated with a lifecycle operations manager (LOM) is accessed, where the LOM is responsible for managing lifecycle operations associated with components in the secured environment, and where the context stores information associated with lifecycle operations executed by the LOM. A determination is made as to whether the potentially malicious action associated with the indication is associated with information associated with an executed lifecycle operation stored in the context. In response to determining that a malicious action is associated with a lifecycle operation, a mitigation action associated with the potentially malicious action can be modified.
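As an added example (not the patent's own code), a minimal IDS decision step that consults a lifecycle-based context before mitigating: an alert is downgraded to a less severe response only when a LOM-recorded operation on the same system and host explains the indicator and covers the observation time. The indicator-to-operation mapping, the mitigation ladder, the record fields and the sample events are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Lifecycle ops named in the claims, keyed by the indicator each one plausibly explains (constructed).
EXPLAINED_BY = {
    "bulk_data_export": {"system_copy", "system_refresh"},
    "hostname_changed": {"system_rename"},
    "privileged_account_created": {"system_creation"},
}
# Constructed response ladder, least severe first.
MITIGATIONS = ["log_only", "notify_admin", "throttle", "isolate_host", "block_and_quarantine"]

@dataclass(frozen=True)
class LifecycleOp:  # one record the LOM writes into the lifecycle-based context
    op_type: str
    system_id: str
    hosts: frozenset
    started: datetime
    finished: datetime

@dataclass(frozen=True)
class Alert:  # an IDS indication of a potentially malicious action
    system_id: str
    host: str
    indicator: str
    observed: datetime
    initial_mitigation: str

def find_explaining_op(lbc, alert, slack=timedelta(minutes=5)):
    """LBC op the alert is associated with (same system and host, op explains the indicator, observed in window), else None."""
    for op in lbc:
        if (op.system_id == alert.system_id and alert.host in op.hosts
                and op.op_type in EXPLAINED_BY.get(alert.indicator, set())
                and op.started - slack <= alert.observed <= op.finished + slack):
            return op
    return None

def choose_mitigation(alert, lbc):
    """Initial mitigation when nothing in the LBC explains the alert; otherwise one rung less severe. Returns (mitigation, matched op type)."""
    op = find_explaining_op(lbc, alert)
    if op is None:
        return alert.initial_mitigation, None
    return MITIGATIONS[max(MITIGATIONS.index(alert.initial_mitigation) - 1, 0)], op.op_type

def demo():
    # Constructed LBC: the LOM refreshed system QA1 on host qa-db-01 from 01:00 to 03:00 UTC.
    t0 = datetime(2024, 3, 2, 1, 0, tzinfo=timezone.utc)
    lbc = [LifecycleOp("system_refresh", "QA1", frozenset({"qa-db-01"}), t0, t0 + timedelta(hours=2))]
    alerts = [Alert("QA1", "qa-db-01", "bulk_data_export", t0 + timedelta(minutes=30), "block_and_quarantine"),
              Alert("QA1", "qa-db-01", "bulk_data_export", t0 + timedelta(days=1), "block_and_quarantine"),
              Alert("QA1", "qa-db-01", "privileged_account_created", t0 + timedelta(minutes=30), "isolate_host")]
    return [choose_mitigation(a, lbc) for a in alerts]
```

Only the first alert is downgraded; the second falls outside the refresh window and the third is an indicator a refresh does not explain, so both keep their initial mitigation.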
17 Claims
1. A computer-implemented method performed by one or more processors, the method comprising:
identifying, at an intrusion detection system, an indication of at least one potentially malicious action occurring in a secured environment monitored by the intrusion detection system;
identifying, by the intrusion detection system, an initial mitigation action associated with the at least one potentially malicious action;
accessing, by the intrusion detection system, a lifecycle-based context (LBC) associated with a lifecycle operations manager (LOM), the LOM responsible for managing lifecycle operations associated with at least one component in the secured environment, wherein the LBC stores information associated with at least one lifecycle operation executed by the LOM, and wherein the at least one lifecycle operation executed by the LOM includes at least one of a system copy, a system refresh, a system rename, and a system creation;
determining, at the intrusion detection system, whether the at least one potentially malicious action associated with the identified indication is associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed LBC; and
in response to determining that the at least one potentially malicious action is associated with one or more of the at least one lifecycle operations, triggering an alternative mitigation action, wherein the alternative mitigation action is a less severe action than the initial mitigation action.
Dependent claims: 2 to 11.

12. A system comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, the memory storing instructions which, when executed, cause the at least one processor to perform operations comprising:
identifying, at an intrusion detection system, an indication of at least one potentially malicious action occurring in a secured environment monitored by the intrusion detection system;
identifying, by the intrusion detection system, an initial mitigation action associated with the at least one potentially malicious action;
accessing, by the intrusion detection system, a lifecycle-based context (LBC) associated with a lifecycle operations manager (LOM), the LOM responsible for managing lifecycle operations associated with at least one component in the secured environment, wherein the LBC stores information associated with at least one lifecycle operation executed by the LOM, and wherein the at least one lifecycle operation executed by the LOM includes at least one of a system copy, a system refresh, a system rename, and a system creation;
determining, at the intrusion detection system, whether the at least one potentially malicious action associated with the identified indication is associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed LBC; and
in response to determining that the at least one potentially malicious action is associated with one or more of the at least one lifecycle operations, triggering an alternative mitigation action, wherein the alternative mitigation action is a less severe action than the initial mitigation action.
Dependent claims: 13 to 16.

17. A non-transitory computer-readable medium storing instructions which, when executed, cause at least one processor to perform operations comprising:
identifying, at an intrusion detection system, an indication of at least one potentially malicious action occurring in a secured environment monitored by the intrusion detection system;
identifying, by the intrusion detection system, an initial mitigation action associated with the at least one potentially malicious action;
accessing, by the intrusion detection system, a lifecycle-based context (LBC) associated with a lifecycle operations manager (LOM), the LOM responsible for managing lifecycle operations associated with at least one component in the secured environment, wherein the LBC stores information associated with at least one lifecycle operation executed by the LOM, and wherein the at least one lifecycle operation executed by the LOM includes at least one of a system copy, a system refresh, a system rename, and a system creation;
determining, at the intrusion detection system, whether the at least one potentially malicious action associated with the identified indication is associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed LBC; and
in response to determining that the at least one potentially malicious action is associated with one or more of the at least one lifecycle operations, triggering an alternative mitigation action, wherein the alternative mitigation action is a less severe action than the initial mitigation action.