Intrusion detection system enrichment based on system lifecycle

US 10,671,723 B2
Filed: 08/01/2017
Issued: 06/02/2020
Est. Priority Date: 08/01/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by one or more processors, the method comprising:

identifying, at an intrusion detection system, an indication of at least one potentially malicious action occurring in a secured environment monitored by the intrusion detection system;

identifying, by the intrusion detection system, an initial mitigation action associated with the at least one potentially malicious action;

accessing, by the intrusion detection system, a lifecycle-based context (LBC) associated with a lifecycle operations manager (LOM), the LOM responsible for managing lifecycle operations associated with at least one component in the secured environment, wherein the LBC stores information associated with at least one lifecycle operation executed by the LOM, and wherein the at least one lifecycle operation executed by the LOM includes at least one of a system copy, a system refresh, a system rename, and a system creation;

determining, at the intrusion detection system, whether the at least one potentially malicious action associated with the identified indication is associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed LBC; and

in response to determining that the at least one potentially malicious action is associated with one or more of the at least one lifecycle operations;

triggering an alternative mitigation action, wherein the alternative mitigation action is a less severe action than the initial mitigation action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for automatically incorporating lifecycle context information for a secured environment into an intrusion detection system monitoring the secured environment'"'"'s operations. In one example, an indication of a potentially malicious action occurring in a secured environment monitored by an intrusion detection system is identified. A lifecycle-based context associated with a lifecycle operations manager (LOM) is accessed, where the LOM is responsible for managing lifecycle operations associated with components in the secured environment, and where the context stores information associated with lifecycle operations executed by the LOM. A determination is made as to whether the potentially malicious action associated with the indication is associated with information associated with an executed lifecycle operation stored in the context. In response to determining that a malicious action is associated with a lifecycle operation, a mitigation action associated with the potentially malicious action can be modified.

Citations

17 Claims

1. A computer-implemented method performed by one or more processors, the method comprising:
- identifying, at an intrusion detection system, an indication of at least one potentially malicious action occurring in a secured environment monitored by the intrusion detection system;
  
  identifying, by the intrusion detection system, an initial mitigation action associated with the at least one potentially malicious action;
  
  accessing, by the intrusion detection system, a lifecycle-based context (LBC) associated with a lifecycle operations manager (LOM), the LOM responsible for managing lifecycle operations associated with at least one component in the secured environment, wherein the LBC stores information associated with at least one lifecycle operation executed by the LOM, and wherein the at least one lifecycle operation executed by the LOM includes at least one of a system copy, a system refresh, a system rename, and a system creation;
  
  determining, at the intrusion detection system, whether the at least one potentially malicious action associated with the identified indication is associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed LBC; and
  
  in response to determining that the at least one potentially malicious action is associated with one or more of the at least one lifecycle operations;
  
  triggering an alternative mitigation action, wherein the alternative mitigation action is a less severe action than the initial mitigation action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the intrusion detection system comprises a threat detection system.
  - 3. The method of claim 1, wherein the secured environment includes at least one of one or more independent application instances, systems comprising several related application instances, and an infrastructure environment, the infrastructure environment comprising at least one of one or more storage instances, one or more networks, one or more honeypots, and one or more firewalls.
  - 4. The method of claim 1, wherein the intrusion detection system is associated with a malicious action rule set defining at least one pattern associated with one or more monitored activities occurring in the secured environment.
  - 5. The method of claim 4, wherein the intrusion detection system compares one or more log files corresponding to at least some of the components of the secured environment to the malicious action rule set to identify potential malicious actions occurring in the secured environment.
  - 6. The method of claim 4, wherein the LBC is used by the intrusion detection system within the malicious action rule set as one attribute for the identification of a potentially malicious action.
  - 7. The method of claim 6, wherein the LBC is used by the intrusion detection system to preselect the one or more log files or log file entries corresponding to at least some of the components within the secured environment prior to execution of the malicious action rule set.
  - 8. The method of claim 1, further comprising, in response to determining that the at least one potentially malicious action is not associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed LBC, triggering the initial mitigation action associated with the at least one potentially malicious action.
  - 9. The method of claim 8, wherein the initial mitigation action includes at least one of presenting a warning to a responsible entity and automatic triggering of at least one security countermeasure corresponding to the at least one potentially malicious action.
  - 10. The method of claim 1, wherein the information associated with the at least one lifecycle operation executed by the LOM comprises resulting states associated with at least one component within the secured environment as a result of the at least one lifecycle operation.
  - 11. The method of claim 1, wherein the alternative mitigation action comprises suppressing triggering of the initial mitigation action.

12. A system comprising:
- at least one processor; and
  
  a memory communicatively coupled to the at least one processor, the memory storing instructions which, when executed, cause the at least one processor to perform operations comprising;
  
  identifying, at an intrusion detection system, an indication of at least one potentially malicious action occurring in a secured environment monitored by the intrusion detection system;
  
  identifying, by the intrusion detection system, an initial mitigation action associated with the at least one potentially malicious action;
  
  accessing, by the intrusion detection system, a lifecycle-based context (LBC) associated with a lifecycle operations manager (LOM), the LOM responsible for managing lifecycle operations associated with at least one component in the secured environment, wherein the LBC stores information associated with at least one lifecycle operation executed by the LOM, and wherein the at least one lifecycle operation executed by the LOM includes at least one of a system copy, a system refresh, a system rename, and a system creation;
  
  determining, at the intrusion detection system, whether the at least one potentially malicious action associated with the identified indication is associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed lifecycle-based context LBC; and
  
  in response to determining that the at least one potentially malicious action is associated with one or more of the at least one lifecycle operations;
  
  triggering an alternative mitigation action, wherein the alternative mitigation action is a less severe action than the initial mitigation action.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein the secured environment includes at least one of one or more independent application instances, systems comprising several related application instances, and an infrastructure environment, the infrastructure environment comprising at least one of one or more storage instances, one or more networks, one or more honeypots, and one or more firewalls.
  - 14. The system of claim 12, wherein the intrusion detection system is associated with a malicious action rule set defining at least one pattern associated with one or more monitored activities occurring in the secured environment, and wherein the intrusion detection system compares one or more log files corresponding to at least some of the components of the secured environment to the malicious action rule set to identify potential malicious actions occurring in the secured environment.
  - 15. The system of claim 12, the operations further comprising, in response to determining that the at least one potentially malicious action is not associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the LBC, triggering initial mitigation action associated with the at least one potentially malicious action, wherein the initial mitigation action includes at least one of presenting a warning to a responsible entity and automatic triggering of at least one security countermeasure corresponding to the at least one potentially malicious action.
  - 16. The system of claim 12, wherein the alternative mitigation action comprises suppressing triggering of the initial mitigation action.

17. A non-transitory computer-readable medium storing instructions which, when executed, cause at least one processor to perform operations comprising:
- identifying, at an intrusion detection system, an indication of at least one potentially malicious action occurring in a secured environment monitored by the intrusion detection system;
  
  identifying, by the intrusion detection system, an initial mitigation action associated with the at least one potentially malicious action;
  
  accessing, by the intrusion detection system, a lifecycle-based context (LBC) associated with a lifecycle operations manager (LOM), the LOM responsible for managing lifecycle operations associated with at least one component in the secured environment, wherein the LBC stores information associated with at least one lifecycle operation executed by the LOM, and wherein the at least one lifecycle operation executed by the LOM includes at least one of a system copy, a system refresh, a system rename, and a system creation;
  
  determining, at the intrusion detection system, whether the at least one potentially malicious action associated with the identified indication is associated with at least a portion of the information associated with at least one lifecycle operation executed by the LOM stored in the accessed LBC; and
  
  in response to determining that the at least one potentially malicious action is associated with one or more of the at least one lifecycle operations;
  
  triggering an alternative mitigation action, wherein the alternative mitigation action is a less severe action than the initial mitigation action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Krebs, Rouven, Frank, Juergen
Primary Examiner(s)
Tolentino, Roderick

Application Number

US15/665,700
Publication Number

US 20190042736A1
Time in Patent Office

1,036 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

H04L 43/16   Threshold monitoring

H04L 63/0263   Rule management

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Intrusion detection system enrichment based on system lifecycle

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection system enrichment based on system lifecycle

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links