Method and system for implementing cloud native application threat detection

US 10,685,115 B1
Filed: 10/27/2017
Issued: 06/16/2020
Est. Priority Date: 10/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method for implementing cloud native application (CNA) threat detection, comprising:

in response to a CNA meeting a webhook trigger;

receiving a webhook message comprising an application granularity image (AGI);

instantiating a restored image environment (RIE) within a cloud computing environment;

configuring the RIE through a restoration of the AGI therein; and

probing the AGI, within the RIE, to perform a cyber security assessment of the CNA as part of an application development pipeline (ADP),wherein the CNA meeting the webhook trigger comprises detecting a modification to a document configuring or defining a container stack implementing the CNA,wherein probing the AGI, within the RIE, to perform the cyber security assessment of the CNA, comprises;

employing a data scanning algorithm to probe the AGI within the RIE;

based on the employing, identifying a potential threat signature (PTS) in the AGI;

determining that the PTS does not match a known cyber security threat signature; and

based on the determining, generating a recommendation to permit a proceeding of the CNA to a deployment stage along the ADP.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for implementing cloud native application threat detection. Specifically, the disclosed method and system entail configuring a webhook within a build pipeline for cloud native applications, which when triggered by the detection of modifications to container configuration and/or definition files associated with the cloud native applications, forwards exact copies of the cloud native applications to a threat detection service for cyber security assessing. Further, based on the assessing, cloud native applications may be impeded from continuing, or alternatively, may be permitted to continue along, the build pipeline.

Citations

18 Claims

1. A method for implementing cloud native application (CNA) threat detection, comprising:
- in response to a CNA meeting a webhook trigger;
  
  receiving a webhook message comprising an application granularity image (AGI);
  
  instantiating a restored image environment (RIE) within a cloud computing environment;
  
  configuring the RIE through a restoration of the AGI therein; and
  
  probing the AGI, within the RIE, to perform a cyber security assessment of the CNA as part of an application development pipeline (ADP),wherein the CNA meeting the webhook trigger comprises detecting a modification to a document configuring or defining a container stack implementing the CNA,wherein probing the AGI, within the RIE, to perform the cyber security assessment of the CNA, comprises;
  
  employing a data scanning algorithm to probe the AGI within the RIE;
  
  based on the employing, identifying a potential threat signature (PTS) in the AGI;
  
  determining that the PTS does not match a known cyber security threat signature; and
  
  based on the determining, generating a recommendation to permit a proceeding of the CNA to a deployment stage along the ADP.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the webhook trigger corresponds to a webhook attached to a testing stage of the ADP.
  - 3. The method of claim 1, wherein the document is one selected from a group consisting of a Docker DockerFile, a Kubernetes Pod Configuration File, a Kubernetes Deployment Descriptor File, and a CloudFoundry Manifest File.
  - 4. The method of claim 1, wherein the AGI is an image-based snapshot of a CNA granularity, wherein the CNA granularity comprises one selected from a group consisting of a microservice portion, a complete microservice, and a set of collaborative microservices.
  - 5. The method of claim 1, further comprising:
    - determining that the PTS matches a known cyber security threat signature; and
      
      based on the determining, generating a recommendation to deny a proceeding of the CNA to a deployment stage along the ADP.
  - 6. The method of claim 1, further comprising:
    - detecting anomalous activity exhibited in the AGI using the data scanning algorithm;
      
      succeeding to identify an anomalous activity root (AAR) instigating the anomalous activity; and
      
      based on the succeeding, generating a recommendation to deny a proceeding of the CNA to a deployment stage along the ADP.
  - 7. The method of claim 1, further comprising:
    - detecting anomalous activity exhibited in the AGI using the scanning algorithm;
      
      failing to identify an anomalous activity root (AAR) instigating the anomalous activity; and
      
      based on the failing, generating a recommendation to permit a proceeding of the CNA to a deployment stage along the ADP.

8. A system, comprising:
- a cloud platform service (CPS) comprising a first computer processor programmed to implement an application development pipeline (ADP); and
  
  a threat detection service (TDS) kernel executing on a second computer processor operatively connected to the CPS,wherein the TDS kernel is programmed to;
  
  in response to a cloud native application (CNA) meeting a webhook trigger;
  
  obtain, for the CNA, an application granularity image (AGI) originating from the CPS;
  
  instantiate a restored image environment (RIE) within a cloud computing environment;
  
  configure the RIE through a restoration of the AGI therein; and
  
  create a RIE manager responsible for probing the AGI, within the RIE, to perform a cyber security assessment of the CNA as part of the ADP,wherein the CNA meeting the webhook trigger comprises detecting a modification to a document configuring or defining a container stack implementing the CNA,wherein probing the AGI, within the RIE, to perform the cyber security assessment of the CNA, comprises;
  
  employing a data scanning algorithm to probe the AGI within the RIE;
  
  based on the employing, identifying a potential threat signature (PTS) in the AGI;
  
  determining that the PTS does not match a known cyber security threat signature; and
  
  based on the determining, generating a recommendation to permit a proceeding of the CNA to a deployment stage along the ADP.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8, further comprising:
    - a data repository operatively connected to the TDS kernel, and configured to store at least the AGI and a threat signature library (CTL),wherein the CTL comprises a plurality of known cyber security threat signatures,wherein each known cyber security threat signature of the plurality of known cyber security threat signatures uniquely identifies a different known cyber security threat.
  - 10. The system of claim 9, further comprising:
    - a TDS operatively connected to the CPS, and comprising;
      
      the second computer processor, a TDS application program interface (API) executing on the second computer processor, the TDS kernel, the data repository, the RIE manager, and the RIE.
  - 11. The system of claim 8, wherein the CPS comprises a webhook attached to a testing stage of the ADP, wherein the webhook is defined through the AGI, the webhook trigger, and a webhook destination uniform resource locator (URL) associated with a TDS resource residing on the TDS.

12. A non-transitory computer readable medium (CRM) comprising computer readable program code, which when executed by a computer processor, enables the computer processor to:
- in response to a cloud native application (CNA) meeting a webhook trigger;
  
  receive a webhook message comprising an application granularity image (AGI);
  
  instantiate a restored image environment (RIE) within a cloud computing environment;
  
  configure the RIE through a restoration of the AGI therein; and
  
  probe the AGI, within the RIE, to perform a cyber security assessment of the CNA as part of an application development pipeline (ADP),wherein the CNA meeting the webhook trigger comprises detecting a modification to a document configuring or defining a container stack implementing the CNA,wherein probing the AGI, within the RIE, to perform the cyber security assessment of the CNA, comprises;
  
  employing a data scanning algorithm to probe the AGI within the RIE;
  
  based on the employing, identifying a potential threat signature (PTS) in the AGI;
  
  determining that the PTS does not match a known cyber security threat signature; and
  
  based on the determining, generating a recommendation to permit a proceeding of the CNA to a deployment stage along the ADP.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory CRM of claim 12, wherein the webhook trigger corresponds to a webhook attached to a testing stage of the ADP.
  - 14. The non-transitory CRM of claim 12, wherein the document is one selected from a group consisting of a Docker DockerFile, a Kubernetes Pod Configuration File, a Kubernetes Deployment Descriptor File, and a CloudFoundry Manifest File.
  - 15. The non-transitory CRM of claim 12, wherein the AGI is an image-based snapshot of a CNA granularity, wherein the CNA granularity comprises one selected from a group consisting of a microservice portion, a complete microservice, and a set of collaborative microservices.
  - 16. The non-transitory CRM of claim 12, wherein the computer readable program code further enables the computer processor to:
    - determine that the PTS matches a known cyber security threat signature; and
      
      based on the determining, generate a recommendation to deny a proceeding of the CNA to a deployment stage along the ADP.
  - 17. The non-transitory CRM of claim 12, the computer readable program code further enables the computer processor to:
    - detect anomalous activity exhibited in the AGI using the data scanning algorithm;
      
      succeed to identify an anomalous activity root (AAR) instigating the anomalous activity; and
      
      based on the succeeding, generate a recommendation to deny a proceeding of the CNA to a deployment stage along the ADP.
  - 18. The non-transitory CRM of claim 12, wherein the computer readable program code further enables the computer processor to:
    - detect anomalous activity exhibited in the AGI using the scanning algorithm;
      
      fail to identify an anomalous activity root (AAR) instigating the anomalous activity; and
      
      based on the failing, generate a recommendation to permit a proceeding of the CNA to a deployment stage along the ADP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Lieberman, Amit, Natanzon, Assaf, Golan, Oron, Manusov, Yuri, Shnier, Raul
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Khan, Moeen

Application Number

US15/795,852
Time in Patent Office

963 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and system for implementing cloud native application threat detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for implementing cloud native application threat detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links