METHOD AND SYSTEM FOR EFFICIENT MANAGEMENT OF SECURITY THREATS IN A DISTRIBUTED COMPUTING ENVIRONMENT

US 20150381641A1
Filed: 06/30/2014
Published: 12/31/2015
Est. Priority Date: 06/30/2014
Status: Abandoned Application

First Claim

Patent Images

1. A computing system implemented method for distributing security threat management of a first instance of an application that is hosted from multiple geographic locations, comprising:

monitoring, with a computing system, first operational characteristics of the first instance of the application,wherein the first instance of the application is hosted by a first virtual asset in a first computing environment,wherein the first computing environment is disposed in a first geographic region,wherein the first operational characteristics include a quantity of communication traffic between the first instance of the application and one or more external computing systems;

establishing an average for the first operational characteristics based at least partially on the first operational characteristics;

identifying a first deviation from the average for the first operational characteristics that is more than a first predetermined amount;

in response to identifying the first deviation from the average, retrieving second operational characteristics for at least one other instance of the application,wherein the at least one other instance of the application is hosted by one or more second virtual assets in one or more second computing environments,wherein the one or more second computing environments are disposed in one or more second geographic regions that are different than the first geographic region;

comparing the first operational characteristics to the second operational characteristics; and

reporting an identification of a potential security threat if the first operational characteristics differ from the second operational characteristics by more than a second predetermined amount.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for distributing security threat management of an instance of an application that is hosted from multiple geographic locations, according to one embodiment. The method and system include monitoring first operational characteristics of the instance of the application, and establishing an average for the first operational characteristics based at least partially on the first operational characteristics, according to one embodiment. The method and system include identifying a deviation from the average for the first operational characteristics that is more than a predetermined amount, according to one embodiment. The method and system include retrieving second operational characteristics for at least one other instance of the application and comparing the first operational characteristics to the second operational characteristics, according to one embodiment. The system and method include reporting an identification of a potential security threat, according to one embodiment.

Citations

32 Claims

1. A computing system implemented method for distributing security threat management of a first instance of an application that is hosted from multiple geographic locations, comprising:
- monitoring, with a computing system, first operational characteristics of the first instance of the application,wherein the first instance of the application is hosted by a first virtual asset in a first computing environment,wherein the first computing environment is disposed in a first geographic region,wherein the first operational characteristics include a quantity of communication traffic between the first instance of the application and one or more external computing systems;
  
  establishing an average for the first operational characteristics based at least partially on the first operational characteristics;
  
  identifying a first deviation from the average for the first operational characteristics that is more than a first predetermined amount;
  
  in response to identifying the first deviation from the average, retrieving second operational characteristics for at least one other instance of the application,wherein the at least one other instance of the application is hosted by one or more second virtual assets in one or more second computing environments,wherein the one or more second computing environments are disposed in one or more second geographic regions that are different than the first geographic region;
  
  comparing the first operational characteristics to the second operational characteristics; and
  
  reporting an identification of a potential security threat if the first operational characteristics differ from the second operational characteristics by more than a second predetermined amount.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the second operational characteristics are an average of one or more of the second operational characteristics of the at least one other instance of the application.
  - 3. The method of claim 1, wherein the computing system is a first computing system,wherein retrieving the second operational characteristics includes:
    - transmitting a request from the first computing system to the second computing system to receive the second operational characteristics; and
      
      receiving the second operational characteristics from the second computing system,wherein the second computing system is located in the one or more second geographic regions.
  - 4. The method of claim 1, further comprising:
    - determining an event that includes one or more patterns of the first operational characteristics; and
      
      reporting the identification of a potential security threat if an event is detected.
  - 5. The method of claim 1, wherein monitoring includes receiving the first operation characteristics from the virtual asset hosting the first instance of the application.
  - 6. The method of claim 1, wherein monitoring the first operational characteristics of the first instance of the application includes monitoring the first operational characteristics in real-time or near real-time.
  - 7. The method of claim 1, further comprising:
    - comparing the first operational characteristics of the application to multiple patterns of operational characteristics,wherein each of the multiple patterns of operational characteristics represents one or more potential security threats; and
      
      reporting the identification of the potential security threat if the first operational characteristics match any of the patterns of operational characteristics.
  - 8. The method of claim 7, wherein the multiple patterns of operational characteristics are stored by the computing system in a data structure.
  - 9. The method of claim 1, wherein monitoring the first operational characteristics of the first instance of the application includes monitoring the first operational characteristics because applications hosted in the first geographical region have a higher-than-average likelihood of receiving cyber-attack.
  - 10. The method of claim 1, wherein the first operational characteristics and the one or more second operational characteristics include one or more:
    - commands received by the first instance of the application from the one or more external computing systems;
      
      requests received by the first instance of the application from the one or more external computing systems;
      
      digital signatures of content of the communication traffic;
      
      IP addresses associated with the one or more external computing systems; and
      
      user accounts for users that have access to the first instance of the application.
  - 11. The method of claim 1, further comprising:
    - verifying a status of a user account that has submitted a request for information from the first instance of the application, if the user account is associated with an IP address that is located in the one or more second geographic regions.
  - 12. The method of claim 11, wherein verifying the status of the user account includes transmitting a request for account validation to the one or more second virtual assets in the one or more second geographic regions.
  - 13. The method of claim 11, further comprising:
    - reporting the identification of the potential security threat if the status of the user account is other than active.

14. A computing system implemented method for distributing security threat management of a first instance of an application that is hosted from multiple geographic locations, comprising:
- receiving, with a regional management computing system, a security threat policy from a global management computing system,wherein the security threat policy includes multiple patterns of operational characteristics for the first instance of the application,wherein each of the multiple patterns of operational characteristics is associated with one or more potential security threats against the first instance of the application;
  
  monitoring, with the regional management computing system, operational characteristics of the first instance of the application,wherein the first instance of the application is hosted by a first virtual asset in a first computing environment and the first instance of the application is different than at least one other instance of the application that is hosted by at least one other virtual asset in at least one other computing environment,wherein the first computing environment is located in a first geographic region and the at least one other computing environment is located in at least one other geographic region;
  
  comparing the operational characteristics of the first instance of the application to at least one of the multiple patterns of operational characteristics to detect the one or more potential security threats; and
  
  reporting an identification of the one or more potential security threats if the operational characteristics are similar to at least one of the multiple patterns of operational characteristics.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the operational characteristics of the first instance of the application are first operational characteristics, the method further comprising:
    - retrieving second operational characteristics for at least one other instance of the application;
      
      comparing the first operational characteristics to the second operational characteristics; and
      
      reporting the identification of the one or more potential security threats if the first operational characteristics deviate from the second operational characteristics by more than a predetermined amount.
  - 16. The method of claim 14, wherein the operational characteristics of the first instance of the application include one or more:
    - commands received by the first instance of the application from one or more external computing systems;
      
      requests received by the first instance of the application from the one or more external computing systems;
      
      digital signatures of content of communication traffic between the first instance of the application and the one or more external computing systems;
      
      IP addresses associated with the one or more external computing systems; and
      
      user accounts for users that have access to the first instance of the application.

17. A system for distributing security threat management of a first instance of an application that is hosted from multiple geographic locations, the system comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which, when executed by any set of the one or more processors, perform a process for distributing security threat management of a first instance of an application that is hosted from multiple geographic locations, the process including;
  
  monitoring, with a computing system, first operational characteristics of the first instance of the application,wherein the first instance of the application is hosted by a first virtual asset in a first computing environment,wherein the first computing environment is disposed in a first geographic region,wherein the first operational characteristics include a quantity of communication traffic between the first instance of the application and one or more external computing systems;
  
  establishing an average for the first operational characteristics based at least partially on the first operational characteristics;
  
  identifying a first deviation from the average for the first operational characteristics that is more than a first predetermined amount;
  
  in response to identifying the first deviation from the average, retrieving second operational characteristics for at least one other instance of the application,wherein the at least one other instance of the application is hosted by one or more second virtual assets in one or more second computing environments,wherein the one or more second computing environments are disposed in one or more second geographic regions that are different than the first geographic region;
  
  comparing the first operational characteristics to the second operational characteristics; and
  
  reporting an identification of a potential security threat if the first operational characteristics differ from the second operational characteristics by more than a second predetermined amount.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The system of claim 17, wherein the second operational characteristics are an average of one or more of the second operational characteristics of the at least one other instance of the application.
  - 19. The system of claim 17, wherein the computing system is a first computing system,wherein retrieving the second operational characteristics includes:
    - transmitting a request from the first computing system to the second computing system to receive the second operational characteristics; and
      
      receiving the second operational characteristics from the second computing system,wherein the second computing system is located in the one or more second geographic regions.
  - 20. The system of claim 17, wherein the process further comprises:
    - determining an event that includes one or more patterns of the first operational characteristics; and
      
      reporting the identification of a potential security threat if an event is detected.
  - 21. The system of claim 17, wherein monitoring includes receiving the first operation characteristics from the virtual asset hosting the first instance of the application.
  - 22. The system of claim 17, wherein monitoring the first operational characteristics of the first instance of the application includes monitoring the first operational characteristics in real-time or near real-time.
  - 23. The system of claim 17, wherein the process further comprises:
    - comparing the first operational characteristics of the application to multiple patterns of operational characteristics,wherein each of the multiple patterns of operational characteristics represents one or more potential security threats; and
      
      reporting the identification of the potential security threat if the first operational characteristics match any of the patterns of operational characteristics.
  - 24. The system of claim 23, wherein the multiple patterns of operational characteristics are stored by the computing system in a data structure.
  - 25. The system of claim 17, wherein monitoring the first operational characteristics of the first instance of the application includes monitoring the first operational characteristics because applications hosted in the first geographical region have a higher-than-average likelihood of receiving cyber-attack.
  - 26. The system of claim 17, wherein the first operational characteristics and the one or more second operational characteristics include one or more:
    - commands received by the first instance of the application from the one or more external computing systems;
      
      requests received by the first instance of the application from the one or more external computing systems;
      
      digital signatures of content of the communication traffic;
      
      IP addresses associated with the one or more external computing systems; and
      
      user accounts for users that have access to the first instance of the application.
  - 27. The system of claim 17, wherein the process further comprises:
    - verifying a status of a user account that has submitted a request for information from the first instance of the application, if the user account is associated with an IP address that is located in the one or more second geographic regions.
  - 28. The system of claim 27, wherein verifying the status of the user account includes transmitting a request for account validation to the one or more second virtual assets in the one or more second geographic regions.
  - 29. The system of claim 27, wherein the process further comprises:
    - reporting the identification of the potential security threat if the status of the user account is other than active.

30. A system for distributing security threat management of a first instance of an application that is hosted from multiple geographic locations, comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for distributing security threat management of a first instance of an application that is hosted from multiple geographic locations, the process including;
  
  receiving, with a regional management computing system, a security threat policy from a global management computing system,wherein the security threat policy includes multiple patterns of operational characteristics for the first instance of the application,wherein each of the multiple patterns of operational characteristics is associated with one or more potential security threats against the first instance of the application;
  
  monitoring, with the regional management computing system, operational characteristics of the first instance of the application,wherein the first instance of the application is hosted by a first virtual asset in a first computing environment and the first instance of the application is different than at least one other instance of the application that is hosted by at least one other virtual asset in at least one other computing environment,wherein the first computing environment is located in a first geographic region and the at least one other computing environment is located in at least one other geographic region;
  
  comparing the operational characteristics of the first instance of the application to at least one of the multiple patterns of operational characteristics to detect the one or more potential security threats; and
  
  reporting an identification of the one or more potential security threats if the operational characteristics are similar to at least one of the multiple patterns of operational characteristics.
- View Dependent Claims (31, 32)
- - 31. The system of claim 30, wherein the operational characteristics of the first instance of the application are first operational characteristics, the process further comprising:
    - retrieving second operational characteristics for at least one other instance of the application;
      
      comparing the first operational characteristics to the second operational characteristics; and
      
      reporting the identification of the one or more potential security threats if the first operational characteristics deviate from the second operational characteristics by more than a predetermined amount.
  - 32. The system of claim 30, wherein the operational characteristics of the first instance of the application include one or more:
    - commands received by the first instance of the application from one or more external computing systems;
      
      requests received by the first instance of the application from the one or more external computing systems;
      
      digital signatures of content of communication traffic between the first instance of the application and the one or more external computing systems;
      
      IP addresses associated with the one or more external computing systems; and
      
      user accounts for users that have access to the first instance of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Cabrera, Luis Felipe, Lietz, M. Shannon

Application Number

US14/319,352
Publication Number

US 20150381641A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

METHOD AND SYSTEM FOR EFFICIENT MANAGEMENT OF SECURITY THREATS IN A DISTRIBUTED COMPUTING ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR EFFICIENT MANAGEMENT OF SECURITY THREATS IN A DISTRIBUTED COMPUTING ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links