METHOD AND SYSTEM FOR PROTECTING CLOUD-BASED APPLICATIONS EXECUTED IN A CLOUD COMPUTING PLATFORM

US 20160112375A1
Filed: 12/14/2015
Published: 04/21/2016
Est. Priority Date: 11/11/2013
Status: Active Grant

First Claim

Patent Images

1. A method for protecting cloud-based applications executed in a cloud computing platform, comprising:

intercepting traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application;

extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application;

determining based on, the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application; and

performing an action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for protecting cloud-based applications executed in a cloud computing platform are presented. The method includes intercepting traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application; extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application; determining based on, the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application; and performing an action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator.

Citations

39 Claims

1. A method for protecting cloud-based applications executed in a cloud computing platform, comprising:
- intercepting traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application;
  
  extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application;
  
  determining based on, the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application; and
  
  performing an action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising:
    - auditing activities of users accessing the cloud-based application.
  - 3. The method of claim 1, wherein the cloud computing platform is a software as a service (SaaS) platform.
  - 4. The method of claim 1 wherein the at least one parameter includes at least one of:
    - a type of the client device, a location of the client device, an identity of the user device, an action taken by the user, a response by the cloud-based application, a time of a requested action, and bandwidth consumed by the client device.
  - 5. The method of claim 1, wherein extracting at least one parameter from the intercepted traffic further comprises:
    - identifying any client device used by the user to access the cloud-based application;
      
      storing at least one device unique parameter associated with each identified client device; and
      
      tracking, using the at least one device unique parameter, the user attempting to access the cloud-based application across multiple sessions.
  - 6. The method of claim 5, wherein the at least one device unique parameter associated with each identified client device comprises any one of:
    - an International Mobile Equipment Identity (IMEI), a phone number, a media access control (MAC) address, an Internet Protocol (IP) address.
  - 7. The method of claim 1, wherein the risk indicator is further determined using at least one of:
    - a profiling engine, an anomaly engine, and a cloud service index, wherein the cloud service index provides the set of parameters combining the cloud-based application risk factors for the provider of the cloud computing platform.
  - 8. The method of claim 7, further comprising:
    - characterizing, by the profiling engine, each user based on passive traffic recordings of the set of parameters, wherein the user characteristics include at least one of;
      
      user usage patterns;
      
      roles, locations, distribution of user activities over time, and daily user routines.
  - 9. The method of claim 7, further comprising:
    - detecting, by the anomaly engine, at least one specific anomalous operation performed by each user, a series of anomalous operations by each user, and a pattern of anomalous operations performed by each user.
  - 10. The method of claim 9, wherein the detection is based in part on information provided by the profiling engine.
  - 11. The method of claim 7, wherein the anomaly engine is any one of:
    - a distance-based anomaly engine and a statistical-based anomaly engine.
  - 12. The method of claim 7, wherein the set of parameters provided by the cloud service index includes at least one of:
    - a security policy of the cloud-computing platform, a list of history of vulnerabilities of the cloud-computing platform, and attacks performed against the cloud-computing platform.
  - 13. The method of claim 1, wherein determining the risk indicator further comprises:
    - measuring a risk level for each risk vector of a plurality of risk vectors; and
      
      computing the risk indicator as a weighted function of the measured risk levels.
  - 14. The method of claim 13, wherein each risk vector of the plurality of risk vectors includes:
    - a data risk vector related to data maintained or accessed by the cloud-based application;
      
      a user risk vector related to a type of users or devices that can access the cloud-based application, a service risk vector related to services provided by a provider of the cloud-computing platform, a business risk vector related to a control provided to the user of the cloud-computing platform.
  - 15. The method of claim 14, wherein the action is at least one of:
    - generating an alert;
      
      blocking an access to the cloud-based application;
      
      encrypting traffic to and from the cloud computing platform;
      
      suspending a user from accessing the cloud-based application, eliminating permissions granted to a user; and
      
      restricting access to some functions of the cloud-based application.
  - 16. The method of claim 1, wherein the method is performed by one or more proxy devices communicatively connected between the cloud computing platform and the plurality of user devices.
  - 17. The method of claim 16, further comprising:
    - capturing responses sent by the cloud-based application; and
      
      processing the captured responses to enable processing of subsequent requests by one or more of the proxy devices.
  - 18. The method of claim 1, wherein each of the plurality of client devices is any one of:
    - a managed device and an unmanaged device.
  - 19. The method of claim 1, further comprising:
    - preventing a user from retrieving files from the cloud computing platform by enabling integration with cloud-based storage systems.
  - 20. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 1.

21. A system for reconstructing application-layer traffic flowing between a plurality client devices and a cloud computing platform, comprising:
- a processor; and
  
  a memory, the memory containing instructions that, when executed by the processor, configure the system to;
  
  intercept traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application;
  
  extract at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application;
  
  determine based on, the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application; and
  
  perform an action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 22. The system of claim 21, the system is further configured to:
    - audit activities of users accessing the cloud-based application.
  - 23. The system of claim 21, wherein the cloud computing platform is a software as a service (SaaS) platform.
  - 24. The system of claim 21, wherein the at least one parameter includes at least one of:
    - a type of the client device, a location of the client device, an identity of the user device, an action taken by the user, a response by the cloud-based application, a time of a requested action, and bandwidth consumed by the client device.
  - 25. The system of claim 21, the system is further configured to:
    - identify any client device used by the user to access the cloud-based application;
      
      store at least one device unique parameter associated with each identified client device; and
      
      track, using the at least one device unique parameter, the user attempting to access the cloud-based application across multiple sessions.
  - 26. The system of claim 25, wherein the at least one device unique parameter associated with each identified client device comprises any one of:
    - an International Mobile Equipment Identity (IMEI), a phone number, a media access control (MAC) address, an Internet Protocol (IP) address.
  - 27. The system of claim 21, wherein the system is further configured to determine the risk indicator using at least one of:
    - a profiling engine, an anomaly engine, and a cloud service index, wherein the cloud service index provides the set of parameters combining the cloud-based application risk factors for the provider of the cloud computing platform.
  - 28. The system of claim 27, the system is further configured to:
    - characterize, by the profiling engine, each user based on passive traffic recordings of the set of parameters, wherein the user characteristics include at least one of;
      
      user usage patterns;
      
      roles, locations, distribution of user activities over time, and daily user routines.
  - 29. The system of claim 27, the system is further configured to:
    - detect, by the anomaly engine, at least one specific anomalous operation performed by each user, a series of anomalous operations by each user, and a pattern of anomalous operations performed by each user.
  - 30. The system of claim 29, wherein the detection is based in part on information provided by the profiling engine.
  - 31. The system of claim 27, wherein the anomaly engine is any one of:
    - a distance-based anomaly engine and a statistical-based anomaly engine.
  - 32. The system of claim 27, wherein the set of parameters provided by the cloud service index includes at least one of:
    - a security policy of the cloud-computing platform, a list of history of vulnerabilities of the cloud-computing platform, and attacks performed against the cloud-computing platform.
  - 33. The system of claim 21, the system is further configured to:
    - measure a risk level for each risk vector of a plurality of risk vectors; and
      
      compute the risk indicator as a weighted function of the measured risk levels.
  - 34. The system of claim 33, wherein each risk vector of the plurality of risk vectors includes:
    - a data risk vector related to data maintained or accessed by the cloud-based application;
      
      a user risk vector related to a type of users or devices that can access the cloud-based application, a service risk vector related to services provided by a provider of the cloud-computing platform, a business risk vector related to a control provided to the user of the cloud-computing platform.
  - 35. The system of claim 24, wherein the action is at least one of:
    - generating an alert;
      
      blocking an access to the cloud-based application;
      
      encrypting traffic to and from the cloud computing platform;
      
      suspending a user from accessing the cloud-based application, eliminating permissions granted to a user; and
      
      restricting access to some functions of the cloud-based application.
  - 36. The system of claim 21, wherein the system is a proxy device communicatively connected between the cloud computing platform and the plurality of user devices.
  - 37. The system of claim 36, the system is further configured to:
    - capture responses sent by the cloud-based application; and
      
      process the captured responses to enable processing of subsequent requests by one or more of the proxy devices.
  - 38. The system of claim 21, wherein each of the plurality of client devices is any one of:
    - a managed device and an unmanaged device.
  - 39. The system of claim 21, the system is further configured to:
    - prevent a user from retrieving files from the cloud computing platform by enabling integration with cloud-based storage systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
COHEN, Aviram, MOYSI, Liran, LUTTWAK, Ami, REZNIK, Roy, VISHNEPOLSKY, Greg

Granted Patent

US 10,091,169 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/9574   of access to content, e.g. ...

G06F 21/128   involving web programs, i.e...

G06F 21/554   involving event detection a...

G06F 8/51   Source to source

G06F 9/5072   Grid computing

G06Q 10/10   Office automation; Time man...

H04L 41/5032   Generating service level re...

H04L 41/5096   wherein the managed service...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/168   above the transport layer

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

H04L 67/51   Discovery or management the...

H04L 67/535   Tracking the activity of th...

H04L 67/565   Conversion or adaptation of...

METHOD AND SYSTEM FOR PROTECTING CLOUD-BASED APPLICATIONS EXECUTED IN A CLOUD COMPUTING PLATFORM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR PROTECTING CLOUD-BASED APPLICATIONS EXECUTED IN A CLOUD COMPUTING PLATFORM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links