THREAT DETECTION AND MITIGATION THROUGH RUN-TIME INTROSPECTION AND INSTRUMENTATION

US 20160373481A1
Filed: 09/02/2016
Published: 12/22/2016
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems configured with executable instructions,obtaining a measurement at a point in a distributed computing environment;

determining, based at least in part on the measurement, a correlation between a first element in the distributed computing environment and a second element in the distributed computing environment;

generating, based at least in part on the correlation, a graph comprising a plurality of nodes, with a first node of the plurality of nodes associated with the first element and a second node of the plurality of nodes associated with the second element;

determining, from the graph, that the measurement is in noncompliance with a rule; and

triggering a security action based at least in part on the noncompliance that was determined.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A graph of a plurality of resources in a computing environment is generated, with the graph associating a first resource of the plurality with a second resource of the plurality. Based at least in part on measurements obtained at a point in a test computing environment that corresponds to a point in the computing environment, an expected value or expected range of values is determined. An assessment of a security state of the computing environment is generated based at least in part on a comparison between a measurement obtained at the point in the computing environment and the expected value or expected range of values, and responsive to a determination that the assessment indicates a rule violation in the computing environment, a security action is performed.

142 Citations

20 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,obtaining a measurement at a point in a distributed computing environment;
  
  determining, based at least in part on the measurement, a correlation between a first element in the distributed computing environment and a second element in the distributed computing environment;
  
  generating, based at least in part on the correlation, a graph comprising a plurality of nodes, with a first node of the plurality of nodes associated with the first element and a second node of the plurality of nodes associated with the second element;
  
  determining, from the graph, that the measurement is in noncompliance with a rule; and
  
  triggering a security action based at least in part on the noncompliance that was determined.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein compliance with the rule comprises:
    - a software library being of at least of a particular version,a network communication protocol being encrypted,an unused network port being closed, ora set of credentials being associated with a least amount of privilege sufficient to access a requested resource.
  - 3. The computer-implemented method of claim 1, further comprising determining a location for the point in the distributed computing system at which to obtain the measurement based at least in part on a type of information that can be obtained from measurements taken at the point.
  - 4. The computer-implemented method of claim 1, wherein an edge between the first node and the second node in the graph is associated with the correlation.
  - 5. The computer-implemented method of claim 1, wherein performing the security action includes adding one or more constraints to a security policy that causes the distributed computing environment to comply with the rule.
  - 6. The computer-implemented method of claim 1, further comprising generating, based at least in part on the graph, a threat model that identifies potential risks to the distributed computing environment.
  - 7. The computer-implemented method of claim 1, wherein:
    - the graph is a second graph;
      
      the measurement is a second measurement obtained at a second time, after a first time;
      
      the computer-implemented method further comprises;
      
      obtaining a first measurement at the first time; and
      
      generating, based at least in part on the second measurement, a first graph; and
      
      determining that the measurement is in noncompliance is based at least in part on a comparison between the first graph and the second graph.

8. A system, comprising:
- one or more processors; and
  
  memory including instructions that, as a result of execution by the one or more processors, cause the system to;
  
  determine, based at least in part on information collected at a location in a computing environment, a correlation between a first resource and a second resource of the computing environment, the computing environment being associated with a customer of a service provider;
  
  generate a graph based at least in part on the correlation, the graph having a first node representing the first resource and a second node representing the second resource;
  
  determine, based at least in part on an evaluation of the graph against a rule, that the first resource is in noncompliance with the rule; and
  
  cause a security action, dependent at least in part on the noncompliance, to be performed.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the instructions further cause the system to further cause the system to:
    - determine, in response to receipt of a request to monitor the computing environment, the location in the computing environment at which to collect the information; and
      
      collect the information at the location.
  - 10. The system of claim 8, wherein:
    - the instructions further include instructions that cause the system to;
      
      receive a request to monitor the computing environment; and
      
      configure a sensor to collect the information at the location; and
      
      the instructions that cause the system to determine the correlation include instructions that cause the system to determine the correlation based at least in part on the information obtained from the sensor.
  - 11. The system of claim 8, wherein the security action is one or more of:
    - sending a notification to the customer,modifying a security policy to constrain privileges associated with credentials in the computing environment,preventing a process associated with the noncompliance from executing,logging the noncompliance, orupdating software associated with the noncompliance.
  - 12. The system of claim 8, wherein the first node represents a plurality of resources having a common characteristic, the first resource being one of the plurality of resources.
  - 13. The system of claim 8, wherein the instructions that cause the system to generate the graph include instructions that cause the system to identify a plurality of resource types within the computing environment, the first resource and the second resource each being one of the plurality of resource types.
  - 14. The system of claim 13, wherein:
    - the first node comprises a first plurality of resources that includes the first resource, the first plurality of resources being of a first type of the plurality of resource types; and
      
      the second node comprises a second plurality of resources that includes the second resource, the second plurality of resources being of a second type of the plurality of resources, different from the first type.

15. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, as a result of execution by one or more processors of one or more computer systems, cause the one or more computer systems to at least collectively:
- generate a graph of a plurality of resources in a computing environment, the graph including a relationship between a first resource of the plurality and a second resource of the plurality;
  
  at a point in the computing environment associated with the relationship, obtain a measurement;
  
  determine, based at least in part on at least one measurement obtained at a point in a test computing environment that corresponds to the point in the computing environment, a baseline;
  
  generate, by walking the graph, an assessment of a security state of the relationship, the assessment based at least in part on a comparison of the measurement with the baseline; and
  
  responsive to a determination that the assessment indicates a rule violation in the computing environment, cause performance of a security action.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory computer-readable storage media of claim 15, wherein the security action includes one or more of:
    - changing a network to use a secure protocol,storing a state of a virtual machine,terminating a virtual machine instance,rotating a cryptographic key, orrevoking access of an entity to the first resource or second resource.
  - 17. The one or more non-transitory computer-readable storage media of claim 15, the security action includes disassociating the first resource from the second resource pending confirmation from a customer associated with the computing environment that the measurement having varied from the baseline is acceptable.
  - 18. The one or more non-transitory computer-readable storage media of claim 15, wherein a resource of the plurality of resources is one of:
    - a software library,a network connection,a software process, ora service provided by a provider hosting the one or more computer systems.
  - 19. The one or more non-transitory computer-readable storage media of claim 15, wherein the measurements are obtained by a software agent executing within:
    - a controlling domain of a hypervisor in the computing environment,a hypervisor in the computing environment,an operating system of a virtual machine being monitored in the computing environment, ornetworking hardware of the computing environment.
  - 20. The one or more non-transitory computer-readable storage media of claim 15, wherein the executable instructions include executable instructions that cause the one or more computer systems to determine the point based at least in part on identifying information found in particular data that is obtainable at the point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sultan, Hassan, Schweitzer, John, Bailey, Donald Lee Jr., Roth, Gregory Branchek, Potlapally, Nachiketh Rao

Granted Patent

US 9,876,815 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

THREAT DETECTION AND MITIGATION THROUGH RUN-TIME INTROSPECTION AND INSTRUMENTATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

142 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

THREAT DETECTION AND MITIGATION THROUGH RUN-TIME INTROSPECTION AND INSTRUMENTATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others