DISTRIBUTED DETECTION OF MALICIOUS CLOUD ACTORS

US 20170244738A1
Filed: 08/28/2014
Published: 08/24/2017
Est. Priority Date: 08/28/2014
Status: Active Grant

First Claim

Patent Images

1. A system for distributed detection of malicious cloud actors, the system comprising:

a plurality of intrusion detection modules that are each connected to a cloud server of a plurality of cloud servers, wherein each of the plurality of cloud servers is configured to provide a cloud service that is associated with a customer of a plurality of customers, each of the plurality of intrusion detection modules to;

intercept a plurality of outgoing cloud packets from the cloud server that are processed to determine if a preliminary threshold is exceeded, wherein a potential outgoing intrusion event of a plurality of potential outgoing intrusion events is generated when the preliminary threshold is exceeded; and

a malice aggregator for execution by a processor to;

update an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and

in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, provide a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples relate to distributed detection of malicious cloud actors. In some examples, outgoing cloud packets from the cloud server are intercepted and processed to determine if a preliminary threshold is exceeded, where the outgoing cloud packets are used to identify a customer. At this stage, a potential outgoing intrusion event of a number of potential outgoing intrusion events is generated when the preliminary threshold is exceeded. The potential outgoing intrusions events are used to update an aggregate log, where the aggregate log tracks a customer subset of the cloud servers that is associated with the customer. In response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, a notification of malicious activity by the customer is provided, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.

Citations

15 Claims

1. A system for distributed detection of malicious cloud actors, the system comprising:
- a plurality of intrusion detection modules that are each connected to a cloud server of a plurality of cloud servers, wherein each of the plurality of cloud servers is configured to provide a cloud service that is associated with a customer of a plurality of customers, each of the plurality of intrusion detection modules to;
  
  intercept a plurality of outgoing cloud packets from the cloud server that are processed to determine if a preliminary threshold is exceeded, wherein a potential outgoing intrusion event of a plurality of potential outgoing intrusion events is generated when the preliminary threshold is exceeded; and
  
  a malice aggregator for execution by a processor to;
  
  update an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and
  
  in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, provide a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein each of the plurality of intrusion detection modules uses identified packets of the plurality of outgoing cloud packets that exceed a threshold packet size to determine if the preliminary threshold is exceed.
  - 3. The system of claim 1, wherein the plurality of outgoing cloud packets are iteratively processed in a server queue, wherein each of the plurality of intrusion detection modules is further configured to:
    - in response to determining that the server queue exceeds a threshold queue size, request that an additional intrusion detection module be instantiated to process the plurality of outgoing cloud packets in the server queue.
  - 4. The system of claim 3, wherein the additional intrusion detection module is configured to:
    - in response to determining that the server queue no longer exceeds the threshold queue size, initiate a self-destruct procedure.
  - 5. The system of claim 4, wherein at least one of the plurality of intrusion detection modules is designated as permanent.
  - 6. The system of claim 1, wherein each of the plurality of intrusion detection modules is further configured to:
    - intercept a plurality of incoming cloud packets directed at the cloud server to determine if the preliminary threshold is exceeded, wherein a potential incoming intrusion event of a plurality of potential incoming intrusion events is generated when the preliminary threshold is exceeded;
      
      and wherein the malice aggregator is further to;
      
      update an incoming aggregate log that is associated with the customer subset of the plurality of cloud servers based on the plurality of potential incoming intrusion events; and
      
      in response to analyzing the incoming aggregate log to determine that cloud traffic directed at the customer subset exceeds the intrusion threshold, provide a customer notification of malicious activity that is targeted at the customer subset.

7. A method for distributed detection of malicious cloud actors, the method comprising:
- intercepting, by a processor, a plurality of outgoing cloud packets from the cloud server that are processed to determine if a preliminary threshold is exceeded, wherein the plurality of outgoing cloud packets is used to identify a customer of a plurality of customers;
  
  generating a potential outgoing intrusion event of a plurality of potential outgoing intrusion events when the preliminary threshold is exceeded; and
  
  updating an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and
  
  in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, providing a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein each of the plurality of intrusion detection modules uses identified packets of the plurality of outgoing cloud packets that exceed a threshold packet size to determine if the preliminary threshold is exceed.
  - 9. The method of claim 7, wherein the plurality of outgoing cloud packets are iteratively processed in a server queue, wherein the method further comprises:
    - in response to determining that the server queue exceeds a threshold queue size, requesting that an additional intrusion detection module be instantiated to process the plurality of outgoing cloud packets in the server queue.
  - 10. The method of claim 9, wherein at least one of the plurality of intrusion detection modules is designated as permanent.
  - 11. The method of claim 7, further comprising:
    - intercepting a plurality of incoming cloud packets directed at the cloud server;
      
      to determine if the preliminary threshold is exceeded, wherein a potential incoming intrusion event of a plurality of potential incoming intrusion events is generated when the preliminary threshold is exceeded;
      
      updating an incoming aggregate log that is associated with the customer subset of the plurality of cloud servers based on the plurality of potential incoming intrusion events; and
      
      in response to analyzing the incoming aggregate log to determine that cloud traffic directed at the customer subset exceeds the intrusion threshold, providing a customer notification of malicious activity that is targeted at the customer subset.

12. A non-transitory machine-readable storage medium encoded with instructions executable by a processor for distributed detection of malicious cloud actors, the machine-readable storage medium comprising instructions to:
- intercept a plurality of outgoing cloud packets from the cloud server that are processed in a server queue to determine if a preliminary threshold is exceeded, wherein the plurality of outgoing cloud packets is used to identify a customer of a plurality of customers;
  
  in response to determining that the server queue exceeds a threshold queue size, request that an additional intrusion detection module be instantiated to process the plurality of outgoing cloud packets in the server queue;
  
  generate a potential outgoing intrusion event of a plurality of potential outgoing intrusion events when the preliminary threshold is exceeded; and
  
  update an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and
  
  in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, provide a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory machine-readable storage medium of claim 12, wherein the plurality of outgoing cloud packets are iteratively processed in a server queue, wherein the instructions are further to:
    - in response to determining that the server queue exceeds a threshold queue size, request that an additional intrusion detection module be instantiated to process the plurality of outgoing cloud packets in the server queue.
  - 14. The non-transitory machine-readable storage medium of claim 13, wherein at least one of the plurality of intrusion detection modules is designated as permanent.
  - 15. The non-transitory machine-readable storage medium of claim 12, wherein the instructions are further to:
    - intercept a plurality of incoming cloud packets directed at the cloud server;
      
      to determine if the preliminary threshold is exceeded, wherein a potential incoming intrusion event of a plurality of potential incoming intrusion events is generated when the preliminary threshold is exceeded;
      
      update an incoming aggregate log that is associated with the customer subset of the plurality of cloud servers based on the plurality of potential incoming intrusion events; and
      
      in response to analyzing the incoming aggregate log to determine that cloud traffic directed at the customer subset exceeds the intrusion threshold, provide a customer notification of malicious activity that is targeted at the customer subset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SUSE, LLC (EQT AB)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
CLARK, Robert Graham

Granted Patent

US 10,951,637 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/5096   wherein the managed service...

H04L 43/028   by filtering

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/10   in which an application is ...

DISTRIBUTED DETECTION OF MALICIOUS CLOUD ACTORS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED DETECTION OF MALICIOUS CLOUD ACTORS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links