DISTRIBUTED DETECTION OF MALICIOUS CLOUD ACTORS
First Claim
1. A system for distributed detection of malicious cloud actors, the system comprising:
a plurality of intrusion detection modules that are each connected to a cloud server of a plurality of cloud servers, wherein each of the plurality of cloud servers is configured to provide a cloud service that is associated with a customer of a plurality of customers, each of the plurality of intrusion detection modules to:
intercept a plurality of outgoing cloud packets from the cloud server that are processed to determine if a preliminary threshold is exceeded, wherein a potential outgoing intrusion event of a plurality of potential outgoing intrusion events is generated when the preliminary threshold is exceeded; and
a malice aggregator for execution by a processor to:
update an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and
in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, provide a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
Abstract
Examples relate to distributed detection of malicious cloud actors. In some examples, outgoing cloud packets from the cloud server are intercepted and processed to determine if a preliminary threshold is exceeded, where the outgoing cloud packets are used to identify a customer. At this stage, a potential outgoing intrusion event of a number of potential outgoing intrusion events is generated when the preliminary threshold is exceeded. The potential outgoing intrusion events are used to update an aggregate log, where the aggregate log tracks a customer subset of the cloud servers that is associated with the customer. In response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, a notification of malicious activity by the customer is provided, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
15 Claims
1. A system for distributed detection of malicious cloud actors, the system comprising:
a plurality of intrusion detection modules that are each connected to a cloud server of a plurality of cloud servers, wherein each of the plurality of cloud servers is configured to provide a cloud service that is associated with a customer of a plurality of customers, each of the plurality of intrusion detection modules to:
intercept a plurality of outgoing cloud packets from the cloud server that are processed to determine if a preliminary threshold is exceeded, wherein a potential outgoing intrusion event of a plurality of potential outgoing intrusion events is generated when the preliminary threshold is exceeded; and
a malice aggregator for execution by a processor to:
update an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and
in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, provide a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
Dependent claims: 2, 3, 4, 5, 6
7. A method for distributed detection of malicious cloud actors, the method comprising:
intercepting, by a processor, a plurality of outgoing cloud packets from the cloud server that are processed to determine if a preliminary threshold is exceeded, wherein the plurality of outgoing cloud packets is used to identify a customer of a plurality of customers;
generating a potential outgoing intrusion event of a plurality of potential outgoing intrusion events when the preliminary threshold is exceeded; and
updating an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and
in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, providing a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
Dependent claims: 8, 9, 10, 11
12. A non-transitory machine-readable storage medium encoded with instructions executable by a processor for distributed detection of malicious cloud actors, the machine-readable storage medium comprising instructions to:
intercept a plurality of outgoing cloud packets from the cloud server that are processed in a server queue to determine if a preliminary threshold is exceeded, wherein the plurality of outgoing cloud packets is used to identify a customer of a plurality of customers;
in response to determining that the server queue exceeds a threshold queue size, request that an additional intrusion detection module be instantiated to process the plurality of outgoing cloud packets in the server queue;
generate a potential outgoing intrusion event of a plurality of potential outgoing intrusion events when the preliminary threshold is exceeded; and
update an aggregate log based on the plurality of potential outgoing intrusion events, wherein the aggregate log tracks a customer subset of the plurality of cloud servers that is associated with the customer; and
in response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, provide a notification of malicious activity by the customer, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
Dependent claims: 13, 14, 15
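The two-tier pipeline that claims 1, 7 and 12 describe, worked through in Python as an added example (illustrative code written for this page, not the patent's or any assignee's implementation): per-server intrusion detection modules count outgoing packets per destination and emit a potential intrusion event once a preliminary threshold is exceeded, a malice aggregator keeps a per-customer aggregate log across that customer's servers and raises a notification only when the customer-wide total to a destination passes a higher intrusion threshold, and the module requests scale-out when its server queue grows past a queue-size threshold (claim 12). Server names, customer names, the threshold values and the destination address 203.0.113.9 (a documentation range) are constructed for the demo.

```python
"""Distributed detection: per-server IDS modules feed a customer-level aggregator."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    server_id: str    # cloud server that emitted the outgoing packet
    customer_id: str  # customer whose cloud service runs on that server
    dst: str          # destination address


@dataclass(frozen=True)
class PotentialIntrusionEvent:
    server_id: str
    customer_id: str
    dst: str
    count: int  # packets this server has sent to dst so far


class IntrusionDetectionModule:
    """Attached to one cloud server: queues intercepted packets, counts them per
    destination, emits an event once a count exceeds the preliminary threshold."""

    def __init__(self, server_id: str, preliminary_threshold: int, queue_size_threshold: int,
                 on_scale_request: Optional[Callable[[str], None]] = None):
        self.server_id = server_id
        self.preliminary_threshold = preliminary_threshold
        self.queue_size_threshold = queue_size_threshold
        self.on_scale_request = on_scale_request  # hypothetical hook to an orchestrator
        self.queue: List[Packet] = []
        self.counts: Dict[str, int] = defaultdict(int)
        self.scale_requests = 0
        self._scale_requested = False

    def intercept(self, packet: Packet) -> None:
        """Queue a packet; request one additional module the first time the queue
        grows past the threshold queue size (claim 12)."""
        if packet.server_id != self.server_id:
            raise ValueError("packet belongs to a different server")
        self.queue.append(packet)
        if len(self.queue) > self.queue_size_threshold and not self._scale_requested:
            self._scale_requested = True
            self.scale_requests += 1
            if self.on_scale_request:
                self.on_scale_request(self.server_id)

    def process_queue(self) -> List[PotentialIntrusionEvent]:
        """Drain the queue; one event per packet whose destination count now
        exceeds the preliminary threshold."""
        events = []
        while self.queue:
            pkt = self.queue.pop(0)
            self.counts[pkt.dst] += 1
            if self.counts[pkt.dst] > self.preliminary_threshold:
                events.append(PotentialIntrusionEvent(pkt.server_id, pkt.customer_id,
                                                      pkt.dst, self.counts[pkt.dst]))
        self._scale_requested = False
        return events


class MaliceAggregator:
    """Aggregate log: aggregate_log[customer][dst][server] -> latest per-server count.
    Notifies when a customer's combined traffic to dst exceeds the intrusion threshold."""

    def __init__(self, preliminary_threshold: int, intrusion_threshold: int):
        if intrusion_threshold <= preliminary_threshold:
            raise ValueError("intrusion threshold must sit above the preliminary threshold")
        self.intrusion_threshold = intrusion_threshold
        self.aggregate_log = defaultdict(lambda: defaultdict(dict))

    def customer_servers(self, customer_id: str) -> set:
        """The customer subset of cloud servers recorded in the aggregate log."""
        return {s for per_dst in self.aggregate_log[customer_id].values() for s in per_dst}

    def customer_traffic(self, customer_id: str, dst: str) -> int:
        return sum(self.aggregate_log[customer_id][dst].values())

    def update(self, ev: PotentialIntrusionEvent) -> Optional[str]:
        """Record the event; return a notification string if the threshold is exceeded."""
        self.aggregate_log[ev.customer_id][ev.dst][ev.server_id] = ev.count
        total = self.customer_traffic(ev.customer_id, ev.dst)
        if total > self.intrusion_threshold:
            servers = sorted(self.aggregate_log[ev.customer_id][ev.dst])
            return f"malicious activity: customer {ev.customer_id} sent {total} packets to {ev.dst} from {servers}"
        return None


def run_demo(preliminary: int = 5, intrusion: int = 12, queue_limit: int = 3) -> dict:
    """Constructed scenario: two servers of customer 'acme' are each individually modest,
    but their combined traffic to one destination trips the customer-level threshold."""
    dst = "203.0.113.9"  # constructed destination (documentation range)
    agg = MaliceAggregator(preliminary, intrusion)
    modules = {s: IntrusionDetectionModule(s, preliminary, queue_limit) for s in ("srv-1", "srv-2", "srv-3")}
    traffic = [Packet("srv-1", "acme", dst)] * 6 + [Packet("srv-2", "acme", dst)] * 6
    traffic += [Packet("srv-3", "beta", dst)] * 8  # single noisy server of another customer
    for pkt in traffic:
        modules[pkt.server_id].intercept(pkt)
    events = [e for m in modules.values() for e in m.process_queue()]
    first_pass = {"events": len(events),
                  "notifications": sum(1 for e in events if agg.update(e)),
                  "scale_requests": sum(m.scale_requests for m in modules.values())}
    # One more packet from srv-1 lifts acme's combined count to 7 + 6 = 13 > 12.
    modules["srv-1"].intercept(Packet("srv-1", "acme", dst))
    late = [agg.update(e) for e in modules["srv-1"].process_queue()]
    return {"first_pass": first_pass,
            "acme_total": agg.customer_traffic("acme", dst),
            "beta_total": agg.customer_traffic("beta", dst),
            "acme_servers": sorted(agg.customer_servers("acme")),
            "notified": [n for n in late if n]}


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is the one the claims rest on: each of acme's servers exceeds the preliminary threshold (6 > 5) and so emits events, but neither alone reaches the intrusion threshold; only the aggregate log, which tracks the customer's subset of servers, sees the combined 13 packets and notifies. The beta server, though noisier per host (8 packets), never triggers a notification because its customer-wide total stays at 8.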