Cloud protection techniques

US 8,789,179 B2
Filed: 10/28/2011
Issued: 07/22/2014
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a non-transitory machine readable storage medium and processed by one or more processors of a source server device and configured to perform the method, comprising:

identifying, by the source server device, a security intrusion to a source cloud environment;

instructing, by the source server device, a cloud protection agent to shut down an enterprise system operating within the source cloud environment;

migrating, by the source server device, the enterprise system from the source cloud environment to a target cloud environment once the cloud protection agent indicates resources of the enterprise system are ready for migration; and

creating, by the source server device, a feigned enterprise system within the source cloud environment as migration proceeds, the feigned enterprise system is a fake and partially operational enterprise system that is used to dupe an intruder and to track actions of the intruder to determine what the intruder is doing, who the intruder is, where the intruder came from, and how the intruder penetrated the source cloud environment, the feigned enterprise system created in parallel and concurrently with the migration.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cloud protection techniques are provided. A security breach is detected in a source cloud environment. An enterprise system processing in the source cloud environment is immediately locked down and is dynamically migrated to a target cloud environment. While the enterprise system is migrating, the source cloud environment creates a fake environment with fake resources within the source cloud environment to dupe an intruder having access as a result of the security breach. Metrics and logs are gathered with respect to activities of the intruder within the source cloud environment.

30 Citations

View as Search Results

20 Claims

1. A method implemented in a non-transitory machine readable storage medium and processed by one or more processors of a source server device and configured to perform the method, comprising:
- identifying, by the source server device, a security intrusion to a source cloud environment;
  
  instructing, by the source server device, a cloud protection agent to shut down an enterprise system operating within the source cloud environment;
  
  migrating, by the source server device, the enterprise system from the source cloud environment to a target cloud environment once the cloud protection agent indicates resources of the enterprise system are ready for migration; and
  
  creating, by the source server device, a feigned enterprise system within the source cloud environment as migration proceeds, the feigned enterprise system is a fake and partially operational enterprise system that is used to dupe an intruder and to track actions of the intruder to determine what the intruder is doing, who the intruder is, where the intruder came from, and how the intruder penetrated the source cloud environment, the feigned enterprise system created in parallel and concurrently with the migration.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising, tracking, by the source server device, actions of the intruder with respect to the feigned enterprise system within the source cloud environment.
  - 3. The method of claim 1 further comprising, notifying, by the source server device, administrative and user resources of the enterprise system of the migration to the target cloud environment.
  - 4. The method of claim 1, wherein identifying further includes receiving notification from a security information and event management system of a specific security event trapped that indicates the security intrusion.
  - 5. The method of claim 1, wherein receiving further includes evaluating the security event based on a policy to determine the security intrusion.
  - 6. The method of claim 1, wherein instructing further includes providing configuration details to the cloud protection agent for the cloud protection agent to re-install itself and auto configure itself within the target cloud environment when the migration completes.
  - 7. The method of claim 1, wherein migrating further includes requesting that the cloud protection agent assist in migrating some or all the resources associated with the migration.
  - 8. The method of claim 1, wherein migrating further includes configuring the resources for installation in the target cloud environment.
  - 9. The method of claim 1, wherein migrating further includes receiving a notice from a new instance of the cloud protection agent that the enterprise system is up and running in the target cloud environment.
  - 10. The method of claim 9, wherein receiving further includes instantiating a new instance of the method within the target cloud environment.
  - 11. The method of claim 1 wherein creating further includes accessing a policy, that defines configuration actions and environmental settings to take and to configure so as to feign the appearance of the enterprise system to the intruder.
  - 12. The method of claim 1, wherein creating further includes trapping and tying other security events occurring with intruder actions of the intruder in a log for real time and subsequent analysis.
  - 13. The method of claim 12, wherein creating further includes establishing fake resources and fake network traffic within the feigned enterprise system to entice some of the intruder actions of the intruder within the source cloud environment.

14. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors of a target sever device configured to perform the method, comprising:
- detecting, at the target service device, an instruction to initiate within a target cloud environment after some configurable amount of files are available within the target cloud environment based on conditions defined in an installation package;
  
  configuring, by the target server device, configuration settings set from a prior instance of a prior enterprise system;
  
  configuring, by the target server device, resources for a new instance of the prior enterprise system based on configuration data; and
  
  initiating, by the target server device, the resources to establish an enterprise system within the target cloud environment, the enterprise system representing the prior instance of the prior enterprise system that was migrated from a source cloud environment based on an identified security threat by a cloud protection manager and the enterprise system created in parallel and concurrently during migration.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14 further comprising, receiving, via a source server device, an indication from the cloud protection manager to prepare the enterprise system within the source cloud environment for migration to the target cloud environment, actions taken by the method are by a prior instance of the method and before a current instance of the method processes.
  - 16. The method of claim 15, wherein receiving further includes configuring the resources for the enterprise system based on specific configuration details provided by the cloud protection manager.
  - 17. The method of claim 14 further comprising, notifying, by the target server device, the cloud protection manager that the enterprise system is up and running and accessible from the target cloud environment.
  - 18. The method of claim 14 further comprising, instantiating, by the target server device, a new instance of the cloud protection manager within the target cloud environment, the new instance of the cloud protection manager configured to communicate with the cloud protection manager of the source cloud environment.

19. A system, comprising:
- a processor configured with a cloud protection manager that resides and is implemented within a non-transitory computer-readable storage medium and that executes on a source server device; and
  
  another processor configured with a cloud protection agent that resides and is implemented within a non-transitory computer-readable storage medium and that executes on a target server device;
  
  the cloud protection manager configured to detect a security threat in a source cloud environment and begin migration of an enterprise system to a target cloud environment, the cloud protection manager also configured to create a fake enterprise system within the source cloud environment and track actions taken by an intruder within the source cloud environment, the actions determine what the intruder is doing, who the intruder is, where the intruder came from, how the intruder penetrated the source cloud environment and devices and resources accessed by the intruder, the fake enterprise system remains at least partially operational within the source cloud environment while the actions of the intruder is being tracked, and the cloud protection agent configured to assist in migrating the enterprise system and to install the enterprise system within the target cloud environment and in parallel with and concurrent to the migration from the source cloud environment, the fake enterprise system is created in the source cloud environment, and the cloud protection agent configured to notify the cloud protection manager once the enterprise system is up and running within the target cloud environment.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the enterprise system is migrated as a virtual machine that processes within the target cloud environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Sabin, Jason Allen
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
Jeudy, Josnel

Application Number

US13/284,194
Publication Number

US 20130111540A1
Time in Patent Office

998 Days
Field of Search

726 22- 25, 713187-188, 713193-194
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2123   Dummy operation

H04L 63/14   for detecting or protecting...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Cloud protection techniques

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud protection techniques

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links