Managing requests for security services

US 9,076,013 B1
Filed: 02/28/2011
Issued: 07/07/2015
Est. Priority Date: 02/28/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for analyzing network security from a remote geographic location, the method comprising:

accessing, by or more physical computing systems under control of a program execution service, a request from a user of a computing service to analyze a target network located at the remote geographic location from the computing service, the computing service comprising a plurality of computing nodes, the request received via a computing interface;

automatically allocating, by the one or more physical computing systems, a computing node from the plurality of computing nodes of the computing service at the remote geographic location from the target network in response to the user'"'"'s request, the computing node configured to analyze network security of the target network at the remote geographic location from the computing service;

automatically establishing, by the one or more physical computing systems, a secure connection between the allocated computing node and a location within the target network, the secure connection providing the allocated computing node with network access to the target network at least substantially similar to network access provided to a computing node located at the location, the allocated computing node configured to gather network security data from the target network using the secure connection; and

automatically determining, by the one or more physical computing systems, a security status of the target network based at least partly on the network security data gathered by the allocated computing node using the secure connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of systems and methods are described for managing requests for security services to a provider of computing resources. In some implementations, a user can request that security services be provided to analyze or test a target network. For example, the user can request that security services conduct penetration testing of the target network in order to detect vulnerabilities with the target network'"'"'s security infrastructure or configuration. The computing resource provider can dynamically provide the security services to the target network, for example, by instantiating one or more virtual machines that begin security testing of the target network in response to the user'"'"'s request. In some embodiments, the provider of the security services may instantiate a security virtual machine instance (VMI) that can be connected to a customer'"'"'s network using a secure connection, such as a virtual private network. The virtual machine instance can be physically located outside the customer'"'"'s network while functioning as part of the customer'"'"'s network. Thus, the security VMI can test security from either outside the network or from inside the network. In some embodiments, the VMI may test at multiple locations of the customer'"'"'s network, for example, by establishing connections to multiple locations on the customer network.

Citations

33 Claims

1. A computer-implemented method for analyzing network security from a remote geographic location, the method comprising:
- accessing, by or more physical computing systems under control of a program execution service, a request from a user of a computing service to analyze a target network located at the remote geographic location from the computing service, the computing service comprising a plurality of computing nodes, the request received via a computing interface;
  
  automatically allocating, by the one or more physical computing systems, a computing node from the plurality of computing nodes of the computing service at the remote geographic location from the target network in response to the user'"'"'s request, the computing node configured to analyze network security of the target network at the remote geographic location from the computing service;
  
  automatically establishing, by the one or more physical computing systems, a secure connection between the allocated computing node and a location within the target network, the secure connection providing the allocated computing node with network access to the target network at least substantially similar to network access provided to a computing node located at the location, the allocated computing node configured to gather network security data from the target network using the secure connection; and
  
  automatically determining, by the one or more physical computing systems, a security status of the target network based at least partly on the network security data gathered by the allocated computing node using the secure connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the network access provided to the computing node through the secure connection is greater than network access provided to a computing node accessing the target network without a secure connection from outside the target network via the secure connection.
  - 3. The method of claim 1, wherein determining the security status comprises generating network security data by accessing the target network from outside the target network.
  - 4. The method of claim 1, wherein the network access is provided through a virtual private network.
  - 5. The method of claim 1, wherein the computing node is associated with an internet protocol (IP) address within an IP address range used by the target network.
  - 6. The method of claim 1, wherein the location within the target network is identified by an internet protocol (IP) address.
  - 7. The method of claim 1, further comprising communicating a security status report comprising information related to vulnerabilities of the target network to the user.
  - 8. The method of claim 1, further comprising communicating a security status report comprising information related to vulnerabilities of the target network to a security provider.
  - 9. The method of claim 1, further comprising performing additional security testing of the target network based at least partly on the network security data.
  - 10. The method of claim 1, wherein the computing node comprises a virtual machine instance.
  - 11. The method of claim 1, further comprising dynamically allocating additional computing nodes based at least partly on the user request.
  - 12. The method of claim 1, further comprising:
    - metering the user'"'"'s usage of the computing node configured to analyze network security; and
      
      billing the user based, at least partly, on the user'"'"'s rated usage.
  - 13. The method of claim 1, further comprising billing the user based on dynamically metered usage, wherein an amount of usage determines, at least in part, an amount billed to the user.

14. A system configured to manage requests for security testing of a target network, the system comprising:
- a computer memory configured to store one or more program modules for managing requests for security testing by a computing service, the computing service comprising a plurality of computing nodes; and
  
  a security services manager configured to communicate with the computer memory and to execute the one or more program modules stored in the computer memory, the security services manager implemented by a physical computing system, the program modules configured to;
  
  access, by the physical computing system, a request from a user of the computing service for security testing for a target network located at a remote geographic location from the computing service;
  
  automatically, by the physical computing system, allocate a computing node from the plurality of computing nodes of the computing service at the remote geographic location from the target network in response to the user'"'"'s request, the computing node configured to analyze network security;
  
  automatically establish, by the physical computing system, one or more connections between the allocated computing node and one or more locations within the target network, the allocated computing node configured to gather network security data from the target network using the secure connection;
  
  andautomatically determine, by the physical computing system, a security status of the target network based at least partly on the network security data gathered by the allocated computing node using the secure connection.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The system of claim 14, wherein the plurality of computing nodes of the computing service comprise one or more physical computing systems.
  - 16. The system of claim 14, wherein the plurality of computing nodes comprise one or more virtual machine instances hosted on the one or more physical computing systems.
  - 17. The system of claim 14, wherein the one or more virtual machine instances is instantiated from one of a plurality of virtual machine images provided by a plurality of security program providers.
  - 18. The system of claim 17, wherein the request from the user includes a selection of a virtual machine image from the plurality of virtual machine images provided by the plurality of security program providers.
  - 19. The system of claim 14, wherein the computing service provides an Application Programming Interface (API) for programmatically interacting with the computing service, and wherein the program modules are configured to receive the request from the user via the API.
  - 20. The system of claim 14, wherein the security services manager is configured to connect to a network monitoring device located at least one of the one or more locations.
  - 21. The system of claim 14, wherein the accessed request is a request stored for a period of time.
  - 22. The system of claim 14, wherein the accessed request is a request received in substantially real-time.

23. A computer-implemented method for analyzing network security from a remote geographic location, the method comprising:
- accessing, by one or more physical computing systems under control of a program execution service, a request from a user of a computing service to analyze a target network located at the remote geographic location from the computing service, the computing service comprising a plurality of computing nodes, the request received via a computing interface;
  
  dynamically allocating, by the one or more physical computing systems, a computing node from the plurality of computing nodes of the computing service at the remote geographic location from the target network in response to the user'"'"'s request, the computing node configured to analyze security of the target network at the remote geographic location from the computing service;
  
  automatically establishing, by the one or more physical computing systems, a first secure connection between the allocated computing node and a first location on the target network and the allocated computing node, the allocated computing node configured to gather network security data from the target network using the first secure connection;
  
  generating first network security data by accessing the target network at the first location with the allocated computing node through the first secure connection;
  
  automatically establishing, by the one or more physical computing systems, a second secure connection between the allocated computing node and a second location on the target network, wherein the allocated computing node is configured to gather network security data from the target network using the second secure connection, and wherein the second location is different from the first location;
  
  generating second network security data by accessing the target network at the second location with the allocated computing node through the second secure connection; and
  
  determining, by the one or more physical computing systems, a security status of the target network based at least partly on the first network data and second network data.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method of claim 23, wherein the computing node operating on the first secure connection operates with network access at least substantially similar to a computing node located in the first location on the target network.
  - 25. The method of claim 23, further comprising generating additional network security data with the computing node by establishing additional secure connections and wherein the security status of the target network is determined based at least partly on the additional network security data.
  - 26. The method of claim 23, wherein the first location includes a first virtual private network server and the second location includes a second virtual private network server.
  - 27. The method of claim 23, wherein the first secure connection comprises a first virtual private network and the second secure connection comprises a second virtual private network.
  - 28. The method of claim 23, wherein computing interface comprises an Application Programming Interface (API) for programmatically interacting with the computing service and the request from the user is received via the API.
  - 29. The method of claim 23, wherein the computing node comprises a virtual machine instance.

30. A non-transitory computer-readable medium having stored thereon instructions that, when executed by a computer system, cause the computer system to:
- access a request from a user of a computing service to analyze a target network located at a remote geographic location from the computing service, the computing service comprising a plurality of computing nodes;
  
  allocate one or more computing nodes from the plurality of computing nodes at the computing service in response to the user'"'"'s request, the one or more computing nodes configured to analyze security of the target network;
  
  establish connections between the allocated one or more computing nodes and multiple locations inside the target network, the allocated one or more computing nodes configured to gather network security data from the target network using the secure connection; and
  
  determine a security status of the target network based at least partly on the network security data gathered by the allocated one or more computing nodes using the secure connection.
- View Dependent Claims (31, 32, 33)
- - 31. The computer-readable medium of claim 30, wherein the connections comprise virtual private network connections.
  - 32. The computer-readable medium of claim 30, wherein the request includes network configuration data for the target network.
  - 33. The computer-readable medium of claim 30, wherein the connections allow the one or more computing nodes to bypass a network filter of the target network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Bailey, Donald L. Jr., Brandwine, Eric Jason
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US13/037,265
Time in Patent Office

1,590 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6227   where protection concerns t...

H04L 63/0272   Virtual private networks

H04L 63/1433   Vulnerability analysis

H04W 12/06   Authentication

H04W 12/63   Location-dependent; Proximi...

Managing requests for security services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Managing requests for security services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links