Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment

US 9,325,726 B2
Filed: 02/03/2014
Issued: 04/26/2016
Est. Priority Date: 02/03/2014
Status: Active Grant

First Claim

Patent Images

1. A system for virtual asset assisted extrusion detection in a cloud computing environment comprising:

at least one processor; and

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for virtual asset assisted extrusion detection in a cloud computing environment, the process for virtual asset assisted extrusion detection in a cloud computing environment including;

providing a cloud computing environment, the cloud computing environment including one or more virtual assets;

transforming at least one of the one or more of the virtual assets into an extrusion detection capable virtual asset by providing an analysis trigger monitoring system to the at least one of the one or more of the virtual assets;

defining two or more analysis trigger parameters, the defined two or more trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;

generating analysis trigger data representing the analysis trigger parameters;

providing at least part of the analysis trigger data to the analysis trigger monitoring systems of the extrusion detection capable virtual assets;

using the analysis trigger monitoring systems and the analysis trigger data to monitor at least a portion of message traffic sent from any of the extrusion detection capable virtual assets to detect any message including one or more of the two or more analysis trigger parameters;

classifying any detected message including one or more of the two or more analysis trigger parameters as a suspect message;

for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message; and

transferring the suspect message copy data to one or more analysis systems for further analysis.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An analysis trigger monitoring system is provided in one or more virtual assets. One or more analysis trigger parameters are defined and analysis trigger data is generated. The analysis trigger monitoring systems are used to monitor at least a portion of the message traffic sent to, or sent from, the one or more virtual assets to detect any message including one or more of the one or more analysis trigger parameters. A copy of at least a portion of any detected message including one or more of the one or more analysis trigger parameters is then transferred to one or more analysis systems for further analysis using a second communication channel.

166 Citations

36 Claims

1. A system for virtual asset assisted extrusion detection in a cloud computing environment comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for virtual asset assisted extrusion detection in a cloud computing environment, the process for virtual asset assisted extrusion detection in a cloud computing environment including;
  
  providing a cloud computing environment, the cloud computing environment including one or more virtual assets;
  
  transforming at least one of the one or more of the virtual assets into an extrusion detection capable virtual asset by providing an analysis trigger monitoring system to the at least one of the one or more of the virtual assets;
  
  defining two or more analysis trigger parameters, the defined two or more trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;
  
  generating analysis trigger data representing the analysis trigger parameters;
  
  providing at least part of the analysis trigger data to the analysis trigger monitoring systems of the extrusion detection capable virtual assets;
  
  using the analysis trigger monitoring systems and the analysis trigger data to monitor at least a portion of message traffic sent from any of the extrusion detection capable virtual assets to detect any message including one or more of the two or more analysis trigger parameters;
  
  classifying any detected message including one or more of the two or more analysis trigger parameters as a suspect message;
  
  for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message; and
  
  transferring the suspect message copy data to one or more analysis systems for further analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein at least one of the one or more virtual assets transformed into an extrusion detection capable virtual asset is a virtual asset selected from a group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a virtual database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop;
      
      part of a desktop;
      
      part of a point-of-sale device;
      
      part of an ATM; and
      
      part of an electronic voting machine.
  - 3. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein the suspect message copy data is transferred to the analysis system for further analysis through a message analysis communications channel that is distinct from a network communications channel.
  - 4. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein the analysis trigger monitoring systems monitor all of the message traffic sent from their respective extrusion detection capable virtual assets.
  - 5. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein the analysis trigger monitoring systems monitor a sample portion of the message traffic sent from their respective extrusion detection capable virtual assets.
  - 6. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein at least one of the two or more analysis trigger parameters is selected from a group of analysis trigger parameters consisting of:
    - an IP address indicating a designated suspect destination;
      
      an IP address indicating a destination not included in an allowed destination list;
      
      an IP address indicating a geographical region not included in an allowed geographical region list;
      
      a message size that exceeds a threshold maximum message size;
      
      a message size that does not meet a threshold minimum message size;
      
      frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
      
      the specific identity of a sender of a specific message;
      
      the specific identity of a recipient of a specific message;
      
      a hash value of the message data that is not included in a list of allowed hash values; and
      
      an MD5 value of the message data that is not included in a list of allowed MD5 values.
  - 7. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis based, at least in part, on the specific analysis trigger parameter of the one or more analysis trigger parameters detected in the suspect message.
  - 8. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an extrusion related message, one or more designated parties are automatically informed.
  - 9. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 1 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an extrusion related message, one or more protective actions are automatically implemented.

10. A system for virtual asset assisted intrusion detection in a cloud computing environment comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for virtual asset assisted intrusion detection in a cloud computing environment, the process for virtual asset assisted intrusion detection in a cloud computing environment including;
  
  providing a cloud computing environment, the cloud computing environment including one or more virtual assets;
  
  transforming at least one of the one or more of the virtual assets into an intrusion detection capable virtual asset by providing an analysis trigger monitoring system to the at least one of the one or more of the virtual assets;
  
  defining two or more analysis trigger parameters, the defined two or more trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;
  
  generating analysis trigger data representing the analysis trigger parameters;
  
  providing at least part of the analysis trigger data to the analysis trigger monitoring systems of the intrusion detection capable virtual assets;
  
  using the analysis trigger monitoring systems and the analysis trigger data to monitor at least a portion of message traffic sent to any of the intrusion detection capable virtual assets to detect any message including one or more of the two or more analysis trigger parameters;
  
  classifying any detected message including one or more of the two or more analysis trigger parameters as a suspect message;
  
  for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message; and
  
  transferring the suspect message copy data to one or more analysis systems for further analysis.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein at least one of the one or more virtual assets transformed into an intrusion detection capable virtual asset is a virtual asset selected from a group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a virtual database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop;
      
      part of a desktop;
      
      part of a point-of-sale device;
      
      part of an ATM; and
      
      part of an electronic voting machine.
  - 12. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein the suspect message copy data is transferred to the analysis system for further analysis through a message analysis communications channel that is distinct from a network communications channel.
  - 13. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein the analysis trigger monitoring systems monitor all of the message traffic sent to their respective intrusion detection capable virtual assets.
  - 14. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein the analysis trigger monitoring systems monitor a sample portion of the message traffic sent to their respective intrusion detection capable virtual assets.
  - 15. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein at least one of the two or more analysis trigger parameters is selected from a group of analysis trigger parameters consisting of:
    - an IP address indicating a designated suspect origin;
      
      an IP address indicating a destination not included in an allowed origin list;
      
      an IP address indicating a geographical region not included in an allowed geographical region list;
      
      a message size that exceeds a threshold maximum message size;
      
      a message size that does not meet a threshold minimum message size;
      
      frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
      
      the specific identity of a sender of a specific message;
      
      the specific identity of a recipient of a specific message;
      
      a hash value of the message data that is not included in a list of allowed hash values; and
      
      an MD5 value of the message data that is not included in a list of allowed MD5 values.
  - 16. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis based, at least in part, on the specific analysis trigger parameter of the one or more analysis trigger parameters detected in the suspect message.
  - 17. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion related message, one or more designated parties are automatically informed.
  - 18. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 10 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion related message, one or more protective actions are automatically implemented.

19. A system for virtual asset assisted extrusion detection in a cloud computing environment comprising:
- a cloud computing environment, the cloud computing environment including one or more virtual assets;
  
  a network communications circuit, the network communications circuit receiving message traffic sent from any of the one or more virtual assets;
  
  a network communications channel through which all the message traffic sent from the one or more virtual assets is relayed through the network communications device;
  
  at least one extrusion detection capable virtual asset created by providing an analysis trigger monitoring hardware system stored in a memory to perform at least one of the one or more of the virtual assets to transform the at least one virtual asset into an extrusion detection capable virtual asset;
  
  at least one message analysis communications channel that is distinct from the network communications channel for transferring suspect message copy data to the one or more analysis systems for further analysis;
  
  at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for virtual asset assisted extrusion detection in a cloud computing environment, the process for virtual asset assisted extrusion detection in a cloud computing environment including;
  
  defining two or more analysis trigger parameters, the defined two or more trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;
  
  generating analysis trigger data representing the analysis trigger parameters;
  
  providing at least part of the analysis trigger data to the analysis trigger monitors of the extrusion detection capable virtual assets;
  
  using the analysis trigger monitor and the analysis trigger data to monitor at least a portion of the message traffic sent from any of the extrusion detection capable virtual assets to detect any message including one or more of the two or more analysis trigger parameters;
  
  classifying any detected message including one or more of the two or more analysis trigger parameters as a suspect message;
  
  for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message; and
  
  using the message analysis communications channel to transfer the suspect message copy data to one or more of the one or more analysis systems for further analysis.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein at least one of the virtual assets transformed into an extrusion detection capable virtual asset is a virtual asset selected from a group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a virtual database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop;
      
      part of a desktop;
      
      part of a point-of-sale device;
      
      part of an ATM; and
      
      part of an electronic voting machine.
  - 21. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein the network communications circuit is selected from a group of network communications circuits consisting of:
    - a switching system;
      
      a network switch;
      
      a router;
      
      a border router;
      
      any gateway system;
      
      a firewall system;
      
      a hypervisor;
      
      a load balancing system; and
      
      any system through which message traffic to, and/or from, a cloud computing environment passes.
  - 22. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein the analysis trigger monitoring hardware systems monitor all of the message traffic sent from their respective extrusion detection capable virtual assets.
  - 23. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein the analysis trigger monitoring hardware systems monitor a sample portion of the message traffic sent from their respective extrusion detection capable virtual assets.
  - 24. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein at least one of the two or more analysis trigger parameters is selected from a group of analysis trigger parameters consisting of:
    - an IP address indicating a designated suspect destination;
      
      an IP address indicating a destination not included in an allowed destination list;
      
      an IP address indicating a geographical region not included in an allowed geographical region list;
      
      a message size that exceeds a threshold maximum message size;
      
      a message size that does not meet a threshold minimum message size;
      
      frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
      
      the specific identity of a sender of a specific message;
      
      the specific identity of a recipient of a specific message;
      
      a hash value of the message data that is not included in a list of allowed hash values; and
      
      an MD5 value of the message data that is not included in a list of allowed MD5 values.
  - 25. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis based, at least in part, on the specific analysis trigger parameter of the one or more analysis trigger parameters detected in the suspect message.
  - 26. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an extrusion related message, one or more designated parties are automatically informed.
  - 27. The system for virtual asset assisted extrusion detection in a cloud computing environment of claim 19 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an extrusion related message, one or more protective actions are automatically implemented.

28. A system for virtual asset assisted intrusion detection in a cloud computing environment comprising:
- a cloud computing environment, the cloud computing environment including one or more virtual assets;
  
  a network communications circuit, the network communications circuit receiving message traffic sent to any of the one or more virtual assets;
  
  a network communications channel through which all the message traffic sent to the one or more virtual assets is relayed through the network communications device;
  
  at least one intrusion detection capable virtual asset created by providing an analysis trigger monitoring hardware system stored in the memory to perform at least one of the one or more of the virtual assets to transform the at least one virtual asset into an intrusion detection capable virtual asset;
  
  at least one message analysis communications channel that is distinct from the network communications channel for transferring suspect message copy data to the one or more analysis systems for further analysis;
  
  at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for virtual asset assisted intrusion detection in a cloud computing environment, the process for virtual asset assisted intrusion detection in a cloud computing environment including;
  
  defining two or more analysis trigger parameters, the defined two or more trigger parameters at least including an IP address indicating a designated suspect geographical region and frequency analysis indicating messages arrive at frequency less than a defined threshold frequency;
  
  generating analysis trigger data representing the analysis trigger parameters;
  
  providing at least part of the analysis trigger data to the analysis trigger monitors of the intrusion detection capable virtual assets;
  
  using the analysis trigger monitor and the analysis trigger data to monitor at least a portion of the message traffic sent to any of the intrusion detection capable virtual assets to detect any message including one or more of the two or more analysis trigger parameters;
  
  classifying any detected message including one or more of the two or more analysis trigger parameters as a suspect message;
  
  for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message; and
  
  using the message analysis communications channel to transfer the suspect message copy data to one or more of the one or more analysis systems for further analysis.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein at least one of the virtual assets transformed into an intrusion detection capable virtual asset is a virtual asset selected from a group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a virtual database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop;
      
      part of a desktop;
      
      part of a point-of-sale device;
      
      part of an ATM; and
      
      part of an electronic voting machine.
  - 30. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein the network communications circuit is selected from a group of network communications circuits consisting of:
    - a switching system;
      
      a network switch;
      
      a router;
      
      a border router;
      
      any gateway system;
      
      a hypervisor;
      
      a firewall system; and
      
      a load balancing system.
  - 31. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein the analysis trigger monitoring hardware systems monitor all of the message traffic sent to their respective intrusion detection capable virtual assets.
  - 32. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein the analysis trigger monitoring hardware systems monitor a sample portion of the message traffic sent to their respective intrusion detection capable virtual assets.
  - 33. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein at least one of the two or more analysis trigger parameters is selected from a group of analysis trigger parameters consisting of:
    - an IP address indicating a designated suspect origin;
      
      an IP address indicating a destination not included in an allowed origin list;
      
      an IP address indicating a geographical region not included in an allowed geographical region list;
      
      a message size that exceeds a threshold maximum message size;
      
      a message size that does not meet a threshold minimum message size;
      
      frequency analysis indicating messages arrive at frequency greater than a defined threshold frequency;
      
      the specific identity of a sender of a specific message;
      
      the specific identity of a recipient of a specific message;
      
      a hash value of the message data that is not included in a list of allowed hash values; and
      
      an MD5 value of the message data that is not included in a list of allowed MD5 values.
  - 34. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein the suspect message copy data associated with a given suspect message is transferred to a specific analysis system of the one or more analysis systems for further analysis based, at least in part, on the specific analysis trigger parameter of the one or more analysis trigger parameters detected in the suspect message.
  - 35. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion related message, one or more designated parties are automatically informed.
  - 36. The system for virtual asset assisted intrusion detection in a cloud computing environment of claim 28 wherein when, as a result of the further analysis at the one or more analysis systems, the suspect message is determined to be an intrusion related message, one or more protective actions are automatically implemented.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Lietz, M. Shannon, Cabrera, Luis Felipe
Primary Examiner(s)
Abyaneh, Ali
Assistant Examiner(s)
WADE, SHAQUEAL D

Application Number

US14/171,438
Publication Number

US 20150222647A1
Time in Patent Office

813 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/107   wherein the security polici...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

166 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others