Threat detection and mitigation through run-time introspection and instrumentation

US 9,438,618 B1
Filed: 03/30/2015
Issued: 09/06/2016
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems that execute instructions,determining a set of introspection points in a distributed computing system of a computing resource service provider, the set of introspection points having a first type of introspection point and a second type of introspection point determined based at least in part on a type of identifying characteristics accessible at individual introspection points of the set of introspection points;

measuring, at the individual introspection points, the identifying characteristics;

generating a graph representing a set of nodes based at least in part on the identifying characteristics measured, with individual nodes of the set of nodes corresponding to individual elements of the distributed computing system, and edges in the graph corresponding to measurements of the identifying characteristics correlating the individual elements to other individual elements; and

evaluating a rule based at least in part on the graph by at least;

determining that one or more measurements that correlate an individual element to another individual element in the graph are in noncompliance with the rule; and

performing a security action based at least in part on the noncompliance.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for threat detection and mitigation through run-time introspection. The system and method comprising receiving a request to monitor a computing environment. Based on the received request, the system and method further includes determining a set of introspection points for monitoring the computing environment. receive a request to monitor a computing environment, measuring at individual introspection points of the set of introspection points to obtain a set of measurements, generating a graph of a set of resources in the computing environment, wherein the graph correlates individual resources in the set of resources to other resources based on at based at least in part on the set of measurements, and determining whether to perform a security action based at least in part on whether an evaluation of the graph indicates a threat to the computing environment.

53 Citations

View as Search Results

23 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems that execute instructions,determining a set of introspection points in a distributed computing system of a computing resource service provider, the set of introspection points having a first type of introspection point and a second type of introspection point determined based at least in part on a type of identifying characteristics accessible at individual introspection points of the set of introspection points;
  
  measuring, at the individual introspection points, the identifying characteristics;
  
  generating a graph representing a set of nodes based at least in part on the identifying characteristics measured, with individual nodes of the set of nodes corresponding to individual elements of the distributed computing system, and edges in the graph corresponding to measurements of the identifying characteristics correlating the individual elements to other individual elements; and
  
  evaluating a rule based at least in part on the graph by at least;
  
  determining that one or more measurements that correlate an individual element to another individual element in the graph are in noncompliance with the rule; and
  
  performing a security action based at least in part on the noncompliance.
- View Dependent Claims (2, 3, 19)
- - 2. The computer-implemented method of claim 1, wherein each node of the set of nodes is of a type from a plurality of node types, the plurality of node types including one or more of a software library, a network connection, a software process, or a service provided by the computing resource service provider.
  - 3. The computer-implemented method of claim 1, further comprising generating a threat model that identifies potential risks in the distributed computing system based at least in part on the graph.
  - 19. The computer-implemented method of claim 1, wherein the measuring is performed by an introspection agent executing within one of:
    - a hypervisor,a controlling domain of the hypervisor,network hardware of the distributed computing system, oran operating system of a virtual machine running in the distributed computing system.

4. A system, comprising:
- one or more processors;
  
  memory including instructions that, as a result of execution by the one or more processors, cause the system to;
  
  receive a request to configure monitoring of a software application in a computing environment, the computing environment assigned to a customer of a computing resource service provider;
  
  in response to receipt of the request;
  
  select a set of sensors; and
  
  configure the set of sensors to monitor information accessible at one or more locations in the computing environment;
  
  generate a graph based at least in part on the information, the graph having nodes representing resources within the computing environment, the graph being generated by causing the system to at least;
  
  identify a set of resource types within the computing environment;
  
  identify a set of resources within the computing environment, wherein each resource within the set of resources corresponds to a resource type of the set of resource types; and
  
  determine relationships between resources of the set of resources based at least in part on the information monitored; and
  
  based at least in part on a comparison of the information monitored against a set of rules, determine whether to perform a security action.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 20, 21)
- - 5. The system of claim 4, wherein the instructions that cause the system to perform a security action include instructions that cause the system to alert the customer to a result of the comparison.
  - 6. The system of claim 4, wherein the instructions that cause the system to select the set of sensors further includes instructions that cause the system to determine, for each sensor of the set of sensors, whether the sensor has been deployed in the computing environment, and, if not already deployed, deploy the sensor in the computing environment.
  - 7. The system of claim 4, wherein the instructions that cause the system to perform a security action include instructions that cause the system to add one or more constraints to a configuration of the computing environment to enforce compliance of the computing environment with the set of rules.
  - 8. The system of claim 7, wherein a constraint of the one or more constraints added to the configuration includes adding access constraints to a security policy associated with a set of credentials.
  - 9. The system of claim 4, wherein the set of rules includes one or more of a software library being of at least of a particular version, a network communication protocol being encrypted, an unused network port being closed, or a set of credentials being assigned minimum privileges sufficient for accessing a requested resource.
  - 10. The system of claim 4, wherein the comparison of the information monitored includes evaluating a set of rules against the graph.
  - 20. The system of claim 4, wherein:
    - the set of sensors obtain information at a first time and at a second time;
      
      the instructions that cause the system to generate a graph based at least in part on the information include instructions that cause the system to;
      
      generate a first graph based at least in part on the information obtained at the first time; and
      
      generate a second graph based at least in part on the information obtained at the second time; and
      
      the instructions that cause the system to determine whether to perform the security action include instructions that cause the system to determine whether to perform the security action based at least in part on a comparison between the first graph and the second graph.
  - 21. The system of claim 4, wherein the instructions that cause the system to generate the graph further include instructions that cause the system to group, into a single node, a subset of the set of resources that correspond to a same resource type.

11. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, as a result of execution by one or more processors of one or more computer systems, cause the one or more computer systems to at least collectively:
- receive a request to monitor a computing environment;
  
  based at least in part on receipt of the request;
  
  determine a set of introspection points for monitoring the computing environment;
  
  obtain a measurement at individual introspection points of the set of introspection points to obtain a set of measurements;
  
  generate a graph of a set of resources in the computing environment, the graph correlating individual resources in the set of resources to other resources based at least in part on the set of measurements;
  
  evaluate one or more security rules against the graph to determine one or more rule violations in the computing environment by causing the one or more computer systems to at least generate an assessment of a security state of the computing environment based at least in part on a comparison of the set of measurements against a set of reference values, the set of reference values being a set of expected values or ranges determined based at least in part on measurements obtained at the set of introspection points in a test computing environment; and
  
  responsive to evaluation of the one or more security rules, perform a security action.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 22, 23)
- - 12. The one or more non-transitory computer-readable storage media of claim 11, wherein the executable instructions that cause the one or more computer systems to generate the graph further include instructions that cause the one or more computer systems to group an associated set of resource types into a single node.
  - 13. The one or more non-transitory computer-readable storage media of claim 11, wherein at least a subset of the set of measurements are obtained by at least one introspection agent executing in a controlling domain of a virtualization layer in the computing environment.
  - 14. The one or more non-transitory computer-readable storage media of claim 11, wherein at least a subset of the set of measurements are obtained by at least one introspection agent executing within a virtualization layer in the computing environment.
  - 15. The one or more non-transitory computer-readable storage media of claim 11, wherein at least a subset of the set of measurements are obtained by at least one introspection agent executing within an operating system of a virtual machine being monitored in the computing environment.
  - 16. The one or more non-transitory computer-readable storage media of claim 11, wherein at least a subset of the set of measurements are obtained by at least one introspection agent implemented in networking hardware of the computing environment.
  - 17. The one or more non-transitory computer-readable storage media of claim 11, wherein the executable instructions that cause the one or more computer systems to determine whether to perform the security action include instructions that cause the one or more computer systems to determine whether an evaluation of the graph against a set of rules indicates that the computing environment is compliant with the set of rules.
  - 18. The one or more non-transitory computer-readable storage media of claim 11, wherein the set of measurements is a first set of measurements, the graph is a first graph, and the executable instructions further include executable instructions that cause the one or more computer systems to:
    - obtain a second set of measurements at a time after obtaining the first set of measurements;
      
      generate a second graph based at least in part on the second set of measurements; and
      
      determine whether to perform the security action based at least in part on a comparison between the first graph and the second graph.
  - 22. The one or more non-transitory computer-readable storage media of claim 11, wherein the executable instructions further include executable instructions that cause the one or more computer systems to generate a threat model that identifies potential risks to the one or more computer systems based at least in part on the graph.
  - 23. The one or more non-transitory computer-readable storage media of claim 11, wherein the executable instructions that cause the one or more computer systems to perform a security action include executable instructions that cause the one or more computer systems to add one or more constraints to a configuration of the computing environment to enforce compliance of the computing environment with the one or more security rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Schweitzer, John, Sultan, Hassan, Bailey, Donald Lee Jr., Roth, Gregory Branchek, Potlapally, Nachiketh Rao
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/673,642
Time in Patent Office

526 Days
Field of Search

726/26, 726/1, 726/22, 713/189
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Threat detection and mitigation through run-time introspection and instrumentation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Threat detection and mitigation through run-time introspection and instrumentation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links