Threat detection and mitigation through run-time introspection and instrumentation
First Claim
1. A computer-implemented method, comprising:
under the control of one or more computer systems that execute instructions, determining a set of introspection points in a distributed computing system of a computing resource service provider, the set of introspection points having a first type of introspection point and a second type of introspection point determined based at least in part on a type of identifying characteristics accessible at individual introspection points of the set of introspection points;
measuring, at the individual introspection points, the identifying characteristics;
generating a graph representing a set of nodes based at least in part on the identifying characteristics measured, with individual nodes of the set of nodes corresponding to individual elements of the distributed computing system, and edges in the graph corresponding to measurements of the identifying characteristics correlating the individual elements to other individual elements; and
evaluating a rule based at least in part on the graph by at least:
determining that one or more measurements that correlate an individual element to another individual element in the graph are in noncompliance with the rule; and
performing a security action based at least in part on the noncompliance.
1 Assignment
0 Petitions
Abstract
A system and method for threat detection and mitigation through run-time introspection. The system and method comprise receiving a request to monitor a computing environment and, based on the received request, determining a set of introspection points for monitoring the computing environment; measuring at individual introspection points of the set of introspection points to obtain a set of measurements; generating a graph of a set of resources in the computing environment, wherein the graph correlates individual resources in the set of resources to other resources based at least in part on the set of measurements; and determining whether to perform a security action based at least in part on whether an evaluation of the graph indicates a threat to the computing environment.
53 Citations
23 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems that execute instructions, determining a set of introspection points in a distributed computing system of a computing resource service provider, the set of introspection points having a first type of introspection point and a second type of introspection point determined based at least in part on a type of identifying characteristics accessible at individual introspection points of the set of introspection points;
measuring, at the individual introspection points, the identifying characteristics;
generating a graph representing a set of nodes based at least in part on the identifying characteristics measured, with individual nodes of the set of nodes corresponding to individual elements of the distributed computing system, and edges in the graph corresponding to measurements of the identifying characteristics correlating the individual elements to other individual elements; and
evaluating a rule based at least in part on the graph by at least:
determining that one or more measurements that correlate an individual element to another individual element in the graph are in noncompliance with the rule; and
performing a security action based at least in part on the noncompliance.
Dependent claims: 2, 3, 19.

4. A system, comprising:
one or more processors;
memory including instructions that, as a result of execution by the one or more processors, cause the system to:
receive a request to configure monitoring of a software application in a computing environment, the computing environment assigned to a customer of a computing resource service provider;
in response to receipt of the request:
select a set of sensors; and
configure the set of sensors to monitor information accessible at one or more locations in the computing environment;
generate a graph based at least in part on the information, the graph having nodes representing resources within the computing environment, the graph being generated by causing the system to at least:
identify a set of resource types within the computing environment;
identify a set of resources within the computing environment, wherein each resource within the set of resources corresponds to a resource type of the set of resource types; and
determine relationships between resources of the set of resources based at least in part on the information monitored; and
based at least in part on a comparison of the information monitored against a set of rules, determine whether to perform a security action.
Dependent claims: 5, 6, 7, 8, 9, 10, 20, 21.

11. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, as a result of execution by one or more processors of one or more computer systems, cause the one or more computer systems to at least collectively:
receive a request to monitor a computing environment;
based at least in part on receipt of the request:
determine a set of introspection points for monitoring the computing environment;
obtain a measurement at individual introspection points of the set of introspection points to obtain a set of measurements;
generate a graph of a set of resources in the computing environment, the graph correlating individual resources in the set of resources to other resources based at least in part on the set of measurements;
evaluate one or more security rules against the graph to determine one or more rule violations in the computing environment by causing the one or more computer systems to at least generate an assessment of a security state of the computing environment based at least in part on a comparison of the set of measurements against a set of reference values, the set of reference values being a set of expected values or ranges determined based at least in part on measurements obtained at the set of introspection points in a test computing environment; and
responsive to evaluation of the one or more security rules, perform a security action.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 22, 23.
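The pipeline that the abstract and independent claims 1, 4 and 11 describe (two kinds of introspection points, measurements turned into a resource graph, rules evaluated over the graph's edges, a reference profile taken from a test environment, and a security action on noncompliance) is shown below as an added worked example. It is illustrative code written for this page, not code from the patent, its assignee or any product. All of it is assumed: the host names, the two sensor types (a host agent that sees processes and connection rates, and a flow sensor that sees connections), the measurement records, the tier policy and the test-environment baseline are constructed sample data, and the "security action" is a returned decision rather than a call to any real isolation API.

```python
"""Run-time introspection, illustrated: measurements -> resource graph -> rules -> action.

Added example for this page; all names, sensors and data below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed measurements from two introspection-point types. The "point" field
# records which type produced the record; each type exposes different
# identifying characteristics (processes and rates vs. observed connections).
HOST_MEASUREMENTS = [  # host agent: sees processes and outbound connection rate
    {"point": "agent", "host": "web-1", "type": "web", "procs": {"nginx"}, "conns_per_min": 120},
    {"point": "agent", "host": "app-1", "type": "app", "procs": {"gunicorn"}, "conns_per_min": 60},
    {"point": "agent", "host": "db-1", "type": "db", "procs": {"postgres", "nc"}, "conns_per_min": 15},
]
FLOW_MEASUREMENTS = [  # network flow sensor: sees who connects to whom
    {"point": "flow", "src": "web-1", "dst": "app-1", "port": 8000},
    {"point": "flow", "src": "app-1", "dst": "db-1", "port": 5432},
    {"point": "flow", "src": "web-1", "dst": "db-1", "port": 5432},        # bypasses the app tier
    {"point": "flow", "src": "db-1", "dst": "203.0.113.9", "port": 4444},  # egress to an unknown host
]
# Constructed measurements from a test environment (claim 11's source of reference values).
TEST_ENV_MEASUREMENTS = [
    {"point": "agent", "host": "t-web-1", "type": "web", "procs": {"nginx"}, "conns_per_min": 100},
    {"point": "agent", "host": "t-web-2", "type": "web", "procs": {"nginx"}, "conns_per_min": 130},
    {"point": "agent", "host": "t-app-1", "type": "app", "procs": {"gunicorn"}, "conns_per_min": 50},
    {"point": "agent", "host": "t-app-2", "type": "app", "procs": {"gunicorn"}, "conns_per_min": 70},
    {"point": "agent", "host": "t-db-1", "type": "db", "procs": {"postgres"}, "conns_per_min": 10},
    {"point": "agent", "host": "t-db-2", "type": "db", "procs": {"postgres"}, "conns_per_min": 20},
]


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)  # name -> {"type", "procs", "conns_per_min"}
    edges: list = field(default_factory=list)  # (src, dst, {"port": ...}), one per measured flow


def build_graph(host_ms, flow_ms):
    """Nodes come from agent measurements; edges come from flow measurements.
    A flow endpoint no agent reported becomes an 'external' node."""
    g = Graph()
    for m in host_ms:
        g.nodes[m["host"]] = {"type": m["type"], "procs": m["procs"], "conns_per_min": m["conns_per_min"]}
    for m in flow_ms:
        for name in (m["src"], m["dst"]):
            g.nodes.setdefault(name, {"type": "external", "procs": set(), "conns_per_min": None})
        g.edges.append((m["src"], m["dst"], {"port": m["port"]}))
    return g


# Rules are evaluated over edges (the measurements that correlate one element to another).
ALLOWED_FLOWS = {("web", "app"), ("app", "db")}  # hypothetical tier policy


def rule_tiering(g, src, dst, attrs):
    pair = (g.nodes[src]["type"], g.nodes[dst]["type"])
    return None if pair in ALLOWED_FLOWS else f"flow {src}->{dst}:{attrs['port']} violates tier policy {pair}"


def rule_no_unknown_egress(g, src, dst, attrs):
    if g.nodes[dst]["type"] == "external":
        return f"{src} connected to unknown external {dst}:{attrs['port']}"
    return None


RULES = [rule_tiering, rule_no_unknown_egress]


def evaluate(g, rules=RULES):
    """Return one violation string per (edge, rule) pair that is noncompliant."""
    return [v for src, dst, attrs in g.edges for rule in rules if (v := rule(g, src, dst, attrs))]


def reference_from_test_env(test_ms):
    """Expected process set and connection-rate range per resource type, from test-env measurements."""
    by_type = defaultdict(list)
    for m in test_ms:
        by_type[m["type"]].append(m)
    ref = {}
    for rtype, ms in by_type.items():
        rates = [m["conns_per_min"] for m in ms]
        ref[rtype] = {"procs": set.intersection(*(m["procs"] for m in ms)), "rate": (min(rates), max(rates))}
    return ref


def assess(g, ref):
    """Compare each node's measurements against the reference profile for its type."""
    findings = []
    for name, n in g.nodes.items():
        r = ref.get(n["type"])
        if r is None:  # external nodes have no reference profile
            continue
        extra = n["procs"] - r["procs"]
        if extra:
            findings.append(f"{name}: unexpected processes {sorted(extra)}")
        lo, hi = r["rate"]
        if not lo <= n["conns_per_min"] <= hi:
            findings.append(f"{name}: connection rate {n['conns_per_min']} outside [{lo}, {hi}]")
    return findings


def decide_action(violations, findings):
    """Security action as a decision: isolate on unknown egress or baseline drift, else alert/none."""
    if findings or any("unknown external" in v for v in violations):
        return "isolate"
    return "alert" if violations else "none"


if __name__ == "__main__":
    graph = build_graph(HOST_MEASUREMENTS, FLOW_MEASUREMENTS)
    violations = evaluate(graph)
    findings = assess(graph, reference_from_test_env(TEST_ENV_MEASUREMENTS))
    print("\n".join(violations + findings))
    print("action:", decide_action(violations, findings))
```

On the constructed data the tier rule flags the web-to-database flow and the database's egress, the egress rule flags the same egress again, and the baseline comparison flags the extra `nc` process on `db-1`; the combination yields an "isolate" decision. The two rule styles are deliberately different: the tier and egress rules are policy evaluated on graph edges, while the baseline check is a comparison of node measurements against ranges learned from a test environment, which is the distinction claim 11 draws.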
Specification