Preventing application-level denial-of-service in a multi-tenant system using parametric-sensitive transaction weighting

US 9,548,991 B1
Filed: 12/29/2015
Issued: 01/17/2017
Est. Priority Date: 12/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method of preventing application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, comprising:

upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure, selecting a given usage profile from a set of usage profiles, the given usage profile including a usage constraint that, for a given transaction identified in the usage constraint, has an associated parametric-sensitive transaction weighting that is computed by (i) associating a weight to the given transaction, (ii) parameterizing the transaction weight according to at least one parameter using a weighting function, the weighting function associated with a given transaction type that includes the given transaction, (iii) evaluating the weighting function to a value; and

(iv) adjusting the weight according to the value;

applying the usage constraint in the selected usage profile to determine whether the request to access the given application should proceed;

when permitting the request to access triggers the usage constraint in the selected usage profile, taking a given action, wherein the given action restricts one or more subsequent requests to access the given application by the accessor until a predetermined threshold of usage as defined by the usage constraint is no longer met.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Denial-of-service attacks are prevented or mitigated in a cloud compute environment, such as a multi-tenant, collaborative SaaS system. This is achieved by providing a mechanism by which characterization of “legitimate” behavior is defined for accessor classes, preferably along with actions to be taken in the event an accessor exceeds those limits. A set of accessor “usage profiles” are generated. Typically, a profile comprises information, such as one or more “constraints,” and one or more “actions.” At least one constraint is generated by applying one or more parameters of a transaction weighting function such that the resulting constraint represents an actual or estimated cost of executing the transaction. An action defines how the system will respond if a particular constraint is triggered. By applying the constraints to accessor requests, the approach prevents over-utilization of compute resources.

Citations

17 Claims

1. A method of preventing application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, comprising:
- upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure, selecting a given usage profile from a set of usage profiles, the given usage profile including a usage constraint that, for a given transaction identified in the usage constraint, has an associated parametric-sensitive transaction weighting that is computed by (i) associating a weight to the given transaction, (ii) parameterizing the transaction weight according to at least one parameter using a weighting function, the weighting function associated with a given transaction type that includes the given transaction, (iii) evaluating the weighting function to a value; and
  
  (iv) adjusting the weight according to the value;
  
  applying the usage constraint in the selected usage profile to determine whether the request to access the given application should proceed;
  
  when permitting the request to access triggers the usage constraint in the selected usage profile, taking a given action, wherein the given action restricts one or more subsequent requests to access the given application by the accessor until a predetermined threshold of usage as defined by the usage constraint is no longer met.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as described in claim 1 wherein the weight associated with the given transaction is distinct from a transaction count.
  - 3. The method as described in claim 1 wherein the usage constraint includes one or more additional parametric-sensitive transaction weightings for one or more respective transactions also included in the given usage profile.
  - 4. The method as described in claim 3 wherein the usage constraint is a function of the parametric-sensitive transaction weightings in the given usage profile.
  - 5. The method as described in claim 1 further including tracking one or more requests to access the given application and, in response to one or more results obtained from the tracking, adjusting the associated parametric-sensitive transaction weighting.
  - 6. The method as described in claim 1 wherein the parametric-sensitive transaction weighting for the given transaction is an unbounded positive integer.

7. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to prevent application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, the computer program instructions comprising;
  
  program code operative upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure to select a given usage profile from a set of usage profiles, the given usage profile including a usage constraint that, for a given transaction identified in the usage constraint, has an associated parametric-sensitive transaction weighting that is computed by (i) associating a weight to the given transaction, (ii) parameterizing the transaction weight according to at least one parameter using a weighting function, the weighting function associated with a given transaction type that includes the given transaction, (iii) evaluating the weighting function to a value; and
  
  (iv) adjusting the weight according to the value;
  
  program code to apply the usage constraint in the selected usage profile to determine whether the request to access the given application should proceed; and
  
  program code to take a given action when permitting the request to access triggers the usage constraint in the selected usage profile, wherein the given action restricts one or more subsequent requests to access the given application by the accessor until a predetermined threshold of usage as defined by the usage constraint is no longer met.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as described in claim 7 wherein the weight associated with the given transaction is distinct from a transaction count.
  - 9. The apparatus as described in claim 7 wherein the usage constraint includes one or more additional parametric-sensitive transaction weightings for one or more respective transactions also included in the given usage profile.
  - 10. The apparatus as described in claim 9 wherein the usage constraint is a function of the parametric-sensitive transaction weightings in the given usage profile.
  - 11. The apparatus as described in claim 7 wherein the computer program instructions further include program code to track one or more requests to access the given application and, in response to one or more results obtained from the tracking, adjust the associated parametric-sensitive transaction weighting.
  - 12. The apparatus as described in claim 7 wherein the parametric-sensitive transaction weighting for the given transaction is an unbounded positive integer.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, prevent application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, the computer program instructions comprising:
- program code operative upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure to select a given usage profile from a set of usage profiles, the given usage profile including a usage constraint that, for a given transaction identified in the usage constraint, has an associated parametric-sensitive transaction weighting that is computed by (i) associating a weight to the given transaction, (ii) parameterizing the transaction weight according to at least one parameter using a weighting function, the weighting function associated with a given transaction type that includes the given transaction, (iii) evaluating the weighting function to a value; and
  
  (iv) adjusting the weight according to the value;
  
  program code to apply the usage constraint in the selected usage profile to determine whether the request to access the given application should proceed; and
  
  program code to take a given action when permitting the request to access triggers the usage constraint in the selected usage profile, wherein the given action restricts one or more subsequent requests to access the given application by the accessor until a predetermined threshold of usage as defined by the usage constraint is no longer met.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product as described in claim 13 wherein the weight associated with the given transaction is distinct from a transaction count.
  - 15. The computer program product as described in claim 13 wherein the usage constraint includes one or more additional parametric-sensitive transaction weightings for one or more respective transactions also included in the given usage profile.
  - 16. The computer program product as described in claim 15 wherein the usage constraint is a function of the parametric-sensitive transaction weightings in the given usage profile.
  - 17. The computer program product as described in claim 13 wherein the computer program instructions further include program code to track one or more requests to access the given application and, in response to one or more results obtained from the tracking, adjust the associated parametric-sensitive transaction weighting.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Maplebear Inc.
Original Assignee
International Business Machines Corporation
Inventors
Holden, Russell L.
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/982,756
Time in Patent Office

385 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Preventing application-level denial-of-service in a multi-tenant system using parametric-sensitive transaction weighting

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing application-level denial-of-service in a multi-tenant system using parametric-sensitive transaction weighting

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links