Preventing application-level denial-of-service in a multi-tenant system using parametric-sensitive transaction weighting
First Claim
1. A method of preventing application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, comprising:
   - upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure, selecting a given usage profile from a set of usage profiles, the given usage profile including a usage constraint that, for a given transaction identified in the usage constraint, has an associated parametric-sensitive transaction weighting that is computed by (i) associating a weight to the given transaction, (ii) parameterizing the transaction weight according to at least one parameter using a weighting function, the weighting function associated with a given transaction type that includes the given transaction, (iii) evaluating the weighting function to a value, and (iv) adjusting the weight according to the value;
   - applying the usage constraint in the selected usage profile to determine whether the request to access the given application should proceed;
   - when permitting the request to access triggers the usage constraint in the selected usage profile, taking a given action, wherein the given action restricts one or more subsequent requests to access the given application by the accessor until a predetermined threshold of usage as defined by the usage constraint is no longer met.
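The claim above describes a procedure rather than code. The following Python is an added illustration of that procedure, not the patent's implementation and not code from the assignee: a transaction type carries a base weight (step i) and a weighting function over request parameters (step ii); the function is evaluated (step iii) and the base weight scaled by the result (step iv); the weighted cost is then charged against the usage constraint of the accessor's selected profile, and once the constraint triggers the profile's action is returned until enough charged weight has aged out of the window. The transaction types, weighting functions, thresholds, accessor classes and replayed traffic are all constructed assumptions.

```python
# Added example (not the patent's code): a weighted usage-profile limiter.
# All transaction types, weighting functions, thresholds and sample traffic
# below are constructed assumptions for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class TransactionType:
    """A transaction type carries a base weight and a weighting function."""
    name: str
    base_weight: float                   # (i) weight associated with the transaction
    weight_fn: Callable[[dict], float]   # (ii) parameterization for this type

    def weighted_cost(self, params: dict) -> float:
        value = self.weight_fn(params)   # (iii) evaluate the weighting function
        return self.base_weight * value  # (iv) adjust the weight by that value


@dataclass
class UsageConstraint:
    """Threshold of weighted usage allowed per accessor inside a sliding window."""
    window_seconds: float
    max_weighted_units: float


@dataclass
class UsageProfile:
    """Constraint plus the action taken when the constraint triggers."""
    name: str
    constraint: UsageConstraint
    action: str                          # e.g. "reject" or "throttle"


@dataclass
class Limiter:
    profiles: Dict[str, UsageProfile]
    txn_types: Dict[str, TransactionType]
    # per-accessor history of (timestamp, weighted cost) for admitted requests
    history: Dict[str, Deque[Tuple[float, float]]] = field(
        default_factory=lambda: defaultdict(deque))

    def current_usage(self, accessor: str, window: float, now: float) -> float:
        q = self.history[accessor]
        # Drop entries that have aged out; once enough weight has expired the
        # threshold is "no longer met" and the accessor is admitted again.
        while q and q[0][0] <= now - window:
            q.popleft()
        return sum(cost for _, cost in q)

    def request(self, accessor: str, accessor_class: str, txn: str,
                params: dict, now: float) -> Tuple[bool, str, float]:
        """Decide one request. Returns (admitted, action, weighted cost)."""
        profile = self.profiles[accessor_class]          # select the usage profile
        cost = self.txn_types[txn].weighted_cost(params)
        c = profile.constraint
        used = self.current_usage(accessor, c.window_seconds, now)
        if used + cost > c.max_weighted_units:           # constraint triggered
            return False, profile.action, cost
        self.history[accessor].append((now, cost))
        return True, "allow", cost


# Constructed transaction types: cost grows with page size, wildcard searches
# and export volume, so one expensive call is not counted like one cheap call.
TXN_TYPES = {
    "search": TransactionType(
        "search", 1.0,
        lambda p: (1 + p.get("page_size", 10) / 100) * (3.0 if p.get("wildcard") else 1.0)),
    "export": TransactionType(
        "export", 10.0,
        lambda p: max(1.0, p.get("rows", 0) / 1000)),
}

# Constructed accessor classes with their own constraint and action.
PROFILES = {
    "anonymous": UsageProfile("anonymous", UsageConstraint(60.0, 20.0), "reject"),
    "authenticated": UsageProfile("authenticated", UsageConstraint(60.0, 200.0), "throttle"),
}


def run_scenario() -> List[Tuple[float, bool, str, float]]:
    """Replay constructed traffic from one anonymous accessor; returns decisions."""
    lim = Limiter(PROFILES, TXN_TYPES)
    traffic = [
        (0.0, "search", {"page_size": 10}),
        (1.0, "search", {"page_size": 100, "wildcard": True}),
        (2.0, "export", {"rows": 5000}),      # one call heavier than the whole budget
        (3.0, "search", {"page_size": 100, "wildcard": True}),
        (4.0, "search", {"page_size": 100, "wildcard": True}),
        (5.0, "search", {"page_size": 100, "wildcard": True}),   # pushes past 20 units
        (61.0, "search", {"page_size": 100, "wildcard": True}),  # early entries aged out
    ]
    out = []
    for t, txn, params in traffic:
        admitted, action, cost = lim.request("guest-1", "anonymous", txn, params, t)
        out.append((t, admitted, action, cost))
    return out


if __name__ == "__main__":
    for t, admitted, action, cost in run_scenario():
        print(f"t={t:5.1f} cost={cost:5.1f} admitted={admitted} action={action}")
```

The point the weighting makes is visible in the replay: a plain count-based limit would admit the 5000-row export as one request, whereas its weighted cost (50 units) exceeds the anonymous budget on its own and is rejected even while the accessor has used little else. The same accessor is admitted again at t=61 once the earliest charged requests fall outside the 60-second window, which is the "until the threshold is no longer met" behaviour of the claim.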
Abstract
Denial-of-service attacks are prevented or mitigated in a cloud compute environment, such as a multi-tenant, collaborative SaaS system. This is achieved by providing a mechanism by which characterization of “legitimate” behavior is defined for accessor classes, preferably along with actions to be taken in the event an accessor exceeds those limits. A set of accessor “usage profiles” are generated. Typically, a profile comprises information, such as one or more “constraints,” and one or more “actions.” At least one constraint is generated by applying one or more parameters of a transaction weighting function such that the resulting constraint represents an actual or estimated cost of executing the transaction. An action defines how the system will respond if a particular constraint is triggered. By applying the constraints to accessor requests, the approach prevents over-utilization of compute resources.
17 Claims
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6.

7. Apparatus, comprising:
   - a processor;
   - computer memory holding computer program instructions executed by the processor to prevent application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, the computer program instructions comprising:
     - program code operative upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure to select a given usage profile from a set of usage profiles, the given usage profile including a usage constraint that, for a given transaction identified in the usage constraint, has an associated parametric-sensitive transaction weighting that is computed by (i) associating a weight to the given transaction, (ii) parameterizing the transaction weight according to at least one parameter using a weighting function, the weighting function associated with a given transaction type that includes the given transaction, (iii) evaluating the weighting function to a value, and (iv) adjusting the weight according to the value;
     - program code to apply the usage constraint in the selected usage profile to determine whether the request to access the given application should proceed; and
     - program code to take a given action when permitting the request to access triggers the usage constraint in the selected usage profile, wherein the given action restricts one or more subsequent requests to access the given application by the accessor until a predetermined threshold of usage as defined by the usage constraint is no longer met.
   Dependent claims: 8, 9, 10, 11, 12.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, prevent application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, the computer program instructions comprising:
   - program code operative upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure to select a given usage profile from a set of usage profiles, the given usage profile including a usage constraint that, for a given transaction identified in the usage constraint, has an associated parametric-sensitive transaction weighting that is computed by (i) associating a weight to the given transaction, (ii) parameterizing the transaction weight according to at least one parameter using a weighting function, the weighting function associated with a given transaction type that includes the given transaction, (iii) evaluating the weighting function to a value, and (iv) adjusting the weight according to the value;
   - program code to apply the usage constraint in the selected usage profile to determine whether the request to access the given application should proceed; and
   - program code to take a given action when permitting the request to access triggers the usage constraint in the selected usage profile, wherein the given action restricts one or more subsequent requests to access the given application by the accessor until a predetermined threshold of usage as defined by the usage constraint is no longer met.
   Dependent claims: 14, 15, 16, 17.