Insider attack resistant system and method for cloud services integrity checking

US 9,787,701 B2
Filed: 03/16/2017
Issued: 10/10/2017
Est. Priority Date: 08/13/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory that stores instructions; and

a processor that executes the instructions to perform operations, the operations comprising;

executing, by utilizing a virtual machine executing a copy of a service and by utilizing an integrity checking script activated at the virtual machine, a set of operations associated with the service to check the integrity of the service, wherein the set of operations are executed based on a minimum level of access to a peripheral that is required for each operation in the set of operations to be executed, wherein the minimum level of access is established by suspending access to a network port;

executing, when the system is in a normal operation mode, the set of operations associated with service based on a full level of access to the peripheral and the network port;

logging each result for each operation in the set of operations after each operation is executed;

analyzing, by utilizing the virtual machine, each result for each operation in the set of operations to determine if a failure for an operation in the set of operations exists; and

determining, if the failure exists, that a change in a system behavior associated with the service has occurred.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An insider attack resistant system for providing cloud services integrity checking is disclosed. In particular, the system utilizes an automated integrity checking script and virtual machines to check the integrity of a service. The system may utilize the integrity checking script and virtual machines to execute a set of operations associated with the service so as to check the integrity of the service. When executing the set of operations, the system may only have access to the minimum level of access to peripherals that is required for each operation in the set of operations to be executed. After each operation is executed, the system may log each result for each operation, and analyze each result to determine if a failure exists for any of the operations. If a failure exists, the system may determine that a change in an expected system behavior associated with the service has occurred.

27 Citations

20 Claims

1. A system, comprising:
- a memory that stores instructions; and
  
  a processor that executes the instructions to perform operations, the operations comprising;
  
  executing, by utilizing a virtual machine executing a copy of a service and by utilizing an integrity checking script activated at the virtual machine, a set of operations associated with the service to check the integrity of the service, wherein the set of operations are executed based on a minimum level of access to a peripheral that is required for each operation in the set of operations to be executed, wherein the minimum level of access is established by suspending access to a network port;
  
  executing, when the system is in a normal operation mode, the set of operations associated with service based on a full level of access to the peripheral and the network port;
  
  logging each result for each operation in the set of operations after each operation is executed;
  
  analyzing, by utilizing the virtual machine, each result for each operation in the set of operations to determine if a failure for an operation in the set of operations exists; and
  
  determining, if the failure exists, that a change in a system behavior associated with the service has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the operations further comprise activating the integrity checking script.
  - 3. The system of claim 2, wherein the operations further comprise activating the integrity checking script at periodic intervals.
  - 4. The system of claim 3, wherein the operations further comprise performing an analysis on an integrity checking script when the integrity checking script is contaminated.
  - 5. The system of claim 1, wherein the operations further comprise mimicking a user by utilizing the virtual machine.
  - 6. The system of claim 1, wherein the operations further comprise determining if malware is affecting the service.
  - 7. The system of claim 6, wherein the operations further comprise removing the malware if the malware is determined to be affecting the service.
  - 8. The system of claim 1, wherein the operations further comprise generating an alert when the change in the system behavior associated with the service has occurred.
  - 9. The system of claim 1, wherein the operations further comprise enforcing the minimum level of access to the peripheral by synchronizing a software-defined network script with the integrity checking script.
  - 10. The system of claim 1, wherein the operations further comprise logging a number of times the peripheral is accessed during execution of the set of operations.
  - 11. The system of claim 1, wherein the operations further comprise suspending access to other peripherals.
  - 12. The system of claim 1, wherein the operations further comprise determining a manner in which malware affecting the service is perpetrating an attack on the service.
  - 13. The system of claim 1, wherein the operations further comprise enforcing the minimum level of access to the peripheral by utilizing a hypervisor layer firewall.

14. A method, comprising:
- processing, by utilizing a virtual machine executing a copy of a service and by utilizing an integrity checking script executing at the virtual machine, a set of operations associated with the service to check the integrity of the service, wherein the set of operations are processed based on a minimum level of access to a peripheral that is required for each operation in the set of operations to be processed, wherein the minimum level of access is established by suspending access to a network port;
  
  executing, when the system is in a normal operation mode, the set of operations associated with service based on a full level of access to the peripheral and the network port;
  
  logging each result for each operation in the set of operations after each operation is executed or processed;
  
  analyzing, by utilizing the virtual machine, each result for each operation in the set of operations to determine if a failure for an operation in the set of operations exists; and
  
  determining, if the failure exists, a change in a system behavior associated with the service, wherein the determining is performed by utilizing instructions from a memory that are executed by a processor.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, further comprising generating an alert when the change in the system behavior associated with the service has occurred.
  - 16. The method of claim 14, further comprising determining if malware is affecting the service.
  - 17. The method of claim 16, further comprising determining a manner in which the malware is perpetrating an attack on the service.
  - 18. The method of claim 14, further comprising performing an analysis on an integrity checking script when the integrity checking script is contaminated.
  - 19. The method of claim 14, further comprising removing malware if the malware is determined to be affecting the service.

20. A computer-readable device comprising instructions, which when executed by a processor, cause the processor to perform operations comprising:
- executing, by utilizing a virtual machine executing a copy of a service and by utilizing an integrity checking script activated at the virtual machine, a set of operations associated with the service to check the integrity of the service, wherein the set of operations are executed based on a minimum level of access to a peripheral that is required for each operation in the set of operations, wherein the minimum level of access is established by suspending access to a network port;
  
  executing, when the system is in a normal operation mode, the set of operations associated with service based on a full level of access to the peripheral and the network port;
  
  logging each result for each operation in the set of operations after each operation is executed;
  
  evaluating, by utilizing the virtual machine, each result for each operation in the set of operations to determine if a failure for an operation in the set of operations exists; and
  
  determining, if the failure exists, an occurrence of a change in a system behavior associated with the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Jayawardena, Thusitha, Bickford, Jeffrey E., Istomin, Mikhail, Liefert, John, Singaraju, Gokul, Van Wart, Christopher
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/460,818
Publication Number

US 20170187732A1
Time in Patent Office

208 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0712   in a virtual computing plat...

G06F 11/0751   Error or fault detection no...

G06F 11/079   Root cause analysis, i.e. e...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 9/45512   Command shells

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Insider attack resistant system and method for cloud services integrity checking

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Insider attack resistant system and method for cloud services integrity checking

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others