System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
First Claim
1. A system comprising:
- one or more processors; and
at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process including;
providing a cloud computing environment, the cloud computing environment including a virtual asset instantiated and executing within the cloud computing environment by a computing processor, the virtual asset being a component of a network switch, the one or more virtual assets comprising, at instantiation;
virtual asset self-monitoring logic, the virtual asset self-monitoring logic including data and instructions for detecting one or more trigger events of the virtual asset, the trigger events including deviations from pre-established baseline traffic patterns, the virtual asset self monitoring logic further including data and instructions to detect, as a trigger event, a response to a customer request being directed to a destination that is not the customer location of record and further including data and instructions to detect, as a trigger event, an internal elapsed time of defined critical operations changing to a time outside a defined range and further including data and instructions to detect, as a trigger event, an access pattern indicating that messages arrive too infrequently;
virtual asset self-reporting logic, the virtual asset self-reporting logic including data and instructions for generating trigger event reporting data if one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;
self-reporting communications channel creation logic, the self-reporting communications channel creation logic including data and instructions for opening a self-reporting communications channel between the virtual asset and a virtual asset monitoring system responsive to one of the one or more trigger events being detected in the virtual asset by the virtual asset self-monitoring logic; and
trigger event reporting data transfer logic, the trigger event reporting data transfer logic including data and instructions for transferring the trigger event reporting data from the virtual asset to the virtual asset monitoring system when one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic;
using the virtual asset self-monitoring logic to monitor at least a portion of message traffic sent to the virtual asset to detect any message meeting one or more initial trigger parameters;
classifying one or more portions of the detected at least one message as being suspect, the classified portions of the detected message satisfying the one or more predefined trigger parameters;
determining, based on the satisfied one or more trigger parameters, which of a plurality of threat scoring services to analyze the classified one or more suspect portions, each of the threat scoring services configured to analyze specific trigger parameters;
transferring the one or more suspect portions to the determined threat scoring services;
assigning, by the determined threat scoring services, threat scores to the suspect message at least partially based on a potential impact of the suspect message'"'"'s potential security threat on the virtual asset, wherein the assigned threat scores are higher if the potential impact includes compromising financial data of users, and the assigned threat score is lower if the potential security threat is expected to cause a minor decrease in network connectivity speeds;
enabling, by providing the threat score to the virtual asset, the virtual asset to secure against the suspect message;
for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message;
transferring the suspect message copy data to one or more analysis systems for further analysis;
determining, through analysis by the one or more analysis systems, an identity of a specific recipient of the detected at least one message;
determining one or more second trigger parameters having criteria defining similar messages to the detected at least one message;
updating the initial trigger parameters to include the one or more second trigger parameters; and
detecting at least one suspect message using the updated initial trigger parameters.
0 Assignments
0 Petitions
Accused Products
Abstract
A trigger event monitoring system is provided in one or more virtual assets. One or more trigger parameters, including security threat patterns, are defined and trigger data is generated. The one or more trigger monitoring systems are used to monitor extrusion and intrusion capabilities and self-monitored trigger events that may harm or otherwise leave a virtual asset in a vulnerable state. In one embodiment, trigger events and monitoring of at least a portion of message traffic sent to, or sent from, the one or more virtual assets are initiated and/or performed to detect any message including one or more of the one or more of the trigger parameters. Any message meeting the one or more trigger parameters is identified as a potential security threat and is assigned a threat score, which is provided to the virtual asset. Various corrective actions may take place.
438 Citations
22 Claims
-
1. A system comprising:
-
one or more processors; and at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process including; providing a cloud computing environment, the cloud computing environment including a virtual asset instantiated and executing within the cloud computing environment by a computing processor, the virtual asset being a component of a network switch, the one or more virtual assets comprising, at instantiation; virtual asset self-monitoring logic, the virtual asset self-monitoring logic including data and instructions for detecting one or more trigger events of the virtual asset, the trigger events including deviations from pre-established baseline traffic patterns, the virtual asset self monitoring logic further including data and instructions to detect, as a trigger event, a response to a customer request being directed to a destination that is not the customer location of record and further including data and instructions to detect, as a trigger event, an internal elapsed time of defined critical operations changing to a time outside a defined range and further including data and instructions to detect, as a trigger event, an access pattern indicating that messages arrive too infrequently; virtual asset self-reporting logic, the virtual asset self-reporting logic including data and instructions for generating trigger event reporting data if one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic; self-reporting communications channel creation logic, the self-reporting communications channel creation logic including data and instructions for opening a self-reporting communications channel between the virtual asset and a virtual asset monitoring system responsive to one of the one or more trigger events being detected in the virtual asset by the virtual asset self-monitoring logic; and trigger event reporting data transfer logic, the trigger event reporting data transfer logic including data and instructions for transferring the trigger event reporting data from the virtual asset to the virtual asset monitoring system when one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic; using the virtual asset self-monitoring logic to monitor at least a portion of message traffic sent to the virtual asset to detect any message meeting one or more initial trigger parameters; classifying one or more portions of the detected at least one message as being suspect, the classified portions of the detected message satisfying the one or more predefined trigger parameters; determining, based on the satisfied one or more trigger parameters, which of a plurality of threat scoring services to analyze the classified one or more suspect portions, each of the threat scoring services configured to analyze specific trigger parameters; transferring the one or more suspect portions to the determined threat scoring services; assigning, by the determined threat scoring services, threat scores to the suspect message at least partially based on a potential impact of the suspect message'"'"'s potential security threat on the virtual asset, wherein the assigned threat scores are higher if the potential impact includes compromising financial data of users, and the assigned threat score is lower if the potential security threat is expected to cause a minor decrease in network connectivity speeds; enabling, by providing the threat score to the virtual asset, the virtual asset to secure against the suspect message; for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message; transferring the suspect message copy data to one or more analysis systems for further analysis; determining, through analysis by the one or more analysis systems, an identity of a specific recipient of the detected at least one message; determining one or more second trigger parameters having criteria defining similar messages to the detected at least one message; updating the initial trigger parameters to include the one or more second trigger parameters; and detecting at least one suspect message using the updated initial trigger parameters. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A computing system implemented method, which when executed by one or more computing processors, performs process operations comprising:
-
providing a cloud computing environment, the cloud computing environment including one or more virtual assets instantiated within the cloud computing environment, the one or more virtual assets being a component of a network switch, the one or more virtual assets comprising, at instantiation; virtual asset self-monitoring logic including data and instructions for detecting one or more trigger events of the virtual asset, the trigger events including deviations from pre-established baseline traffic patterns, the virtual asset self monitoring logic further including data and instructions to detect, as a trigger event, a response to a customer request being directed to a destination that is not the customer location of record and further including data and instructions to detect, as a trigger event, an internal elapsed time of defined critical operations changing to a time outside a defined range and further including data and instructions to detect, as a trigger event, an access pattern indicating that messages arrive too infrequently; virtual asset self-reporting logic including data and instructions for generating trigger event reporting data if one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic; self-reporting communications channel creation logic including data and instructions for opening a self-reporting communications channel between the virtual asset and a virtual asset monitoring system responsive to one of the one or more trigger events being detected in the virtual asset by the virtual asset self-monitoring logic; and trigger event reporting data transfer logic including data and instructions for transferring the trigger event reporting data from the virtual asset to the virtual asset monitoring system when one of the one or more trigger events is detected in the virtual asset by the virtual asset self-monitoring logic; using the virtual asset self-monitoring logic to monitor at least a portion of message traffic sent to the virtual asset to detect any message meeting one or more initial trigger parameters; classifying one or more portions of a detected message as being suspect, the classified portions of the detected message satisfying the one or more initial trigger parameters; determining, based on the satisfied one or more trigger parameters, which of a plurality of threat scoring services to analyze the classified one or more suspect portions, each of the threat scoring services configured to analyze specific trigger parameters; transferring the one or more suspect portions to the determined threat scoring services; assigning, by the determined threat scoring services, threat scores to the suspect message at least partially based on a potential impact of the suspect message'"'"'s potential security threat to the virtual asset, wherein the assigned threat scores are higher if the potential impact includes compromising financial data of users, and the assigned threat score is lower if the potential security threat is expected to cause a minor decrease in network connectivity speeds; enabling, by providing the threat score to the virtual asset, the virtual asset to secure against the suspect message; for each suspect message, generating suspect message copy data representing a copy of at least a portion of the suspect message; transferring the suspect message copy data to one or more analysis systems for further analysis; determining, through analysis by the one or more analysis systems, an identity of a specific recipient of the detected at least one message; determining one or more second trigger parameters having criteria defining similar messages to the detected at least one message; updating the initial trigger parameters to include the one or more second trigger parameters; and detecting at least one suspect message using the updated initial trigger parameters. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
-
Specification