Security within a software-defined infrastructure

US 10,546,121 B2
Filed: 06/22/2018
Issued: 01/28/2020
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising a computer readable storage medium having stored thereon program instructions programmed to:

establish a security container describing a workload and a set of resources in a software-defined environment, the security container including a set of sub-containers that are self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container, each sub-container of the set of sub-containers respectively corresponds to a resource-divisible portion of the workload, the set of resources being required by the workload, wherein a sub-container of the set of sub-containers is an operating system sub-container;

monitor the workload and the set of resources for security events; and

responsive to identifying a security event, adjust isolation mechanisms provided by the plurality of sub-containers at various layers of a stack;

wherein;

the set of sub-containers represents an end-to-end run time environment for processing the workload using the set of resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is a computer program product and computer system that includes program instructions programmed to establish a security container describing a workload and a set of resources in a software-defined environment, the security container including a set of sub-containers that are self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container, each sub-container of the set of sub-containers respectively corresponds to a resource-divisible portion of the workload, the set of resources being required by the workload, wherein a sub-container of the set of sub-containers is an operating system sub-container; monitor the workload and the set of resources for security events; and responsive to identifying a security event, adjust isolation mechanisms provided by the plurality of sub-containers at various layers of a stack. The set of sub-containers represents an end-to-end run time environment for processing the workload using the set of resources.

13 Citations

View as Search Results

14 Claims

1. A computer program product comprising a computer readable storage medium having stored thereon program instructions programmed to:
- establish a security container describing a workload and a set of resources in a software-defined environment, the security container including a set of sub-containers that are self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container, each sub-container of the set of sub-containers respectively corresponds to a resource-divisible portion of the workload, the set of resources being required by the workload, wherein a sub-container of the set of sub-containers is an operating system sub-container;
  
  monitor the workload and the set of resources for security events; and
  
  responsive to identifying a security event, adjust isolation mechanisms provided by the plurality of sub-containers at various layers of a stack;
  
  wherein;
  
  the set of sub-containers represents an end-to-end run time environment for processing the workload using the set of resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer program product of claim 1, the program instructions further programmed to:
    - determine a set of security criteria for the security container; and
      
      wherein;
      
      monitoring for security events is based on the set of security criteria.
  - 3. The computer program product of claim 1, wherein adjusting isolation mechanisms includes at least one of:
    - inserting an isolation mechanism; and
      
      removing an isolation mechanism.
  - 4. The computer program product of claim 1, the program instructions further programmed to:
    - determine a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion.
  - 5. The computer program product of claim 4, the program instructions further programmed to:
    - generate the set of sub-containers, each sub-container representing a unique resource-divisible portion of the workload.
  - 6. The computer program product of claim 1, wherein the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers.
  - 7. The computer program product of claim 1, wherein monitoring the workload and the set of resources for security events includes deep introspection, condition-based monitoring, and/or applying a behavior model to a resource within the set of resources.

8. A computer system comprising:
- a processor(s) set; and
  
  a computer readable storage medium;
  
  wherein;
  
  the processor set is structured, located, connected, and/or programmed to run program instructions stored on the computer readable storage medium; and
  
  the program instructions include program instructions programmed to;
  
  establish a security container describing a workload and a set of resources in a software-defined environment, the security container including a set of sub-containers that are self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container, each sub-container of the set of sub-containers respectively corresponds to a resource-divisible portion of the workload, the set of resources being required by the workload, wherein a sub-container of the set of sub-containers is an operating system sub-container;
  
  monitor the workload and the set of resources for security events; and
  
  responsive to identifying a security event, adjust isolation mechanisms provided by the plurality of sub-containers at various layers of a stack;
  
  wherein;
  
  the set of sub-containers represents an end-to-end run time environment for processing the workload using the set of resources.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, the program instructions further programmed to:
    - determine a set of security criteria for the security container; and
      
      wherein;
      
      monitoring for security events is based on the set of security criteria.
  - 10. The computer system of claim 8, wherein adjusting isolation mechanisms includes at least one of:
    - inserting an isolation mechanism; and
      
      removing an isolation mechanism.
  - 11. The computer system of claim 8, the program instructions further programmed to:
    - determine a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion.
  - 12. The computer system of claim 11, the program instructions further programmed to:
    - generate the set of sub-containers, each sub-container representing a unique resource-divisible portion of the workload.
  - 13. The computer system of claim 8, wherein the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers.
  - 14. The computer system of claim 8, wherein monitoring the workload and the set of resources for security events includes deep introspection, condition-based monitoring, and/or applying a behavior model to a resource within the set of resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Brech, Brad L., Crowder, Scott W., Franke, Hubertus, Halim, Nagui, Hogstrom, Matt R., Li, Chung-Sheng, Pattnaik, Pratap C., Pendarakis, Dimitrios, Rao, Josyula R., Ratnaparkhi, Radha P., Williams, Michael D.
Primary Examiner(s)
Korsak, Oleg

Application Number

US16/015,766
Publication Number

US 20180300479A1
Time in Patent Office

585 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5083   Techniques for rebalancing ...

Security within a software-defined infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Security within a software-defined infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links