CROSS-USER CORRELATION FOR DETECTING SERVER-SIDE MULTI-TARGET INTRUSION
Abstract
Technologies are generally described for time-correlating administrative events within virtual machines of a datacenter across many users and/or deployments. In some examples, the correlation of administrative events enables the detection of confluences of repeated unusual events that may indicate a mass hacking attack, thereby allowing attacks lacking network signatures to be detected. Detection of the attack may also allow the repair of affected systems and the prevention of further hacking before the vulnerability has been analyzed or repaired.
Claims (35 claims; 144 citations)
1. A method for detecting server-side multi-target intrusions through cross-user correlation, the method comprising:
- detecting a low-probability administrative event associated with a user of a datacenter, wherein the administrative event is one or more of a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use;
- monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments; and
- if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
(Dependent claims: 2, 5, 6, 7, 8, 9, 10)

3. (canceled)

11-12. (canceled)

13. A cloud-based datacenter configured to detect server-side multi-target intrusions through cross-user correlation, the datacenter comprising:
- a plurality of virtual machines operable to be executed on one or more physical machines;
- a virtual machine monitor configured to:
  - provide access to the plurality of virtual machines; and
  - detect a low-probability administrative event associated with a user based on a list of watched events, wherein the administrative event is one or more of a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use; and
- a datacenter controller configured to:
  - monitor confluences of the administrative event within virtual machines of the datacenter through multiple virtual machine monitors across multiple users and/or deployments; and
  - if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classify the administrative event as an attack.
(Dependent claims: 16, 18, 22, 23)

14-15. (canceled)

17. (canceled)

19-21. (canceled)

24. A computer-readable storage medium having instructions stored thereon for detecting server-side multi-target intrusions through cross-user correlation, the instructions comprising:
- detecting a low-probability administrative event associated with a user of a datacenter, wherein the administrative event is one or more of a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use;
- monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments; and
- if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
(Dependent claims: 25, 28, 34, 35)

26. (canceled)

29-33. (canceled)
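The abstract and independent claims 1, 13 and 24 all describe the same detection logic: watch a list of administrative event kinds, keep only those that are individually low-probability for a given user, and raise an alert when the same kind shows up across a larger share of users or deployments within a time window than a predefined threshold. The following Python sketch is an added example and is not the patent's own implementation; the event kind names, the `baseline` probability table, the 5% low-probability cutoff, the 25% attack threshold and the sample events are all assumptions chosen for illustration.

```python
"""Cross-user confluence detector for low-probability administrative events.

Added example; not the patent's own implementation. Event kind names, the
baseline table and both thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# The kinds of administrative events the claims enumerate as watched.
WATCHED_EVENTS = {
    "user_status_change", "user_status_file_change", "key_executable_replaced",
    "user_data_file_change", "transfer", "status_update",
    "unusual_port_use", "unusual_hardware_use",
}


@dataclass(frozen=True)
class AdminEvent:
    ts: datetime
    user: str   # tenant / deployment owner the VM belongs to
    vm: str     # VM on which the virtual machine monitor observed the event
    kind: str


@dataclass
class Alert:
    kind: str
    window_start: datetime
    users: Set[str]
    observed_fraction: float   # share of all users showing the event in the window


def correlate(events: Iterable[AdminEvent], baseline: Dict[str, float], total_users: int,
              window: timedelta, low_prob_cutoff: float = 0.05,
              attack_threshold: float = 0.25) -> List[Alert]:
    """Flag watched event kinds that are individually rare (baseline per-user
    probability below `low_prob_cutoff`) but appear across more than
    `attack_threshold` of all users inside one sliding window.

    `baseline` maps event kind -> per-user probability of that event occurring
    within one window; it is assumed to be learned from history. A kind with no
    baseline entry is treated as rare (probability 0.0).
    """
    by_kind: Dict[str, List[AdminEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in WATCHED_EVENTS and baseline.get(ev.kind, 0.0) < low_prob_cutoff:
            by_kind[ev.kind].append(ev)

    alerts: List[Alert] = []
    for kind, evs in by_kind.items():
        i = 0
        while i < len(evs):
            start = evs[i]
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in in_window}   # distinct users, not raw event count
            fraction = len(users) / total_users
            if fraction > attack_threshold:
                alerts.append(Alert(kind, start.ts, users, fraction))
                i += len(in_window)   # one alert per confluence, not one per event
            else:
                i += 1
    return alerts


# ---- constructed sample: 20 tenants observed during one quiet night ----
T0 = datetime(2024, 1, 1, 3, 0, 0)
SAMPLE_BASELINE = {
    "key_executable_replaced": 0.01,   # rare
    "unusual_port_use": 0.02,          # rare
    "user_status_change": 0.40,        # routine; never correlated
}
SAMPLE_EVENTS = (
    # the same rare event on six different tenants within eight minutes
    [AdminEvent(T0 + timedelta(minutes=m), f"tenant{u}", f"vm-{u}a", "key_executable_replaced")
     for m, u in [(0, 1), (1, 4), (3, 7), (4, 9), (6, 12), (8, 15)]]
    # an isolated occurrence an hour later: a single user, no confluence
    + [AdminEvent(T0 + timedelta(minutes=60), "tenant2", "vm-2a", "key_executable_replaced")]
    # a rare event on only two tenants: below the attack threshold
    + [AdminEvent(T0 + timedelta(minutes=2), "tenant3", "vm-3b", "unusual_port_use"),
       AdminEvent(T0 + timedelta(minutes=5), "tenant8", "vm-8a", "unusual_port_use")]
    # a routine event on many tenants: not low-probability, so ignored
    + [AdminEvent(T0 + timedelta(minutes=m), f"tenant{u}", f"vm-{u}a", "user_status_change")
       for m, u in [(0, 2), (1, 5), (2, 6), (3, 10), (4, 11), (5, 13), (6, 14)]]
)


def run_sample() -> List[Alert]:
    return correlate(SAMPLE_EVENTS, SAMPLE_BASELINE, total_users=20,
                     window=timedelta(minutes=10))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind} across {len(a.users)} users ({a.observed_fraction:.0%}) "
              f"starting {a.window_start:%H:%M}: {sorted(a.users)}")
```

Two design points follow directly from the claim language. First, the correlation counts distinct users (or deployments), not events: one tenant replacing a key executable on twenty of its own VMs is still a single user and should not cross the threshold on its own. Second, the routine event kinds are filtered out before correlation, so a widespread but ordinary change (a batch of user status updates at shift change) does not produce an alert; only a kind that is rare for any single user, yet suddenly common across the population, is classified as an attack.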