THREAT DETECTION AND MITIGATION THROUGH RUN-TIME INTROSPECTION AND INSTRUMENTATION
1 Assignment
0 Petitions
Abstract
A graph of a plurality of resources in a computing environment is generated, with the graph associating a first resource of the plurality with a second resource of the plurality. Based at least in part on measurements obtained at a point in a test computing environment that corresponds to a point in the computing environment, an expected value or expected range of values is determined. An assessment of a security state of the computing environment is generated based at least in part on a comparison between a measurement obtained at the point in the computing environment and the expected value or expected range of values, and responsive to a determination that the assessment indicates a rule violation in the computing environment, a security action is performed.
144 Citations
20 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
obtaining a measurement at a point in a distributed computing environment;
determining, based at least in part on the measurement, a correlation between a first element in the distributed computing environment and a second element in the distributed computing environment;
generating, based at least in part on the correlation, a graph comprising a plurality of nodes, with a first node of the plurality of nodes associated with the first element and a second node of the plurality of nodes associated with the second element;
determining, from the graph, that the measurement is in noncompliance with a rule; and
triggering a security action based at least in part on the noncompliance that was determined.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A system, comprising:
one or more processors; and
memory including instructions that, as a result of execution by the one or more processors, cause the system to:
determine, based at least in part on information collected at a location in a computing environment, a correlation between a first resource and a second resource of the computing environment, the computing environment being associated with a customer of a service provider;
generate a graph based at least in part on the correlation, the graph having a first node representing the first resource and a second node representing the second resource;
determine, based at least in part on an evaluation of the graph against a rule, that the first resource is in noncompliance with the rule; and
cause a security action, dependent at least in part on the noncompliance, to be performed.
Dependent claims: 9, 10, 11, 12, 13, 14

15. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, as a result of execution by one or more processors of one or more computer systems, cause the one or more computer systems to at least collectively:
generate a graph of a plurality of resources in a computing environment, the graph including a relationship between a first resource of the plurality and a second resource of the plurality;
at a point in the computing environment associated with the relationship, obtain a measurement;
determine, based at least in part on at least one measurement obtained at a point in a test computing environment that corresponds to the point in the computing environment, a baseline;
generate, by walking the graph, an assessment of a security state of the relationship, the assessment based at least in part on a comparison of the measurement with the baseline; and
responsive to a determination that the assessment indicates a rule violation in the computing environment, cause performance of a security action.
Dependent claims: 16, 17, 18, 19, 20
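As an added illustration (not code from the patent or its assignee), the following Python sketches the flow described by the abstract and claim 15: build a resource graph from correlated measurements, derive an expected range per relationship from test-environment measurements, walk the production graph comparing each measurement against that baseline, and map rule violations to a security action. The resource names and latencies, the mean +/- 3 sigma rule, the "unexpected relationship" rule and the isolate/alert policy are all assumptions made for the example.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev
# Constructed sample data (not from the patent): (source, destination, latency_ms)
# captured at an instrumentation point on the path between two resources.
TEST_ENV = [("web", "api", 20), ("web", "api", 22), ("api", "db", 5),
            ("api", "db", 6), ("api", "cache", 1), ("api", "cache", 2)]
PROD_ENV = [("web", "api", 21), ("api", "db", 5), ("api", "db", 48),
            ("api", "cache", 1), ("api", "s3-bucket", 30)]

def build_graph(measurements):
    """Each observed (src, dst) pair is a correlation: nodes are resources,
    edges carry the measurements taken at that point."""
    graph = defaultdict(dict)
    for src, dst, value in measurements:
        graph[src].setdefault(dst, []).append(value)
    return graph

def baseline(test_measurements, k=3.0, floor=1.0):
    """Expected range per edge from the test environment: mean +/- k*stdev,
    with a minimum half-width so a tiny sample does not give a zero range."""
    ranges = {}
    for src, targets in build_graph(test_measurements).items():
        for dst, values in targets.items():
            mu, half = mean(values), max(k * pstdev(values), floor)
            ranges[(src, dst)] = (mu - half, mu + half)
    return ranges

def assess(prod_measurements, ranges, root="web"):
    """Breadth-first walk from root, checking each edge against its baseline.
    Assumed rules: no baseline -> unexpected relationship; out of range -> anomaly."""
    graph = build_graph(prod_measurements)
    violations, seen, queue = [], {root}, deque([root])
    while queue:
        src = queue.popleft()
        for dst, values in graph.get(src, {}).items():
            if (src, dst) not in ranges:
                violations.append(((src, dst), "unexpected_relationship", None))
            else:
                lo, hi = ranges[(src, dst)]
                violations += [((src, dst), "out_of_range", v)
                               for v in values if not lo <= v <= hi]
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return violations

def security_actions(violations):
    """Assumed policy: isolate the peer of an unexpected relationship, alert on anomalies."""
    return [("isolate", e[1]) if kind == "unexpected_relationship" else ("alert", e)
            for e, kind, _ in violations]
```

Run against the constructed data, the walk flags the 48 ms api-to-db call as out of range and the api-to-s3-bucket edge, which never appeared in the test environment, as an unexpected relationship.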
Specification