METHOD AND SYSTEM FOR IMPROVING SECURITY AND RELIABILITY IN A NETWORKED APPLICATION ENVIRONMENT

US 20180307849A1
Filed: 04/23/2018
Published: 10/25/2018
Est. Priority Date: 04/12/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium including instructions that, when executed by a processor, cause the processor to perform the steps of:

discovering a resource associated with a distributed application, wherein the distributed application executes on a plurality of compute nodes, and the resource is discovered and monitored within the distributed computing architecture;

determining a classification for the resource based on one or more classification criteria;

determining whether the classification corresponds to a record within a database, wherein the record includes a counter of a quantity of the resource deployed in the distributed computing architecture;

if the classification corresponds to a record within the database, then;

incrementing the counter associated with the record;

orif the classification does not correspond to a record within the database, then;

initializing another record within the database that corresponds to the classification, andinitializing another counter associated with the another record; and

publishing a notification when the counter indicates that a utilization associated with the classification exceeds a pre-determined limit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security application manages security and reliability of networked applications executing collection of interacting computing elements within a distributed computing architecture. The security application monitors various classes of resources utilized by the collection of nodes within the distributed computing architecture and determine whether utilization of a class of resources is approaching a pre-determined maximum limit. The security application performs a vulnerability scan of a networked application to determine whether the networked application is prone to a risk of intentional or inadvertent breach by an external application. The security application scans a distributed computing architecture for the existence of access control lists (ACLs), and stores ACL configurations and configuration changes in a database. The security application scans a distributed computing architecture for the existence of security certificates, places newly discovered security certificates in a database, and deletes outdated security certificates. Advantageously, security and reliability are improved in a distributed computing architecture.

101 Citations

View as Search Results

40 Claims

1. A non-transitory computer-readable medium including instructions that, when executed by a processor, cause the processor to perform the steps of:
- discovering a resource associated with a distributed application, wherein the distributed application executes on a plurality of compute nodes, and the resource is discovered and monitored within the distributed computing architecture;
  
  determining a classification for the resource based on one or more classification criteria;
  
  determining whether the classification corresponds to a record within a database, wherein the record includes a counter of a quantity of the resource deployed in the distributed computing architecture;
  
  if the classification corresponds to a record within the database, then;
  
  incrementing the counter associated with the record;
  
  orif the classification does not correspond to a record within the database, then;
  
  initializing another record within the database that corresponds to the classification, andinitializing another counter associated with the another record; and
  
  publishing a notification when the counter indicates that a utilization associated with the classification exceeds a pre-determined limit.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the resource comprises an instance of a software application executing within the distributed computing architecture.
  - 3. The non-transitory computer-readable medium of claim 1, further comprising generating a notification when the classification does not correspond to a record within the database.
  - 4. The non-transitory computer-readable medium of claim 1, further comprising retrieving a first threshold value associated with the record, and generating a notification when the counter exceeds the first threshold value.
  - 5. The non-transitory computer-readable medium of claim 4, wherein generating the notification comprises publishing a message to a publication/subscription system indicating that the counter exceeds the first threshold value.
  - 6. The non-transitory computer-readable medium of claim 1, further comprising retrieving a second threshold value associated with the record, and generating a second notification when the counter exceeds the second threshold value.
  - 7. The non-transitory computer-readable medium of claim 6, wherein at least one of the first threshold value and the second threshold value comprises a percentage of a maximum limit.

8. A system, comprising:
- a memory storing instructions; and
  
  a processor that is couple to the memory and, when executing the instructions, is configured to perform the steps of;
  
  discovering a resource associated with a distributed application, wherein the distributed application executes on a plurality of compute nodes, and the resource is discovered and monitored within the distributed computing architecture;
  
  determining a classification for the resource based on one or more classification criteria;
  
  determining whether the classification corresponds to a record within a database, wherein the record includes a counter of a quantity of the resource deployed in the distributed computing architecture;
  
  if the classification corresponds to a record within the database, then;
  
  incrementing the counter associated with the record;
  
  orif the classification does not correspond to a record within the database, then;
  
  initializing another record within the database that corresponds to the classification, andinitializing another counter associated with the another record; and
  
  publishing a notification when the counter indicates that a utilization associated with the classification exceeds a pre-determined limit.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the resource comprises an instance of a software application executing within the distributed computing architecture.
  - 10. The system of claim 8, wherein the processor also performs that step of generating a notification when the classification does not correspond to a record within the database.
  - 11. The system of claim 8, wherein the processor also performs that step of retrieving a first threshold value associated with the record, and generating a notification when the counter exceeds the first threshold value.
  - 12. The system of claim 11, wherein generating the notification comprises publishing a message to a publication/subscription system indicating that the counter exceeds the first threshold value.
  - 13. The system of claim 8, wherein the processor also performs that step of retrieving a second threshold value associated with the record, and generating a second notification when the counter exceeds the second threshold value.
  - 14. The system of claim 13, wherein at least one of the first threshold value and the second threshold value comprises a percentage of a maximum limit.

15. A method, comprising:
- scanning a distributed application that is executing on a plurality of compute nodes to detect a first security vulnerability, wherein the distributed application is stored within at least one memory element included in a distributed computing architecture;
  
  comparing the first security vulnerability against a database that includes a listing of previously-discovered security vulnerabilities; and
  
  if the first security vulnerability is not listed within the database, then;
  
  initializing a record within the database that corresponds to the first security vulnerability;
  
  orif the first security vulnerability is listed within the database, then;
  
  updating a record within the database that corresponds to the first security vulnerability to indicate that the first security vulnerability was detected;
  
  determining that the first security vulnerability is marked as being resolved; and
  
  generating a notification that the first security vulnerability was resolved.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the database includes an issue tracking system that is configured to track whether one or more security vulnerabilities have been resolved.
  - 17. The method of claim 15, wherein the operation further comprises generating a notification when the record corresponding to the first security vulnerability is initialized.
  - 18. The method of claim 17, wherein generating the notification comprises publishing a message to a publication/subscription system indicating that the distributed computing architecture is being scanned for security vulnerabilities.
  - 19. The method of claim 17, wherein generating a notification comprises generating an automatic email indicating that the distributed computing architecture is being scanned for security vulnerabilities.
  - 20. The method of claim 15, wherein scanning the networked application further comprises generating a notification that the distributed computing architecture is being scanned for security vulnerabilities.

21. A system, comprising:
- a memory; and
  
  a processor that is coupled to the memory and, when executing the instructions, is configured to perform the steps of;
  
  scanning a distributed application that is executing on a plurality of compute nodes to detect a first security vulnerability, wherein the distributed application is stored within at least one memory element included in a distributed computing architecture;
  
  comparing the first security vulnerability against a database that includes a listing of previously-discovered security vulnerabilities; and
  
  if the first security vulnerability is not listed within the database, then;
  
  initializing a record within the database that corresponds to the first security vulnerability;
  
  orif the first security vulnerability is listed within the database, then;
  
  updating a record within the database that corresponds to the first security vulnerability to indicate that the first security vulnerability was detected;
  
  determining that the first security vulnerability is marked as being resolved; and
  
  generating a notification that the first security vulnerability was resolved.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system of claim 21, wherein the database includes an issue tracking system that is configured to track whether one or more security vulnerabilities have been resolved.
  - 23. The system of claim 21, wherein the operation further comprises generating a notification when the record corresponding to the first security vulnerability is initialized.
  - 24. The system of claim 23, wherein generating the notification comprises publishing a message to a publication/subscription system indicating that the distributed computing architecture is being scanned for security vulnerabilities.
  - 25. The system of claim 23, wherein generating a notification comprises generating an automatic email indicating that the distributed computing architecture is being scanned for security vulnerabilities.
  - 26. The system of claim 21, wherein scanning the networked application further comprises generating a notification that the distributed computing architecture is being scanned for security vulnerabilities.

27. A method, comprising:
- discovering an access control list (ACL) associated with a distributed application executing on a plurality of compute nodes, wherein the ACL is stored within at least one memory element included in a distributed computing architecture;
  
  determining whether the ACL corresponds to a first record within a database; and
  
  if the ACL corresponds to a first record within the database, thendetermining that a configuration of the ACL differs from a configuration of the first record; and
  
  initializing a second record within the database that corresponds to the first record and has the configuration of the ACL;
  
  orif the ACL does not correspond to a first record within the database, theninitializing a second record within the database that corresponds to the ACL and has the configuration of the ACL.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The method of claim 27, wherein the ACL comprises a security group that includes one or more source objects, one or more ports, and one or more destination objects.
  - 29. The method of claim 28, wherein the one or more source objects are identifiable via an internet protocol (IP) address.
  - 30. The method of claim 28, wherein the one or more source objects are identifiable based on the one or more source objects included in the security group.
  - 31. The method of claim 28, further comprising computing an exposure metric for the security group based on at least one of the number of source objects included in the security group, the number of ports included in the security group, and the number of destination objects included in the security group.
  - 32. The method of claim 27, further comprising analyzing the ACL to determine whether the ACL is associated with a permission setting that permits the security group to access all routable addresses on the Internet.
  - 33. The method of claim 27, further comprising computing the number of instances of a software application that execute within the ACL.

34. A non-transitory computer-readable medium including instructions that, when executed by a processor, cause the processor to perform the steps of:
- discovering an access control list (ACL) associated with a distributed application executing on a plurality of compute nodes, wherein the ACL is stored within at least one memory element included in a distributed computing architecture;
  
  determining whether the ACL corresponds to a first record within a database; and
  
  if the ACL corresponds to a first record within the database, thendetermining that a configuration of the ACL differs from a configuration of the first record; and
  
  initializing a second record within the database that corresponds to the first record and has the configuration of the ACL;
  
  orif the ACL does not correspond to a first record within the database, theninitializing a second record within the database that corresponds to the ACL and has the configuration of the ACL.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The non-transitory computer-readable medium of claim 34, wherein the ACL comprises a security group that includes one or more source objects, one or more ports, and one or more destination objects.
  - 36. The non-transitory computer-readable medium of claim 35, wherein the one or more source objects are identifiable via an internet protocol (IP) address.
  - 37. The non-transitory computer-readable medium of claim 35, wherein the one or more source objects are identifiable based on the one or more source objects included in the security group.
  - 38. The non-transitory computer-readable medium of claim 35, further comprising computing an exposure metric for the security group based on at least one of the number of source objects included in the security group, the number of ports included in the security group, and the number of destination objects included in the security group.
  - 39. The non-transitory computer-readable medium of claim 34, further comprising analyzing the ACL to determine whether the ACL is associated with a permission setting that permits the security group to access all routable addresses on the Internet.
  - 40. The non-transitory computer-readable medium of claim 34, further comprising computing the number of instances of a software application that execute within the ACL.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netflix, Inc.
Original Assignee
Netflix, Inc.
Inventors
TSEITLIN, Ariel, RAPOPORT, Roy, CHAN, Jason

Granted Patent

US 10,691,814 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/302   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 16/285   Clustering or classification

G06F 21/00   Security arrangements for p...

G06F 21/45   Structures or tools for the...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 2209/504   Resource capping

G06F 2221/034   Test or assess a computer o...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/50   Allocation of resources, e....

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/12   Discovery or management of ...

H04L 43/16   Threshold monitoring

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 67/10   in which an application is ...

H04L 9/3268   using certificate validatio...

Y02D 10/00 : Energy efficient computing,...

View All

METHOD AND SYSTEM FOR IMPROVING SECURITY AND RELIABILITY IN A NETWORKED APPLICATION ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR IMPROVING SECURITY AND RELIABILITY IN A NETWORKED APPLICATION ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links