Cross-user correlation for detecting server-side multi-target intrusion

US 9,197,653 B2
Filed: 06/05/2012
Issued: 11/24/2015
Est. Priority Date: 06/05/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method to detect server-side multi-target intrusions through cross-user correlation, the method comprising:

detecting a low-probability administrative event associated with a user of a datacenter, wherein the administrative event is one or more of a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with the user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use;

monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users;

in response to a determination that the administrative event is detected across the multiple users at a level higher than a predefined probability threshold, classifying the administrative event as an attack;

preventing another attack within the datacenter prior to an identification of a vulnerability of the datacenter, through which the attack occurred, by combining a side channel technique with automated actions, the automated actions designed to alter a security environment within the datacenter and linked to a possible mass attack alert to provide a solution for the attack; and

providing one or more signatures generated for the administrative event based on one or more anomalous characteristics of the administrative event to one or more other datacenters within a same cloud such that the one or more other datacenters are enabled to prevent the attack universally within the cloud prior to the identification of the vulnerability of the datacenter.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies are generally described for time-correlating administrative events within virtual machines of a datacenter across many users and/or deployments. In some examples, the correlation of administrative events enables the detection of confluences of repeated unusual events that may indicate a mass hacking attack, thereby allowing attacks lacking network signatures to be detected. Detection of the attack may also allow the repair of affected systems and the prevention of further hacking before the vulnerability has been analyzed or repaired.

Citations

19 Claims

1. A method to detect server-side multi-target intrusions through cross-user correlation, the method comprising:
- detecting a low-probability administrative event associated with a user of a datacenter, wherein the administrative event is one or more of a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with the user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use;
  
  monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users;
  
  in response to a determination that the administrative event is detected across the multiple users at a level higher than a predefined probability threshold, classifying the administrative event as an attack;
  
  preventing another attack within the datacenter prior to an identification of a vulnerability of the datacenter, through which the attack occurred, by combining a side channel technique with automated actions, the automated actions designed to alter a security environment within the datacenter and linked to a possible mass attack alert to provide a solution for the attack; and
  
  providing one or more signatures generated for the administrative event based on one or more anomalous characteristics of the administrative event to one or more other datacenters within a same cloud such that the one or more other datacenters are enabled to prevent the attack universally within the cloud prior to the identification of the vulnerability of the datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, further comprisingdetecting the low-probability administrative event based on a list of watched events at each hypervisor of the datacenter.
  - 3. The method according to claim 1, wherein the change to the user status includes one or more of a permission change or a super-user addition within a virtual machine.
  - 4. The method according to claim 1, further comprisingexcluding known updates to user deployments from detection.
  - 5. The method according to claim 4, wherein the known updates are excluded by implementing the known updates on virtual machines disconnected from communications external to the datacenter, based on a list, or based on a data record.
  - 6. The method according to claim 1, further comprisingissuing the possible mass attack alert upon detection of the administrative event across the multiple users.
  - 7. The method according to claim 1, wherein the automated actions include one or more of a temporary dual-factor user verification, a lockdown, a reversion of recently occurred matching events across multiple deployments, and/or a notification of one or more users of possibly compromised machine images.
  - 8. The method according to claim 1, further comprisingproviding the side channel technique for an authorized user to enable specifically limited actions to address the vulnerability.

9. A cloud-based datacenter configured to detect server-side multi-target intrusions through cross-user correlation, the datacenter comprising:
- a plurality of virtual machines operable to be executed on one or more physical machines;
  
  a virtual machine monitor configured to;
  
  provide access to the plurality of virtual machines; and
  
  detect a low probability administrative event associated with a user based on a list of watched events, wherein the administrative event is one or more of a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with the user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use; and
  
  a datacenter controller configured to;
  
  monitor confluences of the administrative event within virtual machines of the datacenter through multiple virtual machine monitors across multiple users;
  
  in response to a determination that the administrative event is detected across the multiple users at a level higher than a predefined probability threshold, classify the administrative event as an attack;
  
  prevent another attack within the datacenter prior to an identification of a vulnerability of the datacenter, through which the attack occurred, by combining a side channel technique with automated actions, the automated actions designed to alter a security environment within the datacenter and linked to a possible mass attack alert to provide a solution for the attack; and
  
  provide one or more signatures generated for the administrative event based on one or more anomalous characteristics of the administrative event to one or more other datacenters within a same cloud such that the one or more other datacenters are enabled to prevent the attack universally within the cloud prior to the identification of the vulnerability of the datacenter.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The datacenter according to claim 9, wherein the datacenter controller is further configured toexclude known updates to user deployments from detection.
  - 11. The datacenter according to claim 9, wherein the datacenter controller is further configured toissue the possible mass attack alert upon detection of the administrative event across the multiple users and/or deployments.
  - 12. The datacenter according to claim 9, wherein the datacenter controller is further configured toupdate the list of watched events at each virtual machine monitor of the datacenter for detecting the low probability administrative event.
  - 13. The datacenter according to claim 9, wherein the datacenter controller is further configured toshare signatures for unusual administrative events across multiple datacenters at a summary level.

14. A non-transitory computer-readable storage medium having instructions stored thereon to detect server-side multi-target intrusions through cross-user correlation, the instructions comprising:
- detecting a low probability administrative event associated with a user of a datacenter, wherein the administrative event is one or more of a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with the user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use;
  
  monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users;
  
  in response to a determination that the administrative event is detected across the multiple users at a level higher than a predefined probability threshold, classifying the administrative event as an attack;
  
  preventing another attack within the datacenter prior to an identification of a vulnerability of the datacenter, through which the attack occurred, by combining a side channel technique with automated actions, the automated actions designed to alter a security environment within the datacenter and linked to a possible mass attack alert to provide a solution for the attack; and
  
  providing one or more signatures generated for the administrative event based on one or more anomalous characteristics of the administrative event to one or more other datacenters within a same cloud such that the one or more other datacenters are enabled to prevent the attack universally within the cloud prior to the identification of the vulnerability of the datacenter.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable storage medium according to claim 14, wherein the instructions further comprisedetecting the low probability administrative event based on a list of watched events at each hypervisor of the datacenter.
  - 16. The non-transitory computer-readable storage medium according to claim 14, wherein the change to the user status includes one or more of a permission change or a super-user addition within a virtual machine.
  - 17. The non-transitory computer-readable storage medium according to claim 14, wherein the instructions further compriseexcluding known updates to user deployments from detection.
  - 18. The non-transitory computer-readable storage medium according to claim 14, wherein the instructions further compriseupdating a list of watched events at each hypervisor of the datacenter for detecting the low probability administrative event.
  - 19. The non-transitory computer-readable storage medium according to claim 14, wherein the one or more generated signatures for the administrative event are provided to the one or more other datacenters at a summary level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Original Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Inventors
Kruglick, Ezekiel
Primary Examiner(s)
Su, Sarah

Application Number

US13/811,384
Publication Number

US 20130326623A1
Time in Patent Office

1,267 Days
Field of Search

726/22, 726/23, 726/24, 713/188, 709/224
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/45558   Hypervisor-specific managem...

G06N 7/01   Probabilistic graphical mod...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

Cross-user correlation for detecting server-side multi-target intrusion

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-user correlation for detecting server-side multi-target intrusion

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links