DETECTION AND DEFENSE OF EXTERNAL ATTACKS ON DATA PROCESSING

The method intercepts a subset of events based on learned security policies to detect anomalies and mitigate attacks, addressing inefficiencies in existing systems by reducing computational overhead and improving detection efficiency in complex environments.

DE112018003006B4 (Active)
Publication Date: 2026-06-18
INTERNATIONAL BUSINESS MACHINE CORPORATION

Patent Information

Authority / Receiving Office: DE · DE
Patent Type: Patents
Current Assignee / Owner: INTERNATIONAL BUSINESS MACHINE CORPORATION
Filing Date: 2018-07-24
Publication Date: 2026-06-18



Abstract

Method (600) executed on a computer for managing an external attack warning system, the method comprising: intercepting (608) a first subset of a plurality of events (118, 126) by a security agent (114, 122) of a client machine (106, 108), the events being generated by a first execution environment (112A, 222B, 112C; 120) utilizing the client machine, wherein the first subset of the plurality of events is intercepted according to a first learned security policy (116, 124), wherein the first learned security policy is learned based on observing the operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event from the first subset of events is of an event type associated with a malicious code profile; detecting (610) an anomaly by the security agent, based on the first learned security policy for the first execution environment, by comparing at least one intercepted event with at least one rule of the first learned security policy; and executing (612) a mitigation action by the security agent in response to the detection of the anomaly.

Description

TECHNICAL AREA

[0001] The present disclosure relates to computer security and specifically to warning systems against external attacks.

BACKGROUND

[0002] Computer security systems protect the confidentiality of data (e.g., protection against data breaches), the integrity of data (e.g., protection against data integrity violations), and the availability of data (e.g., protection against malfunctions) that is stored, executed, and / or exchanged between computer systems. Nevertheless, unauthorized external access to computer systems can lead to data corruption and / or impaired functionality.

[0003] Unauthorized external access can utilize a variety of attack vectors, such as workstation infiltration, credential theft, exploitation (e.g., buffer overflows, stack overflows, etc.), vulnerabilities (e.g., exploitation of coding weaknesses in applications, kernels, etc.), and escape-to-host attacks.

[0004] Traditional external attack warning systems can suffer from numerous challenges, such as generating an excessively high number of alerts, which requires considerable expertise (e.g., to configure / maintain the external attack warning system and evaluate its output), and having rules that are too rigid (e.g., not allowing approved updates to be carried out) or rules that are too flexible (e.g., not detecting new malicious attack profiles).

[0005] Examples of protection systems include antivirus tools, rootkit detectors, and / or APT (Advanced Persistent Threat) tools, which are configured to prevent infection of a machine or, in the case of an already infected computer, to neutralize an existing threat. A disadvantage is that these tools place a significant resource burden (e.g., runtime overhead) on the machines using them. For example, these tools may require inspecting every incoming network data transmission.

[0006] Another example of a protection system is the configuration of execution policies, where a user defines the expected behavior of a computer system to prevent anything else (e.g., malicious code) from executing. A disadvantage is that execution policies can be too rigid. For example, operating system updates and / or manual system administration sessions may not be advisable while an execution policy is in use.

[0007] Another example of a protection system is whitelisting, which prevents files with unknown or malicious content from being executed. However, whitelisting may not prevent attacks using reputable tools (e.g., nmap or tcpdump) that are commonly used in secure execution environments.

[0008] Another example of a protection system is a network-based intrusion detection system (NIDS). A disadvantage is that many attacks at the network level are difficult or even impossible to detect.

[0009] Another example of a protection system is a host-based intrusion detection system (HIDS), which monitors the behavior of applications on the host by examining data exchange operations with the underlying operating system. However, conventional HIDS are unable to monitor the large number of calls made in network environments where potentially hundreds of different containers and / or virtual machines are running.

[0010] State-of-the-art solutions include “Secure Yet Usable - Protecting Servers and Linux Containers”, S. Barlev, Z. Basil, S. Kohanim, R. Peleg, S. Regev, A. Shulman-Peleg, July 27, 2016, IBM Journal of Research and Development, Volume 60, Issue 4, Pages 12:1-12:10.

[0011] US 2017 / 0208080 A1 discloses a detection program in which predefined events and associated events are extracted from past log data, temporally ordered pattern data are formed from them to create a learning model, and anomalies are detected by comparison with newly arriving event data.

[0012] US 2007 / 0107052 A1 discloses a device for monitoring a processing system, in which system primitives for resource allocation, process activities, network connections, file system operations and device operations are captured by means of several modules, in particular for host-based intrusion detection.

[0013] Consequently, according to the current state of technology, there is a need to address the aforementioned problem.

SUMMARY

[0014] According to a first aspect, the present invention provides a computer-executed method for managing an external attack warning system, comprising: intercepting a first subset of a plurality of events by a security agent of a client machine, the events being generated by a first execution environment utilizing the client machine, wherein the first subset of the plurality of events is intercepted according to a first learned security policy, wherein the first learned security policy is learned based on observing the operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event from the first subset of events is of an event type that is associated with a malicious code profile; detecting an anomaly by the security agent, based on the first learned security policy for the first execution environment, by comparing at least one intercepted event with at least one rule of the first learned security policy; and executing a mitigation action by the security agent in response to the detection of the anomaly.

[0015] According to a further aspect, the present invention provides a computer-executed method for managing an external attack warning system, comprising: generating a plurality of security policies, including a first learned security policy based on a subset of events assigned to a synthetic first execution environment, wherein at least one rule assigned to the first learned security policy is based on an event type that is associated with a malicious code profile; storing the plurality of security policies in a security policy database; providing at least the first learned security policy to a plurality of clients, wherein the first learned security policy is relevant to a first execution environment deployed by the plurality of clients, the plurality of clients being configured to enforce the first learned security policy; and receiving an alert from a first client that detects an anomaly based on at least one intercepted event generated by the first execution environment deployed on the first client and intercepted by the first client in accordance with the first learned security policy.

[0016] According to another aspect, the present invention provides a computer system for managing a warning system against external attacks, the system comprising: a processor; a physical, computer-readable main memory for storing program instructions which, when executed by the processor, perform the following steps: intercepting a first subset of a plurality of events generated by a first execution environment utilizing a client machine, wherein the first subset of the plurality of events is determined by a first learned security policy, the first learned security policy being learned based on observing the operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event in the first subset of events is of an event type associated with a malicious code profile; detecting an anomaly based on the first learned security policy for the first execution environment, by comparing at least one intercepted event with at least one rule of the first learned security policy; and executing a mitigation action in response to the detection of the anomaly.

[0017] According to a further aspect, the present invention provides a system for managing an external attack warning system, comprising: a security management unit comprising a processor, main memory in which instructions executable by the processor are stored, a security policy database, and an interface, wherein the security management unit is connected to a plurality of nodes for data exchange; wherein the security management unit is configured to: generate a plurality of security policies, including a first learned security policy based on a minority of events associated with a synthetic first execution environment, wherein at least one rule associated with the first learned security policy is based on an event type associated with a malicious code profile; store the plurality of security policies in the security policy database; deploy a respective security agent and at least the first learned security policy to a subset of the plurality of nodes, wherein the subset of nodes is configured to host the first execution environment, with the respective security agents configured to enforce at least the first learned security policy on each node of the subset of nodes; and receive an alert from a first security agent deployed to a first node, the alert reporting an anomaly detected based on at least one intercepted event generated by the first execution environment utilizing the first node and intercepted by the first security agent according to the first learned security policy.

[0018] According to another aspect, the present invention provides a computer program product for managing a warning system against external attacks, wherein the computer program product has a computer-readable storage medium that can be read by a processing circuit and on which instructions for execution by the processing circuit are stored in order to carry out a method for performing the steps of the invention.

[0019] According to another aspect, the present invention provides a computer program stored on a computer-readable medium, which can be loaded into the internal main memory of a digital computer and includes software code sections for carrying out the steps of the invention when the program is executed on a computer.

[0020] Aspects of the present disclosure relate to a computer-executed method that involves intercepting a first subset of a plurality of events by a security agent of a client machine. These events are generated by a first execution environment utilizing the client machine. The first subset of the plurality of events can be intercepted according to a first learned security policy. The first learned security policy can be learned based on observing the operation of the first execution environment. The first subset may comprise less than half of the plurality of events, and at least one event from the first subset of events may be of an event type associated with a malicious code profile. The computer-executed method may further include detecting an anomaly by the security agent, based on the first learned security policy for the first execution environment, by comparing at least one intercepted event with at least one rule of the first learned security policy. The computer-executed method may further include executing a mitigation action by the security agent in response to the detection of the anomaly.

[0021] Further aspects of the present disclosure relate to a computer system comprising a processor and physical, computer-readable main memory for storing program instructions which, when executed by the processor, perform the steps of intercepting a first subset of a plurality of events generated by a first execution environment utilizing a client machine. The first subset of the plurality of events may be determined by a first learned security policy. The first learned security policy may be learned based on observing the operation of the first execution environment. The first subset may comprise less than half of the plurality of events, and at least one event from the first subset of events may be of an event type associated with a malicious code profile. The program instructions can be executed by the processor to further perform the steps of detecting an anomaly based on the first learned security policy for the first execution environment, by comparing at least one intercepted event with at least one rule of the first learned security policy, and executing a mitigation action in response to the detection of the anomaly.

[0022] Further aspects of the present disclosure relate to a computer program product comprising a computer-readable storage medium containing program instructions. The computer-readable storage medium need not be a transitory signal per se. The program instructions are executable by a processor to cause the processor to perform a method that involves intercepting a first subset of a plurality of events generated by a first execution environment utilizing a client machine. The first subset of the plurality of events may be determined by a first learned security policy. The first learned security policy may be learned based on observing the operation of the first execution environment. The first subset may comprise less than half of the plurality of events, and at least one event from the first subset of events may be of an event type associated with a malicious code profile. The processor may also perform a method that includes detecting an anomaly based on the first learned security policy for the first execution environment, by comparing at least one intercepted event with at least one rule of the first learned security policy, and executing a mitigation action in response to the detection of the anomaly.

[0023] Further aspects of this disclosure relate to a system comprising a security management unit (SMU) that includes a processor, main memory in which instructions executable by the processor are stored, a security policy database, and an interface. The SMU can be connected to a plurality of nodes for data exchange. The SMU can be configured to generate a plurality of security policies, including a first learned security policy based on a minority of events associated with a synthetic first execution environment. At least one rule associated with the first learned security policy can be based on an event type associated with a malicious code profile. The SMU can also be configured to store the plurality of security policies in the security policy database and to deploy a respective security agent and at least the first learned security policy to a subset of the plurality of nodes. This subset of nodes can be configured to host the first execution environment. Each security agent can be configured to enforce at least the first learned security policy on its respective node within this subset of nodes. The SMU can also be configured to receive an alert from a first security agent deployed to a first node, the alert reporting an anomaly detected based on at least one intercepted event generated by the first execution environment utilizing the first node and intercepted by the first security agent according to the first learned security policy.

[0024] Further aspects of the present disclosure relate to a computer-executed method that generates a plurality of security policies, including a first learned security policy based on a subset of events associated with a synthetic first execution environment, wherein at least one rule associated with the first learned security policy is based on an event type associated with a malicious code profile. The method may further include storing the plurality of security policies in a security policy database and making at least the first learned security policy available to a plurality of clients. The first learned security policy may be relevant to a first execution environment used by the plurality of clients. The plurality of clients can be configured to enforce the first learned security policy. The method can also include receiving an alert from a first client that detects an anomaly based on at least one intercepted event generated by the first execution environment deployed on the first client and intercepted by the first client according to the first learned security policy.

BRIEF DESCRIPTION OF THE DRAWINGS

[0025] The drawings included in this application are incorporated into the description and form part of it. They illustrate embodiments of the present disclosure and, together with the description, serve to explain the basic concepts of the disclosure. The drawings merely illustrate certain embodiments and do not limit the disclosure.

Fig. 1 illustrates a block diagram of an exemplary security environment according to some embodiments of the present disclosure.
Fig. 2 illustrates an example of a security policy database according to some embodiments of the present disclosure.
Fig. 3 illustrates an example of a topology of a directed acyclic graph (DAG) according to some embodiments of the present disclosure.
Fig. 4 illustrates a flowchart of an example of a method for providing security resources to a client machine according to some embodiments of the present disclosure.
Fig. 5 illustrates a flowchart of an example of a method for generating a security policy database according to some embodiments of the present disclosure.
Fig. 6 illustrates a flowchart of an example of a method for enforcing a security policy according to some embodiments of the present disclosure.
Fig. 7 illustrates a flowchart of an example of a method for updating a security policy database according to some embodiments of the present disclosure.
Fig. 8 illustrates a block diagram of a security management unit according to some embodiments of the present disclosure.
Fig. 9 shows a cloud computing environment according to some embodiments of the present disclosure.
Fig. 10 shows abstraction model layers according to some embodiments of the present disclosure.

[0026] While the present disclosure is open to various modifications and alternative forms, specific embodiments are shown by way of example in the drawings and are described in detail. However, it should be clear that the intention is not to limit the present disclosure to the specific embodiments described. On the contrary, the intention is to cover all modifications, equivalents, and alternatives that fall within the scope and meaning of the present disclosure.

DETAILED DESCRIPTION

[0027] Aspects of this disclosure relate to computer security and, specifically, to warning systems against external attacks. These aspects develop one or more security policies based on selectively intercepted events generated in a controlled (e.g., training, synthetic, simulated, or pre-production) execution environment. Each security policy may have one or more rules. Each rule may have a set of conditions. A client machine may use one or more security policies. In some embodiments, client machines are servers in a production environment. Relationships between rules, security policies, and client machines may be described by many-to-many relationships stored in a security policy database. The generated security policy can be enforced in an execution environment running on one or more client machines. Enforcement occurs by intercepting specific event types associated with the execution environment and comparing these intercepted events against the relevant rules and conditions stored in the security policy. By comparing only the selected event types with the security policy, the external attack warning system can generate alerts and, in some cases, mitigate external attacks.

[0028] For the purposes of this disclosure, an execution environment may comprise software routines that are associated with different process classes. Execution environments may be, but are not limited to, applications, containers, virtual machines (VMs), database management systems (DBMS), logical partitions (LPARs), and execution units. Execution environments may have different levels of granularity according to various embodiments of this disclosure. For example, an execution environment may be defined for each type of application that can be executed on a unit. Alternatively, an execution environment may be defined for multiple applications that belong to the same or a similar class of applications. Thus, the scope of the execution environments can be chosen to balance factors such as the complexity and manageability of the security policy database against the computational effort of executing the respective security policies.

[0029] For example, an execution environment that is defined for multiple applications may result in fewer security policies stored in the security policy database (since each security policy covers a larger number of applications), while at the same time resulting in higher computational overhead during operation (since enforcing each security policy requires evaluating a larger number of rules, of which only a subset may be applicable to the specific application).

[0030] Alternatively, defining an execution environment for each application can lead to a more complex security policy database (due to the larger number of security policies), while at the same time also resulting in reduced computational overhead associated with executing security policies assigned to each execution environment (since each security policy contains only the rules relevant to that specific application).

[0031] For the purposes of this disclosure, an event can be defined as a data transmission generated by or associated with an execution environment. Events can be, but are not limited to, system calls, operations, commands, processes, tasks, or other occurrences that can be intercepted from log files such as a system log file (syslog), an operations log file (operlog), an event log file, a transaction log file, or a message log file. In some embodiments, events can be intercepted from network traffic. In various embodiments, events can be intercepted during transmission, approximately concurrently with the storage of the event (e.g., in a log file), or after the event has been stored (e.g., by retrieving historical data from a log file). As used herein, an event type refers to a class of events (e.g., a file system mount operation, a file access, etc.), while an event refers to an actual execution of an event type; an event may contain parameters associated with a particular execution environment.

[0032] Aspects of this disclosure are directed toward a modified HIDS protection solution. The modified HIDS protection solution offers a variety of advantages over conventional protection systems.

[0033] One exemplary advantage of aspects of the present disclosure is low computational overhead. Aspects of the present disclosure exhibit low computational overhead by selectively intercepting and evaluating only those events that are most likely associated with an unauthorized access and/or a malicious attack. For example, aspects of the present disclosure can intercept events associated with starting a new process, mounting a file system, loading libraries, accessing critical files, changing the network configuration, and other events that would likely be used as part of an unauthorized access and/or malicious attack. Advantageously, this strategy reduces computational overhead by limiting the number of intercepted and evaluated events. According to some embodiments of the present disclosure, the number of intercepted events may be significantly less than the total number of events generated during a given period (e.g., less than 10% of all events and in some cases less than 1% of all events).

[0034] Another exemplary advantage of aspects of the present disclosure is automatic learning. Unlike some conventional solutions where a security policy must be manually defined before deployment, aspects of the present disclosure undergo a learning phase in a controlled (e.g., training, synthetic, simulated, or pre-production) environment that replicates common daily and/or weekly tasks associated with normal operating conditions. Aspects of the present disclosure use these training observations to generate rules that define normal and abnormal behavior.
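The learning phase of [0034] and the selective interception and enforcement of [0033], as an added example that is not the patent's own code: the agent records, in a controlled run, which subjects each attack-relevant event type legitimately touches, then in production intercepts only those event types, compares them with the learned rules and calls a mitigation callback on a violation, while every other event passes through unevaluated. The log-line format, the event type names, both sample logs and the blocking mitigation are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Event types the disclosure lists as likely parts of an attack: new
# process, file-system mount, library load, critical-file access and
# network configuration change. Nothing else is ever evaluated.
INTERCEPTED_TYPES = frozenset(
    {"execve", "mount", "dlopen", "file_access", "net_config"})

# Constructed log-line format (an assumption): "<timestamp> <type> <subject>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<type>\S+) (?P<subject>.+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    type: str
    subject: str


def parse(line):
    m = LINE_RE.match(line.strip())
    return Event(m["ts"], m["type"], m["subject"]) if m else None


@dataclass
class Policy:
    """Learned policy: one rule per intercepted event type, holding the
    subjects that type legitimately touched during the learning phase."""
    rules: dict = field(default_factory=dict)

    def violates(self, ev):
        # A subject never seen in training, or an event type that has no
        # rule at all, is an anomaly.
        return ev.subject not in self.rules.get(ev.type, set())


def learn(training_lines):
    """Learning phase in the controlled environment."""
    policy = Policy()
    for line in training_lines:
        ev = parse(line)
        if ev and ev.type in INTERCEPTED_TYPES:
            policy.rules.setdefault(ev.type, set()).add(ev.subject)
    return policy


def enforce(policy, production_lines, mitigate):
    """Enforcement phase: intercept only INTERCEPTED_TYPES, compare each
    intercepted event with the policy and call mitigate() on a violation.
    Returns the alerts and how large the intercepted subset was."""
    alerts, total, intercepted = [], 0, 0
    for line in production_lines:
        total += 1
        ev = parse(line)
        if ev is None or ev.type not in INTERCEPTED_TYPES:
            continue  # not intercepted: no rule is evaluated for it
        intercepted += 1
        if policy.violates(ev):
            alerts.append(ev)
            mitigate(ev)
    stats = {"total": total, "intercepted": intercepted,
             "fraction": intercepted / total if total else 0.0}
    return alerts, stats


# Constructed training log from a simulated web-server run.
TRAINING_LOG = [
    "t1 execve /usr/sbin/nginx",
    "t2 dlopen /usr/lib/libssl.so",
    "t3 file_access /etc/nginx/nginx.conf",
    "t4 mount /var/cache/nginx",
    "t5 net_config eth0 up",
    "t6 read /var/www/index.html",  # not an intercepted type
]

# Constructed production log: mostly routine reads and writes, plus one
# process launch and one library load that training never observed.
PRODUCTION_LOG = (
    [f"p{i} read /var/www/page{i}.html" for i in range(40)]
    + ["p40 execve /usr/sbin/nginx",
       "p41 execve /tmp/unknown-binary",
       "p42 dlopen /usr/lib/libssl.so",
       "p43 dlopen /tmp/unknown-lib.so",
       "p44 file_access /etc/nginx/nginx.conf"]
    + [f"p{i} write /var/log/nginx/access.log" for i in range(45, 60)]
)


def run_demo():
    policy = learn(TRAINING_LOG)
    actions = []
    # Constructed mitigation: record what the agent would block; a real
    # agent would terminate the process or quarantine the file.
    alerts, stats = enforce(policy, PRODUCTION_LOG,
                            lambda ev: actions.append(f"block {ev.subject}"))
    return alerts, stats, actions
```

In the constructed run only 5 of 60 production events are intercepted, which is the "less than 10%" regime the disclosure describes, and both unseen subjects are flagged.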

[0035] Another advantage of aspects of the present disclosure is the extensibility of security policies. For example, a rack of identical servers can use a security policy that was generated during a learning phase by any server in the rack, without each server in the rack having to undergo a training phase. This advantage becomes particularly evident in situations with hundreds or thousands of units.

[0036] Another advantage of aspects of the present disclosure is limited learning phases. For example, aspects of the present disclosure can enter a limited learning phase to relearn changes resulting from an approved update process (e.g., operating system update, application update, etc.). In contrast, some conventional security systems would detect an approved update as an anomaly and prevent the update from taking place. Furthermore, some conventional security systems would require manual reconfiguration of a security policy to accommodate all changes resulting from an approved update. Consequently, aspects of the present disclosure advantageously detect an approved update automatically and allow approved updates to occur. Furthermore, aspects of the present disclosure advantageously refine the security policy based on changes made during the approved update to ensure that the security policy appropriately defines normal and abnormal behavior in light of the approved update.

[0037] Another advantage of aspects of this disclosure is the improved management of security policies. The security policies are described in a many-to-many model, which allows each machine to be associated with multiple security policies (e.g., an operating system security policy, a web browsing security policy, and a backup system security policy can be assigned to and enforced on a single machine), and allows each security policy to be associated with multiple machines. Likewise, each rule can be associated with multiple security policies, and each security policy can be associated with multiple rules. Thus, updating a single rule for each security policy and machine associated with the updated rule is readily possible.

[0038] The advantages mentioned above are examples, and not all advantages are listed. There are embodiments of the present disclosure that include all, some, or none of the advantages mentioned above, but at the same time remain within the scope and intent of the present disclosure.

[0039] With reference to the figures, Fig. 1 illustrates an exemplary security environment 100 according to some embodiments of the present disclosure. The security environment 100 may include the security management unit 102, which contains a security policy database 104 and is connected via a network 150 for data exchange with a node 106, a node 108, and a node 110. In some embodiments, the security environment 100 represents a production environment (e.g., a data processing environment that executes real workloads), while in other embodiments, the security environment 100 may represent a controlled environment (e.g., a training environment, a synthetic environment, a simulated environment, or a pre-production environment that executes test workloads). Although the security environment 100 is shown as containing three nodes, embodiments may contain more or fewer nodes. For example, in some embodiments, the security management unit 102 is connected to (or integrated into) a single node for data exchange. Alternatively, in some embodiments, the security management unit 102 is connected to many nodes (e.g., hundreds, thousands, tens of thousands, or more) for data exchange.

[0040] According to various embodiments, nodes 106, 108, and 110 can be units associated with hardware configured to perform computational functions. Nodes 106, 108, and 110 can be, but are not limited to, servers, computers, laptop computers, mainframe computers, or other units. Nodes 106, 108, and 110 can be similar or dissimilar units with similar or dissimilar functions and capabilities. In some embodiments, each node 106, 108, and 110 can represent a separate network or subnetwork of nodes. In some embodiments, each node 106, 108, and 110 can represent a separate production environment. In some embodiments, the security management unit 102 exchanges data with each node 106, 108, and 110, but the nodes 106, 108, and 110 may not be able to communicate with each other. In some embodiments, the nodes 106, 108, and 110 may also be referred to as clients, client units, client machines, and/or machines. In some embodiments, the nodes 106, 108, and 110 represent virtual machines.

[0041] Although nodes 106, 108 and 110 are occasionally referred to as "clients" or "client machines" below, it should be clear that the machines are only "clients" in relation to the security system and can act as servers towards other machines in the network.

[0042] According to various embodiments, the network 150 can be a physical network, a virtual network, or a network that has both physical connections between some units and virtual connections between other units. In various embodiments, the network 150 is a public network, a private network, or a network that has both public and private features.

[0043] In some embodiments, the security management unit 102 comprises one or more units (e.g., a node, a workstation, a laptop computer, a set of servers connected by an interface, or a virtual machine running on one or more units). In some embodiments, the security management unit 102 comprises computer-executable instructions that can be downloaded from a physical storage unit over a network and configured to run on the unit to which they are downloaded. The security management unit 102 is described in more detail below with reference to Figs. 4 to 8.

[0044] Security Management Unit 102 contains Security Policy Database 104. Although Security Policy Database 104 is shown as integrated into Security Management Unit 102, alternatively, Security Policy Database 104 can be located remotely from Security Management Unit 102 and connected to Security Management Unit 102 via a physical or virtual connection for data exchange.

[0045] Security policies for various execution environments can be stored in the security policy database 104. These security policies can be defined by many-to-many relationships between rules, policies, and machines. In some embodiments, these many-to-many relationships can be defined by numerous tables within the security policy database 104. In some embodiments, security policies are stored as keyed-hash lists (e.g., using execution environment attributes as keys). In other embodiments, security policies are stored as directed acyclic graphs (DAGs), which have security policies as nodes and relationships between security policies as edges connecting the nodes. In some embodiments, the security policies stored in security policy database 104 include static and dynamic rules. Static rules can be independent of the parameters of the execution environment, while dynamic rules can be dependent on the parameters of the execution environment. Thus, one or more parameters of a given execution environment can be substituted into one or more dynamic rules before the security policy is enforced in the selected execution environment. In some embodiments, the security policies stored in security policy database 104 are learned security policies based on observations in a simulated execution environment. In some implementations, the security policies stored in the security policy database 104 are updated through limited relearning phases upon detection of an approved update (e.g., operating system update, software update, etc.) relevant to the security policy. The security policy database 104 is described in more detail below with reference to Figs. 2, 3 and 5.

[0046] In some embodiments, the security management unit 102 is connected to malicious code profiles 140 for data exchange. The malicious code profiles 140 may contain a public or private database of malicious attacks and / or profiles of unauthorized external access. For the purposes of this disclosure, malicious attack profiles and profiles of unauthorized external access are synonymous insofar as they both target unauthorized access to an entity and / or a network, regardless of whether the unauthorized access results in detectable damage. For each attack / unauthorized access, the malicious code profiles 140 may discuss techniques, outputs, countermeasures, code, system calls, processes, tasks, commands, and / or other attributes that may be useful for generating security policies stored in the security policy database 104.

[0047] The security management unit 102 can provide the security agent 114 to node 106. In some embodiments, the security agent 114 has processor-executable instructions that can be downloaded to and executed on node 106, utilizing existing hardware resources allocated to node 106. The security agent 114 can include a security policy 116 and events 118. The security policy 116 can be one or more security policies from the security policy database 104 that are relevant to node 106 based on execution environments that exist or may exist on node 106. The events 118 comprise an intercepted subset of the events generated by various execution environments (e.g., execution environments A to C (112A to 112C)) that run on node 106; these events are intercepted by security agent 114 for evaluation using security policy 116.

[0048] Events 118 can include events generated by various execution environments. For example, events 118 can be system calls and / or aspects of executable code. Events 118 can be intercepted from log files, for example. The number of events 118 may be less than the total number of events generated by the execution environment. In some embodiments, the security agent 114 can intercept events 118 based on those events 118 that have a higher degree of association with malicious attacks than other events generated by the execution environment that are not intercepted. In some embodiments, the events 118 may include events where each event or a majority of the events appear in at least one, a majority, or more than 25%, 50%, 75%, or 90% of the cataloged malicious attack profiles. In some embodiments, the events 118 include events that have a higher occurrence rate in cataloged malicious attack profiles than the average occurrence rate of all events generated by a particular execution environment. In some embodiments, the events 118 represent a minority (e.g., less than 50%, less than half, less than 10%, or less than 1%) of the total number of events generated by the execution environment over a period of time (e.g., 1 hour, 1 day, etc.).

[0049] Node 106 can host execution environments A to C (112A to 112C). These execution environments can be similar or dissimilar, utilizing aspects of Node 106. In various embodiments, each node can host more or fewer execution environments than the three shown on Node 106 (A to C, 112A to 112C).

[0050] Security management unit 102 is also connected to node 108. Node 108 can host execution environment 120, which may be similar to or different from execution environments A to C (112A to 112C) shown on node 106. Node 108 may also contain a security agent 122, which stores a security policy 124 and events 126. Although security agent 122 may be identical to security agent 114 (e.g., both nodes being served by security management unit 102), security agent 122 may enforce one or more security policies 124, which may be similar to or different from the security policies 116 enforced by security agent 114. Similarly, security agent 122 can intercept events 126 generated by execution environment 120, which may be similar to or different from the events 118 intercepted from execution environments A to C (112A to 112C).

[0051] The security management unit 102 is also shown connected to node 110. Node 110 can host data 128, such as a file system. Node 110 can also contain a security agent 130, which stores a security policy 132 and events 134. Although security agent 130 can be the same as security agent 122 and security agent 114, security agent 130 can implement one or more security policies 132 that are similar to or different from security policies 124 and 116, and security agent 130 can intercept events 134, which can be similar to or different from events 126 and 118. For example, the security agent 130 can function as a file integrity monitoring (FIM) system and can intercept the events 134 that are associated with file accesses and / or modifications to selected files stored in the data 128.

[0052] Fig. 2 illustrates an example of a security policy database 200 according to some embodiments of the present disclosure. In some embodiments, the security policy database 200 is consistent with the security policy database 104 of Fig. 1. The security policy database 200 can contain a security rule table 202, a security policy table 208, and a machine table 214. Those skilled in the art will understand that the tables shown in the security policy database 200 are presented as an example of a topology for a security policy database 200, and that in practice there may be more or fewer tables, with more or fewer columns and rows, linked together by one or more mapping tables (not shown).

[0053] The security rule table 202 stores, for each rule, such as rule 1 204A, one or more conditions, such as conditions 1 204B, and one or more actions, such as action 1 204C. Rule 1 204A can identify a rule (e.g., by a numeric, alphanumeric, lexical, or other identifier).

[0054] Conditions 1 204B can specify one or more conditions relating to one or more events (e.g., processes, system calls, etc.). Conditions 1 204B can be associated with, but are not limited to, a process name, a command line, and / or a file dump of one or more events.

[0055] Action 1 204C can be one or more actions associated with the results of conditions 1 204B. For example, action 1 204C continues monitoring (e.g., by repeating for the next event) based on conditions 1 204B indicating that the event is normal. In another example, action 1 204C issues a warning based on conditions 1 204B indicating that the event is abnormal. In yet another example, action 1 204C mitigates the irregularity in response to conditions 1 204B indicating an irregularity, for example, by terminating one or more processes associated with the irregularity. In some embodiments, more than one action occurs simultaneously or sequentially. For example, in some embodiments, action 1 204C involves simultaneously issuing a warning and terminating the irregularity. In some embodiments, action 1 204C includes issuing a warning and terminating the irregularity in response to input provided by a security management unit. In some embodiments, action 1 204C includes issuing a warning and automatically terminating the irregularity after a period of time has elapsed or after the detection of a second abnormal event.

[0056] Conditions 1 204B can be restrictive or permissive. For example, conditions 1 204B may include permissive conditions which, if they are classified as applicable, lead to a finding that an intercepted event is an anomaly; otherwise (i.e., if they are classified as not applicable), the intercepted event is classified as a normal event. Thus, in such embodiments, only those events that conform to a specific profile are recognized as anomalous.

[0057] Conversely, conditions 1 204B may include restrictive conditions which, if deemed applicable, lead to a finding that an intercepted event is a normal event; otherwise (i.e., if deemed inapplicable), the intercepted event is classified as an anomaly. Thus, in such embodiments, any event that does not conform to a specific profile is considered anomalous.

[0058] Permissive conditions can be advantageous for various workloads (e.g., to limit false positives, such as misidentifying a normal event as an abnormal one), while restrictive conditions can be advantageous for predictable workloads (e.g., to limit false negatives, such as misidentifying an abnormal event as a normal one). Some implementations employ both permissive and restrictive conditions.

[0059] Security rule table 202 also includes a rule 2 206A with corresponding conditions 2 206B and actions 2 206C. Although only two rules with their corresponding conditions and actions are shown for illustrative purposes, it should be noted that security rule table 202 can contain any number of rules (e.g., thousands). In some embodiments, security rule table 202 can be generated by automated learning in simulated execution environments (described in more detail below with reference to Fig. 5).

[0060] As a non-limiting example of a permissive security rule (e.g., abnormal if applicable, normal if not applicable), rule 1 204A can be related to intercepted file access functions for selected files. Conditions 1 204B, in response to the interception of an access request to a selected file, can include determining whether the user profile associated with the request has a role lower than "System Administrator" and whether the access request is generated during off-peak hours (e.g., overnight). If both conditions are met, rule 1 204A can execute one or more actions 1 204C, such as sending an alert to a security management unit and / or lowering the privileges associated with the user profile that generated the access request. If any of conditions 1 204B is not met, rule 1 204A considers the event to be a normal event and continues monitoring.

[0061] As an example of a restrictive security rule (e.g., normal if applicable, abnormal if not applicable), rule 2 206A could relate to file system mount processes. An event related to mounting a new file system can be intercepted and compared against conditions 2 206B. Conditions 2 206B can determine whether the intercepted event contains privileged authorizations (e.g., read and write profiles) identical to a typical file system mount process detected during the security rule's learning process. If the intercepted event contains non-identical privileged authorizations, rule 2 206A can execute action 2 206C, such as terminating the file system mount process and providing an alert to a security management unit. If the intercepted event contains identical privileged authorizations, the intercepted event can be classified as a normal event.
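The permissive and restrictive semantics of [0056] to [0061], as an added Python example that is not code from the patent or from any product of the applicant: rule 1 is the permissive file-access rule and rule 2 the restrictive mount rule described above, and the evaluator returns the actions to execute (an empty list means "continue monitoring"). The event field names, the role ranking, the off-peak window (22:00 to 06:00), the selected-file list, the learned privilege set and the sample events are all constructed assumptions for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]   # one intercepted event record (constructed field names)


@dataclass
class Rule:
    """One row of the security rule table: identifier, conditions, actions."""
    rule_id: str
    mode: str                                   # "permissive" or "restrictive"
    event_type: str                             # intercepted event type the rule covers
    conditions: List[Callable[[Event], bool]]   # all must hold for the rule to "apply"
    actions: List[str] = field(default_factory=list)

    def applies(self, event: Event) -> bool:
        return all(cond(event) for cond in self.conditions)


def classify(rule: Rule, event: Event) -> str:
    """Return 'normal' or 'anomaly' according to the rule's semantics."""
    applicable = rule.applies(event)
    if rule.mode == "permissive":
        return "anomaly" if applicable else "normal"   # abnormal only if the profile matches
    if rule.mode == "restrictive":
        return "normal" if applicable else "anomaly"   # abnormal unless the learned profile matches
    raise ValueError(f"unknown rule mode {rule.mode!r}")


def evaluate(rules: List[Rule], event: Event) -> List[str]:
    """Apply every rule covering the event's type; return the actions to execute.
    An empty list means the event is normal and monitoring simply continues."""
    actions: List[str] = []
    for rule in rules:
        if rule.event_type == event["type"] and classify(rule, event) == "anomaly":
            actions.extend(rule.actions)
    return actions


# Assumptions for the two example rules (not values from the patent).
SELECTED_FILES = {"/etc/shadow", "/etc/sudoers"}           # files under file-access monitoring
OFF_PEAK_HOURS = set(range(0, 6)) | set(range(22, 24))     # 22:00 to 06:00 counts as off-peak
ROLE_RANK = {"guest": 0, "user": 1, "operator": 2, "system_administrator": 3}
LEARNED_MOUNT_PRIVILEGES = frozenset({"read", "write"})    # privilege set seen while learning

# Rule 1 (permissive): a below-administrator role touching a selected file off-peak is anomalous.
RULE_1 = Rule(
    rule_id="rule-1", mode="permissive", event_type="file_access",
    conditions=[
        lambda e: e["path"] in SELECTED_FILES,
        lambda e: ROLE_RANK[e["role"]] < ROLE_RANK["system_administrator"],
        lambda e: e["hour"] in OFF_PEAK_HOURS,
    ],
    actions=["alert", "lower_privileges"],
)

# Rule 2 (restrictive): a mount is normal only with exactly the learned privilege set.
RULE_2 = Rule(
    rule_id="rule-2", mode="restrictive", event_type="mount",
    conditions=[lambda e: frozenset(e["privileges"]) == LEARNED_MOUNT_PRIVILEGES],
    actions=["terminate_process", "alert"],
)

POLICY = [RULE_1, RULE_2]

# Constructed sample events.
SAMPLE_EVENTS: List[Event] = [
    {"type": "file_access", "path": "/etc/shadow", "role": "user", "hour": 2},
    {"type": "file_access", "path": "/etc/shadow", "role": "user", "hour": 14},
    {"type": "file_access", "path": "/etc/shadow", "role": "system_administrator", "hour": 2},
    {"type": "mount", "privileges": ["read", "write"]},
    {"type": "mount", "privileges": ["read", "write", "setuid"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", evaluate(POLICY, ev) or "continue monitoring")
```

The two modes differ only in which branch of the condition result is labelled anomalous; this is why [0058] pairs permissive rules with false-positive control and restrictive rules with false-negative control: a restrictive rule flags anything it has not learned, so it is only safe where the learned profile is complete.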

[0062] Security policy table 208 lists sets of security rules for specific execution environments. For example, security policy table 208 may contain a security policy for execution environment 1 210A, which includes one or more rules 210B retrieved from security rule table 202. Similarly, the security policy for execution environment 2 212A may contain one or more rules 212B retrieved from security rule table 202. Security policies can be narrowly defined (e.g., one security policy for a specific application) or broadly defined (e.g., one security policy for a set of applications). Although two examples of security policies are shown in security policy table 208, it should be noted that any appropriate number of security policies may be included in security policy table 208. For example, many dozens, hundreds, or thousands of security policies are possible, based on the granularity of the execution environment definition and the variety of workloads running on clients that use security policies in security policy table 208. Security policy table 208 can be created based on training in simulated execution environments (described in more detail below with reference to Fig. 5).

[0063] Machine table 214 can contain a list of one or more machines that operate in a security environment (e.g., security environment 100 of Fig. 1). Machine table 214 assigns specific machines, nodes, clients, client machines, or other entities to an appropriate set of security policies. In various embodiments, machine table 214 may also be referred to as a node table, client table, or client machine table.

[0064] Machine table 214 can include a machine 1 216A and one or more security policies 216B, which are assigned to machine 1 216A and retrieved from security policy table 208. Machine table 214 can also include a machine 2 218A, which is assigned to security policies 218B, retrieved from security policy table 208. Although only two machines are included in machine table 214 for illustrative purposes, it should be noted that more or fewer machines can be included in machine table 214. For example, in some embodiments, machine table 214 can include thousands or more machines. Furthermore, in various embodiments, machine 1 216A and machine 2 218A can refer to physical machines or virtual machines.

[0065] The mapping of machines to security policies can be learned through training (e.g., by matching execution profiles or events occurring on a particular machine with execution profiles or events stored in rules of a particular security policy), or by machine type (e.g., all servers have a first set of security policies, all desktops have a second set of security policies, all laptops have a third set of security policies, etc.), or through manual configuration.

[0066] Fig. 3 illustrates an example of a topology of a directed acyclic graph according to some embodiments of the present disclosure. The directed acyclic graph (DAG) 300 is an illustration of a strategy for organizing security policies according to some embodiments of the present disclosure. The person skilled in the art will understand that the DAG 300 is a topological representation and that the dependencies illustrated by the nodes and edges in the DAG 300 are represented by one or more connected tables, for example, in a security policy database (e.g., the security policy database 104 of Fig. 1 or the security policy database 200 of Fig. 2) or by reducing the topological representation to a set of coded, logical instructions that define the nodes and edges of the DAG 300.

[0067] The DAG 300 can contain security policies A through I 302 to 318. Security policies can be dependent on or assigned to one or more other security policies, as shown in the DAG 300. For example, security policy I 318 is dependent on or assigned to security policy H 316. Similarly, security policy F 312 is dependent on or assigned to both security policy E 310 and security policy A 302. Likewise, security policy C 306 and security policy D 308 are each dependent on or assigned to security policy B 304 and security policy A 302, respectively. Some security policies, such as security policy G 314, are not dependent on other security policies.

[0068] A security policy can be dependent on or assigned to another security policy if the security of a machine enforcing the security policy benefits from the enforcement of the other security policy as well. In the DAG 300 diagram, a security policy that is subordinate to and linked to another security policy is dependent on the other security policy.

[0069] As shown in DAG 300, some security policies are laterally linked (e.g., security policy A 302 is laterally linked to security policy G 314). Laterally linked security policies have different meanings in different embodiments. In some embodiments, laterally linked security policies may have dependencies (e.g., security policy G 314 could depend on security policy A 302). In some embodiments, laterally linked security policies are related to each other but are not dependent on each other (e.g., security policy A 302, security policy G 314, and security policy H 316, which are laterally linked, may be assigned to the same company but are not otherwise related). In some embodiments, there are no lateral links between security policies (e.g., security policy G 314 can be unrelated to security policy A 302).

[0070] A security management unit or security agent can retrieve appropriate security policies by recognizing aspects of an execution environment. For example, a security agent might recognize an initial application associated with security policy D 308. The security agent can then request and / or retrieve security policy D 308 and automatically request and / or retrieve the security policies associated with security policy D 308, namely security policy B 304 and security policy A 302. In such an example, security policy D 308 might be a security policy for a specific application, security policy B 304 might be a security policy for a specific operating system (OS), and security policy A 302 might be a security policy associated with a specific machine type (e.g., a laptop computer or a specific model of laptop computer). Thus, the DAG 300 can provide a rapid organization and retrieval of sets of security policies according to some embodiments of the present disclosure.
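The retrieval walk of [0070] over the DAG of [0066] to [0069], as an added Python example that is not the patent's own code: starting from the policy an execution-environment attribute maps to, the agent collects every policy it transitively depends on, ordered so that a machine-type policy (A) is enforced before the OS policy (B) and the application policy (D). The dependency table encodes the D → B → A, F → {E, A} and I → H relations and the independence of G stated in the text; C → B, the attribute-to-policy mapping and the policy names are constructed assumptions. The walk also rejects a cyclic dependency table, since a cycle would mean the table is no longer a DAG and the retrieval would never terminate.

```python
from typing import Dict, List

# Constructed dependency table for DAG 300: policy -> policies it depends on.
# D -> B -> A, F -> {E, A}, I -> H and the independence of G follow the description;
# C -> B is an assumption made for this illustration.
POLICY_DEPENDENCIES: Dict[str, List[str]] = {
    "A": [], "B": ["A"], "C": ["B"], "D": ["B"], "E": [],
    "F": ["E", "A"], "G": [], "H": [], "I": ["H"],
}

# Constructed mapping from recognised execution-environment attributes to entry policies.
ATTRIBUTE_TO_POLICY: Dict[str, str] = {"app:inventory-service": "D", "org:corp": "G"}


def retrieve_policy_set(start: str, deps: Dict[str, List[str]]) -> List[str]:
    """Return `start` plus every policy it transitively depends on, dependencies first
    (a topological order of the reachable sub-graph).  Raises ValueError on a cycle and
    KeyError on a policy that is missing from the table."""
    order: List[str] = []
    state: Dict[str, int] = {}   # 1 = on the current path, 2 = finished

    def visit(policy: str) -> None:
        if state.get(policy) == 2:
            return
        if state.get(policy) == 1:
            raise ValueError(f"dependency cycle through policy {policy!r}")
        if policy not in deps:
            raise KeyError(f"unknown policy {policy!r}")
        state[policy] = 1
        for dep in deps[policy]:
            visit(dep)
        state[policy] = 2
        order.append(policy)

    visit(start)
    return order


def policies_for_environment(attributes: List[str], attribute_map: Dict[str, str],
                             deps: Dict[str, List[str]]) -> List[str]:
    """Map each recognised attribute to its entry policy and pull in all dependencies,
    without duplicates and with dependencies ahead of the policies that need them."""
    result: List[str] = []
    for attr in attributes:
        entry = attribute_map.get(attr)
        if entry is None:
            continue                  # attribute with no associated policy: nothing to enforce
        for policy in retrieve_policy_set(entry, deps):
            if policy not in result:
                result.append(policy)
    return result


if __name__ == "__main__":
    print(retrieve_policy_set("D", POLICY_DEPENDENCIES))             # ['A', 'B', 'D']
    print(policies_for_environment(["app:inventory-service", "org:corp"],
                                   ATTRIBUTE_TO_POLICY, POLICY_DEPENDENCIES))
```

Returning the dependencies first matters when policies are later bound and enforced in order: the broader policy (machine type, OS) is in place before the narrower application policy that assumes it.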

[0071] Fig. 4 illustrates a flowchart of an example method for providing security resources to a client machine according to some embodiments of the present disclosure. In some embodiments, the method 400 can be implemented by a security management unit (e.g., the security management unit 102 of Fig. 1). In some embodiments, the method 400 can be carried out by executing instructions stored on a computer-readable storage medium by a processor that is connected to the computer-readable storage medium for data exchange.

[0072] In step 402, the security management unit generates a plurality of security policies. In some embodiments, the plurality of security policies can be generated from observations made in simulated execution environments. In alternative embodiments, the plurality of security policies is generated from observations made in real time by actual workloads in production execution environments. Step 402 is described in more detail below with reference to Fig. 5.

[0073] In step 404, the security management unit provides a client machine (e.g., a node such as node 106 of Fig. 1) with a security agent (such as security agent 114 of Fig. 1) together with at least one security policy. In some embodiments, step 404 provides the client machine with the security agent and the at least one security policy by downloading instructions for the security agent and at least a subset of the security policy database from the security management unit to the client machine. In some embodiments, the at least one security policy is provided to the client machine based on the client machine hosting, or being configured to host, an execution environment associated with the at least one security policy. In some embodiments, the security agent is first deployed to the client machine, and the security agent then requests the one or more security policies from the security management unit, based on the security agent's detection of an execution environment used by the client machine. In other embodiments, the security agent queries the security policy database directly using one or more parameters retrieved from the execution environment used by the client machine to detect and retrieve an appropriate security policy.

[0074] In step 406, the security management unit receives alerts from the security agent, which is hosted on the client machine. These alerts may indicate abnormal behavior or otherwise exchange data with the security management unit (e.g., to indicate that the security agent is fully configured and functioning on the client machine). The alerts may be generated in response to the security agent enforcing a security policy on the client machine, as described in more detail below with reference to Fig. 6.

[0075] In step 408, the security management unit receives one or more security policy updates from the security agent deployed on the client machine. These security policy updates can be based on approved updates for one or more execution environments associated with the client machine. Security policy updates are described in more detail below with reference to Fig. 7.

[0076] In step 410, the security management unit saves the updated security policy to the security policy database (e.g., security policy database 104 of Fig. 1 or the security policy database 200 of Fig. 2), and in some cases, the method 400 distributes the updated security policy to other security agents running on other client machines.

[0077] Fig. 5 illustrates a flowchart of an example method for generating a security policy database according to some embodiments of the present disclosure. In some embodiments, the method 500 can be carried out by a security management unit (e.g., the security management unit 102 of Fig. 1). In some embodiments, the method 500 is carried out by executing instructions stored on a computer-readable storage medium by a processor that is connected to the computer-readable storage medium for data exchange.

[0078] In step 502, the security management unit intercepts a subset of events for an initial period in a learning environment for one or more execution environments. The subset of intercepted events can be, but is not limited to, certain types of system calls. For example, the subset of intercepted events can include all generated events related to (but not limited to) mounting file systems, loading libraries, network configuration, credential changes, etc. The subset of intercepted events can be retrieved from log files, for example. In some implementations, the subset of intercepted events contains fewer than the total number of events generated in the initial period (e.g., a minority, less than half, less than 50%, 10%, or 1% of the total number of events generated in the initial period). In some embodiments, the subset of intercepted events includes events that have a higher occurrence rate in the malicious attack profiles stored in a malicious attack profile repository (e.g., the malicious code profiles 140 of Fig. 1) than the average occurrence rate of all events generated in the initial period. In some embodiments, the selected events, or a majority of the selected events, include events that appear in a threshold percentage (e.g., at least one, a majority, or more than 25%, 50%, 75%, or 90%) of malicious attack profiles. In some embodiments, several different conditions are used, such that the subset of intercepted events includes an event if it occurs in more than 50% of all attack profiles, or if it occurs in more than 50% of the attack profiles that occurred in the preceding one-year period, or if it occurs in an attack profile that is associated with a subset of the attack profiles, or if it is manually included based on input from a system administrator. In some embodiments, set theory is used to determine a minimum number of event types to be intercepted, such that at least one event associated with each malicious attack profile is configured to be intercepted.
In various embodiments, the initial time period is less than or equal to 1 hour, 4 hours, 12 hours, 24 hours, 72 hours, or 1 week. The initial time period may be based, among other things, on the types of execution environments. In various embodiments, determining the number and types of events to be intercepted relies on manual configuration and / or on interfaces to a repository of malicious code profiles and the identification of the respective event types associated with the respective types of malicious code profiles.
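The selection criteria of step 502, as an added Python example that is not code from the patent: the three selectors compute, from a catalogue of attack profiles and the event counts observed in the learning period, (a) the event types appearing in more than a threshold share of profiles, (b) the event types whose profile occurrence rate is above the average over all event types generated in the period, and (c) a minimal set of event types that touches every profile, which is the "set theory" criterion. The attack profile catalogue and the per-type event counts are constructed for this illustration, and (c) uses the greedy set-cover heuristic, because finding a truly minimum cover is NP-hard; greedy is a logarithmic-factor approximation, and the example also reports what fraction of the period's total event volume a selection would intercept.

```python
from typing import Dict, Set

# Constructed catalogue of malicious attack profiles: profile name -> event types
# the profile generates (illustrative, not drawn from any real repository).
ATTACK_PROFILES: Dict[str, Set[str]] = {
    "profile-1": {"mount", "load_library", "credential_change"},
    "profile-2": {"mount", "network_config"},
    "profile-3": {"credential_change", "network_config"},
    "profile-4": {"load_library", "process_spawn"},
    "profile-5": {"mount", "credential_change"},
}

# Constructed per-type event counts observed over the learning period for one execution
# environment: nearly all volume is in types that rarely appear in attack profiles.
OBSERVED_EVENT_COUNTS: Dict[str, int] = {
    "file_read": 90_000, "file_write": 20_000, "process_spawn": 5_000,
    "network_config": 40, "load_library": 300, "mount": 12, "credential_change": 3,
}


def profile_occurrence_rate(profiles: Dict[str, Set[str]]) -> Dict[str, float]:
    """Fraction of cataloged profiles in which each event type appears."""
    counts: Dict[str, int] = {}
    for events in profiles.values():
        for event_type in events:
            counts[event_type] = counts.get(event_type, 0) + 1
    return {e: c / len(profiles) for e, c in counts.items()}


def select_by_threshold(profiles: Dict[str, Set[str]], threshold: float) -> Set[str]:
    """Event types appearing in more than `threshold` (e.g. 0.5) of the profiles."""
    return {e for e, rate in profile_occurrence_rate(profiles).items() if rate > threshold}


def select_above_average(profiles: Dict[str, Set[str]],
                         observed: Dict[str, int]) -> Set[str]:
    """Event types generated in the period whose profile occurrence rate exceeds the
    average rate over all generated event types (types absent from every profile count 0)."""
    rates = profile_occurrence_rate(profiles)
    average = sum(rates.get(e, 0.0) for e in observed) / len(observed)
    return {e for e in observed if rates.get(e, 0.0) > average}


def minimal_covering_set(profiles: Dict[str, Set[str]]) -> Set[str]:
    """Greedy set cover: repeatedly pick the event type that hits the most still-uncovered
    profiles until every profile contains at least one selected type.  Ties are broken
    alphabetically so the result is deterministic."""
    uncovered = set(profiles)
    chosen: Set[str] = set()
    while uncovered:
        candidates = sorted({e for p in uncovered for e in profiles[p]})
        best = max(candidates, key=lambda e: sum(1 for p in uncovered if e in profiles[p]))
        chosen.add(best)
        uncovered -= {p for p in uncovered if best in profiles[p]}
    return chosen


def intercepted_fraction(selected: Set[str], observed: Dict[str, int]) -> float:
    """Share of the period's total event volume that intercepting `selected` would capture."""
    total = sum(observed.values())
    return sum(observed.get(e, 0) for e in selected) / total


if __name__ == "__main__":
    for name, sel in [("> 50% of profiles", select_by_threshold(ATTACK_PROFILES, 0.5)),
                      ("above average", select_above_average(ATTACK_PROFILES, OBSERVED_EVENT_COUNTS)),
                      ("covering set", minimal_covering_set(ATTACK_PROFILES))]:
        print(f"{name}: {sorted(sel)} intercepts "
              f"{intercepted_fraction(sel, OBSERVED_EVENT_COUNTS):.4%} of events")
```

All three selections stay far below the 1% interception share the text mentions, because the event types that dominate attack profiles (mounts, credential changes, library loads) are rare in the benign baseline; that gap is what makes selective interception cheap.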

[0079] In step 504, the security management unit generates rules that have specific conditions defining normal and abnormal behavior. In some embodiments, step 504 generates rules that correspond to the security rule table 202 of Fig. 2, such that each rule is associated with one or more conditions and one or more actions. Step 504 can generate permissive rules (e.g., if applicable, anomalous; if not applicable, normal), restrictive rules (e.g., if applicable, normal; if not applicable, anomalous), or combinations of permissive and restrictive rules. In some embodiments, step 504 provides an interface to a repository of malicious attack profiles (e.g., the malicious code profiles 140 of Fig. 1) to create additional conditions for each rule, which can provide additional security.

[0080] As a first example, in step 504, the security management unit can generate a plurality of restrictive rules (normal if applicable; anomalous if not applicable) based on each intercepted event from the subset of intercepted events. Thus, in the first example, normal events are simply events identical to those that occurred during the learning process.

[0081] As a second example, in step 504, the security management unit can generate multiple permissive rules (anomalous if applicable; normal if not applicable) based on malicious code profiles retrieved from a repository. Thus, in this second example, normal events are any event that does not match a specific malicious code profile.

[0082] As a third example, the security management unit in step 504 can generate multiple restrictive rules and multiple permissive rules. Thus, in the third example, any event matching a specific malicious code profile is considered abnormal (according to the permissive rules), and some event types (e.g., a file system mount process) that do not match a condition of the learned event type are considered abnormal (according to the restrictive rules).

[0083] In step 506, the security management unit assigns specific rules to specific security policies. Multiple security policies can be assigned to each rule, and multiple rules can be assigned to each security policy. Security policies can contain rules that are relevant to a specific execution environment or a specific subset of an execution environment. As a first example, a security policy can store security rules for a specific application, a specific operating system, and a specific machine type. As a second example, a first security policy can store rules relevant to the specific application, a second security policy can store rules relevant to a specific operating system associated with the specific application, and a third security policy can store rules relevant to a machine type associated with the operating system and / or the specific application. In the case of the second example, step 506 generates a directed acyclic graph (e.g., the DAG 300 of Fig. 3), which stores the hierarchy of security policies.

[0084] In step 508, the security management unit assigns the respective security policies to the respective machines. In some embodiments, step 508 creates a machine table in a security policy database, such as machine table 214 of Fig. 2. Multiple security policies can be assigned to each machine, and multiple machines can be assigned to each security policy. The machines can be various types of hardware resources (e.g., servers, desktop computers, laptop computers, mobile phones, etc.), and in some embodiments, the machines can be virtual machines. In some embodiments, the machines are referred to as client computers or client machines.

[0085] In step 510, the security management unit stores the generated rules, policies, and links in a security policy database, such as security policy database 104 of Fig. 1 or the security policy database 200 of Fig. 2.

[0086] Fig. 6 illustrates a flowchart of an example method for enforcing a security policy according to some embodiments of the present disclosure. In some embodiments, the method 600 can be carried out by a security agent (e.g., the security agent 114 of Fig. 1). In some embodiments, the method 600 is carried out by executing instructions stored on a computer-readable storage medium by a processor that is connected to the computer-readable storage medium for data exchange.

[0087] In step 602, the security agent detects a first execution environment. In some embodiments, step 602 detects a first execution environment by intercepting one or more events associated with the first execution environment and detecting the first execution environment based on the intercepted events. In some embodiments, step 602 extracts one or more universally unique identifiers (UUIDs) or globally unique identifiers (GUIDs) associated with the first execution environment to detect the first execution environment.

[0088] In step 604, the security agent retrieves one or more security policies in response to the detection of the first execution environment. In some embodiments, the one or more security policies are retrieved from local storage. In other embodiments, the one or more security policies are retrieved from a security policy database.

[0089] In step 606, the security agent can substitute one or more parameters into the retrieved security policies. The substituted parameters are values retrieved from the first execution environment that correspond to the conditions of various rules (e.g., dynamic rules) linked to the retrieved security policies. By substituting parameters from the first execution environment into one or more dynamic rules, the security agent thus converts the dynamic rules into static rules that can be enforced in the first execution environment. For example, in an execution environment containing a virtual machine instance, the substitutable parameters might be the resource locations (e.g., addresses) of the other hardware resources that the virtual machine uses.

[0090] In some embodiments, in step 606 the security agent uses the parameters from the first execution environment to identify a suitable path through a directed acyclic graph (DAG) of rules and/or security policies, and enforces the rules and/or security policies on the identified path.

[0091] In step 608, the security agent intercepts a first subset of the events associated with the first execution environment. In some embodiments, the first subset is determined by the retrieved security policies. In some embodiments, the first subset consists of event types that occur in malicious attack profiles at a higher rate than the average across all events generated by the execution environment, so that evaluation effort is concentrated where attacks are most likely to show. In some embodiments, the first subset amounts to less than 50%, 10%, or 1% of the total number of events generated by the first execution environment over a given period.

[0092] In step 610, the security agent detects an anomalous event based on at least one intercepted event and at least one rule of a retrieved security policy. In various embodiments, an intercepted event is detected as anomalous because it fulfills all the conditions of a security rule (e.g., a permissive security rule that evaluates to true), or, in alternative embodiments, because it fails to fulfill one or more conditions of a security rule (e.g., a restrictive security rule that evaluates to false).

[0093] In step 612, the security agent executes a mitigation action in response to detecting the anomalous event. The mitigation action can, for example, be to generate an alert and forward it to a system administrator and/or to the security management unit. Another example of a mitigation action is terminating the process associated with the anomalous event.
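The following added example (not the patent's own code) works through the agent side of steps 602 to 612 in Python: a policy whose rules carry dynamic parameters, the substitution of the environment's parameters into them (step 606), interception of only the event types the policy names (step 608), evaluation under both rule semantics of step 610, and the two mitigation actions of step 612. The event types, field names, rule names, addresses and process IDs are constructed for illustration and are not taken from the patent.

```python
"""Security agent enforcing a learned policy for one execution environment.

Added example, not the patent's code. Event types, field names, rule names,
addresses and PIDs below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Set


@dataclass
class Rule:
    name: str
    event_type: str              # only events of this type are evaluated by this rule
    conditions: Dict[str, Any]   # event field -> required value; "$x" marks a dynamic parameter
    kind: str                    # "permissive": anomaly when ALL conditions hold
                                 # "restrictive": anomaly when ANY condition fails
    action: str                  # mitigation: "alert" or "terminate"


@dataclass
class Policy:
    env_id: str
    rules: List[Rule]

    def intercept_types(self) -> Set[str]:
        # Step 608: the agent hooks only the event types the policy references.
        # Every other event type is never intercepted, which is the overhead saving.
        return {r.event_type for r in self.rules}


def bind_parameters(policy: Policy, env_params: Dict[str, Any]) -> Policy:
    """Step 606: substitute the environment's parameters into dynamic rules."""
    bound: List[Rule] = []
    for r in policy.rules:
        conds: Dict[str, Any] = {}
        for fld, want in r.conditions.items():
            if isinstance(want, str) and want.startswith("$"):
                # A parameter the environment does not supply is a mismatch between
                # policy and environment; failing loudly (KeyError) beats enforcing
                # a rule with a hole in it.
                conds[fld] = env_params[want[1:]]
            else:
                conds[fld] = want
        bound.append(Rule(r.name, r.event_type, conds, r.kind, r.action))
    return Policy(policy.env_id, bound)


def is_anomalous(rule: Rule, event: Dict[str, Any]) -> bool:
    """Step 610: compare one intercepted event with one (static) rule."""
    if event["type"] != rule.event_type:
        return False
    holds = [event.get(fld) == want for fld, want in rule.conditions.items()]
    if rule.kind == "permissive":
        return all(holds)        # rule evaluates to true: the event matches the profile
    if rule.kind == "restrictive":
        return not all(holds)    # rule evaluates to false: the event breaks an invariant
    raise ValueError(f"unknown rule kind: {rule.kind!r}")


def enforce(policy: Policy, events: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Steps 608-612 over an event stream: intercept the subset, detect, mitigate."""
    hooked = policy.intercept_types()
    intercepted = 0
    alerts: List[Dict[str, Any]] = []
    terminated: Set[int] = set()
    for ev in events:
        if ev["type"] not in hooked:
            continue                       # never intercepted, never evaluated
        intercepted += 1
        for rule in policy.rules:
            if is_anomalous(rule, ev):
                alerts.append({"rule": rule.name, "env": policy.env_id,
                               "pid": ev["pid"], "event": ev, "action": rule.action})
                if rule.action == "terminate":
                    terminated.add(ev["pid"])   # step 612: kill the offending process
    return {"total": len(events), "intercepted": intercepted,
            "alerts": alerts, "terminated": sorted(terminated)}


# Constructed sample data (assumptions): a VM that may only open connections to
# its own database host, whose address is a dynamic parameter of the environment,
# and whose web server must never spawn a shell.
POLICY = Policy("vm-web-01", [
    Rule("db-only-egress", "outbound_connect", {"dst": "$db_host"}, "restrictive", "alert"),
    Rule("webserver-spawns-shell", "process_exec",
         {"parent": "nginx", "image": "/bin/sh"}, "permissive", "terminate"),
])
ENV_PARAMS = {"db_host": "10.0.5.20"}

EVENTS = [{"type": "file_read", "pid": 4100 + i, "path": f"/var/www/{i}.html"}
          for i in range(16)] + [
    {"type": "outbound_connect", "pid": 4120, "dst": "10.0.5.20", "dst_port": 5432},
    {"type": "outbound_connect", "pid": 4121, "dst": "203.0.113.9", "dst_port": 4444},
    {"type": "process_exec", "pid": 4201, "parent": "nginx", "image": "/usr/sbin/nginx"},
    {"type": "process_exec", "pid": 4202, "parent": "nginx", "image": "/bin/sh"},
]

if __name__ == "__main__":
    result = enforce(bind_parameters(POLICY, ENV_PARAMS), EVENTS)
    print(f"intercepted {result['intercepted']}/{result['total']} events")
    for a in result["alerts"]:
        print(a["rule"], a["pid"], a["action"])
    print("terminated:", result["terminated"])
```

Only 4 of the 20 constructed events are intercepted at all, which is the patent's "less than half" property; the 16 file reads cost the agent nothing beyond a set lookup. The restrictive rule fires on the connection that leaves the allowed database host, and the permissive rule fires on the exact shell-spawn profile and terminates it.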

[0094] Fig. 7 illustrates a flowchart of an example method 700 for updating a security policy database according to some embodiments of the present disclosure. In some embodiments, the method 700 is carried out by a security agent (e.g., the security agent 114 of Fig. 1). In some embodiments, the method 700 is carried out by a processor executing instructions stored on a computer-readable storage medium to which the processor is communicatively coupled.

[0095] In step 702, the security agent enforces one or more security policies by intercepting selected events generated by one or more execution environments (e.g., as described for step 608 of Fig. 6).

[0096] In step 704, the security agent detects a process performing an approved update that is relevant to an execution environment and/or a security policy. Step 704 can recognize an approved update from a running tool or command such as, but not limited to, the Windows Update service, an `apt-get` command (the front end of the Advanced Package Tool (APT)), or a `yum` command (Yellowdog Updater, Modified, used on some Linux systems). For example, step 704 can intercept an event and determine that the event carries a command and/or other parameters indicative of an approved update process.

[0097] In step 706, the security agent enters a limited learning phase. The limited learning phase can be configured to observe the events generated by the execution environment in connection with the approved update for a specified period (e.g., 1 hour, 12 hours, 24 hours, 1 week, etc.). During the limited learning phase, the security agent can relax or suspend enforcement of the security policy or of a subset of it. In one example, the security agent does not enforce the security policy, or a subset of it, for the duration of the limited learning phase. In another example, the security agent still generates alerts for detected anomalies but does not terminate any process associated with the approved update during the limited learning phase.

[0098] In step 708, the security agent updates the security policy by updating the rules, conditions, and actions associated with it on the basis of what was observed during the limited learning phase. In some embodiments, step 708 also includes providing the updated security policy to a security management unit. In step 710, the security agent enforces the updated security policy.
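The added example below (not the patent's code) works through steps 702 to 710 in Python. It recognizes an approved updater, opens a bounded learning window, and during that window downgrades enforcement to alert-only, but only for processes descended from the updater; an unrelated process that misbehaves while the window is open is still terminated, which keeps the learning phase from becoming a blind spot that an attacker could time to coincide with patching. At the end of the phase the observed behaviour is folded into the allowlist policy. Updater names, event fields, process IDs and the allowlist are constructed for illustration.

```python
"""Limited learning phase around an approved update (steps 702-710).

Added example, not the patent's code. Event shapes, the allowlist policy,
process IDs and the updater names are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Step 704: process images treated as an approved updater. The patent names
# Windows Update, apt-get and yum; the exact match strings are assumptions.
APPROVED_UPDATERS = {"apt-get", "yum", "wuauserv"}

Fact = Tuple[str, str, str]   # (event type, process name, target): one allowed behaviour


@dataclass
class UpdateAwareAgent:
    policy: Set[Fact]                  # allowlist learned for this execution environment
    learn_window_s: float              # length of the limited learning phase (e.g. 1 hour)
    learning_until: float = -1.0       # event-clock time at which the phase ends
    update_tree: Set[int] = field(default_factory=set)   # PIDs descended from the updater
    learned: Set[Fact] = field(default_factory=set)
    alerts: List[Dict] = field(default_factory=list)
    terminated: Set[int] = field(default_factory=set)

    def handle(self, ev: Dict) -> str:
        """Steps 702-706 for one event; returns the verdict applied."""
        ts, pid = ev["ts"], ev["pid"]
        fact: Fact = (ev["type"], ev["proc"], ev["target"])
        if ev["type"] == "process_exec":
            if ev["proc"] in APPROVED_UPDATERS:
                # Step 704: an approved updater starts; open (or extend) the window.
                self.learning_until = max(self.learning_until, ts + self.learn_window_s)
                self.update_tree.add(pid)
                return "allow"
            if ev["ppid"] in self.update_tree:
                self.update_tree.add(pid)   # children of the updater belong to the update
        if fact in self.policy:
            return "allow"
        # Anomaly under the current policy.
        if ts < self.learning_until and pid in self.update_tree:
            # Step 706: inside the window and part of the approved update:
            # alert and remember the behaviour, but do not terminate.
            self.learned.add(fact)
            self.alerts.append({"ts": ts, "pid": pid, "fact": fact, "action": "alert-only"})
            return "alert-only"
        # Window closed, or a process unrelated to the update: full enforcement.
        self.alerts.append({"ts": ts, "pid": pid, "fact": fact, "action": "terminate"})
        self.terminated.add(pid)
        return "terminate"

    def finish_learning(self) -> Set[Fact]:
        """Step 708: fold what the update did into the policy; returns the new facts."""
        added = self.learned - self.policy
        self.policy |= self.learned
        self.learned.clear()
        self.update_tree.clear()
        self.learning_until = -1.0
        return added


# Constructed sample data (assumptions). Timestamps are seconds on an event clock.
BASE_POLICY: Set[Fact] = {
    ("file_read", "nginx", "/etc/nginx/nginx.conf"),
    ("process_exec", "dpkg", "/usr/bin/dpkg"),
}
EVENTS = [
    {"ts": 0,    "pid": 50,  "ppid": 1,   "type": "file_read",    "proc": "nginx",   "target": "/etc/nginx/nginx.conf"},
    {"ts": 10,   "pid": 100, "ppid": 1,   "type": "process_exec", "proc": "apt-get", "target": "/usr/bin/apt-get"},
    {"ts": 11,   "pid": 100, "ppid": 1,   "type": "file_write",   "proc": "apt-get", "target": "/var/lib/dpkg/lock"},
    {"ts": 12,   "pid": 101, "ppid": 100, "type": "process_exec", "proc": "dpkg",    "target": "/usr/bin/dpkg"},
    {"ts": 13,   "pid": 101, "ppid": 100, "type": "file_write",   "proc": "dpkg",    "target": "/usr/bin/curl"},
    {"ts": 14,   "pid": 200, "ppid": 50,  "type": "process_exec", "proc": "sh",      "target": "/bin/sh"},
    {"ts": 5000, "pid": 101, "ppid": 100, "type": "file_write",   "proc": "dpkg",    "target": "/etc/cron.d/job"},
]

if __name__ == "__main__":
    agent = UpdateAwareAgent(policy=set(BASE_POLICY), learn_window_s=3600)
    for ev, verdict in zip(EVENTS, [agent.handle(e) for e in EVENTS]):
        print(f"t={ev['ts']:>5} pid={ev['pid']} {ev['type']:<13} {ev['proc']:<8} -> {verdict}")
    print("learned into policy:", sorted(agent.finish_learning()))   # step 708
```

In the constructed timeline the `apt-get` exec at t=10 opens a one-hour window; the package manager's own writes and its `dpkg` child are alerted on but not terminated and end up in the updated policy, while the web server spawning `/bin/sh` at t=14 is terminated even though the window is open, and the late `dpkg` write at t=5000 is terminated because the window has closed. After `finish_learning()` the agent enforces the updated policy (step 710).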

[0099] Fig. 8 illustrates a block diagram of a security management unit 800 according to some embodiments of the present disclosure. In some embodiments, the security management unit 800 corresponds to the security management unit 102 and/or the security agent 114 of Fig. 1. The security management unit 800 can interface with one or more client machines (e.g., the nodes 106, 108, and 110 of Fig. 1) to provide, update, and manage security systems for the client machines. In various embodiments, the security management unit 800 can perform any of the methods described with reference to Figs. 4 to 7. In some embodiments, the security management unit 800 provides instructions for one or more of the methods described with reference to Figs. 4 to 7 to a client machine, so that the client machine executes the method based on the instructions provided by the security management unit 800. In some embodiments, the security management unit 800 also functions as a security agent (e.g., the security agent 114 of Fig. 1), specifically in cases where the security management unit and the security agent reside on the same machine.

[0100] The security management unit 800 can include a main memory 825, a storage 830, an interconnect (e.g., a bus) 820, one or more CPUs 805 (also referred to herein as processors 805), an I/O unit interface 810, I/O units 812, and a network interface 815.

[0101] Each CPU 805 retrieves and executes programming instructions stored in the main memory 825 or the storage 830. The interconnect 820 is used to transfer data, such as programming instructions, between the CPUs 805, the I/O unit interface 810, the storage 830, the network interface 815, and the main memory 825. The interconnect 820 can be implemented with one or more buses. The CPUs 805 can be a single CPU, multiple CPUs, or a single CPU with multiple processing cores, depending on the embodiment. In some embodiments, a CPU 805 can be a digital signal processor (DSP). The main memory 825 generally represents random-access memory (e.g., static random-access memory (SRAM), dynamic random-access memory (DRAM), or flash memory). The storage 830 generally represents non-volatile storage, such as a hard disk drive, a solid-state drive (SSD), removable memory cards, optical storage, or flash memory devices. Alternatively, the storage 830 can be replaced by storage area network (SAN) devices, the cloud, or other devices connected to the security management unit 800 via the I/O unit interface 810, or to a network 850 via the network interface 815.

[0102] In some embodiments, instructions 860 are stored in the main memory 825, and security policies 832, intercepted events 834, and alerts 836 are stored in the storage 830. In other embodiments, however, the instructions 860, security policies 832, intercepted events 834, and alerts 836 are stored partly in the main memory 825 and partly in the storage 830, or entirely in the main memory 825, or entirely in the storage 830, or they are accessed via a network 850 using the network interface 815.

[0103] The security policies 832 can comprise one or more security policies stored in a security policy database. For example, the security policies 832 can correspond to the security policy database 104 of Fig. 1 and/or the security policy database 200 of Fig. 2. The security policies 832 include at least one security policy having at least one rule that is based on at least one condition. The security policies 832 can be provided to the security management unit 800, or they can be learned by executing the learning instructions 862 (e.g., as described with reference to Fig. 5).

[0104] The intercepted events 834 can represent a subset of the events generated by an execution environment and intercepted by a security agent enforcing a security policy, for comparison against one or more rules of that security policy. In some embodiments, the intercepted events 834 correspond to the events 118, 126, and/or 134 of Fig. 1.

[0105] The alerts 836 are alerts generated in response to the detection of anomalous behavior and made available to a user interface (e.g., the I/O units 812). An alert 836 may contain, among other data, an alert class (e.g., emergency, critical, general, or informational), an identifier of the client machine, node, and/or execution environment associated with the alert, the name of the process associated with the alert, the name of the program that created that process, a timestamp, and/or a recommended mitigation action.

[0106] The instructions 860 are processor-executable instructions and include the learning instructions 862, the security agent instructions 864, and the security management instructions 866. The learning instructions 862 can be executed by the security management unit 800 to generate the security policies 832 using a method such as the method 500 described with reference to Fig. 5.

[0107] The security agent instructions 864 can be configured to execute methods such as the method 600 of Fig. 6 and the method 700 of Fig. 7. In some embodiments, the security agent instructions 864 are configured to compare intercepted events against one or more security policies and to generate alerts indicating behavior that is anomalous under those security policies. In some embodiments, the security agent instructions 864 are configured to send updated security policies, intercepted events, and/or alerts to the security management unit 800, so that the security management unit 800 can store them as the security policies 832, the intercepted events 834, and/or the alerts 836. In some embodiments, the security management unit 800 acts as both a security management unit and a security agent, and executes the security agent instructions 864 directly rather than providing them over the network 850 to a client machine.

[0108] The security management instructions 866 can be executed by the security management unit 800 to manage the security of one or more communicatively coupled client machines or nodes, using a method such as the method 400 described with reference to Fig. 4. In some embodiments, the security management unit 800 executes the security management instructions 866 to manage security for security agents distributed across hundreds or thousands of client machines connected over the network 850.

[0109] In various embodiments, the I/O units 812 can include an interface capable of displaying information and receiving input. For example, the I/O units 812 can display information (e.g., the alerts 836) to a user interacting with the security management unit 800 and receive input from the user (e.g., a selected mitigation action).

[0110] The security management unit 800 is connected to the network 850 via the network interface 815. In some embodiments, the network 850 corresponds to the network 150 of Fig. 1.

[0111] It is understood in advance that although this disclosure includes a detailed description of cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, embodiments of the present invention can be implemented in conjunction with any other type of computing environment now known or later developed.

[0112] Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.

[0113] The characteristics are as follows: On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed and automatically, without requiring human interaction with the service's provider.

[0114] Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

[0115] Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control over or knowledge of the exact location of the provided resources, but may be able to specify a location at a higher level of abstraction (e.g., country, state, or data center).

[0116] Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

[0117] Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.

[0118] The service models are as follows: Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

[0119] Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly over the configuration of the application hosting environment.

[0120] Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

[0121] The deployment models are as follows: Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.

[0122] Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

[0123] Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

[0124] Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

[0125] A cloud computing environment is service-oriented, with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure that includes a network of interconnected nodes.

[0126] Referring now to Fig. 9, an illustrative cloud computing environment 50 is depicted. As shown, the cloud computing environment 50 includes one or more cloud computing nodes 10 with which local computing devices used by cloud consumers, such as a personal digital assistant (PDA) or mobile phone 54A, a desktop computer 54B, a laptop computer 54C, and/or an automobile computer system 54N, may communicate. The nodes 10 may communicate with one another. They may be grouped physically or virtually in one or more networks, such as private, community, public, or hybrid clouds as described above, or a combination thereof. This allows the cloud computing environment 50 to offer infrastructure, platforms, and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 54A to N shown in Fig. 9 are intended to be illustrative only, and that the computing nodes 10 and the cloud computing environment 50 can communicate with any type of computerized device over any type of network and/or network-addressable connection (e.g., using a web browser).

[0127] Referring now to Fig. 10, a set of functional abstraction layers provided by the cloud computing environment 50 (Fig. 9) is shown. It is understood in advance that the components, layers, and functions shown in Fig. 10 are intended to be illustrative only, and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided: A hardware and software layer 60 includes hardware and software components. Examples of hardware components include: mainframes 61; RISC (Reduced Instruction Set Computer) architecture based servers 62; servers 63; blade servers 64; storage devices 65; and networks and networking components 66. In some embodiments, software components include network application server software 67 and database software 68. A virtualization layer 70 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers 71; virtual storage 72; virtual networks 73, including virtual private networks; virtual applications and operating systems 74; and virtual clients 75.

[0128] In one example, a management layer 80 may provide the functions described below. Resource provisioning 81 provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and pricing 82 provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may include application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. A user portal 83 provides access to the cloud computing environment for consumers and system administrators. Service level management 84 provides cloud computing resource allocation and management such that required service levels are met. Service level agreement (SLA) planning and fulfillment 85 provide pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.

[0129] A workloads layer 90 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation 91; software development and lifecycle management 92; virtual classroom education delivery 93; data analytics processing 94; transaction processing 95; and security management 96.

[0130] Embodiments of the present invention may be a system, a method, and/or a computer program product at any possible technical level of integration. The computer program product may include a computer-readable storage medium (or media) having computer-readable program instructions thereon for causing a processor to carry out aspects of the present invention.

[0131] The computer-readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer-readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

[0132] Computer-readable program instructions described herein can be downloaded to respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network, for example the Internet, a local area network, a wide area network, and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.

[0133] Computer-readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, configuration data for integrated circuitry, or either source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as Smalltalk, C++, or the like, and procedural programming languages such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer-readable program instructions by utilizing state information of the computer-readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

[0134] Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

[0135] These computer-readable program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

[0136] The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other device to produce a computer-implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

[0137] The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special-purpose hardware-based systems that perform the specified functions or acts, or carry out combinations of special-purpose hardware and computer instructions.

[0138] It is understood that the process software (e.g., any of the instructions stored in the instructions 860 of Fig. 8 and/or any software configured to execute a subset of the methods described with reference to Figs. 4 to 7) can be deployed manually to client, server, and proxy computers by loading it from a storage medium such as a CD, DVD, etc. Alternatively, it can be deployed automatically or semi-automatically into a computer system by sending the process software to a central server or a group of central servers. The process software is then downloaded to the client computers that will execute it. Alternatively, the process software is sent directly to the client system via e-mail. The process software is then either detached to a directory or loaded into a directory by executing a set of program instructions that detaches the process software into a directory. Another alternative is to send the process software directly to a directory on the client computer's hard drive. When there are proxy servers, the process selects the proxy server code, determines on which computers to place the proxy server code, transmits the proxy server code, and then installs the proxy server code on the proxy computer. The process software is transmitted to the proxy server and then stored on the proxy server.

[0139] Embodiments of the present invention may also be delivered as part of a service engagement with a client corporation, nonprofit organization, government entity, internal organizational structure, or the like. These embodiments may include configuring a computer system to perform, and deploying software, hardware, and web services that implement, some or all of the methods described herein. These embodiments may also include analyzing the client's operations, creating recommendations responsive to the analysis, building systems that implement portions of the recommendations, integrating the systems into existing processes and infrastructure, metering use of the systems, allocating expenses to users of the systems, and billing, invoicing, or otherwise receiving payment for use of the systems.

Claims

[1] Computer-executed method (600) for managing an external warning system, the method comprising: intercepting (608), by a security agent (114, 122) of a client machine (106, 108), a first subset of a plurality of events (118, 126) generated by a first execution environment (112A, 222B, 112C; 120) utilizing the client machine, wherein the first subset of the plurality of events is intercepted according to a first learned security policy (116, 124), wherein the first learned security policy is learned based on observing the operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event from the first subset of events is of an event type associated with a malicious code profile; detecting (610), by the security agent and based on the first learned security policy for the first execution environment, an irregularity by comparing at least one intercepted event with at least one rule of the first learned security policy; and executing (612), by the security agent, a mitigation measure in response to the detection of the irregularity.

[2] Method according to claim 1, further comprising: retrieving (604), by the security agent of the client machine, the first learned security policy from a security policy database (104; 200) in response to detecting (602) the first execution environment used by the client machine; wherein the security policy database contains a plurality of learned security policies, wherein each security policy contains at least one security rule, and wherein each security rule contains at least one condition.

[3] Method according to claim 2, wherein the security policy database comprises a security rule table (202), a security policy table (208) and a client machine table (214), wherein multiple security rules (210B, 212B) are assigned to at least one security policy (210A, 212A), wherein multiple security policies are assigned to at least one security rule (210B, 212B), wherein multiple client machines (216A, 218A) are assigned to at least one security policy (216B, 218B) and wherein multiple security policies (216B, 218B) are assigned to at least one client machine (216A, 218A).

[4] Method according to claim 3, further comprising: retrieving, by the security agent, at least one second learned security policy from the security policy database in response to detecting that the client machine is associated with both the first learned security policy and the second learned security policy in the security policy database.

[5] Method according to any of the preceding claims, wherein the first learned security policy is learned by intercepting a subset of simulated events generated by a simulation of the first execution environment and by generating a plurality of rules based on the intercepted subset of simulated events.

[6] Computer-executed method (400) for managing an external warning system, the method comprising: generating (402) a plurality of security policies, including a first learned security policy based on a subset of events associated with a synthetic first execution environment, wherein at least one rule of the first learned security policy is based on an event type associated with a malicious code profile; storing the plurality of security policies in a security policy database (104; 200); deploying (404) at least the first learned security policy to a plurality of clients (106, 108), wherein the first learned security policy is relevant to a first execution environment (112A, 112B, 112C; 102) used by the plurality of clients, and wherein the plurality of clients are configured to enforce the first learned security policy; and receiving (406) an alert from a first client indicating an irregularity based on at least one intercepted event (118, 126) generated by the first execution environment deployed on the first client and intercepted by the first client according to the first learned security policy.

[7] Method according to claim 6, wherein the plurality of security policies (302, 304, 306, 308, 310, 312, 314, 316, 318) are stored in a directed acyclic graph (DAG) (300) which has the rule-containing security policies as nodes and connections between the security policies as edges that specify relationships between the nodes.

[8] Method according to claim 7, wherein deploying the first learned security policy further comprises: deploying a second learned security policy in response to determining that a second node corresponding to the second learned security policy shares an edge in the DAG with a first node corresponding to the first learned security policy.
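The management-side steps of claims 5 to 8 (learning a policy from an intercepted subset of a synthetic environment's events, storing policies as a DAG, and deploying a policy together with the policies sharing an edge with it) are illustrated below in an added example. This is not the patent's own code; the event stream, the policy names, the `Rule` and `Policy` shapes and the cycle check are all constructed here for illustration.

```python
"""Added example (not from the patent): a minimal security management unit
that learns a policy from the watched subset of a synthetic environment's
events, keeps policies in a DAG and resolves which policies to deploy.
All events, policy names and field names are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed event stream of a synthetic web-server container,
# as (event_type, process_name, command_line_or_path).
SYNTHETIC_EVENTS: List[Tuple[str, str, str]] = [
    ("process_start", "nginx", "nginx -g daemon off;"),
    ("file_open", "nginx", "/etc/nginx/nginx.conf"),
    ("file_open", "nginx", "/var/log/nginx/access.log"),
    ("net_listen", "nginx", "0.0.0.0:80"),
    ("process_start", "nginx", "nginx -g daemon off;"),
] + [("sched_tick", "kernel", "")] * 6        # high-volume noise, never watched

# Event types the policy asks the agent to intercept; everything else is
# passed through, so the intercepted subset stays well under half the stream.
WATCHED_TYPES: FrozenSet[str] = frozenset({"process_start", "file_open", "net_listen"})


@dataclass(frozen=True)
class Rule:
    event_type: str
    process_name: str
    command_line: str


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)


def intercept(events, watched_types):
    """Return only the subset of events whose type the policy names."""
    return [e for e in events if e[0] in watched_types]


def learn_policy(name, events, watched_types):
    """Turn the intercepted subset into 'normal behaviour' rules, one per distinct event."""
    policy = Policy(name)
    seen: Set[Rule] = set()
    for etype, proc, cmd in intercept(events, watched_types):
        rule = Rule(etype, proc, cmd)
        if rule not in seen:
            seen.add(rule)
            policy.rules.append(rule)
    return policy


class PolicyDAG:
    """Security policies as nodes, relationships as directed edges; cycles are rejected."""

    def __init__(self):
        self.policies: Dict[str, Policy] = {}
        self.edges: Dict[str, Set[str]] = defaultdict(set)   # src -> {dst}

    def add_policy(self, policy):
        self.policies[policy.name] = policy

    def _reaches(self, start, target):
        stack, seen = [start], set()
        while stack:
            node = stack.pop()
            if node == target:
                return True
            if node in seen:
                continue
            seen.add(node)
            stack.extend(self.edges[node])
        return False

    def add_edge(self, src, dst):
        if src not in self.policies or dst not in self.policies:
            raise KeyError("both endpoints must be stored policies")
        if src == dst or self._reaches(dst, src):
            raise ValueError(f"edge {src}->{dst} would create a cycle")
        self.edges[src].add(dst)

    def neighbours(self, name):
        """Policies sharing an edge with `name`, in either direction."""
        out = set(self.edges[name])
        out |= {src for src, dsts in self.edges.items() if name in dsts}
        return out

    def deploy_set(self, name):
        """The requested policy plus every policy sharing an edge with it (claim 8)."""
        return sorted({name} | self.neighbours(name))


def build_demo_dag():
    """Constructed DAG: a base OS policy, the learned web policy and a TLS add-on."""
    dag = PolicyDAG()
    dag.add_policy(Policy("linux-base", [Rule("process_start", "sh", "sh -c logrotate")]))
    dag.add_policy(learn_policy("nginx-web", SYNTHETIC_EVENTS, WATCHED_TYPES))
    dag.add_policy(Policy("nginx-tls", [Rule("file_open", "nginx", "/etc/ssl/private/server.key")]))
    dag.add_edge("linux-base", "nginx-web")
    dag.add_edge("nginx-web", "nginx-tls")
    return dag


if __name__ == "__main__":
    dag = build_demo_dag()
    print(len(dag.policies["nginx-web"].rules), "learned rules")
    print("deploy for nginx-web:", dag.deploy_set("nginx-web"))
```

Requesting the `nginx-web` policy for a client resolves to all three policies because both other nodes share an edge with it; the cycle check in `add_edge` is what keeps the structure a DAG rather than a general graph.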
[9] Method (400, 500) according to any one of claims 6 to 8, wherein generating the plurality of security policies further comprises: intercepting (502) a first subset of events from the synthetic first execution environment for a first period of time; generating (504) a plurality of rules that define normal and abnormal behavior based on the first subset of events from the synthetic first execution environment, wherein each rule is associated with one or more conditions; storing the plurality of rules as the first learned security policy for the first execution environment in the security policy database; and assigning (510) the first learned security policy (114, 116) to the plurality of clients (106, 108).

[10] Method according to any one of claims 6 to 9, wherein the first learned security policy is configured to be dynamically modified by each client of the plurality of clients based on respective parameters assigned to the respective first execution environment deployed on that client.

[11] Computer system for managing an external warning system, the system comprising: a processor; and a tangible, computer-readable memory storing program instructions which, when executed by the processor, perform the following steps: intercepting a first subset of a plurality of events (118, 126) generated by a first execution environment (112A, 222B, 112C; 120) utilizing a client machine (106, 108), wherein the first subset of the plurality of events is determined by a first learned security policy, wherein the first learned security policy (116, 124) is learned based on observing the operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event from the first subset of events is of an event type associated with a malicious code profile; detecting an irregularity based on the first learned security policy for the first execution environment by comparing at least one intercepted event with at least one rule of the first learned security policy; and implementing a mitigation measure in response to the detection of the irregularity.

[12] Computer system according to claim 11, wherein the first learned security policy comprises at least one static rule that is independent of the first execution environment and at least one dynamic rule that depends on at least one parameter configured in the first execution environment, and wherein the processor is further configured to perform the following step: replacing, in the at least one dynamic rule of the first learned security policy, the at least one parameter configured in the first execution environment.

[13] Computer system according to claim 11 or 12, wherein the processor, when configured to detect an irregularity, is further configured to perform the following step: comparing a plurality of conditions of a first rule of the first learned security policy with the one or more intercepted events, wherein the plurality of conditions refer to a process name, a command line and a file dump of the one or more intercepted events.

[14] Computer system according to any one of claims 11 to 13, wherein at least one rule in the first learned security policy is associated with a set of conditions configured to produce a true value or a false value, wherein a true value is configured to execute a mitigation action, and wherein a false value is configured to retry for the next intercepted event.

[15] Computer system according to any one of claims 11 to 13, wherein at least one rule in the first learned security policy is associated with a set of conditions configured to produce a true value or a false value, wherein a false value is configured to execute a mitigation action, and wherein a true value is configured to retry for the next intercepted event.
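Claims 11 to 15 describe the client-side agent: static rules beside dynamic rules whose environment parameters are substituted in at deployment time, interception limited to the event types the policy names, a condition set over process name, command line and file data evaluated to true or false, and one of those values mapped to a mitigation action while the other continues with the next event. The example below is an added illustration, not the patent's code: the `Event` and `Rule` shapes, the glob-style matching, the `app_dir` parameter, the action names and every sample event are constructed, and a file hash is assumed to stand in for the page's "file dump" condition.

```python
"""Added example (not from the patent): a minimal security agent that binds
environment parameters into dynamic rules, inspects only policy-named event
types, evaluates rule conditions and maps the verdict to a mitigation.
All events, rules, parameter names, hashes and action names are constructed."""
import fnmatch
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    event_type: str
    process_name: str
    command_line: str
    file_hash: str = ""          # assumption: stands in for the claims' "file dump"


@dataclass(frozen=True)
class Rule:
    event_type: str               # the rule applies only to events of this type
    process_name: str             # glob: which processes the rule applies to
    conditions: Dict[str, str]    # event field -> glob pattern, may hold {param} placeholders
    action: str                   # mitigation executed when the rule fires
    fire_on: bool = True          # claim 14: fire on True; claim 15: fire on False
    dynamic: bool = False         # claim 12: conditions reference environment parameters

    def bind(self, params: Dict[str, str]) -> "Rule":
        """Substitute environment parameters into a dynamic rule; static rules are returned as-is."""
        if not self.dynamic:
            return self
        bound = {f: pat.format(**params) for f, pat in self.conditions.items()}
        return replace(self, conditions=bound, dynamic=False)

    def applies_to(self, ev: Event) -> bool:
        return ev.event_type == self.event_type and fnmatch.fnmatchcase(ev.process_name, self.process_name)

    def evaluate(self, ev: Event) -> bool:
        """The condition set is True only when every condition matches the event."""
        return all(fnmatch.fnmatchcase(getattr(ev, f), pat) for f, pat in self.conditions.items())


class SecurityAgent:
    def __init__(self, policy: List[Rule], env_params: Dict[str, str]):
        self.rules = [r.bind(env_params) for r in policy]
        self.watched = {r.event_type for r in self.rules}   # only these types are intercepted
        self.alerts: List[Tuple[Event, str]] = []

    def intercept(self, ev: Event) -> Optional[str]:
        """Return the mitigation action for an irregular event, or None to continue."""
        if ev.event_type not in self.watched:
            return None                          # not part of the policy's subset: pass through
        for rule in self.rules:                  # first firing rule decides
            if rule.applies_to(ev) and rule.evaluate(ev) == rule.fire_on:
                self.alerts.append((ev, rule.action))
                return rule.action
        return None                              # no rule fired: retry on the next event


# Constructed policy and environment parameter.
ENV_PARAMS = {"app_dir": "/srv/app"}
POLICY = [
    # static: an interactive shell spawned by any process is treated as abnormal
    Rule("process_start", "*", {"command_line": "*bash -i*"}, action="kill_process"),
    # static: a constructed known-bad hash prefix (placeholder, not a real IoC)
    Rule("file_exec", "*", {"file_hash": "deadbeef*"}, action="quarantine_file"),
    # dynamic: the web server may only execute files below its configured app_dir;
    # the condition set being False is what fires this rule (claim 15)
    Rule("file_exec", "nginx", {"command_line": "{app_dir}/*"}, action="alert",
         fire_on=False, dynamic=True),
]

# Constructed event stream.
SAMPLE_EVENTS = [
    Event("sched_tick", "kernel", ""),                              # not watched
    Event("process_start", "nginx", "nginx -g daemon off;"),        # normal
    Event("file_exec", "nginx", "/srv/app/bin/worker", "0123abcd"), # inside app_dir
    Event("file_exec", "nginx", "/tmp/x", "0123abcd"),              # outside app_dir
    Event("process_start", "www-data", "bash -i"),                  # static rule fires
    Event("file_exec", "cron", "/usr/sbin/logrotate", "deadbeef00"),# bad hash fires
]


def run_agent(agent: SecurityAgent, events: List[Event]) -> List[Optional[str]]:
    """Feed events through the agent and collect the per-event decision."""
    return [agent.intercept(ev) for ev in events]


if __name__ == "__main__":
    agent = SecurityAgent(POLICY, ENV_PARAMS)
    for ev, decision in zip(SAMPLE_EVENTS, run_agent(agent, SAMPLE_EVENTS)):
        print(f"{ev.event_type:14} {ev.process_name:9} {ev.command_line!r:28} -> {decision}")
```

The dynamic rule is stored with the `{app_dir}` placeholder and only becomes a concrete pattern on the client that knows its own configuration, which is what lets one learned policy serve many differently configured instances of the same execution environment.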
[16] System for managing an external warning system, comprising: a security management unit comprising a processor, a memory storing instructions executable by the processor, a security policy database and an interface, wherein the security management unit is connected to a plurality of nodes for data exchange; and wherein the security management unit is configured to: generate a plurality of security policies, including a first learned security policy based on a subset of events associated with a synthetic first execution environment, wherein at least one rule of the first learned security policy is based on an event type associated with a malicious code profile; store the plurality of security policies in the security policy database (104; 200); deploy a respective security agent and at least the first learned security policy to a subset of the plurality of nodes (106, 108), wherein the subset of nodes is configured to host the first execution environment (112A, 112B, 112C; 102), and wherein the respective security agents are configured to enforce at least the first learned security policy on each node of the subset of nodes; and receive an alert from a first security agent deployed to a first node, the alert indicating an irregularity detected based on at least one intercepted event (118, 126) generated by the first execution environment utilizing the first node and intercepted by the first security agent according to the first learned security policy.

[17] System according to claim 16, wherein the security management unit is further configured to: send a mitigation action to the first security agent in response to the interface being displayed and input being received via the interface, wherein the first security agent is configured to implement the mitigation action.

[18] System according to claim 16 or 17, wherein the security management unit is configured to generate the plurality of security policies by performing the following steps: intercepting a first subset of events from the synthetic first execution environment for a first period of time; generating a plurality of rules that define normal and abnormal behavior based on the first subset of events, wherein each rule is associated with one or more conditions; storing the plurality of rules as the first learned security policy for the first execution environment in the security policy database; and assigning the first learned security policy (114, 116) to the subset of nodes based on the subset of nodes being configured to host the first execution environment.

[19] System according to any one of claims 16 to 18, wherein the security policy database comprises a security rule table, a security policy table and a node table, wherein multiple security rules are assigned to at least one security policy, wherein multiple security policies are assigned to at least one security rule, wherein multiple nodes are assigned to at least one security policy and wherein multiple security policies are assigned to at least one node.

[20] System according to any one of claims 16 to 19, wherein the security management unit is further configured to perform the following steps: receiving an updated first learned security policy from the first security agent, wherein the first security agent is configured to update the first learned security policy in response to detecting an approved update associated with the first execution environment; updating the first learned security policy in the security policy database in response to receiving the updated first learned security policy; and deploying the updated first learned security policy to at least one second security agent deployed to a second node of the subset of nodes.

[21] Computer program product for managing an external warning system, the computer program product comprising: a computer-readable storage medium readable by a processing circuit, on which instructions are stored for execution by the processing circuit to carry out a method according to any one of claims 1 to 10.

[22] Computer program stored on a computer-readable medium, which can be loaded into the internal memory of a digital computer and which includes software code sections for carrying out the method according to any one of claims 1 to 10 when the program is executed on a computer.