The present disclosure generally relates to cybersecurity systems, and more particularly to detection of malicious code and activity in software containers.
A software container is an instance of a user-space running an application within the operating system (OS) of a host device (e.g., a server). Software containers enable operating-system-level virtualization in which the OS kernel allows the existence of multiple isolated software containers.
A software container (or a container) provides an executable environment with a complete filesystem. The filesystem may contain code, runtime, system tools, system libraries, and so on. That is, execution of a software container can be the same regardless of the underlying infrastructure. Docker is one of the popular existing platforms for creating, migrating, managing, and deploying software containers.
A software container, unlike a virtual machine, does not require or include a separate operating system. Rather, the container relies on the kernel's functionality and uses hardware resources (CPU, memory, I/O, network, etc.) and separate namespaces to isolate the application's view of the operating system. A software container can access the OS kernel's virtualization features either directly or indirectly. For example, Linux kernel can be accessed directly using the libcontainer library or indirectly using the libvirt service.
As demonstrated in
The base image 210 (and its layers 215) can be shared across different software containers. Thus, only the container layer 220 differentiates between one software container and another. The container layer 220 is a readable and writable layer where all data written to the software container 200 are saved in the container layer 220. When the software container 200 is deleted, the writable container layer 220 is also deleted, and the base image 210 remains unchanged. As such, the multiple software containers including the software container 200 can share access to the same base image 210, each of which has its own data state. In the example demonstrated in
The popularity of software containers has been increased due to the easy integration with cloud-computing platform (e.g., Amazon® Web Services, Google® Cloud Platform, Microsoft® Azure, etc.). On such platforms, service providers can offer operating systems to run services and applications. With that said, the increasing reliance on software containers increases the need for secured execution.
When a software application (application) is deployed into a container, its intended behavior is more declarative than in a traditional (non-container) model. For example, the container runtime exposes certain information about a system, such as the storage volumes mounted to the system, the networks that are linked to the system, and the processes which are instructed to execute within the system. However, application specific information, namely information about how a particular application is configured to operate, is not accessible through these common interfaces. These configuration attributes are set within the application's configuration file. The configuration file may be located inside of a container, and is thus not exposed through the container layer's interfaces. This limits the ability of security tools to adjust, at runtime, certain settings and implement security rules that may provide appropriate protection for the unique needs of the application.
As an example, a software container running a web server may be configured to map port 8080 on the host to port 80 on the container. When ports are exposed in this manner, security tools can monitor a list of exposed ports in order to ensure that such a list is consistent with what is specified within an application when it is launched. However, other application specific runtime data, such as ports that are open but not mapped, file paths that the application (e.g., web server) writes to and reads from, and system calls required by the application, are not accessible to security tools because the container layer does not provide a consistent interface from which to describe and retrieve them. This introduces vulnerabilities that can be exploited.
As an example, a user may create an Apache image (a web server application) with a default port set within the configuration file to 80. The user may run the image and map a random ephemeral port on the host to 80. Information about this mapping is available through the container layer, allowing a security tool to retrieve the information and build a rule set to monitor the port.
However, if the container becomes compromised and an attacker creates a new socket on a different port on the container, data can be harvested through the new port from other containers that are located on the same network. Without proper access to the configuration of the application itself, the security tool cannot reliably determine whether the new port is anomalous and should be flagged, or if it is to be considered normal behavior of the application and allowed.
Another cause for potential vulnerabilities in containers is that images, such as those for a web server-based container, are often composed using common software that is in widespread use. As such, configuration parsing knowledge can be developed centrally and applied to multiple customer installations. Containers always explicitly declare the ports that are exposed on the host network and these declarations can be discovered via container engine APIs. Thus, many such images are susceptible to attacks.
It would therefore be therefore advantageous to provide a solution that would secure the execution of software containers.
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
Certain embodiments disclosed herein include a method for runtime detection of vulnerabilities in an application software container. The application software container is configured to execute an application. The method comprises: detecting the application stored in an image of the application software container; identifying, based on at least one predetermined potential location for the application, configuration data stored in the application software container for the application; determining, based on the identified configuration data, at least one intended behavior of the application when executed in the application software container; monitoring execution of the application software container, wherein the monitoring includes comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and generating a detection event when the unauthorized action by the software container is detected.
Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon causing a processing circuitry to execute a process, the process comprising: detecting an application stored in an image of an application software container; identifying, based on at least one predetermined potential location for the application, configuration data stored in the application software container for the application; determining, based on the identified configuration data, at least one intended behavior of the application when executed in the application software container; monitoring execution of the application software container, wherein the monitoring includes comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and generating a detection event when the unauthorized action by the software container is detected.
Certain embodiments disclosed herein also include a system for runtime detection of vulnerabilities in an application software container. The application software container is configured to execute an application. The system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: detecting the application stored in an image of the application software container; identifying, based on at least one predetermined potential location for the application, configuration data stored in the application software container for the application; determining, based on the identified configuration data, at least one intended behavior of the application when executed in the application software container; monitoring execution of the application software container, wherein the monitoring includes comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and generating a detection event when the unauthorized action by the software container is detected.
The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the invention will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
The various disclosed embodiments include techniques for detecting and mitigating vulnerabilities in application software containers at runtime. Execution of an application software container is monitored and compared to intended behaviors for the application software container. The intended behaviors may be determined based on a configuration file for the new application software container. Any anomalous behavior in the execution of the application software container is identified as an unauthorized action. When an unauthorized action is identified, a detection event is generated and mitigation actions may be executed.
The detected vulnerabilities may include unknown vulnerabilities. Unknown vulnerabilities are unauthorized actions performed by a software container at runtime. In an embodiment, detection of vulnerabilities is performed in a quarantined execution environment, thereby protecting the host device from being harmed by any unauthorized and potentially malicious action performed by a software container.
A software container provides an executable environment with a complete filesystem. A software container may include a micro-service, a Docker container, a light virtual machine, and the like. An application software container is a software container that is configured to execute a specific application at runtime.
The devices 310 and 320 may be deployed in a datacenter, a cloud computing platform (e.g., a public cloud, a private cloud, or a hybrid cloud), on-premises of an organization, or in a combination thereof. It should be noted that the devices 310 and 320 can be deployed in different geographic locations.
The host device 310 is configured to host and execute a plurality of application (APP) software containers 311-1 through 311-m, where ‘m’ is an integer equal to or greater than 1 (collectively referred to hereinafter as APP containers 311 or individually as an APP container 311, merely for simplicity purposes). Each APP container 311 is a software container configured to execute a specific application.
According to the disclosed embodiments, the host device 310 is configured to host and execute a detector container 315. The detector container 315 is a software container designed to detect vulnerabilities in any of the APP containers 311. The operation of the detector container 315 for detecting vulnerabilities will be discussed in more detail herein below.
In an embodiment, the detector container 315 is configured to intercept any communication into or out of each APP container 311 during runtime of the APP container 311. To this end, the detector container 315 may act as a proxy to the APP container 311. For example, in a Docker architecture, the detector container 315 may proxy any communication between the client and daemon programs of the APP container 311. The intercepted communications may include, for example, system calls, access to a filesystem, access to a virtual machine hosting the APP container, access to a communication port, inbound and outbound network traffic, and so on. Each intercepted communication is analyzed to detect known and unknown vulnerabilities at runtime.
In an optional deployment, the console device 320 also interfaces with one or more external systems 330 through the network 340. Examples for such external systems 330 may include, but are not limited to, an active directory of an origination to retrieve user permissions, access control systems (e.g., Docker Swarm, and Kubernetes management plane), SIEM systems to report on detected vulnerabilities, audit and compliance systems, and the like.
In an embodiment, the console device 320 is configured to host and execute at least one console container 325. The console container 325 is a software container that interfaces with the detector container 315. Specifically, the console container 325 is configured to receive detection events on detected vulnerabilities from the detector container 315 and to report such events to a SIEM system or to a system administrator. In an embodiment, the events may be displayed on a GUI rendered by the console container 325 or on a GUI connected to the console device 320.
The network 340 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), a metro area network (MAN), and the like. It should be noted that the connection between the host device 310 and the console device 320 can be facilitated over a network, such as the network 340.
Detection of unknown vulnerabilities is performed on each APP container 311 when the APP container 311 is executed. To this end, the detector container 315 is configured to monitor system calls indicative of instantiation, running, or both, of a new APP container (e.g., the container 311-2). Based on the monitoring, anomalous behavior may be identified. The anomalous behavior may include, for example performing unauthorized actions.
In an embodiment, the monitoring includes comparing actions performed by the APP container 311 during execution with intended behaviors of the respective APP container 311. To this end, the monitoring may include intercepting any communications into or out of the APP container 311. The intended behaviors for an APP container 311 may be determined based on a configuration file of the APP container 311. When an action performed during execution of the APP container 311 deviates from one or more of the intended behaviors for the APP container 311, an anomaly has occurred and an unauthorized action is identified.
In an embodiment, the deviations from intended behaviors may include unauthorized actions as defined in a predetermined list of unauthorized actions for the application executed by the APP container 311. The list may be dynamically updated. Such unauthorized actions may include, but are not limited to, accessing a virtual machine, system calling an OS kernel, reading or writing from the filesystem, accessing another software container (e.g., another one of the APP containers 311), opening a connection port, running a process, accessing an external network address (e.g., a URL or IP address), and so on. As a non-limiting example, an attempt to access the usr/bin library by the APP container 311 may be determined as an unauthorized action. As another embodiment, accessing a URL associated with an unreportable website may be determined as an unauthorized action. As yet another example, opening a port designated as port 22 would be determined as an unauthorized action.
Upon detection of an unauthorized action indicating a vulnerability in an APP container 311, the detector container 315 is configured to generate and report a detection event to the console device 320. Such an event may include a container identifier of the APP container 311, a type of the detected vulnerability, an abnormal behavior, a combination thereof, and so on. In an embodiment, one or more mitigation actions can be executed when a detection event has been generated. Such a mitigation action may include, for example, halting the operation of the APP container, quarantining the APP container or the infected file, and so on. As mentioned above, the console device 320, via the console container 325, may cause the display of the detection event, of a report, or both, to an external system 335 such as a SEIM device.
In an embodiment, the monitoring may also include quarantining an APP container 311 by migrating the APP container 311 into a quarantined execution environment. The execution of the APP container 311 in the quarantined execution environment is monitored to detect any unauthorized actions performed by the APP container 311. Migration of APP containers during quarantined execution is described further with respect to
The quarantined execution environment 410 includes a virtual machine 411 and a dummy container 412 both executed over an OS kernel 413. The dummy container 412 is a software container designed to mitigate any attempt to infect other containers executed in the same environment with a malicious code generated by an APP container 420 (e.g., one of the APP containers 311,
Upon detection of a new instance of the APP container 420 in the safe execution environment 400, the detector container 315 may be configured to migrate the APP container 420 to the quarantined execution environment 410. Alternatively, the APP container 420 may be monitored when in the safe environment 400 and migrated to the quarantined environment 410 when an unauthorized action is performed in the safe environment 400. In an embodiment, the migration includes exporting the APP container 420 together with all of its contents and metadata to the quarantined execution environment 410. The state of the APP container 420, including networking and storage states, are preserved during the migration.
In the quarantined execution environment 410, the detector container 315-A is configured to monitor the execution of the APP container 420. This includes intercepting any communications into and out of the APP container 420 and determining, based on the intercepted communications, if any unauthorized action is attempted to be performed by the APP container 420.
As noted above, the unauthorized actions may be included in a predefined list. With respect to the APP container 420 executing in the quarantined environment 410, the unauthorized actions may include, but are not limited to, accessing the VM 411, system calling the OS kernel 413, accessing the dummy container 412, reading or writing from the filesystem (not shown), opening a connection port (not shown), running a process, accessing an external network address (e.g., a URL or IP address), and so on.
Upon detection of an unauthorized action by the APP container 420, the detector container 315-A is configured to generate a detection event. In addition, one or more mitigation actions can be performed. Such mitigation actions may include, but are not limited to, terminating the execution of the APP container 420, terminating a specific malicious process executed by the APP container 420 that causes the vulnerability, blocking communications between the APP container 420 and resources external to the APP container 420, sending an alert indicating the detection event (e.g., to the console device 320,
If should be appreciated that detecting unknown vulnerabilities in the quarantined execution environment 410 allows for stopping the propagation of, for example, malware by a malicious APP container. Such attempts to infect other containers executed in the same environment with a malicious code will be trapped by the dummy container 412. When the APP container 420 has executed securely for sufficient time, it may be safely migrated back to the safe execution environment 400
It should be further noted that the safe execution environment 400 is isolated from the quarantined execution environment 410. Thus, any malicious activity performed by the APP container 420 would not affect the safe execution environment 400. The safe execution environment 400 and the quarantined execution environment 410 may be created on the same host device or on different host devices.
In an embodiment, if no vulnerability is detected after execution of the APP container 420 in the quarantined execution environment 410 has occurred for a predetermined period of time, the APP container 420 is migrated back to the safe execution environment 400 for execution therein. When the APP container 420 is migrated back to the safe execution environment 400, the quarantined execution environment 410 is deleted. This process is controlled and orchestrated by the detector container 315-A.
Returning to
It should be appreciated that each device 310 and 320 requires an underlying hardware layer to execute the OS, VMs, and software containers. An example block diagram of a hardware layer 500 is shown in
The processing circuitry 510 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include Field Programmable Gate Arrays (FPGAs), Application-specific Integrated Circuits (ASICs), System-on-a-chip systems (SOCs), Complex Programmable Logic Devices (CPLDs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information. The memory 515 may be volatile, non-volatile, or a combination thereof. The storage may be magnetic storage, optical storage, and the like.
In one configuration, computer readable instructions to implement one or more embodiments disclosed herein may be stored in the storage 520. The storage 520 may also store other computer readable instructions to implement an operating system, an application program, and the like. Computer readable instructions may be loaded in the memory for execution by the processing circuitry 510.
In another embodiment, the storage 520, the memory 515, or both, are configured to store software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing circuitry 510 to perform the various functions described herein with respect to at least detection of vulnerabilities.
The network interface 530 allows communication with other external systems or host devices through a network (e.g., the network 340,
At S610, events triggered as a result of changes to the top (application) layer of an APP container (e.g., one of the APP containers 311,
At S620, it is determined if a change to the top layer, to a mounted volume map, or both, of a directory structure within the APP container has been made and, if so, execution continues with S630; otherwise execution returns to S610 to continue monitoring. As an example, such a change may include modifying a file or writing a new file in the top layer. A file may include a file, an object, a data block, and the like.
At S630, the changed (new or modified) file is scanned for known vulnerabilities. Such vulnerabilities may include previously known or newly discovered malware, or any modified version of previously known or newly discovered malware. Malware may include, for example, computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other programs or processes executing malicious code.
In an embodiment, the scanning is performed based on intelligence information received from a console container (e.g., the console container 325). Such information includes definitions of known vulnerabilities such as, but not limited to, signatures of viruses, worms, spyware, or any other type of malware. Thus, in this embodiment, the file is inspected to determine if the file contains, for example, a signature of a known or newly discovered malware. In another embodiment, the scanning of the changed file is also based on one or more heuristics or behavior patterns of malicious programs. This allows for, for example, detection of known malware in any modified versions having different signatures but similar attack behavior.
At S640, it is checked if the changed file is safe, i.e., if no vulnerability was detected. If so, execution continues with S610; otherwise, execution continues with S650. It should be noted that the evaluation of newly modified or new files can be performed in the same manner described herein as long as the changes are made to the top layer of an APP container.
At S650, when the changed file is not safe, a detection event is generated and sent to the console container. The detection event may designate, for example, a container identified, a name of the infected file, a type of the detected vulnerability, and so on. In an embodiment, one or more mitigation actions can be executed in response to the detection event. The mitigation actions may include, but are not limited to, halting the operation of the app container, quarantining the APP container or the infected file, and the like.
At S710, instantiation of a new APP container (e.g., one of the APP containers 311,
At S720, configuration data of each application of the APP container is accessed and analyzed to determine an intended set of behaviors for the application when deployed to a container. The intended set of behaviors may be, for example, included in settings of the respective configuration files. When these intended behaviors have been determined, the execution of the APP container is monitored. During monitoring, the intended set of behaviors is compared to the actual current state of the APP container to detect any anomalous behavior and, thus, to determine whether the execution is anomalous as compared to the intended behaviors. Any anomalous behavior may be identified as an unauthorized action.
In an embodiment, S720 further includes detecting the applications within an image of the APP container. The configuration files for the applications are found by looking in locations of the APP container based on each respective application. Specifically, an application knowledge database may include predetermined potential locations of configuration files within an APP container for each application. When an application is detected, the APP container is searched in the potential locations of configuration files in order to find the configuration file for the application.
At S730, a second quarantined execution environment (e.g., the quarantined execution environment 410,
At S740, the APP container is migrated to the quarantined execution environment for running therein.
At S750, the operation of the APP container in the quarantined execution environment is monitored to detect any attempts to perform any unauthorized actions. As noted above, an unauthorized action may include, but is not limited to, accessing the VM, system calling the OS kernel, accessing the dummy container, reading to or writing from the filesystem (not shown), opening a connection port (not shown), accessing an external network address (e.g., URL or IP address), running a process, and so on.
At S760, it is checked if an unauthorized action was detected. If so, execution continues with S770; otherwise, execution continues with S790. The check may be made, for example, after a predetermined period of time (e.g., 24 hours) has passed since migration of the APP container to the quarantined execution environment. Alternatively, execution may proceed with S770 in real-time when the unauthorized action is detected.
At S770, when an unauthorized action is detected, a detection event is generated. The detection event may designate a container identifier, a type of the detected vulnerability, a process causing the detected vulnerability, and so on.
At optional S780, one or more mitigation actions is executed. The mitigation actions may include, but are not limited to, terminating the execution of the APPEs container, terminating a process causing the unauthorized action, blocking communications between the APP container and at least one external resource (e.g., blocking the APP container from listening to one or more sockets), and sending an alert indicating the generated detection event (e.g., to the console container 325,
As a non-limiting example, when a container listening on a socket that is not intended to be exposed as indicated by the application configuration file, an unauthorized action is detected and the listening by the container is blocked.
At optional S790, when an unauthorized action is not detected, the container is migrated back to a safe environment. In some implementations, the operation of a software container executed in a safe environment may be monitored. Upon detection of an attempt to perform an authorized action, such a software container may be migrated to the quarantined execution environment for further inspection.
At S810, instantiation of a new APP container (e.g., one of the APP containers 311,
At S820, configuration data of each application of the APP container is accessed and analyzed to determine an intended set of behaviors for the application when deployed to a container. The intended set of behaviors may be, for example, included in settings of the respective configuration files. When these intended behaviors have been determined, the execution of the APP container is monitored. During monitoring, the intended set of behaviors is compared to the actual current state of the APP container to detect any anomalous behavior and, thus, to determine whether the execution is anomalous as compared to the intended behaviors. Any anomalous behavior may be identified as an unauthorized action.
At S830, the operation of the APP container is monitored to detect any attempts to perform any unauthorized actions. As noted above, an unauthorized action may include, but is not limited to, accessing a VM, system calling an OS kernel, accessing another software container, reading to or writing from the filesystem (not shown), opening a connection port (not shown), accessing an external network address (e.g., URL or IP address), running a process, and so on.
At S840, it is checked if an unauthorized action was detected. If so, execution continues with S850; otherwise, execution continues with S830. In some implementations, if no unauthorized action is detected in a predetermined period of time (e.g., 24 hours), monitoring may terminate.
At S850, when an unauthorized action is detected, a detection event is generated. The detection event may designate a container identifier, a type of the detected vulnerability, a process causing the detected vulnerability, an unauthorized action, and so on.
At optional S860, one or more mitigation actions is executed. The mitigation actions may include, but are not limited to, terminating the execution of the APP container, terminating a process causing the unauthorized action, blocking communications between the APP container and at least one external resource (e.g., blocking the APP container from listening to one or more sockets), and sending an alert indicating the generated detection event (e.g., to the console container 325,
It should be emphasized that the detection of the known and unknown vulnerabilities as described with respect to
If such an attempt was not detected, a malicious agent will be downloaded and stored to a storage of the host device. However, such a download will be detected as any changes to the filesystem are monitored and scanned. That is, the agent executable file will be scanned for malicious code. Further, any malicious activity performed by such agent will be monitored at runtime when the container (executing such an agent) is executed in the container quarantined execution environment.
As noted above, unlike virtual machines that function within a larger operating system, containers are limited in size, allowing for the possibility to definitively tie application specific configuration data to the runtime state of a container. To this end, in an embodiment, on a per application basis, reference is made to a knowledge base that discloses where the appropriate configuration files for a given application can be found. The desired attributes declared in these configuration files are compared with the actual state of each container in order to detect anomalies.
As a non-limiting example, an Apache webserver and its configuration files may be packaged into a new image of a new APP container, where the configuration file is set to listen to port 80. The new image is scanned and, based on an accessible knowledge base, it is determined that a specific application of the new APP container should only be listening to port 80 and no other ports. This is determined based on which file the Apache webserver uses for its configuration state. The file used by the Apache webserver is parsed in order to extract information about the specific listener configured therein. When the container is launched and there is a request to map port 8080 at the host layer to port 80 of the container, this linkage (mapping) is detected and the container is thereafter monitored to ensure that no other ports are later exposed.
Throughout the container's lifecycle, both which ports are mapped from the network to the container and which what ports are listening on the container (even if they are unmapped) are monitored. If a new port is detected on the container, even if it is not mapped to the connected network, the socket is deemed anomalous if it was not declared in the application's configuration file, and mitigation actions may be taken.
The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
It should be understood that any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise a set of elements comprises one or more elements.
As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiments and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
This application claims the benefit of U.S. Provisional Application No. 62/505,320 filed on May 12, 2017. This patent application is also a continuation-in-part of U.S. patent application Ser. No. 15/278,700 filed on Sep. 28, 2016, now pending, which claims the benefit of U.S. Provisional Application No. 62/235,644 filed on Oct. 1, 2015, and from U.S. Provisional Application No. 62/235,641 filed on Oct. 1, 2015. The contents of the above-referenced applications are hereby incorporated by reference.
Number | Name | Date | Kind |
---|---|---|---|
6490620 | Ditmer et al. | Dec 2002 | B1 |
6502102 | Haswell et al. | Dec 2002 | B1 |
6523027 | Underwood | Feb 2003 | B1 |
6704873 | Underwood | Mar 2004 | B1 |
6732162 | Wood et al. | May 2004 | B1 |
7100195 | Underwood | Aug 2006 | B1 |
7103740 | Colgrove | Sep 2006 | B1 |
7577848 | Schwartz et al. | Aug 2009 | B2 |
7596227 | Illowsky et al. | Sep 2009 | B2 |
7640235 | Shulman et al. | Dec 2009 | B2 |
7698741 | Marinescu et al. | Apr 2010 | B2 |
7743420 | Shulman et al. | Jun 2010 | B2 |
7752662 | Shulman et al. | Jul 2010 | B2 |
7752669 | Palliyil et al. | Jul 2010 | B2 |
7779468 | Magdych et al. | Aug 2010 | B1 |
7861303 | Kouznetsov et al. | Dec 2010 | B2 |
7882542 | Neystadt | Feb 2011 | B2 |
8024804 | Shulman et al. | Sep 2011 | B2 |
8051484 | Shulman et al. | Nov 2011 | B2 |
8056141 | Shulman et al. | Nov 2011 | B2 |
8108933 | Mahaffey | Jan 2012 | B2 |
8135948 | Shulman et al. | Mar 2012 | B2 |
8181246 | Shulman et al. | May 2012 | B2 |
8302192 | Cnudde et al. | Oct 2012 | B1 |
8316237 | Felsher et al. | Nov 2012 | B1 |
8499150 | Nachenberg | Jul 2013 | B1 |
8510571 | Chang et al. | Aug 2013 | B1 |
8621613 | McClintock et al. | Dec 2013 | B1 |
8639625 | Ginter et al. | Jan 2014 | B1 |
8677472 | Dotan | Mar 2014 | B1 |
8756683 | Manion et al. | Jun 2014 | B2 |
8806625 | Berger | Aug 2014 | B1 |
8966629 | Sallam | Feb 2015 | B2 |
9003141 | Nielsen et al. | Apr 2015 | B2 |
9098333 | Obrecht et al. | Aug 2015 | B1 |
9203862 | Kashyap | Dec 2015 | B1 |
9223966 | Satish | Dec 2015 | B1 |
9256467 | Singh et al. | Feb 2016 | B1 |
9355248 | Wiest | May 2016 | B1 |
9401922 | Walters | Jul 2016 | B1 |
9594590 | Hsu | Mar 2017 | B2 |
9904781 | Martini et al. | Feb 2018 | B2 |
9928379 | Hoffer | Mar 2018 | B1 |
10223534 | Stopel et al. | Mar 2019 | B2 |
10333967 | Litva et al. | Jun 2019 | B2 |
20010007131 | Galasso et al. | Jul 2001 | A1 |
20030014629 | Zuccherato | Jan 2003 | A1 |
20030079145 | Kouznetsov et al. | Apr 2003 | A1 |
20030120593 | Bansal et al. | Jun 2003 | A1 |
20030229801 | Kouznetsov et al. | Dec 2003 | A1 |
20030233566 | Kouznetsov et al. | Dec 2003 | A1 |
20030233574 | Kouznetsov et al. | Dec 2003 | A1 |
20040133793 | Ginter et al. | Jul 2004 | A1 |
20050120054 | Shulman et al. | Jun 2005 | A1 |
20050177715 | Somin et al. | Aug 2005 | A1 |
20060075494 | Bertman | Apr 2006 | A1 |
20060230451 | Kramer et al. | Oct 2006 | A1 |
20060277606 | Yunus et al. | Dec 2006 | A1 |
20060282664 | Zhao | Dec 2006 | A1 |
20060288420 | Mantripragada et al. | Dec 2006 | A1 |
20070112714 | Fairweather | May 2007 | A1 |
20070130621 | Marinescu et al. | Jun 2007 | A1 |
20070136282 | Takashima | Jun 2007 | A1 |
20070174630 | Shannon et al. | Jul 2007 | A1 |
20070240218 | Tuvell et al. | Oct 2007 | A1 |
20070240220 | Tuvell et al. | Oct 2007 | A1 |
20070240221 | Tuvell et al. | Oct 2007 | A1 |
20070240222 | Tuvell et al. | Oct 2007 | A1 |
20080086773 | Tuvell et al. | Apr 2008 | A1 |
20080134177 | Fitzgerald et al. | Jun 2008 | A1 |
20080168135 | Redlich et al. | Jul 2008 | A1 |
20080177994 | Mayer | Jul 2008 | A1 |
20080196104 | Tuvell et al. | Aug 2008 | A1 |
20080256636 | Gassoway | Oct 2008 | A1 |
20090144823 | Lamastra et al. | Jun 2009 | A1 |
20090158432 | Zheng et al. | Jun 2009 | A1 |
20090217260 | Gebhart et al. | Aug 2009 | A1 |
20090319796 | Kim et al. | Dec 2009 | A1 |
20100011029 | Niemela | Jan 2010 | A1 |
20110116637 | Schiefelbein | May 2011 | A1 |
20110179484 | Tuvell et al. | Jul 2011 | A1 |
20110258701 | Cruz | Oct 2011 | A1 |
20110314542 | Viswanathan et al. | Dec 2011 | A1 |
20110314548 | Yoo | Dec 2011 | A1 |
20110321139 | Jayaraman et al. | Dec 2011 | A1 |
20120008529 | Averbuch et al. | Jan 2012 | A1 |
20120023584 | Yoo | Jan 2012 | A1 |
20120036572 | Yoo | Feb 2012 | A1 |
20120042375 | Yoo | Feb 2012 | A1 |
20120117203 | Taylor et al. | May 2012 | A1 |
20120222123 | Williams | Aug 2012 | A1 |
20130073388 | Heath | Mar 2013 | A1 |
20140059226 | Messerli et al. | Feb 2014 | A1 |
20140173761 | Hong et al. | Jun 2014 | A1 |
20140181894 | Bokern et al. | Jun 2014 | A1 |
20140237550 | Anderson et al. | Aug 2014 | A1 |
20140283071 | Spikes | Sep 2014 | A1 |
20140337234 | Tang et al. | Nov 2014 | A1 |
20150156183 | Beyer et al. | Jun 2015 | A1 |
20150178497 | Lukacs et al. | Jun 2015 | A1 |
20150220735 | Paithane | Aug 2015 | A1 |
20150271139 | Lukacs et al. | Sep 2015 | A1 |
20150332043 | Russello | Nov 2015 | A1 |
20150372980 | Eyada | Dec 2015 | A1 |
20150379287 | Mathur et al. | Dec 2015 | A1 |
20160323315 | Hathaway et al. | Nov 2016 | A1 |
20170004302 | Derbeko et al. | Jan 2017 | A1 |
20170063557 | Chalmandrier-Perna | Mar 2017 | A1 |
20170068676 | Jayachandran et al. | Mar 2017 | A1 |
20170177877 | Suarez et al. | Jun 2017 | A1 |
20170244748 | Krause | Aug 2017 | A1 |
Entry |
---|
Linn, et al., “Protecting Against Unexpected System Calls”, Department of Computer Science, University of Arizona, Tucson, AZ, 2005, url: https://www.usenix.org/legacy/events/sec05/tech/linn.html, pp. 239-254. |
Cziva, et al., “Container-based Network Function Virtualization for Software-Defined Networks,” 2015 IEEE Symposium on Computers and Communication (ISCC), pp. 415-420, Scotland. |
Dhakchianandan, et al., “Memory Efficacious Pattern Matching Intrusion Detection System”, 2013 International Conference on Recent Trends in Information Technology (ICRTIT), pp. 652-656, Anna University, Chennai, India. |
Guenane, et al, “Autonomous Architecture for Managing Firewalling Cloud-Based Service,” 2014 International Conference and Workshop on the Network of the Future (NOF), Paris, France, pp. 1-5. |
Rehak, et al., “Adaptive Multiagent System for Network Traffic Monitoring,” IEEE Intelligent Systems, vol. 24, Issue: 3, 2009, Czechia, pp. 17-25. |
Shouman, et al., “Surviving Cyber Warfare With a Hybrid Multiagent-based Intrusion Prevention System,” IEEE Potentials, vol. 29, Issue: 1, 2010, pp. 32-40. |
Song, et al., “A Control Theoretical Approach for Flow Control to Mitigate Bandwidth Attacks,” 2006 IEEE Information Assurance Workshop, West Point, NY, pp. 348-360. |
Van Niekerk, et al., “Cloud-Based Security Mechanisms for Critical Information Infrastructure Protection,” 2013 International Conference on Adaptive Science and Technology, South Africa, pp. 1-4. |
Wang, et al., “Transport-Aware IP Routers: A Built-in Protection Mechanism to Counter DDoS Attacks,” IEEE Transactions on Parallel and Distributed Systems, vol. 14, Issue: 9, pp. 873-884, Sep. 2003. |
Zhauniarovich, et al., “Moses: Supporting and Enforcing Security Profiles on Smartphones,” IEEE Transactions on Dependable and Secure Computing, vol. 11, Issue: 3, pp. 211-223, 2014. |
Kovatsch, et. al., “A RESTful Runtime Container for Scriptable Internet of Things Applications”, 3rd IEEE International Conference on the Internet of Things, Oct. 2012. |
Mattetti, et. al., “Securing the Infrastructure and the Workloads of Linux Containers”, IEEE Conference on Communications and Network Security (CNS), 2015. |
Pan, et. al., Robust Container Code Recognition System, Fifth World Congress on Intelligent Control and Automation, 2004. |
Azkia, et al., “Reconciling IHE-ATNA Profile with a posteriori Contextual Access and Usage Control Policy in Healthcare Environment”, 2010 Sixth International Conference on Information Assurance and Security, 2010 IEEE, pp. 197-203, Cesson, Sevigne, France. |
Skillen, et al., “Mobiflage: Deniable Storage Encryption for Mobile Devices,” IEEE Transaction on Dependable and Secure Computing, vol. 11, No. 3, May-Jun. 2014, 2013 IEEE, pp. 224-237, Canada. |
Cooper, et. al., “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, May 2008, pp. 151. |
Housley, et. al., “Internet X 509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, Apr. 2002, pp. 259. |
Schneier, Bruce., “Economics of Information Security and Privacy III”, 2013, pp. 73-109. |
Balazsi, et al., “Software System for Broadcasting and Monitoring Traffic Information”, 2014 IEEE 12th International Symposium on Intelligent Systems and Informatics (SISY), 2014, pp. 39-42, Subotica, Serbia. |
Jing, et al., “A Context-aware Disaster Response System Using Mobile Software Technologies and Collaborative Filtering Approach”, 2014 IEEE 18th International Conference on Computer Supported Cooperative Work in Design, 2014, pp. 516-522, China. |
Number | Date | Country | |
---|---|---|---|
20180260574 A1 | Sep 2018 | US |
Number | Date | Country | |
---|---|---|---|
62505320 | May 2017 | US | |
62235644 | Oct 2015 | US | |
62235641 | Oct 2015 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 15278700 | Sep 2016 | US |
Child | 15975383 | US |