Patent Grant
12081656
The present disclosure relates generally to cybersecurity threat detection, and specifically to inspection of encrypted disks during threat detection.
Cybersecurity threats are ever present in cloud computing environments, and often leave traces, indicators, and the like, on a disk, storage space, memory, etc., of the workload with which they are associated. For example, a cybersecurity threat can be a misconfiguration, a vulnerability, an exposure, a weak secret, an exposed password, an out of date software application, and the like.
Scanning for cybersecurity threats in a cloud computing environment often includes scanning storage, disks, and the like, for such cybersecurity objects. One method of protecting information includes encrypting storage resources, such as disks, so that even if they are accessed by an unauthorized party, the disk is not readable. However, such encrypted disks also cannot be scanned as a scanner requires an unencrypted volume to access. Encrypted disks present a challenge as decryption keys may not be readily available, and therefore their contents cannot be scanned.
Encryption of disks can be performed at application level, on a cloud platform level, or both. A scanner therefore cannot readily access the information on the disk, or determine what it present on it.
Further complicating matters, certain actions utilized by cloud computing infrastructures, such as Amazon® Web Services (AWS) are restricted, for example to a certain number of operations for a given time frame. Such actions which are utilized in the process of detecting cybersecurity threats pose a severe bottleneck.
It would therefore be advantageous to provide a solution that would overcome the challenges noted above.
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
In one general aspect, method may include detecting an encrypted disk in a cloud computing environment, the encrypted disk encrypted utilizing a first key in a key management system (KMS). Method may also include generating a second key in the KMS, the second key providing access for a principal of an inspection environment. Method may furthermore include generating a snapshot of the encrypted disk. Method may in addition include generating a volume based on the snapshot, where the volume is re-encrypted with the second key. Method may moreover include generating a snapshot of the re-encrypted volume. Method may also include generating an inspectable disk from the snapshot of the re-encrypted volume. Method may furthermore include initiating inspection for a cybersecurity object on the inspectable disk. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
Implementations may include one or more of the following features. Method may include: determining that the encrypted disk is encrypted based on metadata associated with the encrypted disk. Method may include: associating the second key with a principal of an inspection environment. Method may include: inspecting the inspectable disk for any one of: a file, a text, a regular expression (regex), a secret, a key, a certificate, a virtual workload, and any combination thereof. Method may include: generating the second key utilizing any instruction of: kms:CreateGrant, kms:CreatKey, kms:PutKeyPolicy, and any combination thereof. Method may include: generating volume utilizing any instruction of: kms:ReEncryptFrom, kms:ReEncryptTo, and any combination thereof. Method may include: generating a decrypted inspectable disk, based on the second key. In an embodiment, the generated snapshot is encrypted with the first key. Implementations of the described techniques may include hardware, a method or process, or a computer tangible medium.
In one general aspect, non-transitory computer-readable medium may include one or more instructions that, when executed by one or more processors of a device, cause the device to: detect an encrypted disk in a cloud computing environment, the encrypted disk encrypted utilizing a first key in a key management system (KMS). Medium may furthermore generate a second key in the KMS, the second key providing access for a principal of an inspection environment. Medium may in addition generate a snapshot of the encrypted disk. Medium may moreover generate a volume based on the snapshot, where the volume is re-encrypted with the second key. Medium may also generate a snapshot of the re-encrypted volume. Medium may furthermore generate an inspectable disk from the snapshot of the re-encrypted volume. Medium may in addition initiate inspection for a cybersecurity object on the inspectable disk. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
In one general aspect, system may include a processing circuitry. System may also include a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: detect an encrypted disk in a cloud computing environment, the encrypted disk encrypted utilizing a first key in a key management system (KMS). System may in addition generate a second key in the KMS, the second key providing access for a principal of an inspection environment. System may moreover generate a snapshot of the encrypted disk. System may also generate a volume based on the snapshot, where the volume is re-encrypted with the second key. System may furthermore generate a snapshot of the re-encrypted volume. System may in addition generate an inspectable disk from the snapshot of the re-encrypted volume. System may moreover initiate inspection for a cybersecurity object on the inspectable disk. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
Implementations may include one or more of the following features. System where the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the encrypted disk is encrypted based on metadata associated with the encrypted disk. System where the memory contains further instructions which when executed by the processing circuitry further configure the system to: associate the second key with a principal of an inspection environment. System where the memory contains further instructions which when executed by the processing circuitry further configure the system to: inspect the inspectable disk for any one of: a file, a text, a regular expression (regex), a secret, a key, a certificate, a virtual workload, and any combination thereof. System where the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate the second key utilizing any instruction of: kms:CreateGrant, kms:CreatKey, kms:PutKeyPolicy, and any combination thereof. System where the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate the volume utilizing any instruction of: kms:ReEncryptFrom, kms:ReEncryptTo, and any combination thereof. System where the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate a decrypted inspectable disk, based on the second key. System where the generated snapshot is encrypted with the first key. Implementations of the described techniques may include hardware, a method or process, or a computer tangible medium.
The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
The various disclosed embodiments include a method and system for reducing use of snapshot copy operations in cybersecurity inspection, is disclosed. In some embodiments, operations such as CopySnapshot in an Amazon® Web Services (AWS) environment are limited, restricted, and the like, for example, to a certain number of operations in a given time frame, to a given number of concurrent operations of a first type, a combination thereof, and the like. It is therefore advantageous to provide an alternate method to reduce use of limited operations, as these are a bottleneck for inspecting workloads in a computing environment.
In an embodiment, a virtual resource is a cloud entity which provides a service, access to a service, provisioning of hardware, and the like, such as a virtual machine, a software container, a serverless function, and the like. In certain embodiments, a principal is a cloud entity which is authorized to act on a resource. For example, according to an embodiment, a principal is a user account, a service account, a role, a combination thereof, and the like.
In some embodiments, the virtual workload 110 is connected a storage disk, a plurality of storage disks, and the like, such as storage disks 112-1 through 112-N, where ‘N’ is an integer having a value of ‘2’ or greater. In some embodiments, the storage disk is provisioned as a virtual disk, as a block address on a block storage, and the like. For example, a block storage is a Simple Storage Service (S3®), according to an embodiment.
In an embodiment, a user account 120 includes unique identifiers, such as email address, username, password, combinations thereof, and the like. A user account is managed by an identity and access management (IAM) service in a cloud environment, according to an embodiment. The IAM service further controls (i.e., defines authorizations, policies, rules, and the like, for) user groups, user roles, permissions, service accounts, and the like, in some embodiments.
In some embodiments an inspector account 130 is deployed in the production environment 102, and is implemented, for example as a user account, a service account, and the like. The inspector account is authorized to communicate with various components of the cloud environment 102 and further communicate with an inspecting cloud environment 104, according to some embodiments.
In certain embodiments, the inspector account 130 is configured to communicate with a key management service (KMS) 140. The KMS 140 is implemented as a virtual workload, a plurality of virtual workloads, and the like, in the production cloud environment 102, according to an embodiment. In some embodiments the KMS 140 is deployed on the cloud computing infrastructure on which the production environment 102 is deployed.
A KMS 140 is configured to store therein keys which are used to access encrypted resources in the production cloud environment 102, such as encrypted disks, encrypted files, and the like, according to an embodiment. The KMS 140 further includes a security policy engine 142, which is configured to associate a security policy with at least a portion of the keys stored in the KMS 140, according to an embodiment. In certain embodiments, a security policy indicates what user accounts are authorized to use a key managed by the KMS 140.
In an embodiment, the inspecting cloud environment 104 is configured to receive information from the production cloud environment 102 and is further configured to detect cybersecurity risks in the production cloud environment 102. In some embodiments, the inspecting cloud environment 104 includes a plurality of inspectors, such as inspector 150, which are each configured to detect a cybersecurity object. A cybersecurity object is, according to an embodiment, a secret, an application, a key, a certificate, a malware, a password, a combination thereof, and the like.
In certain embodiments, the inspector 150 is implemented as a virtual workload, such as a serverless function, deployed in the inspecting cloud environment 104. An inspector 150 is configured to receive information originating from the cloud production environment 102, in some embodiments, and is further configured to inspect the information to discover predefined data objects (i.e., cybersecurity objects) therein.
In an embodiment, the inspecting cloud environment 104 further includes a software container cluster, such as software container cluster 160. The software container cluster 160 is implemented for example utilizing a Kubernetes® (stylized as K8s) application, according to an embodiment. In certain embodiments, each cluster 160 includes a plurality of nodes.
For example, in an embodiment, an inspectable disk is generated based on the disk 112-1 in order to inspect the contents of the disk 112-1. In an embodiment, the inspectable disk is generated based on a snapshot, a clone, a copy, a combination thereof, and the like, of the disk 112-1. In certain embodiments, access to the inspectable disk is provided to the inspector 150 via the inspector account 130. For example, the inspector 150 is configured, in an embodiment, to utilize a service account (e.g., the inspector account 130) to access the inspectable disk and perform operations thereon, such as a read operation to access the contents of the inspectable disk.
In an embodiment, the software container cluster 160 is configured to provision a storage resource attached to a container, for example as a volume which is generated based on the inspectable disk. In certain embodiments, an inspector 150 is configured to access to the volume, and inspect the volume for a cybersecurity object. In an embodiment a plurality of inspectors are configured to each access the volume generated from the inspectable disk. Inspecting the inspectable disk in place of the disk 112-1 in the production environment allows the production environment to continue its operation with minimal interference, while inspecting the contents of the disk 112-1 without disrupting operation in the production environment.
It is beneficial for the inspecting cloud environment to be able to inspect such encrypted disks. In an embodiment, encryption of the disk is provided at the cloud level, application level, a combination thereof, and the like.
While some embodiments illustrate user of cloud managed encryption in AWS, and application level encryption in Azure, it should be readily apparent that the teachings herein can be applied to other cloud infrastructures with appropriate adjustments.
At S210, an encrypted disk is selected for inspection. In an embodiment, the encrypted disk is associated with a virtual workload, for example by provisioning a storage resource to the virtual workload. In an embodiment, a virtual workload is, for example, a virtual machine, a serverless function, a software container, and the like. In an embodiment, an inspection account (i.e., a service account) is utilized in determining that a disk is encrypted in a production cloud environment.
For example, in an embodiment a service account is authorized to access a disk, access metadata of a storage disk, access a storage provisioning system, and the like, to determine if a disk is an encrypted disk. In an embodiment, an encrypted disk includes metadata which indicates that the disk is an encrypted disk.
At S220, a check is performed to determine a level of encryption. In an embodiment, a disk is encrypted at application level, encrypted at cloud level, a combination thereof, and the like. In an embodiment, cloud level encryption (also referred to as cloud managed encryption) includes utilizing a key of a Key Management System (KMS) to encrypt a disk. In an embodiment, if the disk is encrypted at the application level execution continues at S230.
In some embodiments, if the disk is encrypted using cloud managed encryption execution continues at S240. In an embodiment, a disk may be encrypted utilizing one or more methods of cloud managed encryption and application level encryption. The methods for accessing such disks may be used consecutively, until a fully decrypted disk is accessible.
At S230, a check is performed to determine a key type. In an embodiment, a key type is a default key, a custom key, and the like. For example, a KMS in AWS supports two types of keys. The first type is an Elastic Block Store (EBS) default key, and the second type is a custom key. A policy associated with the default key cannot be changed, while for a custom key the policy can be configured, and reconfigured. If the key is a custom key execution continues at S260, according to an embodiment. In an embodiment, if the key is a default key, execution continues at S270.
At S240, a key is fetched from the key vault. For example, in an embodiment, Azure Key Vault is utilized as a KMS, implemented in Azure® cloud environments. At an application level encryption, a disk may be encrypted using Bitlocker (for Windows® operating systems), Cryptoluks (for Linux operating systems), and like, in some embodiments. An inspector account is authorized to fetch keys from a key vault, according to an embodiment. In certain embodiments, a key is a KEK (key encryption key), meaning that the key is encrypted using another asymmetric encryption, and this needs to be decrypted as well.
At S250, the disk is decrypted. In an embodiment the disk is decrypted using the key fetched from the key vault. In some embodiments, an inspectable disk is generated from the decrypted disk, and access thereto is provided to an inspecting cloud environment, where the inspectable disk is inspected for cybersecurity objects. In an embodiment, a disk is encrypted at application level utilizing based on the operating system, for example Microsoft® Windows, or Linux.
Linux disks utilize Cryptoluks, which, in an embodiment, contains two partitions, a first partition which is encrypted and a second partition which is plaintext. The plaintext partition is mounted in the inspecting cloud environment, according to an embodiment. In some embodiments, the plaintext partition includes a file named ‘osluksheader’ which appears in the ‘luks’ directory. In an embodiment, an inspector is configured to execute a decrypt command, for example:
Windows operating system utilizes the Bitlocker application, according to an embodiment. Decrypting a Bitlocker encrypted disk includes, in an embodiment, setting the decoded base64 key from the keyvaults on the disk <secret-file.dat>. Decryption includes, according to an embodiment, executing the following command:
At S260, the disk is decrypted using the custom key. In some embodiments, decryption utilizing a custom key is described in more detail with respect to
At S270, the disk is decrypted using the default key. Decryption utilizing a default key is described in more detail with respect to
At S310, a key policy is attached to a custom key. The custom key is used for decrypting an encrypted disk in a cloud computing environment. In an embodiment, AWS KMS is used in an AWS cloud environment. A kms:PutKeyPolicy instruction is set to provide cross-account permissions, allowing an inspector account access to the required decryption keys, according to an embodiment.
In certain embodiments, the KMS is configured to provide certain instructions (such as DecribeKey, CreateGrant, GenerateDataKey, ReEncrypt, Decrypt, etc.) only to keys in the KMS which have a tag corresponding to permissions granted to the inspector account.
At S320, the encrypted disk is decrypted. In an embodiment, the decrypted disk is utilized in generating an inspectable disk. In some embodiments, the encrypted disk is decrypted by executing an instruction initiated by an inspector account utilizing the decryption key accessed from the KMS, access to which was previously provided to the inspector account.
At S330, an inspectable disk is generated based on the decrypted disk. In certain embodiments, generating an inspectable disk includes generating a clone, a copy, a snapshot, and the like, based on the decrypted disk. In an embodiment the instruction for generating the inspectable disk is initiated by the inspector account.
At S340, access to the inspectable disk is provided to an inspector. In an embodiment, providing access to an inspector includes providing access to the inspectable disk to a service account (e.g., inspector account) which is configured to be assumed by an inspector workload.
In an embodiment, providing access includes sending a copy, a pointer of a clone, a snapshot, and the like, from the inspector account to the inspecting environment over a secure communication channel, such as a secure shell (SSH) communication.
At S350, a volume is generated from the inspectable disk. In an embodiment, a software container cluster is configured to provision a storage, into which a volume is generated based on the inspectable disk.
At S360, an instruction is generated to inspect the volume. In an embodiment, the volume is inspected for cybersecurity objects. In some embodiments, inspection includes searching the volume for files, text, regular expressions (regex), secrets, keys, application identifiers, malware signatures, virtual workloads, misconfigurations, combinations thereof, and the like.
At S410, a key is generated for an inspector account. In an embodiment, the key is generated to allow cross account access, with permissions for the inspector account. For example, an encrypted disk is selected, and a key is generated for the inspector account, to allow the inspector account to access the encrypted disk, according to an embodiment. In some embodiments, the inspector account is a service account which is configured to be assumed by an inspector workload.
At S420, a snapshot is generated of the encrypted disk. In an embodiment, generating the snapshot is performed based on executing an instruction initiated by an inspector account. In certain embodiments, the snapshot is a block-based copy of the encrypted disk at a particular point in time.
At S430, the snapshot is copied with a reencrypt command. Copying a snapshot includes, in an embodiment, executing a CopySnapshot instruction with a ReEncrypt instruction, where reencryption is performed with the generated key. In an embodiment, the instructions are provided by the inspector account, which has kms:CreateGrant and kms:ReEncryptFrom permissions from the KMS.
At S440, access is provided to the copied snapshot. In an embodiment, access is provided to an inspecting cloud environment, such as the inspecting cloud environment 104 of
At S450, a volume is generated from the copied snapshot. In an embodiment, a software container cluster is configured to provision a storage space, into which a volume is generated based on the copied snapshot of the decrypted disk.
At S460, the generated volume is inspected for a cybersecurity object. In an embodiment, inspection includes searching the volume for a file, a text, a regular expression (regex), a secret, a key, a certificate, a virtual workload, a combination thereof, and the like.
At S510, a key is generated for an inspector account. In an embodiment, the key is generated to allow cross account access, with permissions for the inspector account. For example, an encrypted disk is selected, and a key is generated for the inspector account, to allow the inspector account to access the encrypted disk, according to an embodiment. In some embodiments, the inspector account is a service account which is configured to be assumed by an inspector workload.
At S520, a snapshot is generated of an encrypted disk. In an embodiment, the snapshot is stored in a cloud computing environment which is not an inspection environment. In certain embodiments, an instruction which when executed configures a cloud computing environment to generate a snapshot of an encrypted disk, is initiated by an inspector, and inspection controller, and the like.
In an embodiment, the snapshot is encrypted with a key, such as an asymmetric cryptographic encryption key. In some embodiments, the snapshot is encrypted with the same key as the encrypted disk, which the inspection environment does not have access to. In an embodiment, a key which the inspection environment does not have access to is a key which is inaccessible to an inspector, an inspector controller, a principal, a resource, and the like, of an inspection environment.
At S530, a volume is generated with a second key. According to an embodiment, the volume is generated by initiating an instruction in a cloud computing environment which generate a volume which is re-encrypted using the generated key. In certain embodiments, the volume is generated based on the encrypted snapshot.
In some embodiments, the volume is generated utilizing kms:CreateGrant in order to generate a key with a policy which allows access to a KMS key for an inspector (or other principal of the inspection environment), and kms:ReEncryptFrom, which allows to change the first key from the KMS which the inspection environment does not have access to, to the generated key which the inspection environment does have access to (i.e., via execution of the kms:CreateGrant command).
At S540, a snapshot is generated from the re-encrypted volume. In an embodiment, the snapshot is stored in a cloud computing environment which is not an inspection environment. In certain embodiments, an instruction which when executed configures a cloud computing environment to generate a snapshot of the re-encrypted volume, is initiated by an inspector, and inspection controller, and the like.
In an embodiment, the snapshot is encrypted with a key, such as an asymmetric cryptographic encryption key. In some embodiments, the snapshot is encrypted with the same key as the re-encrypted volume, which the inspection environment has access to.
At S550, an inspectable disk is initiated from the snapshot. In an embodiment, initiating an inspectable disk includes generating a snapshot from the re-encrypted volume, and generating an inspectable disk (e.g., a decrypted disk) based on the generated snapshot.
At S560, inspection of the inspectable disk is initiated. In an embodiment, a generated volume (e.g., an inspectable disk) is inspected for a cybersecurity object. In an embodiment, inspection includes searching the inspectable disk for a file, a text, a regular expression (regex), a secret, a key, a certificate, a virtual workload, a malware, a misconfiguration, an exposure, a vulnerability, a combination thereof, and the like.
The processing circuitry 610 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), Application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), graphics processing units (GPUs), tensor processing units (TPUs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.
The memory 620 may be volatile (e.g., random access memory, etc.), non-volatile (e.g., read only memory, flash memory, etc.), or a combination thereof. In an embodiment, the memory 620 is an on-chip memory, an off-chip memory, a combination thereof, and the like. In certain embodiments, the memory 620 is a scratch-pad memory for the processing circuitry 610.
In one configuration, software for implementing one or more embodiments disclosed herein may be stored in the storage 630, in the memory 620, in a combination thereof, and the like. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the processing circuitry 610, cause the processing circuitry 610 to perform the various processes described herein.
The storage 630 is a magnetic storage, an optical storage, a solid-state storage, a combination thereof, and the like, and is realized, according to an embodiment, as a flash memory, as a hard-disk drive, or other memory technology, or any other medium which can be used to store the desired information.
The network interface 640 is configured to provide the inspector 150 with communication with, for example, the inspector account 130, the container cluster 160, and the like.
It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in
Furthermore, in certain embodiments the virtual workload 110, the database 170, and the like, may be implemented with the architecture illustrated in
The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
It should be understood that any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.
As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.
This application is a continuation-in-part of U.S. patent application Ser. No. 18/146,074 filed on Dec. 23, 2022, and a continuation-in-part of U.S. patent application Ser. No. 18/146,076 filed on Dec. 23, 2022, both of which claim the benefit of U.S. Provisional Patent Application No. 63/266,031 filed on Dec. 27, 2021. All contents of the preceding applications are hereby incorporated by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6910132 | Bhattacharya | Jun 2005 | B1 |
| 7627652 | Commons et al. | Dec 2009 | B1 |
| 7784101 | Verbowski et al. | Aug 2010 | B2 |
| 8200965 | Fujibayashi et al. | Jun 2012 | B2 |
| 8413239 | Sutton | Apr 2013 | B2 |
| 8499354 | Satish et al. | Jul 2013 | B1 |
| 8595822 | Schrecker et al. | Nov 2013 | B2 |
| 8701200 | Naldurg et al. | Apr 2014 | B2 |
| 8789049 | Hutchins et al. | Jul 2014 | B2 |
| 8898481 | Osburn, III et al. | Nov 2014 | B1 |
| 8914406 | Haugsnes | Dec 2014 | B1 |
| 9009836 | Yarykin et al. | Apr 2015 | B1 |
| 9119017 | Sinha | Aug 2015 | B2 |
| 9165142 | Sanders et al. | Oct 2015 | B1 |
| 9172621 | Dippenaar | Oct 2015 | B1 |
| 9330273 | Khetawat et al. | May 2016 | B2 |
| 9369433 | Paul | Jun 2016 | B1 |
| 9419996 | Porat | Aug 2016 | B2 |
| 9438634 | Ross et al. | Sep 2016 | B1 |
| 9467473 | Jayaraman | Oct 2016 | B2 |
| 9544327 | Sharma et al. | Jan 2017 | B1 |
| 9563385 | Kowalski et al. | Feb 2017 | B1 |
| 9569328 | Pavlov et al. | Feb 2017 | B2 |
| 9582662 | Messick et al. | Feb 2017 | B1 |
| 9607104 | Turner et al. | Mar 2017 | B1 |
| 9646172 | Hahn | May 2017 | B1 |
| 9661009 | Karandikar et al. | May 2017 | B1 |
| 9672355 | Titonis et al. | Jun 2017 | B2 |
| 9712503 | Ahmed | Jul 2017 | B1 |
| 9892261 | Joram et al. | Feb 2018 | B2 |
| 10002247 | Suarez et al. | Jun 2018 | B2 |
| 10032032 | Suarez et al. | Jul 2018 | B2 |
| 10063445 | Preece | Aug 2018 | B1 |
| 10135826 | Reddy | Nov 2018 | B2 |
| 10229125 | Goodman et al. | Mar 2019 | B2 |
| 10255370 | Carpenter et al. | Apr 2019 | B2 |
| 10360025 | Foskett et al. | Jul 2019 | B2 |
| 10412103 | Haugsnes | Sep 2019 | B2 |
| 10412109 | Loureiro et al. | Sep 2019 | B2 |
| 10503904 | Singh et al. | Dec 2019 | B1 |
| 10540499 | Wailly et al. | Jan 2020 | B2 |
| 10554507 | Siddiqui et al. | Feb 2020 | B1 |
| 10567468 | Perlmutter | Feb 2020 | B2 |
| 10572226 | Biskup et al. | Feb 2020 | B2 |
| 10574675 | Peppe et al. | Feb 2020 | B2 |
| 10623386 | Bernat | Apr 2020 | B1 |
| 10630642 | Clark et al. | Apr 2020 | B2 |
| 10664619 | Marelas | May 2020 | B1 |
| 10691636 | Tabaaloute et al. | Jun 2020 | B2 |
| 10725775 | Suarez et al. | Jul 2020 | B2 |
| 10735442 | Swackhamer | Aug 2020 | B1 |
| 10791138 | Siddiqui et al. | Sep 2020 | B1 |
| 10803188 | Rajput et al. | Oct 2020 | B1 |
| 10831898 | Wagner | Nov 2020 | B1 |
| 10915626 | Tang | Feb 2021 | B2 |
| 10924503 | Pereira et al. | Feb 2021 | B1 |
| 10972484 | Swackhamer | Apr 2021 | B1 |
| 10997293 | Wiest et al. | May 2021 | B2 |
| 11005860 | Glyer et al. | May 2021 | B1 |
| 11044118 | Reed | Jun 2021 | B1 |
| 11099976 | Khakare et al. | Aug 2021 | B2 |
| 11165652 | Byrne | Nov 2021 | B1 |
| 11216563 | Veselov et al. | Jan 2022 | B1 |
| 11245730 | Bailey | Feb 2022 | B2 |
| 11271961 | Berger | Mar 2022 | B1 |
| 11334670 | Franco et al. | May 2022 | B2 |
| 11366897 | Ramanathan | Jun 2022 | B1 |
| 11388183 | Hoopes et al. | Jul 2022 | B2 |
| 11444974 | Shakhzadyan | Sep 2022 | B1 |
| 11483317 | Bolignano et al. | Oct 2022 | B1 |
| 11496498 | Wright et al. | Nov 2022 | B2 |
| 11496519 | Gupta | Nov 2022 | B1 |
| 11503063 | Rao | Nov 2022 | B2 |
| 11507672 | Pagnozzi et al. | Nov 2022 | B1 |
| 11516222 | Srinivasan et al. | Nov 2022 | B1 |
| 11520907 | Borowiec | Dec 2022 | B1 |
| 11546360 | Woodford et al. | Jan 2023 | B2 |
| 11556659 | Kumar | Jan 2023 | B1 |
| 11558401 | Vashisht et al. | Jan 2023 | B1 |
| 11558423 | Gordon et al. | Jan 2023 | B2 |
| 11567751 | Cosentino et al. | Jan 2023 | B2 |
| 11570090 | Shen et al. | Jan 2023 | B2 |
| 11614956 | Tsirkin | Mar 2023 | B2 |
| 11645390 | Vijayvargiya et al. | May 2023 | B2 |
| 11662928 | Kumar | May 2023 | B1 |
| 11669386 | Abrol | Jun 2023 | B1 |
| 11750566 | Montilla Lugo | Sep 2023 | B1 |
| 11757844 | Xiao | Sep 2023 | B2 |
| 11770398 | Erlingsson | Sep 2023 | B1 |
| 11792284 | Nanduri | Oct 2023 | B1 |
| 11799874 | Lichtenstein et al. | Oct 2023 | B1 |
| 11803766 | Srinivasan | Oct 2023 | B1 |
| 11841945 | Fogel | Dec 2023 | B1 |
| 11914707 | Ramanathan | Feb 2024 | B1 |
| 11922220 | Haghighat et al. | Mar 2024 | B2 |
| 11936785 | Shemesh et al. | Mar 2024 | B1 |
| 20050283645 | Turner et al. | Dec 2005 | A1 |
| 20070174915 | Gribble et al. | Jul 2007 | A1 |
| 20080075283 | Takahashi | Mar 2008 | A1 |
| 20080221833 | Brown et al. | Sep 2008 | A1 |
| 20080320594 | Jiang | Dec 2008 | A1 |
| 20100281275 | Lee et al. | Nov 2010 | A1 |
| 20120110651 | Van Biljon et al. | May 2012 | A1 |
| 20130124669 | Anderson et al. | May 2013 | A1 |
| 20130160119 | Sartin | Jun 2013 | A1 |
| 20130160129 | Sartin | Jun 2013 | A1 |
| 20140096134 | Barak | Apr 2014 | A1 |
| 20140237537 | Manmohan | Aug 2014 | A1 |
| 20140317677 | Vaidya | Oct 2014 | A1 |
| 20140337613 | Martini | Nov 2014 | A1 |
| 20150033305 | Shear | Jan 2015 | A1 |
| 20150055647 | Roberts | Feb 2015 | A1 |
| 20150163192 | Jain | Jun 2015 | A1 |
| 20150172321 | Kirti et al. | Jun 2015 | A1 |
| 20150254364 | Piduri et al. | Sep 2015 | A1 |
| 20150304302 | Zhang et al. | Oct 2015 | A1 |
| 20160063466 | Sheridan et al. | Mar 2016 | A1 |
| 20160105454 | Li | Apr 2016 | A1 |
| 20160140352 | Nickolov | May 2016 | A1 |
| 20160156664 | Nagaratnam | Jun 2016 | A1 |
| 20160224600 | Munk | Aug 2016 | A1 |
| 20160366185 | Lee et al. | Dec 2016 | A1 |
| 20170026416 | Carpenter et al. | Jan 2017 | A1 |
| 20170034198 | Powers et al. | Feb 2017 | A1 |
| 20170070506 | Reddy | Mar 2017 | A1 |
| 20170104755 | Arregoces | Apr 2017 | A1 |
| 20170185784 | Madou | Jun 2017 | A1 |
| 20170187743 | Madou | Jun 2017 | A1 |
| 20170223024 | Desai | Aug 2017 | A1 |
| 20170237560 | Mueller et al. | Aug 2017 | A1 |
| 20170257347 | Yan | Sep 2017 | A1 |
| 20180004950 | Gupta et al. | Jan 2018 | A1 |
| 20180007087 | Grady et al. | Jan 2018 | A1 |
| 20180026995 | Dufour et al. | Jan 2018 | A1 |
| 20180027009 | Santos | Jan 2018 | A1 |
| 20180063290 | Yang et al. | Mar 2018 | A1 |
| 20180159882 | Brill | Jun 2018 | A1 |
| 20180181310 | Feinberg et al. | Jun 2018 | A1 |
| 20180234459 | Kung | Aug 2018 | A1 |
| 20180239902 | Godard | Aug 2018 | A1 |
| 20180270268 | Gorodissky et al. | Sep 2018 | A1 |
| 20180276084 | Mitkar et al. | Sep 2018 | A1 |
| 20180278639 | Bernstein et al. | Sep 2018 | A1 |
| 20180288129 | Joshi et al. | Oct 2018 | A1 |
| 20180309747 | Sweet et al. | Oct 2018 | A1 |
| 20180321993 | McClory | Nov 2018 | A1 |
| 20180359058 | Kurian | Dec 2018 | A1 |
| 20180359059 | Kurian | Dec 2018 | A1 |
| 20190058722 | Levin et al. | Feb 2019 | A1 |
| 20190068617 | Coleman | Feb 2019 | A1 |
| 20190068627 | Thampy | Feb 2019 | A1 |
| 20190104140 | Gordeychik et al. | Apr 2019 | A1 |
| 20190116111 | Izard et al. | Apr 2019 | A1 |
| 20190121986 | Stopel et al. | Apr 2019 | A1 |
| 20190132350 | Smith et al. | May 2019 | A1 |
| 20190149604 | Jahr | May 2019 | A1 |
| 20190171811 | Daniel et al. | Jun 2019 | A1 |
| 20190191417 | Baldemair et al. | Jun 2019 | A1 |
| 20190207966 | Vashisht et al. | Jul 2019 | A1 |
| 20190220575 | Boudreau et al. | Jul 2019 | A1 |
| 20190245883 | Gorodissky et al. | Aug 2019 | A1 |
| 20190260764 | Humphrey et al. | Aug 2019 | A1 |
| 20200028862 | Lin | Jan 2020 | A1 |
| 20200050440 | Chuppala et al. | Feb 2020 | A1 |
| 20200082094 | McAllister et al. | Mar 2020 | A1 |
| 20200125352 | Kannan | Apr 2020 | A1 |
| 20200244678 | Shua | Jul 2020 | A1 |
| 20200259852 | Wolff et al. | Aug 2020 | A1 |
| 20200287927 | Zadeh et al. | Sep 2020 | A1 |
| 20200320845 | Livny et al. | Oct 2020 | A1 |
| 20200336489 | Wuest et al. | Oct 2020 | A1 |
| 20200387357 | Mathon et al. | Dec 2020 | A1 |
| 20200389469 | Litichever et al. | Dec 2020 | A1 |
| 20210026932 | Boudreau et al. | Jan 2021 | A1 |
| 20210089662 | Muniswamy-Reddy | Mar 2021 | A1 |
| 20210105304 | Kraning et al. | Apr 2021 | A1 |
| 20210149788 | Downie | May 2021 | A1 |
| 20210158835 | Hill et al. | May 2021 | A1 |
| 20210176123 | Plamondon | Jun 2021 | A1 |
| 20210200881 | Joshi et al. | Jul 2021 | A1 |
| 20210203684 | Maor et al. | Jul 2021 | A1 |
| 20210211453 | Cooney | Jul 2021 | A1 |
| 20210216630 | Karr | Jul 2021 | A1 |
| 20210226812 | Park | Jul 2021 | A1 |
| 20210234889 | Burle et al. | Jul 2021 | A1 |
| 20210263802 | Gottemukkula et al. | Aug 2021 | A1 |
| 20210314342 | Oberg | Oct 2021 | A1 |
| 20210320794 | Auh | Oct 2021 | A1 |
| 20210334386 | AlGhamdi et al. | Oct 2021 | A1 |
| 20210357246 | Kumar et al. | Nov 2021 | A1 |
| 20210368045 | Verma | Nov 2021 | A1 |
| 20210382995 | Massiglia | Dec 2021 | A1 |
| 20210382997 | Yi et al. | Dec 2021 | A1 |
| 20210409486 | Martinez | Dec 2021 | A1 |
| 20220012771 | Gustafson | Jan 2022 | A1 |
| 20220086173 | Yavo et al. | Mar 2022 | A1 |
| 20220131888 | Kanso | Apr 2022 | A1 |
| 20220156396 | Bednash | May 2022 | A1 |
| 20220179964 | Qiao et al. | Jun 2022 | A1 |
| 20220182403 | Mistry | Jun 2022 | A1 |
| 20220188273 | Koorapati et al. | Jun 2022 | A1 |
| 20220197926 | Passey et al. | Jun 2022 | A1 |
| 20220215101 | Rioux et al. | Jul 2022 | A1 |
| 20220232024 | Kapoor | Jul 2022 | A1 |
| 20220263656 | Moore | Aug 2022 | A1 |
| 20220284362 | Bellinger et al. | Sep 2022 | A1 |
| 20220309166 | Shenoy et al. | Sep 2022 | A1 |
| 20220326861 | Shachar | Oct 2022 | A1 |
| 20220327119 | Gasper et al. | Oct 2022 | A1 |
| 20220342690 | Shua | Oct 2022 | A1 |
| 20220342997 | Watanabe et al. | Oct 2022 | A1 |
| 20220345481 | Shua | Oct 2022 | A1 |
| 20220350931 | Shua | Nov 2022 | A1 |
| 20220357992 | Karpovsky | Nov 2022 | A1 |
| 20220400128 | Kfir et al. | Dec 2022 | A1 |
| 20220407841 | Karpowicz | Dec 2022 | A1 |
| 20220407889 | Narigapalli et al. | Dec 2022 | A1 |
| 20220413879 | Passey et al. | Dec 2022 | A1 |
| 20220414103 | Upadhyay et al. | Dec 2022 | A1 |
| 20220417011 | Shua | Dec 2022 | A1 |
| 20220417219 | Sheriff | Dec 2022 | A1 |
| 20230007014 | Narayan | Jan 2023 | A1 |
| 20230040635 | Narayan | Feb 2023 | A1 |
| 20230075355 | Twigg | Mar 2023 | A1 |
| 20230087093 | Ithal et al. | Mar 2023 | A1 |
| 20230110080 | Hen | Apr 2023 | A1 |
| 20230123477 | Luttwak et al. | Apr 2023 | A1 |
| 20230125134 | Raleigh et al. | Apr 2023 | A1 |
| 20230134674 | Quinn et al. | May 2023 | A1 |
| 20230136839 | Sundararajan et al. | May 2023 | A1 |
| 20230164148 | Narayan | May 2023 | A1 |
| 20230192418 | Horowitz et al. | Jun 2023 | A1 |
| 20230208870 | Yellapragada et al. | Jun 2023 | A1 |
| 20230231867 | Rampura Venkatachar | Jul 2023 | A1 |
| 20230237068 | Sillifant et al. | Jul 2023 | A1 |
| 20230254330 | Singh | Aug 2023 | A1 |
| 20230297666 | Atamli et al. | Sep 2023 | A1 |
| 20230325814 | Vijayan | Oct 2023 | A1 |
| 20230336578 | Lidgi et al. | Oct 2023 | A1 |
| 20230376586 | Shemesh et al. | Nov 2023 | A1 |
| 20240007492 | Shen et al. | Jan 2024 | A1 |
| 20240037229 | Pabón et al. | Feb 2024 | A1 |
| 20240045838 | Reiss et al. | Feb 2024 | A1 |
| 20240080329 | Reed et al. | Mar 2024 | A1 |
| 20240080332 | Ganesh et al. | Mar 2024 | A1 |
| Number | Date | Country |
|---|---|---|
| 4160983 | Apr 2023 | EP |
| 4254869 | Oct 2023 | EP |
| 2421792 | Jun 2011 | RU |
| Entry |
|---|
| Guo, yu et al. Enabling Encrypted Rich Queries in Distributed Key-Value Stores. IEEE Transactions on Parallel and Distributed Systems, vol. 30, Issue: 6. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8567979 (Year: 2019). |
| Mishra, Bharati; Jena, Debasish et al. Securing Files in the Cloud. 2016 IEEE International Conference on Cloud Computing in Emerging Markets (CCEM). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7819669 (Year: 2016). |
| Kumar, Anuj et al. A New Approach for Security in Cloud Data Storage for IoT Applications Using Hybrid Cryptography Technique. 2020 International Conference on Power Electronics & IoT Applications in Renewable Energy and its Control. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9087010 (Year: 2020). |
| Shuvo, Arfatul Mowla et al. Storage Efficient Data Security Model for Distributed Cloud Storage. 2020 IEEE 8th R10 Humanitarian Technology Conference (R10-HTC). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9356962 (Year: 2020). |
| Ali Gholami; Security and Privacy of Sensitive Data in Cloud Computing: A Survey of Recent Developments; ARIX:2016; pp. 131-150. |
| Christos Kyrkou; Towards artificial-intelligence-based cybersecurity for robustifying automated driving systems against camera sensor attacks; IEEE 2020; pp. 476-481. |
| Henry Hanping Feng; Anomaly Detection Using Call Stack Information; IEEE: Year:2003; pp. 1-14. |
| International Search Report for PCT Application No. PCT/IB2022/060940 dated Feb. 1, 2023. The International Bureau of WIPO. |
| International Search Report for PCT/IB2023/050848, dated May 9, 2023. International Bureau of WIPO. |
| International Search Report of PCT/IB2023/058074, dated Nov. 20, 2023. Searching Authority United States Patent and Trademark Office, Alexandria, Virginia. |
| International Search Report, PCT/IB23/55312. ISA/US, Commissioner for Patents, Alexandria, Virginia. Dated Aug. 30, 2023. |
| Microsoft Build. “Introduction to Azure managed disks”. Aug. 21, 2023, https://docs.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview. |
| Microsoft Docs. “Create a VM from a managed image”. Article. Jan. 5, 2022. https://docs.microsoft.com/en-US/azure/virtual-machines/windows/create-vm-generalized-managed. |
| Written Opinion of the International Searching Authority for PCT Application No. PCT/IB2022/060940 dated Feb. 1, 2023. The International Bureau of WIPO. |
| Written Opinion of the International Searching Authority, PCT/IB23/55312. ISA/US Commissioner for Patents, Alexandria, Virginia. Dated Aug. 30, 2023. |
| Written Opinion of the Searching Authority for PCT/IB2023/050848, dated May 9, 2023. International Bureau of WIPO. |
| Written Opinion of the Searching Authority of PCT/IB2023/058074, dated Nov. 20, 2023. Searching Authority United States Patent and Trademark Office, Alexandria, Virginia. |
| Zhang et al. BMC Bioinformatics 2014. “On finding bicliques in bipartite graphs: a novel algorithm and its application to the integration of diverse biological data types”. http://www.biomedcentral.com/1471-2105/15/110. |
| Sahil Suneja; Safe Inspection of Live Virtual Machines; IEEE; Year:2017; pp. 97-111. |
| Number | Date | Country | |
|---|---|---|---|
| 63266031 | Dec 2021 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 18146074 | Dec 2022 | US |
| Child | 18359493 | US | |
| Parent | 18146076 | Dec 2022 | US |
| Child | 18359493 | US |
