Patent Grant
12267326
The present disclosure relates generally to exposure detection in cloud environments, and specifically to active detection of exposure in cloud environments.
External attack surface management (EASM) is a term which for a technology field and best practices which are utilized in cybersecurity to describe what vulnerabilities an organization has within their network infrastructure, which may include cloud computing environments, local network environments, and the like. For example, an organization may have a virtual private cloud (VPC) implemented in Amazon® Web Services (AWS), Microsoft® Azure, Google® Cloud Platform (GCP), and the like, which serves as a cloud computing environment. The cloud computing environment may include a plurality of workloads, such as virtual machines, container engines, serverless functions, and the like, any of which may pose a security risk, for example by having a vulnerability, allowing an attacker to infiltrate the organization's network in an unintended manner.
EASM technologies aim to discover where an organization is vulnerable, in order for a network administrator to secure the discovered vulnerabilities. For example, discovering an out-of-date operating system (OS) having a known vulnerability running on a virtual machine may require the network administrator to update the OS version, or apply a software patch, in order to address the vulnerability. This is also known as minimizing the external attack surface.
One such technology which may be deployed in order to discover the external attack surface is known is active scanning. Active scanning attempts to infiltrate a network (e.g., access resources in the above mentioned VPC). For example, by sending packets to endpoints in the network. Thus, an active scanner may attempt to access random domains, at random ports, in order to gain access to a network or to a network resource.
This method has some serious drawbacks. For example, attempting to guess random domains, random ports, and the like, creates a large volume of network traffic which the target (i.e., organization's network) must deal with. This may congest the network, and further risks malfunctions, such as a denial of service to other clients, data corruption from incompatible queries, and the like. It is often of upmost importance to an organization to keep a production environment in a fully operational state. Therefore, using an active scanner to test accessibility of an active production environment may be detrimental to this objective, since it would require devotion of substantial resources at least in terms of network bandwidth to perform such tests. Furthermore, these solutions may not present a user with an underlying reason of why access to a network succeeded, or failed.
It would therefore be advantageous to provide a solution that would overcome the challenges noted above.
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
Certain embodiments disclosed herein include a method for performing authorization based active inspection of network paths for a resource. The method comprises: receiving at least one network path to access the resource, wherein the resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspecting the at least one network path to determine if the resource is accessible through the at least one network path from a network external to the cloud computing environment and requires access authorization.
Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon causing a processing circuitry to execute a process, the process comprising: receiving at least one network path to access the resource, wherein the resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspecting the at least one network path to determine if the resource is accessible through the at least one network path from a network external to the cloud computing environment and requires access authorization.
Certain embodiments disclosed herein also include a system for performing authorization based active inspection of network paths for a resource. The system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: receive at least one network path to access the resource, wherein the resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspect the at least one network path to determine if the resource is accessible through the at least one network path from a network external to the cloud computing environment and requires access authorization.
The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
The various disclosed embodiments include a system and method for performing authorization based active inspection of network paths for a resource, deployed in a cloud computing environment. The method includes receiving at least one network path to access the resource, wherein the resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspecting the at least one network path to determine if the resource is accessible through the at least one network path from a network external to the cloud computing environment and requires access authorization.
Various techniques of static analysis can be used in order to determine reachability properties of a resource deployed in a cloud computing environment. Reachability properties, or parameters, may be utilized to establish a network path to the resource from an external network through the cloud computing environment. An access instruction may be generated based on the network path to determine if a network path generated through static analysis is indeed a viable path to reach the resource. Determining what network paths are viable is advantageous as it exposes what network paths can be used to access the cloud computing environment from external networks, and therefore what parts of the cloud computing environment are in practice opened to attack. These network paths should be addressed by system administrators as early as possible to minimize the effect of a cyber-attack. Furthermore, determining that a viable network path includes an authorization requirement allows to determine whether security measures (e.g., password requirements, encryption requirements, etc.) are actually in place. For example, an active inspector can determine if a resource which should request authorization does indeed request authorization (or authentication). Where a resource does require authorization, the active inspector may further attempt to provide credentials to determine if the active inspector can successfully authenticate with the resource. Actively inspecting only the network paths which static analysis has revealed to be possible network paths allows to efficiently probe a cloud computing environment's security without creating a network burden, while still achieving the result of determining which network vulnerabilities may be exploited by a malicious third party.
A principal is a cloud entity which acts on a resource, meaning it can request, or otherwise initiate, actions or operations in the cloud environment which cause a resource to perform a function. A principal may be, for example, a user account such as user account 112, a service account such as service account 114, a role, and the like. In an embodiment a user account 112 is implemented as a data structure which includes information about an entity, such as username, a password hash, an associated role, and the like.
The first cloud environment 110 may be implemented utilizing a cloud infrastructure, such as Amazon® Web Services (AWS), Microsoft® Azure, Google® Cloud Platform (GCP), and the like. In an embodiment, the first cloud environment 110 may be implemented as a virtual private cloud (VPC) on such a cloud infrastructure. The first cloud environment 110 may be, for example, a production environment for an organization. A production environment is a computing environment which provides services, for example, to client devices within the production environment and outside of it. An organization may also have a staging environment, which is a computing environment substantially identical to the production environment in at least some deployments of resource (e.g., workloads) which is used for the purpose of testing new policies, new permissions, new applications, new appliances, new resources, and the like, which are not present in the production environment.
It is often of upmost importance to an organization to keep the production environment in a fully operational state. Therefore, using an active scanner to test accessibility to the first cloud environment 110 may be detrimental to this objective, since it would require devotion of substantial resources at least in terms of network bandwidth to perform such tests.
An inspection environment 120 is communicatively connected with the first cloud environment 110, and a public network 130. The public network 130 is also communicatively connected with the first cloud environment 110. In an embodiment, the public network 120 may be, but is not limited to, a wireless, cellular or wired network, a local area network (LAN), a wide area network (WAN), a metro area network (MAN), the Internet, the worldwide web (WWW), similar networks, and any combination thereof.
The inspection environment 120 may be implemented as a VPC in a cloud infrastructure. In an embodiment, the cloud infrastructure of the inspection environment 120 may be the same cloud infrastructure as the first cloud environment 110. In some embodiments, the inspection environment may be implemented as multiple cloud environments, each utilizing a cloud infrastructure. The inspection environment includes a security graph database (DB) 122 for storing a security graph, and at least an active inspector 125.
In an embodiment, the security graph stored in the security graph DB 122 represents at least the first cloud environment 110 using a predefined data schema. For example, each resource and each principal of the first cloud environment 110 may be represented as a corresponding resource node or principal node in the security graph. The various nodes in the security graph may be connected, for example, based on policies, roles, permissions, and the like, which are detected in the first cloud environment 110. A predefined data schema may include data structures including into which values can be inputted to represent a specific cloud entity. For example, a resource may be represented by a template data structure which includes data attributes, whose values uniquely identify the resource, such as address, name, type, OS version, and the like.
The active inspector 125 is configured to receive a network path to access a resource in the first cloud environment 110. In an embodiment, a network path may be stored as a data string which includes one or more reachability parameters. Such parameters include host names, protocols, IP addresses, ports, usernames, passwords, and the like. In certain embodiments, the active inspector 125 is further configured to receive a list of network paths. The network paths may be received periodically. In certain embodiments, the active inspector 125 is also configured to generate an instruction which includes a query for the security graph, such instruction or instructions when executed by the security graph database 122 cause(s) generation of an output including one or more network paths. For example, network paths may be generated every 24 hours, while active inspection may occur once per day, once per week, once per month, and so on.
An example of a static analysis process for generating network paths, also known as determining reachability to a resource, is discussed in more detail in U.S. Non-Provisional patent application Ser. No. 17/179,135 filed on Feb. 18, 2021, the contents of which are hereby incorporated by reference herein. In an embodiment, the active inspector 125 may generate an instruction based on the network path to access the resource associated with the network path. For example, the instruction may be to send a data packet to an IP address of the resource, and receive an acknowledgement (ACK) response. The active inspector 125 may generate a log which includes, for example, the network path, the instruction sent by the active inspector 125, and any response(s) received from the resource. For example, if the active inspector 125 sends an HTTP (hypertext transfer protocol) request, a response may be a 404 error, a 403 error, 500 error, 502 error, and the like.
In an embodiment the active inspector 125 initiates active inspection of a network path to determine if a resource is accessible via the network path from a network which is external to the first cloud environment 110.
A first enrichment node 210 (also referred to as public network node 210) represents a public network, such as public network 130 of
The public network node 210 is connected to a first resource node 220 (also referred to as firewall node 220) representing a firewall workload. The firewall represented by the firewall node 220 may be implemented, for example, as a virtual machine in the first cloud computing environment. Connecting the public network node 210 to the firewall node 220 represents that the firewall is open to sending and receiving communication between itself and the public network.
The firewall node 220 is further connected to a second resource node 230 (also referred to as API gateway node 230) which represents an API (application programming interface) gateway. An API gateway is a workload, for example a serverless function, which can act as a reverse proxy between a client and resources, accepting API calls, directing them to the appropriate service, workload, resource, etc. and returning a result to the client when appropriate.
The API gateway node 230 is connected to a first principal node 240 (also referred to as VM node 240) representing a virtual machine hosting an application and a database, and is also connected to a second principal node 250 (also referred to as container engine node 250) which hosts a plurality of container nodes. The VM node 240 is connected to an application node 242, and a database node 244. The application node 242 may indicate, for example, that a certain application, having a version number, binaries, files, libraries, and the like, is executed on the VM which is represented by the VM node 240.
In an embodiment, the VM node 240 may be connected to a plurality of application nodes. The database node 244 represents a database which is stored on the VM (represented by VM node 240), or stored on a storage accessible by the VM. The database node 244 may include attributes which define a database, such as type (graph, columnar, distributed, etc.), version number, query language, access policy, and the like.
At S310, at least one network path for a first resource in a cloud computing environment is received. The network path, also known as object reachability, includes data (e.g. reachability parameters) for accessing the first resource from a public network, which is not the cloud computing environment of the first resource, such as the Internet. In an embodiment, an active inspector may receive the at least a network path, for example from a security graph. In an embodiment, S320 includes generating an instruction (or instructions) which when executed by a database system storing the security graph return a result of one or more resources, and a respective network path for each of the one or more resources. In certain embodiments, the network paths may be received periodically.
In some embodiments, the first resource may be one of a plurality of first resources, which are each substantially identical. For example, a group of virtual machines which are generated based on the same code or image are substantially identical, since their initial deployment would be identical other than a unique identifier assigned to each machine. In such embodiments it may be beneficial to inspect the at least one network path for a subset of the plurality of first resources, in order to decrease the computation and network resources required. This may be acceptable in such embodiments, as the expectation is that the plurality of VMs would be accessible in similar network paths. In some embodiments, the subset includes one or more first resources.
In an embodiment, each of the received network paths includes a set of reachability parameters to reach a specific cloud object in the cloud environment. The reachability parameters, and hence the network paths are generated by statically analyzing the cloud environment. An example method for such static analysis is described with reference to
At S320, an access instruction is generated to access the first resource based on the network path. In an embodiment, the access instruction is generated by the active inspector deployed outside of the cloud environment where the first resource resides. In certain embodiments, the instruction includes one or more access parameters. Such parameters may include, but are not limited to, a host name, an IP address, a communication protocol, a port, a username, a password, and the like, or combination thereof. A communication protocol may be, for example, HTTP or UDP (user datagram protocol). For example, the instruction may be a ping, GET, CONNECT, or TRACE request over HTTP.
In certain embodiments, a plurality of access instructions may be generated. For example, a plurality of generated access instructions may include a first access instruction having a first request, and a second access instruction having a second request which is different from the first request. For example, the first access instruction may include a CONNECT request, and the second access instruction may include a GET request. In certain embodiments, a plurality of first access instructions may be generated. In such embodiments, each first access instruction may include a same type of request (e.g., CONNECT) with different values (e.g., different web address, different port, and so on). For example, a resource may be reachable at IP address 10.0.0.127, at ports 800 through 805. The IP address and ports would be reachability parameters, based on which an active inspector can generate a plurality of first access instructions based on an HTTP GET request, such as:
At S330, execution of the generated access instruction is caused. The access instruction, when executed, causes an attempt to actually access the resource. In an embodiment, the attempt may result in network traffic being generated, including requests sent to the resource and answers (i.e., data packets) received. While static analysis provides a possible path to access a resource, executing the access instruction provides a real result of an attempt to utilize the possible path, in order to determine which paths are really viable, and which are not. For example, a path may be possible based on static analysis, but not viable, where, for example, an application deployed on the resource prevents such an access from occurring. In an embodiment a network path is determined to be viable (or accessible), if the access instruction, when executed does not return an error message. An error message may be, for example, a timeout (e.g., in response to a “ping” request), a 403 Forbidden (e.g., in response to an HTTP GET request), and the like. In some embodiments, the access instruction may be executed by the active inspector 125.
At S340, a determination is performed to determine if the network path is accessible, based on the execution of the generated access instruction. Performing an active inspection of a cloud environment allows to determine which of the reachability paths (i.e., network paths) are indeed vulnerable, meaning that paths that can be used to gain access into the cloud environment, and which reachability paths (network paths) are not vulnerabilities since the active inspector could not gain access to the resource, therefore the reachability path is not possible in practice. Reachability paths which have been confirmed through both static analysis (i.e., analysis using the security graph) and active inspection are paths which should therefore be considered more vulnerable. In an embodiment, if the network path results in successfully reaching the resource, the network path is determined to be accessible (or viable). If the resource is not reachable by the network path, the network path is determined to be inaccessible (or unviable).
At S350, a security graph is updated based on the network path determination. In certain embodiments, the active inspector may update the security graph, which includes a representation of the cloud environment in which the first resource is deployed, to indicate whether a reachability path is confirmed (i.e., is viable) by active inspection or not, where a confirmed path is a path through which the active inspector successfully accessed a resource. In turn, the security graph may update an alert generated based on determining that a resource has a reachability path through a public network.
At S360, a report is generated based on the execution of the generated instruction. In an embodiment, the report may be generated by the active inspector, which performs this method. In certain embodiments, generating a report may include updating a log with network traffic between the active inspector and the resource. For example, the active inspector may record (e.g., write to a log) the generated instruction, the resource identifier, and a response received from the resource. A response may include, for example, a response code. A response code may indicate success, redirection, client error, server error, and the like, where the client is the active inspector, and the server is the resource. In certain embodiments the security graph stored in the security DB 122 may be updated based on the determined viability of the network paths. For example, if a resource is successfully accessed, or successfully unaccessed (i.e., an attempt was made to access the resource and the attempt was not successful in accessing the resource), this result can be stored as an attribute of a node representing the resource in the security graph. For example, the VM node 240 of
In some embodiments, the active inspector may communicate with a virtual private network (VPN) or a proxy, in order to mask the IP address from which the active inspector is attempting access. This may be useful to test, for example, if a firewall, such as represented by the firewall node 220 of
In some embodiments network path may include a plurality of resources. The method above may be performed on each resource of the plurality of resources, to determine the reachability of each resource.
Utilizing an active inspector using network paths generated from a security graph is advantageous, as attempting to access resources in this manner to determine the viability of a network path (i.e., reachability) requires less resources than, for example, randomly guessing network paths in an attempt to access resources.
In certain embodiments the active inspector may generate a screenshot of a user interface used to access the resource through the network path.
Furthermore, utilizing the active inspector to validate network paths and updating the security graph with the results allows to detect workloads which both contain a vulnerability, and have a validated network path. This allows generating an alert to a user of the cloud environment in order to address such problems by accurately characterizing cybersecurity threats. This in turn allows to utilize resources more efficiently, since the most vulnerable gaps in the cloud environment will be addresses first.
At S405, a security graph is accessed or otherwise obtained from the graph database. Within a security graph, various objects or entities, as may be included in a network or cloud environment of an organization, may be represented as “nodes” or “vertices,” and such “nodes” or “vertices” may be interconnected by one or more “links” or “edges,” the “links” or “edges” representing the relationships between the various objects included in a network or environment. Each object in the graph may be associated with known properties of the object. Examples for such properties may include an object's name, its IP address, various predefined security rules or access rules, and the like.
At S410, possible network paths within the obtained security graph are identified. A network path is a connection of two or more security objects accessible from an external or internal network, and/or an external or internal object. That is, a network path may include sequential representations of possible data/control flows between two or more objects in a graph. In an embodiment, where two objects in a graph are represented as vertices, and where the vertices are joined by an edge, a path may be constructed between the two vertices. A path may be a vertex-only path, describing a sequence of vertex-to-vertex “hops,” an edge-only path, describing only the edges included in the sequence without description of the associated vertices, or a combined edge-vertex path, describing both edges and vertexes included in the sequence.
According to disclosed embodiments, a path shows a connection between security objects and/or computing objects that communicate over a network. An object may be a virtual, physical, or logical entity.
In an embodiment, paths can be identified by traversing the security graph. The traversal can start or end at objects that are connected to an external network (the internet). The traversal of the security graph can be performed using solutions disclosed in the related art, e.g., a breadth-first search (BFS), a tree traversal, and the like, as well as any combination thereof.
In another embodiment, paths can be identified by querying the graph database storing the security graph. Examples of applicable queries include, without limitation, queries configured to identify all paths between a first graph object (node) and a second graph object, queries configured to identify all paths between all graph vertices of a first object type and all graph vertices of a second object type, other, like, queries, and any combination thereof.
Following as performed at S410 through S430, the list of paths are iteratively identified to determine the reachability properties of the path. Specifically, at S415, a path list is populated to include all identified paths. A path list may be a table, list, or other type of data structure. A path list may be unordered or ordered, including ordering according to one or more path properties.
At S420, a path from the path list is selected. At a first run of the method a first path in the list is selected.
At S425, path elements are analyzed to determine reachable properties. Path element analysis, as at S425, is an iterative analysis of each element included in the path selected at S420. The operation of S425 is discussed in detail with reference to
At S430, it is determined whether the last path of the path list has been analyzed, and if so, execution terminates; otherwise, execution returns to S420.
At S455, elements within a selected network path are identified. Elements are network and/or computing objects and relationships (or connections) between such objects. Identification of elements within the selected path may include, without limitation, identification based on properties, and other, like, data, included in the elements, identification of elements based on element identifications provided during the execution of S410 of
Then, at S460 through S480, the list of paths are iteratively processed in order to determine reachable properties of the elements. Specifically, at S460, the next element is selected. The next element is a subsequent element of the set of elements, within the selected path, identified at S455. Where execution of S460 follows the execution of S480, the next element may be an element which, in the selected network path, immediately follows the element relevant to the preceding execution of S470 and S475. Where execution of the method described with respect to
For exemplary purposes, a network path may be a path from a virtual machine (VM), connected to a NIC, connected to a load balancer, connected to a firewall. According to a first example, where S460 is executed for the first time, the first execution of S460 may include the selection of the VM as the selected element. Further, according to a second example, where execution of S460 follows execution of S480, selection of a next element at S460 may include selection of, following the VM, selection of the NIC, or, following the NIC, selection of the load balancer, or, following the load balancer, selection of the firewall.
At S465, it is determined whether the selected element has been analyzed. Determination of whether the selected element may include the determination of whether one or more reachable properties are included in the relevant graph element. As execution of S475 provides for the population of reachable properties into the security graph, an element which does not include such reachable properties in the graph may be assumed to have not been analyzed.
Where, at S465, it is determined that the selected element has been analyzed, execution continues with S460. Where, at S465, it is determined that the selected element has not been analyzed, execution continues with S470.
At S470, reachable properties are determined. Reachable properties are object properties describing if, and how, a given path element is reachable through the selected path, and, specifically, from an external network, an internal network, both, and a combination thereof. Examples of reachable properties include, without limitation, binary properties describing whether an element is reachable, protocols by which the element is reachable, network addresses at which an element is reachable, ports by which an element is reachable, access rules, and the like, as well as any combination thereof.
In an embodiment, a reachable property is determined as a minimal set of reachable properties of all other objects in the path. As a simple example, if a path includes two objects, where one object can receive traffic from any source IP address through port 1515, and the other object can receive traffic only from a source IP address of 173.54.189.188, the reachable property of the second object may be that the second object is reachable through “source IP address 173.54.189.188 and port 1515.”
At S475, reachable properties are populated into the security graph. Reachable properties, as may be determined at S470, may be populated into the graph by processes including, without limitation, labeling or tagging graph vertices (or “nodes”), updating network or graph object properties, generating one or more graph overviews, layers, or graph-adjacent data features, and the like, as well as any combination thereof.
In an embodiment, population of reachable properties into the security graph may include, for each object, population of object network access control lists (NACLs) as described hereinbelow, into the security graph elements corresponding with the various path elements, as well as the population of scope specific NACLs, and other, like, properties into the graph. Scope-specific NACLs are NACLs describing object, path, or network accessibility properties specific to a given scope, where a given scope may be the internet, various given accounts, various given environments, and the like. Scope-specific NACLs may, for example, describe the properties of an object with respect to the object's internet accessibility, where the object may be configured to include different access control properties for internet access and local intranet access.
Further, population of reachable properties into the graph may include population of one or more paths into the graph, including by population processes similar or identical to those described with respect to population of individual objects. Population of paths into the graph may include, without limitation, population of one or more paths into the graph, including a presently-analyzed path, population of one or more path properties, and the like, as well as any combination thereof. Path properties, as may be populated to a graph, are properties describing various attributes of a path, including, without limitation, NACLs applicable to path elements, path segments, or full paths, including full-path aggregate NACLs, and the like, as well as any combination thereof. Further, population of path properties into the graph may include the population of one or more scope-specific path properties, where such scope-specific path properties may be properties relevant to specific scopes, such as those described herein.
Where population of reachable properties includes labeling or tagging a graph, or elements thereof, one or more graph vertices or edges, the corresponding objects or relationships, or both, may be labeled, tagged, or otherwise associated with one or more data features describing relevant reachable properties. In addition, where population of reachable properties to the graph includes updating graph objects, graph vertices and edges, the corresponding objects and relationships, or both, may be directly updated to explicitly include the calculated properties.
Further, where population of reachable properties includes the generation of one or more graph layers or overlays, the generated graph layers or overlays may be data features independent of, but corresponding to, the relevant graphs, where the generated overlays or layers may include one or more data features describing the reachable properties of the various graph elements.
At S480, it is determined whether all elements in the selected path have been analyzed. Determination of whether all elements in the selected path have been analyzed may include, without limitation, determination of whether the immediately preceding execution of S475 relates to the last element in the selected path, determination of whether additional elements remain in the path, determination of whether any additional in-path elements have been analyzed, and the like, as well as any combination thereof.
Where, at S480, it is determined that all elements in the selected path have not been analyzed, execution continues with S460. Where, at S480, it is determined that all elements in the selected path have been analyzed, execution terminates.
The processing circuitry 610 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), Application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), graphics processing units (GPUs), tensor processing units (TPUs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.
The memory 620 may be volatile (e.g., random access memory, etc.), non-volatile (e.g., read only memory, flash memory, etc.), or a combination thereof.
In one configuration, software for implementing one or more embodiments disclosed herein may be stored in the storage 630. In another configuration, the memory 620 is configured to store such software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the processing circuitry 610, cause the processing circuitry 610 to perform the various processes described herein.
The storage 630 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, compact disk-read only memory (CD-ROM), Digital Versatile Disks (DVDs), or any other medium which can be used to store the desired information.
The network interface 640 allows the active inspector 125 to communicate with, for example, a cloud environment, a security graph database, resources from the cloud environment, and the like.
It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in
At S710, a resource, deployed in a cloud computing environment, is selected. In an embodiment, the resource may be selected from a list of resources. A list of resources may be generated, for example, by querying a graph database storing a security graph, the security graph representing the cloud computing environment. In certain embodiments, the security graph may be queried to determine identifiers of resources having associated therewith at least a network path, at least a reachability parameter, or both.
At S720, a network path of the resource is selected. In certain embodiments the network path may include reachability parameters, as discussed in more detail above. In some embodiments, a plurality of network paths may be selected. In an embodiment, a network path may be associated with a resource, for example by storing a resource identifier and corresponding network path in a table stored in a database.
At S730, an access instruction is generated based on the selected network path. The access instruction may be generated as discussed in more detail above. In an embodiment, the access instruction may be generated by an active inspector. The access instruction, when executed by a processing circuitry, configures a system, such as the active inspector, to initiate an access event with the resource. An access event may be, for example, sending a PING instruction, a CONNECT instruction, a GET instruction, and any combination thereof. In certain embodiments a plurality of access instructions may be generated. In some embodiments, a first access instruction of a first type may be generated, and a second access instruction of a second type may be generated. An instruction type may be, for example, a link layer instruction, an Internet layer instruction, a transport layer instruction, an application layer instruction, and the like. For example, a first instruction type may be an internet layer instruction (e.g., a PING instruction) and a second instruction type may be an application layer protocol instruction (e.g., HTTP GET instruction).
At S740, execution is initiated for the generated access instruction. In an embodiment initiating execution of the generated access instruction includes executing the access instruction. In other embodiments, initiating execution of the generated access instruction includes sending the access instruction to a workload in an inspection environment, wherein the workload is configured to execute received access instructions.
At S750, a check is performed to determine if the resource requests authorization. Requesting authorization may include, for example, sending a response to the origin of the access instruction (e.g., the active inspector) to request login credentials. In certain embodiments, the resource may determine if the access instruction includes credentials for accessing the resource. If the access instruction does not include credentials an error may be returned as a response. For example, in HTTP (hypertext transfer protocol), a “403 Forbidden” error may be returned if the resource (i.e., web server) does not receive the proper credentials when attempting to access the resource. In this example, it should be further understood that a web server may provide access to a first resource by utilizing a first uniform resource locator (URL), while a second resource having a second URL would return a “403 Forbidden” error, meaning that each resource within the webserver may be governed by a different access policy.
In some embodiments, the resource may include an indicator that the resource should request authorization. For example, static analysis of the resource may indicate that the resource includes a database of a certain type. The cloud environment in which the database is deployed on the resource may include a policy which states that every database must be password protected, for example. In such embodiments, at S750, the check may be performed to determine if a resource which has an indicator that should request authorization, does indeed request such authorization. In the example of the database, the executed access instruction may include an instruction to access the database without providing a credential, as detailed below.
In an embodiment, execution is optionally continued at S755 if the resource requires authorization. In some embodiments, execution continues at S760 if the resource does not require authorization.
At optional S755, an access attempt is initiated. In an embodiment, initiating an access attempt includes generating another access instruction, including credentials, for accessing the resource through the network path. For example, if the access instruction is:
At S760, outcome of execution of the access instruction is determined. In an embodiment, the determination is performed based on receiving a response from the resource. In an embodiment the response indicates if the access instruction resulted in successful access of the resource, or if access was unsuccessful. In some embodiments the response may indicate if success cannot be determined. For example, an unsuccessful access may be indicated by receiving: a timeout (e.g., to a PING instruction), a “403 Forbidden” error, a “404 Not Found” error, a “500 Internal Server” error, and the like. In embodiments where an access attempt was further initiated in response to determining that authorization is required, a result of the access attempt may be utilized to determine if the access to the resource was successfully achieved.
At S770, the security graph is updated based on the determined outcome of the access instruction execution. For example, an indicator may be associated with the network path to determine if access was achieved, or not. In an embodiment the indicator is a binary indicator. In certain embodiments, the network path may further be associated with credentials which were used to access the resource. For example, the credentials may be represented as a node in the security graph, which is connected to a node representing the resource.
At S780, a check is performed to determine if another network path should be inspected. For example, an active inspector may receive a plurality of network paths through which to access the resource. In some embodiments, an active inspector may receive a single network path, but generates multiple access instructions based on the network path. For example, the active inspector may generate a plurality of access instructions based on a network path to the same host, each instruction including a different port. If another network path should be inspected execution may continue at S720. Execution may continue at S790 if no additional network paths should be inspected.
At S790, a check is performed to determine if another resource should be selected. For example, the active inspector may perform active inspection of each resource from a list of resources. In an embodiment, the active inspector may inspect at least a network path for each resource from the list of resources. If another resource should have network paths inspected execution may continue at S710. If no additional resources should have their network paths inspected execution terminates.
The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
It should be understood that any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.
As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6910132 | Bhattacharya | Jun 2005 | B1 |
| 7627652 | Commons et al. | Dec 2009 | B1 |
| 7784101 | Verbowski et al. | Aug 2010 | B2 |
| 8200965 | Fujibayashi et al. | Jun 2012 | B2 |
| 8352431 | Protopopov et al. | Jan 2013 | B1 |
| 8412688 | Armangau et al. | Apr 2013 | B1 |
| 8413239 | Sutton | Apr 2013 | B2 |
| 8417967 | Foster et al. | Apr 2013 | B2 |
| 8499354 | Satish et al. | Jul 2013 | B1 |
| 8595822 | Schrecker et al. | Nov 2013 | B2 |
| 8701200 | Naldurg et al. | Apr 2014 | B2 |
| 8789049 | Hutchins et al. | Jul 2014 | B2 |
| 8898481 | Osburn, III et al. | Nov 2014 | B1 |
| 8914406 | Haugsnes | Dec 2014 | B1 |
| 9009836 | Yarykin et al. | Apr 2015 | B1 |
| 9094379 | Miller | Jul 2015 | B1 |
| 9119017 | Sinha | Aug 2015 | B2 |
| 9165142 | Sanders et al. | Oct 2015 | B1 |
| 9172621 | Dippenaar | Oct 2015 | B1 |
| 9330273 | Khetawat et al. | May 2016 | B2 |
| 9369433 | Paul | Jun 2016 | B1 |
| 9419996 | Porat | Aug 2016 | B2 |
| 9438634 | Ross et al. | Sep 2016 | B1 |
| 9467473 | Jayaraman | Oct 2016 | B2 |
| 9544327 | Sharma et al. | Jan 2017 | B1 |
| 9563385 | Kowalski et al. | Feb 2017 | B1 |
| 9569328 | Pavlov et al. | Feb 2017 | B2 |
| 9582662 | Messick et al. | Feb 2017 | B1 |
| 9596235 | Badam et al. | Mar 2017 | B2 |
| 9607104 | Turner et al. | Mar 2017 | B1 |
| 9646172 | Hahn | May 2017 | B1 |
| 9661009 | Karandikar et al. | May 2017 | B1 |
| 9672355 | Titonis et al. | Jun 2017 | B2 |
| 9712503 | Ahmed | Jul 2017 | B1 |
| 9892261 | Joram et al. | Feb 2018 | B2 |
| 10002247 | Suarez et al. | Jun 2018 | B2 |
| 10032032 | Suarez et al. | Jul 2018 | B2 |
| 10063445 | Preece | Aug 2018 | B1 |
| 10135826 | Reddy | Nov 2018 | B2 |
| 10229125 | Goodman et al. | Mar 2019 | B2 |
| 10255370 | Carpenter et al. | Apr 2019 | B2 |
| 10360025 | Foskett et al. | Jul 2019 | B2 |
| 10412103 | Haugsnes | Sep 2019 | B2 |
| 10412109 | Loureiro et al. | Sep 2019 | B2 |
| 10459664 | Dreier et al. | Oct 2019 | B1 |
| 10503904 | Singh et al. | Dec 2019 | B1 |
| 10536471 | Derbeko et al. | Jan 2020 | B1 |
| 10540499 | Wailly et al. | Jan 2020 | B2 |
| 10552610 | Vashisht et al. | Feb 2020 | B1 |
| 10554507 | Siddiqui et al. | Feb 2020 | B1 |
| 10567468 | Perlmutter | Feb 2020 | B2 |
| 10572226 | Biskup et al. | Feb 2020 | B2 |
| 10574675 | Peppe | Feb 2020 | B2 |
| 10623386 | Bernat et al. | Apr 2020 | B1 |
| 10630642 | Clark et al. | Apr 2020 | B2 |
| 10664619 | Marelas | May 2020 | B1 |
| 10691636 | Tabaaloute et al. | Jun 2020 | B2 |
| 10721260 | Schlarp et al. | Jul 2020 | B1 |
| 10725775 | Suarez et al. | Jul 2020 | B2 |
| 10735430 | Stoler | Aug 2020 | B1 |
| 10735442 | Swackhamer | Aug 2020 | B1 |
| 10791138 | Siddiqui et al. | Sep 2020 | B1 |
| 10803188 | Rajput et al. | Oct 2020 | B1 |
| 10831898 | Wagner | Nov 2020 | B1 |
| 10915626 | Tang | Feb 2021 | B2 |
| 10924503 | Pereira et al. | Feb 2021 | B1 |
| 10972484 | Swackhamer | Apr 2021 | B1 |
| 10997293 | Wiest et al. | May 2021 | B2 |
| 11005860 | Glyer et al. | May 2021 | B1 |
| 11016954 | Babocichin et al. | May 2021 | B1 |
| 11044118 | Reed et al. | Jun 2021 | B1 |
| 11055414 | Claes | Jul 2021 | B2 |
| 11064032 | Yang et al. | Jul 2021 | B1 |
| 11099976 | Khakare et al. | Aug 2021 | B2 |
| 11102231 | Kraning et al. | Aug 2021 | B2 |
| 11165652 | Byrne | Nov 2021 | B1 |
| 11216563 | Veselov et al. | Jan 2022 | B1 |
| 11245730 | Bailey | Feb 2022 | B2 |
| 11271961 | Berger | Mar 2022 | B1 |
| 11334670 | Franco et al. | May 2022 | B2 |
| 11366897 | Ramanathan et al. | Jun 2022 | B1 |
| 11388183 | Hoopes et al. | Jul 2022 | B2 |
| 11405426 | Nguyen | Aug 2022 | B2 |
| 11444974 | Shakhzadyan | Sep 2022 | B1 |
| 11483317 | Bolignano et al. | Oct 2022 | B1 |
| 11496498 | Wright et al. | Nov 2022 | B2 |
| 11496519 | Gupta et al. | Nov 2022 | B1 |
| 11503063 | Rao | Nov 2022 | B2 |
| 11507672 | Pagnozzi et al. | Nov 2022 | B1 |
| 11516222 | Srinivasan et al. | Nov 2022 | B1 |
| 11520907 | Borowiec et al. | Dec 2022 | B1 |
| 11546360 | Woodford et al. | Jan 2023 | B2 |
| 11556659 | Kumar et al. | Jan 2023 | B1 |
| 11558401 | Vashisht et al. | Jan 2023 | B1 |
| 11558423 | Gordon et al. | Jan 2023 | B2 |
| 11567751 | Cosentino et al. | Jan 2023 | B2 |
| 11570090 | Shen et al. | Jan 2023 | B2 |
| 11575696 | Ithal et al. | Feb 2023 | B1 |
| 11614956 | Tsirkin et al. | Mar 2023 | B2 |
| 11645390 | Vijayvargiya et al. | May 2023 | B2 |
| 11662928 | Kumar et al. | May 2023 | B1 |
| 11663340 | Wu et al. | May 2023 | B2 |
| 11669386 | Abrol | Jun 2023 | B1 |
| 11700233 | St. Pierre | Jul 2023 | B2 |
| 11750566 | Montilla Lugo | Sep 2023 | B1 |
| 11757844 | Xiao | Sep 2023 | B2 |
| 11770398 | Erlingsson | Sep 2023 | B1 |
| 11792284 | Nanduri | Oct 2023 | B1 |
| 11799874 | Lichtenstein | Oct 2023 | B1 |
| 11803766 | Srinivasan | Oct 2023 | B1 |
| 11841945 | Fogel | Dec 2023 | B1 |
| 11914707 | Ramanathan et al. | Feb 2024 | B1 |
| 11922220 | Haghighat et al. | Mar 2024 | B2 |
| 11936785 | Shemesh et al. | Mar 2024 | B1 |
| 12019770 | Nilsson et al. | Jun 2024 | B2 |
| 12050696 | Pieno et al. | Jul 2024 | B2 |
| 12058177 | Crabtree et al. | Aug 2024 | B2 |
| 20030188194 | Currie et al. | Oct 2003 | A1 |
| 20030217039 | Kurtz et al. | Nov 2003 | A1 |
| 20050050365 | Seki et al. | Mar 2005 | A1 |
| 20050251863 | Sima | Nov 2005 | A1 |
| 20050283645 | Turner et al. | Dec 2005 | A1 |
| 20070174915 | Gribble et al. | Jul 2007 | A1 |
| 20070271360 | Sahita et al. | Nov 2007 | A1 |
| 20080075283 | Takahashi | Mar 2008 | A1 |
| 20080221833 | Brown et al. | Sep 2008 | A1 |
| 20080307020 | Ko et al. | Dec 2008 | A1 |
| 20080320594 | Jiang | Dec 2008 | A1 |
| 20090106256 | Safari et al. | Apr 2009 | A1 |
| 20090271863 | Govindavajhala et al. | Oct 2009 | A1 |
| 20100242082 | Keene et al. | Sep 2010 | A1 |
| 20100281275 | Lee et al. | Nov 2010 | A1 |
| 20110055361 | Dehaan | Mar 2011 | A1 |
| 20110276806 | Casper et al. | Nov 2011 | A1 |
| 20120110651 | Van Biljon et al. | May 2012 | A1 |
| 20120297206 | Nord et al. | Nov 2012 | A1 |
| 20130024940 | Hutchins et al. | Jan 2013 | A1 |
| 20130054890 | Desai et al. | Feb 2013 | A1 |
| 20130124669 | Anderson et al. | May 2013 | A1 |
| 20130160119 | Sartin | Jun 2013 | A1 |
| 20130160129 | Sartin | Jun 2013 | A1 |
| 20130290708 | Diaz et al. | Oct 2013 | A1 |
| 20140096134 | Barak | Apr 2014 | A1 |
| 20140115578 | Cooper et al. | Apr 2014 | A1 |
| 20140237537 | Manmohan | Aug 2014 | A1 |
| 20140317677 | Vaidya | Oct 2014 | A1 |
| 20140337613 | Martini | Nov 2014 | A1 |
| 20150033305 | Shear | Jan 2015 | A1 |
| 20150055647 | Roberts | Feb 2015 | A1 |
| 20150163192 | Jain | Jun 2015 | A1 |
| 20150172321 | Kirti et al. | Jun 2015 | A1 |
| 20150254364 | Piduri et al. | Sep 2015 | A1 |
| 20150304302 | Zhang et al. | Oct 2015 | A1 |
| 20150310215 | McBride et al. | Oct 2015 | A1 |
| 20150319160 | Ferguson et al. | Nov 2015 | A1 |
| 20160063466 | Sheridan et al. | Mar 2016 | A1 |
| 20160078231 | Bach et al. | Mar 2016 | A1 |
| 20160103669 | Gamage et al. | Apr 2016 | A1 |
| 20160105454 | Li | Apr 2016 | A1 |
| 20160140352 | Nickolov | May 2016 | A1 |
| 20160156664 | Nagaratnam | Jun 2016 | A1 |
| 20160224600 | Munk | Aug 2016 | A1 |
| 20160299708 | Yang et al. | Oct 2016 | A1 |
| 20160366185 | Lee | Dec 2016 | A1 |
| 20170026416 | Carpenter et al. | Jan 2017 | A1 |
| 20170070506 | Reddy | Mar 2017 | A1 |
| 20170104755 | Arregoces | Apr 2017 | A1 |
| 20170111384 | Loureiro et al. | Apr 2017 | A1 |
| 20170185784 | Madou | Jun 2017 | A1 |
| 20170187743 | Madou | Jun 2017 | A1 |
| 20170223024 | Desai | Aug 2017 | A1 |
| 20170230179 | Mannan et al. | Aug 2017 | A1 |
| 20170237560 | Mueller et al. | Aug 2017 | A1 |
| 20170257347 | Yan | Sep 2017 | A1 |
| 20170285978 | Manasse | Oct 2017 | A1 |
| 20170034198 | Powers et al. | Dec 2017 | A1 |
| 20170374136 | Ringdahl | Dec 2017 | A1 |
| 20180004950 | Gupta | Jan 2018 | A1 |
| 20180007087 | Grady et al. | Jan 2018 | A1 |
| 20180026995 | Dufour et al. | Jan 2018 | A1 |
| 20180027009 | Santos | Jan 2018 | A1 |
| 20180063290 | Yang et al. | Mar 2018 | A1 |
| 20180150412 | Manasse | May 2018 | A1 |
| 20180159882 | Brill | Jun 2018 | A1 |
| 20180181310 | Feinberg et al. | Jun 2018 | A1 |
| 20180191726 | Luukkala | Jul 2018 | A1 |
| 20180219888 | Apostolopoulos | Aug 2018 | A1 |
| 20180234459 | Kung | Aug 2018 | A1 |
| 20180239902 | Godard | Aug 2018 | A1 |
| 20180260566 | Chaganti et al. | Sep 2018 | A1 |
| 20180270268 | Gorodissky et al. | Sep 2018 | A1 |
| 20180276084 | Mitkar et al. | Sep 2018 | A1 |
| 20180278639 | Bernstein et al. | Sep 2018 | A1 |
| 20180288129 | Joshi et al. | Oct 2018 | A1 |
| 20180309747 | Sweet et al. | Oct 2018 | A1 |
| 20180321993 | McClory | Nov 2018 | A1 |
| 20180341768 | Marshall et al. | Nov 2018 | A1 |
| 20180359058 | Kurian | Dec 2018 | A1 |
| 20180359059 | Kurian | Dec 2018 | A1 |
| 20190007271 | Rickards et al. | Jan 2019 | A1 |
| 20190043201 | Strong et al. | Feb 2019 | A1 |
| 20190058722 | Levin et al. | Feb 2019 | A1 |
| 20190068617 | Coleman | Feb 2019 | A1 |
| 20190068627 | Thampy | Feb 2019 | A1 |
| 20190104140 | Gordeychik et al. | Apr 2019 | A1 |
| 20190116111 | Izard et al. | Apr 2019 | A1 |
| 20190121986 | Stopel et al. | Apr 2019 | A1 |
| 20190132350 | Smith et al. | May 2019 | A1 |
| 20190149604 | Jahr | May 2019 | A1 |
| 20190166129 | Gaetjen et al. | May 2019 | A1 |
| 20190171811 | Daniel et al. | Jun 2019 | A1 |
| 20190191417 | Baldemair et al. | Jun 2019 | A1 |
| 20190205267 | Richey et al. | Jul 2019 | A1 |
| 20190207966 | Vashisht et al. | Jul 2019 | A1 |
| 20190220575 | Boudreau et al. | Jul 2019 | A1 |
| 20190245883 | Gorodissky et al. | Aug 2019 | A1 |
| 20190260764 | Humphrey et al. | Aug 2019 | A1 |
| 20190278928 | Rungta et al. | Sep 2019 | A1 |
| 20190354675 | Gan et al. | Nov 2019 | A1 |
| 20190377988 | Qi et al. | Dec 2019 | A1 |
| 20200007314 | Vouk et al. | Jan 2020 | A1 |
| 20200007569 | Dodge et al. | Jan 2020 | A1 |
| 20200012659 | Dageville et al. | Jan 2020 | A1 |
| 20200012818 | Levin et al. | Jan 2020 | A1 |
| 20200028862 | Lin | Jan 2020 | A1 |
| 20200044916 | Kaufman et al. | Feb 2020 | A1 |
| 20200050440 | Chuppala et al. | Feb 2020 | A1 |
| 20200082094 | McAllister et al. | Mar 2020 | A1 |
| 20200106782 | Sion | Apr 2020 | A1 |
| 20200125352 | Kannan | Apr 2020 | A1 |
| 20200145405 | Bosch et al. | May 2020 | A1 |
| 20200244678 | Shua | Jul 2020 | A1 |
| 20200244692 | Shua | Jul 2020 | A1 |
| 20200259852 | Wolff et al. | Aug 2020 | A1 |
| 20200287927 | Zadeh et al. | Sep 2020 | A1 |
| 20200320845 | Livny et al. | Oct 2020 | A1 |
| 20200336489 | Wuest et al. | Oct 2020 | A1 |
| 20200382556 | Woolward et al. | Dec 2020 | A1 |
| 20200387357 | Mathon et al. | Dec 2020 | A1 |
| 20200389431 | St. Pierre | Dec 2020 | A1 |
| 20200389469 | Litichever | Dec 2020 | A1 |
| 20200409741 | Dornemann et al. | Dec 2020 | A1 |
| 20210026932 | Boudreau et al. | Jan 2021 | A1 |
| 20210042263 | Zdornov et al. | Feb 2021 | A1 |
| 20210089662 | Muniswamy-Reddy et al. | Mar 2021 | A1 |
| 20210105304 | Kraning | Apr 2021 | A1 |
| 20210144517 | Guim Bernat et al. | May 2021 | A1 |
| 20210149788 | Downie | May 2021 | A1 |
| 20210158835 | Hill et al. | May 2021 | A1 |
| 20210168150 | Ross et al. | Jun 2021 | A1 |
| 20210176123 | Plamondon | Jun 2021 | A1 |
| 20210176164 | Kung et al. | Jun 2021 | A1 |
| 20210185073 | Ewaida et al. | Jun 2021 | A1 |
| 20210200881 | Joshi et al. | Jul 2021 | A1 |
| 20210203684 | Maor et al. | Jul 2021 | A1 |
| 20210211453 | Cooney | Jul 2021 | A1 |
| 20210216630 | Karr | Jul 2021 | A1 |
| 20210218567 | Richards et al. | Jul 2021 | A1 |
| 20210226812 | Park | Jul 2021 | A1 |
| 20210226928 | Crabtree et al. | Jul 2021 | A1 |
| 20210234889 | Burle et al. | Jul 2021 | A1 |
| 20210263802 | Gottemukkula et al. | Aug 2021 | A1 |
| 20210306416 | Mukhopadhyay et al. | Sep 2021 | A1 |
| 20210314342 | Oberg | Oct 2021 | A1 |
| 20210320794 | Auh et al. | Oct 2021 | A1 |
| 20210329019 | Shua et al. | Oct 2021 | A1 |
| 20210334386 | AlGhamdi et al. | Oct 2021 | A1 |
| 20210357246 | Kumar et al. | Nov 2021 | A1 |
| 20210360032 | Crabtree et al. | Nov 2021 | A1 |
| 20210368045 | Verma | Nov 2021 | A1 |
| 20210382995 | Massiglia et al. | Dec 2021 | A1 |
| 20210382997 | Yi et al. | Dec 2021 | A1 |
| 20210409486 | Martinez | Dec 2021 | A1 |
| 20220012771 | Gustafson | Jan 2022 | A1 |
| 20220030020 | Huffman | Jan 2022 | A1 |
| 20220053011 | Rao et al. | Feb 2022 | A1 |
| 20220086173 | Yavo et al. | Mar 2022 | A1 |
| 20220131888 | Kanso | Apr 2022 | A1 |
| 20220156396 | Bednash et al. | May 2022 | A1 |
| 20220179964 | Qiao | Jun 2022 | A1 |
| 20220182403 | Mistry | Jun 2022 | A1 |
| 20220188273 | Koorapati et al. | Jun 2022 | A1 |
| 20220197926 | Passey et al. | Jun 2022 | A1 |
| 20220210053 | Du | Jun 2022 | A1 |
| 20220215101 | Rioux et al. | Jul 2022 | A1 |
| 20220232024 | Kapoor | Jul 2022 | A1 |
| 20220232042 | Crabtree et al. | Jul 2022 | A1 |
| 20220247791 | Duminuco | Aug 2022 | A1 |
| 20220263656 | Moore | Aug 2022 | A1 |
| 20220284362 | Bellinger et al. | Sep 2022 | A1 |
| 20220309166 | Shenoy et al. | Sep 2022 | A1 |
| 20220326861 | Shachar et al. | Oct 2022 | A1 |
| 20220327119 | Gasper et al. | Oct 2022 | A1 |
| 20220342690 | Shua | Oct 2022 | A1 |
| 20220342997 | Watanabe et al. | Oct 2022 | A1 |
| 20220345481 | Shua | Oct 2022 | A1 |
| 20220350931 | Shua | Nov 2022 | A1 |
| 20220357992 | Karpovsky | Nov 2022 | A1 |
| 20220374519 | Botelho et al. | Nov 2022 | A1 |
| 20220400128 | Kfir et al. | Dec 2022 | A1 |
| 20220407841 | Karpowicz | Dec 2022 | A1 |
| 20220407889 | Narigapalli et al. | Dec 2022 | A1 |
| 20220413879 | Passey et al. | Dec 2022 | A1 |
| 20220414103 | Upadhyay et al. | Dec 2022 | A1 |
| 20220417011 | Shua | Dec 2022 | A1 |
| 20220417219 | Sheriff | Dec 2022 | A1 |
| 20230007014 | Narayan | Jan 2023 | A1 |
| 20230040635 | Narayan | Feb 2023 | A1 |
| 20230075355 | Twigg | Mar 2023 | A1 |
| 20230087093 | Ithal et al. | Mar 2023 | A1 |
| 20230093527 | Shua | Mar 2023 | A1 |
| 20230095756 | Wilkinson et al. | Mar 2023 | A1 |
| 20230110080 | Hen | Apr 2023 | A1 |
| 20230123477 | Luttwak | Apr 2023 | A1 |
| 20230125134 | Raleigh et al. | Apr 2023 | A1 |
| 20230134674 | Quinn et al. | May 2023 | A1 |
| 20230135240 | Cody et al. | May 2023 | A1 |
| 20230136839 | Sundararajan et al. | May 2023 | A1 |
| 20230164148 | Narayan | May 2023 | A1 |
| 20230164182 | Kothari et al. | May 2023 | A1 |
| 20230169165 | Williams et al. | Jun 2023 | A1 |
| 20230171271 | Williams et al. | Jun 2023 | A1 |
| 20230192418 | Horowitz et al. | Jun 2023 | A1 |
| 20230208870 | Yellapragada et al. | Jun 2023 | A1 |
| 20230224319 | Isoyama et al. | Jul 2023 | A1 |
| 20230231867 | Rampura Venkatachar | Jul 2023 | A1 |
| 20230237068 | Sillifant et al. | Jul 2023 | A1 |
| 20230254330 | Singh | Aug 2023 | A1 |
| 20230297666 | Atamli et al. | Sep 2023 | A1 |
| 20230325814 | Vijayan et al. | Oct 2023 | A1 |
| 20230336550 | Lidgi et al. | Oct 2023 | A1 |
| 20230336578 | Lidgi et al. | Oct 2023 | A1 |
| 20230376586 | Shemesh et al. | Nov 2023 | A1 |
| 20240007492 | Shen et al. | Jan 2024 | A1 |
| 20240037229 | Pab?n et al. | Feb 2024 | A1 |
| 20240045838 | Reiss et al. | Feb 2024 | A1 |
| 20240073115 | Chakraborty et al. | Feb 2024 | A1 |
| 20240080329 | Reed et al. | Mar 2024 | A1 |
| 20240080332 | Ganesh et al. | Mar 2024 | A1 |
| 20240146818 | Cody et al. | May 2024 | A1 |
| 20240241752 | Crabtree et al. | Jul 2024 | A1 |
| Number | Date | Country |
|---|---|---|
| 4160983 | Apr 2023 | EP |
| 4254869 | Oct 2023 | EP |
| 2421792 | Jun 2011 | RU |
| 10202009702X | Apr 2021 | SG |
| Entry |
|---|
| International Search Report of PCT/IB2023/058074, dated Nov. 20, 2023. Searching Authority United States Patent and Trademark Office, Alexandria, Virginia. |
| Written Opinion of the Searching Authority of PCT/IB2023/058074, dated Nov. 20, 2023. Searching Authority United States Patent and Trademark Office, Alexandria, Virginia. |
| Jordan, M. et al. Enabling pervasive encryption through IBM Z stack innovations. IBM Journal of Research and Development, vol. 62 Issue: 2/3, https://ieeexplore.ieee.org/stamp/stamp.jsp?tp&arnumber=8270590 (Year: 2018). |
| Leibenger, Dominik et al. EncFS goes multi-user: Adding access control to an encrypted file system. 2016 IEEE Conference on Communications and Network Security (CNS). https://ieeexoplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7860544 (Year: 2016). |
| Siqi Ma; Certified Copy? Understanding Security Risks of Wi-Fi Hotspot based Android Data Clone Services; ACM; Year: 2021; pp. 320-331. |
| No stated author; Downdetector; 2020; retrieved from the Internet https://web.archive.org/web/20201226001244/https://downdetector.com/; pp. 1-8, as printed. (Year: 2020). |
| No stated author; How to Run a Ping Test (Windows) 2020; retrieved from the Internet https://web.archive.org/web/20200811194856/https://support.shaw.ca/t5/internet-articles/how-to-run-a-ping-test-windows/ta-p/6677; pp. 1-6 as printed. (Year: 2020). |
| No stated author; IsltoownRightNow; 2020; retrieved from the Internet https://web.archive.org/web/20201202121557/ https:// www.isitdownrightnow.com/; pp. 1-2 as printed. (Year: 2020). |
| Chang, Bing et al. MobiCeal: Towards Secure and Practical Plausibly Deniable Encryption on Mobile Devices. 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp= &arnumber=8416506 (Year: 2018). |
| Islam, Md Shihabul et al. Secure Real-Time Heterogeneous IoT Data Management System. 2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA). https://ieeexplore.ieee.org/stamp/ stamp.jsp?tp=&arnumber=9014355 (Year: 2019). |
| Safaryan, Olga A et al. Cryptographic Algorithm Implementation for Data Encryption in DBMS MS SQL Server. 2020 IEEE East-West Design & Test Symposium (EWDTS). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9224775 (Year: 2020). |
| Wassermann, Sarah et al. ViCrypt to the Rescue: Real-Time, Machine-Learning-Driven Video-QoE Monitoring for Encrypted Streaming Traffic. IEEE Transactions on Network and Service Management, vol. 17, Issue: 4. https://ieeexplore.ieee.org/stamp/ stamp.jsp?tp=&arnumber=9250645 (Year: 2020). |
| Ali Gholami; Security and Privacy of Sensitive Data in Cloud Computing: A Survey of Recent Developments; ARIX:2016; pp. 131-150. |
| Christos Kyrkou; Towards artificial-intelligence-based cybersecurity for robustifying automated driving systems against camera sensor attacks; IEEE 2020; pp. 476-481. |
| Guo, yu et al. Enabling Encrypted Rich Queries in Distributed Key-Value Stores. IEEE Transactions on Parallel and Distributed Systems, vol. 30, Issue: 6. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8567979 (Year: 2019). |
| Henry Hanping Feng; Anomaly Detection Using Call Stack Information; IEEE: Year:2003; pp. 1-14. |
| International Search Report for PCT Application No. PCT/IB2022/060940 dated Feb. 1, 2023. The International Bureau of WIPO. |
| International Search Report for PCT/IB2023/050848, dated May 9, 2023. International Bureau of WIPO. |
| International Search Report, PCT/IB23/55312. ISA/US, Commissioner for Patents, Alexandria, Virginia. Dated Aug. 30, 2023. |
| Kumar, Anuj et al. A New Approach for Security in Cloud Data Storage for IOT Applications Using Hybrid Cryptography Technique. 2020 International Conference on Power Electronics & IoT Applications in Renewable Energy and its Control. https://ieeexplore. ieee.org/stamp/stamp.jsp?tp=&arnumber=9087010 (Year: 2020). |
| Microsoft Build. “Introduction to Azure managed disks”. Aug. 21, 2023, https://docs.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview. |
| Microsoft Docs. “Create a VM from a managed image”. Article. Jan. 5, 2022. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed. |
| Mishra, Bharati; Jena, Debasish et al. Securing Files in the Cloud. 2016 IEEE International Conference on Cloud Computing in Emerging Markets (CCEM). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7819669 (Year: 2016). |
| Sahil Suneja; Safe Inspection of Live Virtual Machines; IEEE; Year:2017; pp. 97-111. |
| Shuvo, Arfatul Mowla et al. Storage Efficient Data Security Model for Distributed Cloud Storage. 2020 IEEE 8th R10 Humanitarian Technology Conference (R10-HTC). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9356962 (Year: 2020). |
| Written Opinion of the International Searching Authority for PCT Application No. PCT/IB2022/060940 dated Feb. 1, 2023. The International Bureau of WIPO. |
| Written Opinion of the International Searching Authority, PCT/IB23/55312. ISA/US Commissioner for Patents, Alexandria, Virginia. Dated Aug. 30, 2023. |
| Written Opinion of the Searching Authority for PCT/IB2023/050848, dated May 9, 2023. International Bureau of WIPO. |
| Zhang et al. BMC Bioinformatics 2014. “On finding bicliques in bipartite graphs: a novel algorithm and its application to the integration of diverse biological data types”. http://www.biomedcentral.com/1471-2105/15/110. |
| Number | Date | Country | |
|---|---|---|---|
| 20230336550 A1 | Oct 2023 | US |
