Threat Detection and Prevention in a Cloud Environment through Comparative Node Behavior

IP.com Disclosure Number: IPCOM000237545D
Publication Date: 2014-Jun-23
Document File: 3 page(s) / 61K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method for threat detection and prevention in a cloud environment through comparative node behavior is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.

Page 01 of 3

Threat Detection and Prevention in a Cloud Environment through Comparative Node Behavior

Disclosed is a method for threat detection and prevention in a cloud environment through comparative node behavior.

Cloud environments provide rapid deployment of images for quick scalability and high availability. The proliferation of common images opens a security threat in such a homogeneous environment: if the images all share the same passwords and file paths, for example, an attack that compromises one node would compromise all nodes.

While the node homogeneity is a potential attack vector, it also provides for easy identification of node specific modifications that could be used to detect or prevent attacks. The disclosed method utilizes a framework that analyzes node specific changes and separates them from cross-node changes to identify potential threats.

At a high level, when multiple instances of a single image are deployed in the cloud for a single workload (for example, when setting up several nodes of a cluster), each node should behave identically. That is not to say the nodes should be locked down; administrators might want to add new software, or endpoint managers might install patches on the system. However, it does mean that those changes should appear identically across all the homogeneous nodes, and appear within a short time window. If a filesystem change or process were to appear on one node but not another, it could be considered an attack, or at least a red flag, because administrator tools would update every node in the cluster together (or within a bounded time window).
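The comparison described above, as an added example that is not part of the original disclosure: a small detector that takes per-node filesystem and process change events (constructed sample data, with hypothetical node names and paths) and flags any change that did not reach every homogeneous node within a bounded time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (node, kind, key, ISO timestamp).
# kind "fs" = filesystem change, "proc" = newly executing process.
# The first two groups are legitimate cluster-wide updates; the cron
# change reaches node-b far too late, and the "unknown-agent" change
# appears on node-b only.
EVENTS = [
    ("node-a", "fs", "/etc/ssh/sshd_config", "2014-06-23T10:00:05"),
    ("node-b", "fs", "/etc/ssh/sshd_config", "2014-06-23T10:00:40"),
    ("node-c", "fs", "/etc/ssh/sshd_config", "2014-06-23T10:01:10"),
    ("node-a", "proc", "patchd", "2014-06-23T10:02:00"),
    ("node-b", "proc", "patchd", "2014-06-23T10:02:30"),
    ("node-c", "proc", "patchd", "2014-06-23T10:02:45"),
    ("node-a", "fs", "/etc/cron.d/backup", "2014-06-23T10:10:00"),
    ("node-c", "fs", "/etc/cron.d/backup", "2014-06-23T10:10:20"),
    ("node-b", "fs", "/usr/local/bin/unknown-agent", "2014-06-23T11:15:00"),
    ("node-b", "proc", "unknown-agent", "2014-06-23T11:15:02"),
    ("node-b", "fs", "/etc/cron.d/backup", "2014-06-23T12:00:00"),
]
NODES = ["node-a", "node-b", "node-c"]  # the homogeneous cluster members


def find_node_specific_changes(events, nodes, window=timedelta(minutes=5)):
    """Return changes that did not appear on every node within `window`.

    A change seen on all nodes inside the window is treated as a managed
    update; a change missing from some nodes, or spread over more than the
    window, is node specific and gets flagged for review.
    """
    seen = defaultdict(dict)  # (kind, key) -> {node: first time seen}
    for node, kind, key, ts in events:
        seen[(kind, key)].setdefault(node, datetime.fromisoformat(ts))
    flagged = []
    for (kind, key), per_node in seen.items():
        missing = set(nodes) - set(per_node)
        spread = max(per_node.values()) - min(per_node.values())
        if missing or spread > window:
            flagged.append({
                "kind": kind, "key": key,
                "nodes": sorted(per_node), "missing": sorted(missing),
                "spread_seconds": int(spread.total_seconds()),
            })
    return flagged


if __name__ == "__main__":
    for finding in find_node_specific_changes(EVENTS, NODES):
        print(finding)
```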

The disclosed method has the following characteristics:

1. Identification of threats through comparison of filesystem changes across similar nodes

2. Identification of threats through comparison of executing process changes across similar nodes

3. Identification of threats through comparison of process resource consumption changes across similar nodes

4. Managed updates to synchronized nodes through a new and isolated temporary update node

An example flow is depicted in the Figure below.


Pa...