`
(12) United States Patent
Shua

(10) Patent No.: US 11,663,031 B2
(45) Date of Patent: May 30, 2023

(54) TECHNIQUES FOR SECURING VIRTUAL CLOUD ASSETS AT REST AGAINST CYBER THREATS

(71) Applicant: Orca Security LTD., Tel Aviv (IL)

(72) Inventor: Avi Shua, Tel Aviv (IL)

(73) Assignee: ORCA SECURITY LTD., Tel Aviv (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 17/400,364

(22) Filed: Aug. 12, 2021

(65) Prior Publication Data
US 2021/0377287 A1, Dec. 2, 2021

Related U.S. Application Data

(63) Continuation of application No. 16/750,556, filed on Jan. 23, 2020.

(60) Provisional application No. 62/797,718, filed on Jan. 28, 2019.

(51) Int. Cl.
H04L 9/40 (2022.01)
G06F 9/455 (2018.01)
G06F 16/11 (2019.01)
G06F 11/14 (2006.01)

(52) U.S. Cl.
CPC ... H04L 63/1416 (2013.01); G06F 9/45558 (2013.01); G06F 11/1464 (2013.01); G06F 16/128 (2019.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/45583 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2201/84 (2013.01)

(58) Field of Classification Search
CPC ... H04L 63/1416; H04L 63/1433; H04L 63/1441; G06F 9/45558; G06F 2009/45562; G06F 2009/45591; G06F 2009/45587; G06F 2201/84
USPC ... 726/25
See application file for complete search history.
`
Primary Examiner — Syed A Zaidi
(74) Attorney, Agent, or Firm — Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

(57) ABSTRACT

A method and system for securing virtual cloud assets at rest against cyber threats. The method comprises determining a location of a view of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is at rest and, when activated, instantiated in the cloud computing environment; accessing the view of the virtual disk based on the determined location; analyzing the view of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset, wherein the virtual cloud asset is inactive during the analysis; and alerting detected potential cyber threats based on a determined priority.

16 Claims, 4 Drawing Sheets
`
Representative drawing (front page): flowchart 200 of FIG. 2, Sheet 3 of 4.
`
`Orca Security Ltd.
`Exhibit 2183
`Wiz v. Orca
`IPR2024-01190
`Ex. 2183-001
`
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`10,339,011
`10,412,109
`10,536,471
`10,552,610
`2007/0266433
`2008/0155223
`
`BI*
`B2
`BI*
`BI*
`Al
`Al*
`
`7/2019
`9/2019
`1/2020
`2/2020
`11/2007
`6/2008
`
`2008/0263658
`
`Al*
`
`10/2008
`
`2009/0007 100
`2010/0070726
`
`Al
`Al*
`
`1/2009
`3/2010
`
`2013/0262801
`
`Al*
`
`10/2013
`
`2013/0268763
`
`Al*
`
`10/2013
`
`2014/0137190
`2014/0173723
`
`Al
`Al
`
`5/2014
`6/2014
`
`Bansal wo... eee GO6F 16/188
`Loureiro et al.
`Derbeko wee GO06F 21/53
`Vashisht 00.0.0... GO06F 3/0619
`Moore
`Hiltgen oc. GO6F 21/6218
`718/1
`Michael ........... GO6F 21/562
`726/22
`
`Field
`NO weceeenees GO6F 11/1469
`711/162
`Sancheti 0.0.0... HO4L 67/1095
`711/162
`Sweet occccccceeenen GO6F 21/56
`713/176
`
`Carey et al.
`Singla
`
`2015/0052520 Al
`2015/0161151 Al*
`
`2017/0011138 Al
`2017/0076092 Al*
`2018/0255080 Al
`2018/0293374 Al
`
`2/2015 Crowell et al.
`6/2015 Koryakina.......... GOOF 11/1451
`TAL/114
`
`1/2017 Venkatesh et al.
`3/2017 Kashyap ............. GO6F 21/316
`9/2018 Paine
`10/2018 Chen
`
`OTHER PUBLICATIONS
`
`Pandey, Anjali, and Shashank Srivastava. “An approach for virtual
`machine image security.” 2014 International Conference on Signal
`Propagation and Computer Technology (ICSPCT 2014).
`IEEE,
`2014. (Year: 2014).*
`NPL Search Terms (Year: 2022).*
`U.S. Patent and Trademark Office, Non-final Office Action, dated
`Jul. 21, 2022, 24 pp. for U.S. Appl. No. 16/750,556 (filing date Jan.
`23, 2020).
`
`* cited by examiner
`
`Ex. 2183-002
`
`Ex. 2183-002
`
`
`
U.S. Patent, May 30, 2023, Sheet 1 of 4, US 11,663,031 B2

FIG. 1A: network diagram 100 showing the external systems 170, the network 120, the management console 150, and the cloud computing platform 110.
`
`
`
Sheet 2 of 4

FIG. 1B: arrangement of the cloud computing platform 110, including the security system 140.
`
`
`
Sheet 3 of 4

FIG. 2: flowchart 200
S210: Receive a request to scan a VM at rest for vulnerabilities
S220: Determine a location of the virtual disk of the VM and its view
S230: Access a view of the VM at rest
S240: Analyze the view
S250: Report detected threats
S260: Trigger a mitigation action
`
`
`
`
Sheet 4 of 4

FIG. 3: block diagram of the security system 140 with processing circuitry 310, memory 320, storage 330 and network interface 340, connected by a bus 360.
`
`
`
TECHNIQUES FOR SECURING VIRTUAL CLOUD ASSETS AT REST AGAINST CYBER THREATS
`
This application is a continuation of U.S. application Ser. No. 16/750,556, filed Jan. 23, 2020, now pending, which claims the benefit of U.S. Provisional Application No. 62/797,718, filed on Jan. 28, 2019. Each of the above referenced applications is incorporated herein by reference in its entirety.
`
`TECHNICAL FIELD
`
This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.
`
`BACKGROUND
`
Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of “computers” or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and, therefore, a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

Modern virtualization technologies are also adapted by cloud computing platforms. Examples for such technologies include virtual machines, software containers, and serverless functions. With their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.
Protection of a cloud computing infrastructure, and, particularly, of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.

Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner or that the server may not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent such communication. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.
Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow for detection of vulnerabilities in software executed by the server.
To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resource management, governance, and performance. For example, installing agents in a large data center may take months.
Further, traffic monitoring does not allow detection of vulnerabilities in data at rest. Data at rest, in information technology, means inactive data that is stored physically in any digital form. Data at rest may include data, services, and/or services that are inactive but can be accessed or executed as needed. Similarly, in cloud computing, some machines (e.g., virtual machines) may also be at rest. Some machines are configured with applications or services which are infrequently executed. For example, such a machine may be utilized during one month of the year and remain inactive for the rest of the year. While at rest, the machines are powered off, and are not inspected for vulnerabilities, simply because scanners and/or installed monitoring agents cannot operate on a powered-off machine.
Another attempt would be to scan a machine at rest when the machine is powered on and preserve a log of its latest status. However, this would require keeping an updated log of the machine’s configurations and all its applications. Further, as threats constantly evolve, scanning based on past information may not be relevant. As such, when data or a machine at rest becomes active, undetected vulnerabilities can pose cyber threats.

It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.
`
`SUMMARY
`
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
Certain embodiments disclosed herein include a method for securing virtual cloud assets at rest against cyber threats. The method comprises determining a location of a view of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is at rest and, when activated, instantiated in the cloud computing environment; accessing the view of the virtual disk based on the determined location; analyzing the view of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset, wherein the virtual cloud asset is inactive during the analysis; and alerting detected potential cyber threats based on a determined priority.
`
Certain embodiments disclosed herein also include a system for securing virtual cloud assets at rest against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a view of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is at rest and, when activated, instantiated in a cloud computing environment; access the view of the virtual disk based on the determined location; analyze the view of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset, wherein the virtual cloud asset is inactive during the analysis; and alert detected potential cyber threats based on a determined priority.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.

FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities in virtual machines executed in a cloud computing platform, according to some embodiments.

FIG. 3 is an example block diagram of the security system according to an embodiment.
`
`DETAILED DESCRIPTION
`
It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

Various techniques disclosed herein include techniques for securing data at rest or machines at rest (collectively referred to as “machines at rest”). Data at rest may include inactive data that is stored physically in any digital form. Machines at rest may include a virtual machine configured with service(s) and/or application(s) that are inactive but can be accessed or executed as needed. The applications and/or services in such machines at rest are infrequently executed. The disclosed techniques are utilized to scan for embedded vulnerabilities in machines at rest, when the machine is powered off. For example, a machine at rest may be utilized during one month of the year and remain inactive for the rest of the year. According to the disclosed embodiments, the machine is scanned for vulnerabilities when it is in its inactive state.
FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments may be operable in on-premises virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.

The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting one or more virtual machines (VMs). In the example of FIG. 1B, two VMs 119-1 and 119-2 are shown, and both are protected entities. It should be noted that such a protected entity may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like. For the sake of the discussion and without limiting the scope of the disclosed embodiments, VM 119-1 is an active machine and VM 119-2 is a machine at rest. That is, VM 119-2 is mostly in an inactive state (e.g., being executed a day in a month or a month in a year, and remaining inactive otherwise).
`
The storage 117 emulates virtual disks for the VMs 119-1 and 119-2 executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optical fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In this example, illustrated in FIG. 1B, a virtual disk 118-1 is allocated for the VM 119-1 and the virtual disk 118-2 is allocated for the VM 119-2. The server 115, and, hence, the VMs 119-1 and 119-2, may be executed in a client environment 130 within the platform 110.
The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or on-premises virtualization environment, such as a VMware® based solution.
`
Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.
In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.

In the deployment illustrated in FIGS. 1A and 1B, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.
`
In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may detect certain known vulnerabilities identified in, for example, a CVE database.

In an embodiment, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119-1. The detection is performed while the VM 119-1 is live, without using any agent installed in the server 115 or the VM 119-1, and without relying on cooperation from the guest OS of the VM 119-1.

According to another embodiment, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119-2, i.e., the machine at rest. The detection is performed while the VM 119-2 is powered off.

In both embodiments, the security system 140 can scan and detect vulnerable software, non-secure configurations, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber-insurance, by accessing the security posture.
In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disks 118-1 and 118-2, respectively serving the VM 119-1 and VM 119-2, and a location of the snapshot. A VM’s snapshot is a copy of the machine’s virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure error occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created at multiple possible point-in-time restore points. When a VM reverts to a snapshot, current disk and memory states are deleted and the snapshot becomes the new parent snapshot for that VM.
In an embodiment, a view, or a materialized view, of the virtual disk 118-2 associated with the VM 119-2 is accessed. A view is a stored query that consumes limited-to-no space, consuming only the space required to store the text of the query in the data dictionary. A materialized view is both a stored query and a segment. That is, a stored query is executed, and the results are materialized into the segment. For the sake of simplicity, but without limiting the scope of the disclosed embodiments, the inspection of the VM at rest (VM 119-2) is based on a view stored in the virtual disk 118-2, while the inspection of the active VM (VM 119-1) is based on a snapshot stored in the virtual disk 118-1.
The snapshot of the VM 119-1 is located and may be saved from the virtual disk 118-1 for access by the security system 140. In an embodiment, the VM’s 119-1 snapshot may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot or request such an action. The snapshots may be taken on a predefined schedule or upon predefined events (e.g., a network event or abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs.
`
`25
`
`30
`
`40
`
`45
`
`6
The view of the VM 119-2 is located and may be saved from the virtual disk 118-2 for access by the system 140. In an embodiment, the VM’s 119-2 view may be copied to the system 140. If such a view does not exist, the system 140 may generate a query to create a new VM 119-2. The view may be taken when the VM 119-2 is about to transition into an inactive state or when the same VM 119-2 is at rest. It should be noted that when the view is taken or copied, the VM 119-2 may be at rest (i.e., inactive and powered off).

It should be noted that the snapshots and/or views of the virtual disk 118-1 and/or 118-2 may not necessarily be stored in the storage 117, but, for ease of discussion, it is assumed that the snapshot is saved in the storage 117. It should be further noted that the snapshots and/or views are accessed without cooperation of the guest, virtual OS of the virtual machine.
`
The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction and/or information from the VM 119-1. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or VM 119-1.
Further, the view is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the views does not require any interaction and/or information from the VM 119-2. In fact, the VM 119-2 is in its inactive state (at rest) during the analysis. As further demonstrated herein, the analysis of the view by the system 140 does not require any agent installed on the server 115 or VM 119-2.

Various techniques can be utilized to analyze the views and snapshots, depending on the type of vulnerability and cyber threats to be detected. Following are some example embodiments for techniques that may be implemented by the security system 140.
In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VMs 119-1 and 119-2. In an embodiment, the VM 119-2 being analyzed is shut down, being, therefore, at rest. The VM 119-1 may be running or paused. In an embodiment, to detect vulnerabilities existing in the VM 119-2, the security system 140 is configured to match installed application lists, with their respective versions, to a known list of vulnerable applications. Further, the security system 140 may be configured to match the application files, either directly, using binary comparison, or by computing a cryptographic hash, against a database of files in vulnerable applications. The matching may also be on sub-modules of an application. Alternatively, the security system 140 may read installation logs of package managers used to install the packages of the application.
In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119-2. For example, if there is a vulnerable version or module not in use, the priority of that issue is reduced dramatically.

To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119-2 to verify access times to files by the operating system and/or to analyze the application and/or system logs in order to deduce what applications and modules are running.
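The three techniques described in the preceding paragraphs (matching installed package versions against a vulnerability feed, hashing application files against a database of known-vulnerable files, and demoting findings for code that is not actually in use, judged here from file access times) can be exercised together against a mounted disk view. The following Python example is added here and is not code from the patent or from Orca Security; it assumes a Debian-style `var/lib/dpkg/status` file and per-package `var/lib/dpkg/info/<pkg>.list` files under the mount point, and the package names, versions, advisory identifiers and hashes are constructed placeholders.

```python
import hashlib
import os
import tempfile

NOW = 1_700_000_000   # fixed reference time so the staleness check is reproducible (constructed)
DAY = 86_400

# Constructed dpkg status file, as read from <mount>/var/lib/dpkg/status of the
# view (package names and versions are hypothetical).
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1ubuntu2

Package: libexample
Status: install ok installed
Version: 2.0.1-3

Package: removed-tool
Status: deinstall ok config-files
Version: 0.9-1
"""
# Constructed vulnerability feed: package -> {vulnerable version: advisory}.
# The advisory identifiers are placeholders, not real CVE numbers.
VULN_VERSIONS = {
    "openssl": {"1.1.1f-1ubuntu2": "ADV-PLACEHOLDER-001"},
    "libexample": {"1.9.0-1": "ADV-PLACEHOLDER-002"},
}
# Constructed database of sha256 hashes of files shipped in vulnerable builds.
VULN_FILE_HASHES = {
    hashlib.sha256(b"constructed vulnerable build marker\n").hexdigest(): "ADV-PLACEHOLDER-003",
}

def parse_dpkg_status(text):
    """{package: version} for stanzas whose Status ends in 'installed'."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed

def package_files(mount, package):
    """Regular files owned by a package, per dpkg's per-package .list (assumed layout)."""
    listfile = os.path.join(mount, "var/lib/dpkg/info", package + ".list")
    if not os.path.isfile(listfile):
        return []
    with open(listfile) as fh:
        paths = [os.path.join(mount, line.strip().lstrip("/")) for line in fh if line.strip()]
    return [p for p in paths if os.path.isfile(p)]

def scan_view(mount, now=NOW, stale_days=90):
    """Version match, file-hash match, then relevance from the access times of the package's files."""
    with open(os.path.join(mount, "var/lib/dpkg/status")) as fh:
        installed = parse_dpkg_status(fh.read())
    findings = []
    for pkg, version in installed.items():
        files = package_files(mount, pkg)
        # Capture atimes before reading any file: on a read-write mount the hash
        # pass below would itself refresh them (mount the view read-only/noatime).
        last_access = max((os.stat(p).st_atime for p in files), default=None)
        hits = []
        advisory = VULN_VERSIONS.get(pkg, {}).get(version)
        if advisory:
            hits.append(("version", advisory))
        for path in files:
            with open(path, "rb") as fh:
                advisory = VULN_FILE_HASHES.get(hashlib.sha256(fh.read()).hexdigest())
            if advisory:
                hits.append(("hash", advisory))
        # A vulnerable package none of whose files were touched recently is
        # probably not in use; its findings are kept but demoted.
        in_use = last_access is not None and now - last_access <= stale_days * DAY
        for evidence, advisory in hits:
            findings.append({"package": pkg, "version": version, "advisory": advisory,
                             "evidence": evidence, "priority": "high" if in_use else "low"})
    return findings

def build_sample_mount():
    """Constructed mini view in a temp dir so the example runs stand-alone."""
    mount = tempfile.mkdtemp(prefix="vm_view_")

    def put(rel, data, atime):
        path = os.path.join(mount, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(data)
        os.utime(path, (atime, atime))

    put("var/lib/dpkg/status", DPKG_STATUS, NOW)
    put("var/lib/dpkg/info/openssl.list", "/usr/bin/openssl\n", NOW)
    put("var/lib/dpkg/info/libexample.list", "/usr/lib/libexample.so\n", NOW)
    put("usr/bin/openssl", "constructed openssl binary\n", NOW - 200 * DAY)           # untouched for months
    put("usr/lib/libexample.so", "constructed vulnerable build marker\n", NOW - DAY)  # used yesterday
    return mount

if __name__ == "__main__":
    for finding in scan_view(build_sample_mount()):
        print(finding)
```

On the constructed view, `openssl` is matched by version but demoted to low priority because none of its files has been accessed within the staleness window, while `libexample` is not in the version feed at all and is caught only by the file-hash match, and stays high priority because its library was used recently.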
In yet another embodiment, the security system 140 may instantiate a copy of the VM 119-2 and/or a subset of applications of the VM 119-2 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is an isolated sandbox, which can be a full VM or a subset of it, such as a software container (e.g., Docker® container) or another virtualized instance. The monitored activity may be further analyzed to determine abnormality. Such analysis may include monitoring of API activity, process creation, file activity, network communication, registry changes, and active probing of said subset in order to assess its security posture. This may include, but is not limited to, actively communicating with the VM 119-2 and using either legitimate communication and/or attack attempts to assess posture and, by that, deriving the security posture of the entire VM 119-2.
`
In order to determine if the vulnerability is relevant to the VM 119-2, the security system 140 is configured to analyze the machine memory, as reflected in the page file. The page file is saved in the snapshot and extends how much system-committed memory (also known as “virtual memory”) a system can back. In an embodiment, analyzing the page file allows deduction of the applications and modules running on the VM 119-2. It should be noted that analyzing pages would be available only when VM 119-2 hibernates.
In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature, suspicious manipulation of a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
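Several of the non-vulnerability checks listed above (private keys on disk, ASLR disabled in persistent sysctl configuration, suspicious PATH, LD_LIBRARY_PATH and LD_PRELOAD definitions) are static checks against files in the mounted view and need nothing from the guest. The Python example below is added here and is not the patent's or Orca Security's code; the file locations it inspects are the conventional Linux paths and are an assumption, as are the constructed sample files.

```python
import os
import re
import tempfile

# PEM private key headers (RSA, EC, OpenSSH, PKCS#8, including encrypted ones).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Assignments of loader-related variables in profile files and /etc/environment.
LOADER_ENV_RE = re.compile(r"^\s*(?:export\s+)?(LD_PRELOAD|LD_LIBRARY_PATH|PATH)=(.*)$")
# Conventional locations inspected (assumed); the view is only read, never booted.
SYSCTL_FILES = ("etc/sysctl.conf",)
PROFILE_FILES = ("etc/environment", "etc/profile", "etc/bash.bashrc", "root/.bashrc")
KEY_SEARCH_ROOTS = ("root", "home", "etc")

def _read(mount, rel):
    path = os.path.join(mount, rel)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()

def check_aslr(mount):
    """Persistent sysctl setting that disables ASLR (kernel.randomize_va_space = 0)."""
    findings, files = [], list(SYSCTL_FILES)
    sysctl_d = os.path.join(mount, "etc/sysctl.d")
    if os.path.isdir(sysctl_d):
        files += [os.path.join("etc/sysctl.d", n) for n in sorted(os.listdir(sysctl_d))]
    for rel in files:
        data = _read(mount, rel)
        if data is None:
            continue
        for line in data.decode(errors="replace").splitlines():
            m = re.match(r"^\s*kernel\.randomize_va_space\s*=\s*(\d)", line)
            if m and m.group(1) == "0":
                findings.append(("aslr_disabled", rel, line.strip()))
    return findings

def _risky_search_path(value):
    # Empty entries and "." resolve to the current directory; /tmp is world-writable.
    return any(p in ("", ".") or p.startswith("/tmp") for p in value.strip().strip('"').split(":"))

def check_loader_env(mount):
    """LD_PRELOAD hooks and risky PATH / LD_LIBRARY_PATH definitions stored on disk."""
    findings = []
    preload = _read(mount, "etc/ld.so.preload")
    if preload and preload.strip():
        findings.append(("ld_so_preload", "etc/ld.so.preload", preload.decode(errors="replace").strip()))
    for rel in PROFILE_FILES:
        data = _read(mount, rel)
        if data is None:
            continue
        for line in data.decode(errors="replace").splitlines():
            m = LOADER_ENV_RE.match(line)
            if not m:
                continue
            var, value = m.groups()
            if var == "LD_PRELOAD":
                findings.append(("ld_preload_set", rel, line.strip()))
            elif _risky_search_path(value):
                kind = "path_risky" if var == "PATH" else "ld_library_path_risky"
                findings.append((kind, rel, line.strip()))
    return findings

def check_private_keys(mount, max_bytes=1 << 20):
    """PEM private keys lying on the disk, with a note on whether they are encrypted."""
    findings = []
    for root in KEY_SEARCH_ROOTS:
        for dirpath, _, names in os.walk(os.path.join(mount, root)):
            for name in names:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
                if PRIVATE_KEY_RE.search(data):
                    state = "encrypted" if b"ENCRYPTED" in data else "cleartext"
                    findings.append(("private_key_on_disk", os.path.relpath(path, mount), state))
    return findings

def scan_posture(mount):
    return check_aslr(mount) + check_loader_env(mount) + check_private_keys(mount)

def build_sample_mount():
    """Constructed mini view with one instance of each issue, for a stand-alone run."""
    mount = tempfile.mkdtemp(prefix="vm_view_")
    sample = {
        "etc/sysctl.d/99-constructed.conf": "kernel.randomize_va_space = 0\n",
        "etc/ld.so.preload": "/tmp/constructed_hook.so\n",
        "etc/profile": 'export PATH="/usr/local/bin:/usr/bin:."\n',
        "etc/hostname": "constructed-host\n",
        "root/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
    }
    for rel, data in sample.items():
        path = os.path.join(mount, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(data)
    return mount

if __name__ == "__main__":
    for finding in scan_posture(build_sample_mount()):
        print(finding)
```

Each checker returns `(kind, relative path, evidence)` tuples so the evidence line can be carried into the alert; a real scanner would add the boot-record and startup-service checks from the same list in the same shape.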
In an embodiment, the security system 140 may further monitor changes in sensitive machine areas, and alert on unexpected changes, such as added or changed application files without installation. In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
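A hash-based drift check of the kind just described: build a manifest of the sensitive directories from one view, compare it with the manifest from a later view of the same machine, and flag the changes that no package update explains. This is an added example and not part of the patent; the choice of sensitive directories and the dpkg-style ownership and version data are assumptions, and the two sample trees are constructed.

```python
import hashlib
import os
import tempfile

# Directories treated as "sensitive machine areas" (assumed set).
SENSITIVE_DIRS = ("boot", "etc", "usr/bin", "usr/sbin", "usr/lib")

# Constructed dpkg-style ownership data: file -> package, and package versions
# recorded in the earlier and the later view (only curl was updated in between).
OWNER_OF = {"usr/bin/sshd": "openssh-server", "usr/bin/curl": "curl",
            "etc/ssh/sshd_config": "openssh-server"}
VERSIONS_BEFORE = {"openssh-server": "1:8.9-1", "curl": "7.81.0-1"}
VERSIONS_AFTER = {"openssh-server": "1:8.9-1", "curl": "7.81.0-2"}

def build_manifest(mount, dirs=SENSITIVE_DIRS):
    """{relative path: sha256} for every regular file under the sensitive directories."""
    manifest = {}
    for d in dirs:
        for dirpath, _, names in os.walk(os.path.join(mount, d)):
            for name in names:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                with open(path, "rb") as fh:
                    manifest[os.path.relpath(path, mount)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Added, removed and content-changed paths between two manifests."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }

def explain_changes(diff, owner_of, versions_before, versions_after):
    """Flag changes that no package (re)installation accounts for."""
    flags = []
    for path in diff["changed"]:
        pkg = owner_of.get(path)
        if pkg is None:
            flags.append((path, "unowned_file_changed"))
        elif versions_before.get(pkg) == versions_after.get(pkg):
            flags.append((path, "changed_without_package_update"))
    for path in diff["added"]:
        if path not in owner_of:
            flags.append((path, "unowned_file_added"))
    return flags

def _write_tree(files):
    root = tempfile.mkdtemp(prefix="vm_view_")
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(data)
    return root

def build_sample_views():
    """Two constructed views of the same VM taken at different times."""
    baseline = _write_tree({
        "usr/bin/sshd": "constructed sshd build 1\n",
        "usr/bin/curl": "constructed curl 7.81.0-1\n",
        "etc/ssh/sshd_config": "PermitRootLogin no\n",
    })
    current = _write_tree({
        "usr/bin/sshd": "constructed sshd build 1 with unexplained modification\n",
        "usr/bin/curl": "constructed curl 7.81.0-2\n",                 # explained by the package update
        "etc/ssh/sshd_config": "PermitRootLogin no\n",                  # unchanged
        "etc/cron.d/constructed": "0 3 * * * root /usr/local/bin/constructed-task\n",  # no owning package
    })
    return baseline, current

if __name__ == "__main__":
    before, after = build_sample_views()
    diff = diff_manifests(build_manifest(before), build_manifest(after))
    print(diff)
    print(explain_changes(diff, OWNER_OF, VERSIONS_BEFORE, VERSIONS_AFTER))
```

The baseline manifest is what the system would persist after each scan; only the hashes need to be stored, so the comparison can run on a view taken months later without any copy of the earlier disk.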
In some embodiments, the detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based, in part, on their determined risk. Further, the reported cyber threats may be filtered or prioritized based, in part, on the risk level of the machine. This also reduces the number of alerts reported to the user.
In an embodiment, any detected cyber threats related to sensitive data, including personally identifiable information, or PII, are reported at a higher priority. In an embodiment, such data is determined by searching for the PII, analyzing the application logs to determine whether the machine accessed PII/PII-containing servers, or whether the logs themselves contain PII, and searching the machine memory, as reflected in the page file, for PII.
In an embodiment, the security system 140 may determine the risk of the VM 119 based on communication with an untrusted network. This can be achieved by analyzing the VM’s 119-2 logs as saved in the virtual disk, and can be derived from the view.
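Deriving a machine risk level from the logs saved in the view, and using it together with the PII rule above to prioritize and filter the alerts, as an added example that is not part of the patent: the sshd-style log lines and the findings are constructed, the trusted address ranges are an assumption (RFC 1918 space; a deployment would take them from the client's configuration), and the scoring weights are illustrative.

```python
import ipaddress
import re

# Constructed sshd-style log lines as read from the view's /var/log (sample data;
# the public addresses are from the documentation ranges).
SAMPLE_LOG = """\
Jan 14 02:11:07 vm119-2 sshd[812]: Accepted publickey for deploy from 10.0.3.7 port 51022 ssh2
Jan 14 02:13:41 vm119-2 sshd[821]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 14 02:13:44 vm119-2 sshd[821]: Failed password for root from 198.51.100.23 port 40113 ssh2
Jan 14 03:02:10 vm119-2 sshd[903]: Accepted password for admin from 203.0.113.9 port 55010 ssh2
"""

# Assumed trusted address space; a real deployment takes this from the client's configuration.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PEER_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed findings of the kind the scanner produces for a VM at rest.
SAMPLE_FINDINGS = [
    {"id": "F1", "title": "vulnerable openssl build installed", "severity": "high"},
    {"id": "F2", "title": "unencrypted customer export containing PII", "severity": "medium", "pii": True},
    {"id": "F3", "title": "vulnerable module present but unused", "severity": "low"},
]

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
MACHINE_RISK_WEIGHT = {"low": 1, "medium": 2, "high": 3}
PII_BONUS = 2   # illustrative weight for the "PII is reported at a higher priority" rule

def _untrusted_peer(line, trusted):
    """Peer address of a log line if it lies outside the trusted networks, else None."""
    m = PEER_RE.search(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group(1))
    return None if any(ip in net for net in trusted) else str(ip)

def untrusted_peers(log_text, trusted=TRUSTED_NETWORKS):
    """Count log lines per peer address outside the trusted networks."""
    peers = {}
    for line in log_text.splitlines():
        peer = _untrusted_peer(line, trusted)
        if peer:
            peers[peer] = peers.get(peer, 0) + 1
    return peers

def machine_risk(log_text, trusted=TRUSTED_NETWORKS):
    """'high' if an untrusted peer was granted access, 'medium' if one only tried, else 'low'."""
    seen = accepted = False
    for line in log_text.splitlines():
        if _untrusted_peer(line, trusted) is None:
            continue
        seen = True
        accepted = accepted or "Accepted" in line
    return "high" if accepted else ("medium" if seen else "low")

def prioritize(findings, risk, threshold=3):
    """Score = severity x machine risk (+ bonus for PII); drop findings below the threshold."""
    scored = []
    for f in findings:
        score = SEVERITY_WEIGHT[f["severity"]] * MACHINE_RISK_WEIGHT[risk]
        if f.get("pii"):
            score += PII_BONUS
        if score >= threshold:
            scored.append({**f, "score": score})
    return sorted(scored, key=lambda f: (-f["score"], f["id"]))

if __name__ == "__main__":
    risk = machine_risk(SAMPLE_LOG)
    print("machine risk:", risk, untrusted_peers(SAMPLE_LOG))
    for f in prioritize(SAMPLE_FINDINGS, risk):
        print(f["score"], f["id"], f["title"])
```

With the constructed log the machine is rated high risk (an untrusted peer was accepted), so all three findings clear the threshold; the same findings on a low-risk machine leave only the PII finding and the high-severity vulnerability, with the PII finding ranked first.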
In an example embodiment, the security system 140 may cause an execution of one or more mitigation actions. Examples for such actions may include disabling the VM 119-2 from execution, updating the VM 119-2 with recent patches, and so on.
The above examples for detecting vulnerabilities may be applicable also for a VM 119-1 and may be performed when the VM 119-1 will be started later on. For the active VM 119-1 the mitigation actions may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like. The mitigation actions may be performed by a mitigation tool and not the system 140.
It should be noted that the example implementation shown in FIG. 1 is described with respect to a single cloud computing platform 110 hosting two VMs 119-1 and 119-2 in a single server 115, merely for simplicity purposes and without limitation on the disclosed embodiments. Typically, virtual machines are deployed and executed in a single cloud computing platform, a virtualized environment, or data center and can be protected without departing from the scope of the disclosure. It should be further noted that the disclosed embodiments can operate using multiple security systems 140, each of which may operate in a different client environment.
FIG. 2 shows an example flowchart 200 illustrating a method for detecting cyber threats including potential vulnerabilities in virtual machines at rest, according to some embodiments. The method may be performed by the security system 140.
At S210, a request, for example, to scan a VM at rest for vulnerabilities, is received. A VM at rest is a machine that is currently powered off, i.e., not in an operational state. A VM at rest is executed at a predefined time period but remains inactive (powered off) when not executed. The request, received at S210, may be received, or otherwise triggered, at every predefined time interval or upon detection of an external event. An external event may be a preconfigured event, such as a network event or abnormal event including, without limitation, requests to run the VM 119-2 not according to a schedule, access by an authorized user, and the like. The request may at least designate an identifier of the VM to be scanned.
At S220, a location of a view of the VM at rest to be scanned is determine