US011693685B2

(12) United States Patent
Shua
(10) Patent No.: US 11,693,685 B2
(45) Date of Patent: Jul. 4, 2023

(54) VIRTUAL MACHINE VULNERABILITIES AND SENSITIVE DATA ANALYSIS AND DETECTION

(71) Applicant: Orca Security LTD., Tel Aviv (IL)
(72) Inventor: Avi Shua, Tel Aviv (IL)
(73) Assignee: Orca Security Ltd., Tel Aviv (IL)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
(21) Appl. No.: 17/361,861
(22) Filed: Jun. 29, 2021
(65) Prior Publication Data: US 2021/0329019 A1, Oct. 21, 2021

Related U.S. Application Data
(63) Continuation of application No. 16/585,967, filed on Sep. 27, 2019, now Pat. No. 11,431,735.
(60) Provisional application No. 62/797,718, filed on Jan. 28, 2019.

(51) Int. Cl.
G06F 9/455 (2018.01)
H04L 9/40 (2022.01)
G06F 16/11 (2019.01)
G06F 11/14 (2006.01)

(52) U.S. Cl.
CPC ...... G06F 9/45558 (2013.01); G06F 11/1464 (2013.01); G06F 16/128 (2019.01); H04L 63/1416 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/45583 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2201/84 (2013.01)

(58) Field of Classification Search
CPC ............. H04L 63/1416; H04L 63/1433; H04L 63/1441; G06F 9/45558; G06F 16/128; G06F 2009/45562; G06F 2009/45583; G06F 2009/45595; G06F 2201/84
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

9,069,983 B1   6/2015  Nijjar
9,177,145 B2  11/2015  Todorovic
9,229,758 B2   1/2016  Ammons et al.
9,268,689 B1*  2/2016  Chen ................... G06F 12/1027
9,519,781 B2  12/2016  Golshan et al.
(Continued)

OTHER PUBLICATIONS

Non-Final Office Action U.S. Appl. No. 16/585,967 dated Feb. 3, 2022, in the United States Patent and Trademark Office.
(Continued)

Primary Examiner - Benjamin C Wu
(74) Attorney, Agent, or Firm - Finnegan, Henderson, Farabow, Garrett & Dunner, L.L.P.

(57) ABSTRACT

A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

22 Claims, 4 Drawing Sheets

FIG. 2 (representative drawing): flowchart 200: Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End.

Ex. 2185-001
Orca Security Ltd., Exhibit 2185, Wiz v. Orca, IPR2024-01190

(56) References Cited

U.S. PATENT DOCUMENTS (Continued)

9,563,777 B2   2/2017  Deng et al.
9,734,325 B1   8/2017  Neumann et al.
9,756,070 B1   9/2017  Crowell et al.
9,798,885 B2  10/2017  Deng et al.
9,858,105 B1   1/2018  Upadhyay et al.
10,079,842 B1   9/2018  Brandwine et al.
10,402,560 B2   9/2019  Gilbert
10,412,109 B2   9/2019  Loureiro et al.
10,469,304 B1* 11/2019  Kempe .................. H04L 41/085
10,534,915 B2   1/2020  Cherny et al.
10,536,471 B1   1/2020  Derbeko
10,782,952 B1   9/2020  Doring et al.
10,812,521 B1* 10/2020  Sharifi Mehr ........... H04L 63/1433
10,944,778 B1   3/2021  Golan
11,068,353 B1   7/2021  Ved
11,120,124 B2   9/2021  Fusenig et al.
11,216,563 B1   1/2022  Veselov et al.
11,431,735 B2*  8/2022  Shua ................... H04L 63/1433
11,516,231 B2* 11/2022  Shua ................... G06F 16/128
2007/0266433 A1  11/2007  Moore
2008/0189788 A1*  8/2008  Bahl ................... H04L 63/1416; 726/25
2008/0263658 A1  10/2008  Michael et al.
2009/0007100 A1   1/2009  Field et al.
2010/0017512 A1   1/2010  Ciano et al.
2011/0289584 A1* 11/2011  Palagummi ............. G06F 21/562; 726/24
2012/0323853 A1  12/2012  Fries et al.
2013/0191643 A1   7/2013  Song
2013/0247133 A1*  9/2013  Price ................. G06F 21/577; 726/1
2014/0096135 A1   4/2014  Kundu et al.
2014/0137190 A1   5/2014  Carey et al.
2015/0052520 A1   2/2015  Crowell et al.
2016/0004449 A1   1/2016  Lakshman
2016/0094568 A1   3/2016  Balasubramanian
2016/0241573 A1*  8/2016  Mixer ................. H04L 63/20
2016/0364255 A1* 12/2016  Chefalas .............. G06F 8/60
2017/0011138 A1   1/2017  Venkatesh et al.
2017/0031704 A1*  2/2017  Sudhakaran ............ G06F 16/128
2017/0103212 A1   4/2017  Deng
2017/0111384 A1   4/2017  Loureiro .............. H04L 63/1408
2018/0052762 A1   2/2018  Vyas .................. G06F 11/3668
2018/0137032 A1   5/2018  Tannous
2018/0255080 A1   9/2018  Paine
2018/0293374 A1  10/2018  Chen
2019/0065754 A1*  2/2019  Ochs .................. G06F 21/577
2020/0042707 A1   2/2020  Kucherov et al.
2020/0065487 A1*  2/2020  Timashev .............. G06F 21/561
2020/0244678 A1*  7/2020  Shua .................. G06F 9/45558
2020/0244692 A1*  7/2020  Shua .................. H04L 63/1416
2021/0336976 A1* 10/2021  Shua .................. G06F 16/128
2021/0377287 A1* 12/2021  Shua .................. H04L 63/1441
2022/0417270 A1* 12/2022  Shua .................. G06F 11/3476
2023/0087080 A1*  3/2023  Shua .................. G06F 16/128
2023/0089313 A1*  3/2023  Shua .................. G06F 11/1451
2023/0092220 A1*  3/2023  Shua .................. H04L 63/1441
2023/0093527 A1*  3/2023  Shua .................. G06F 11/1464

OTHER PUBLICATIONS

Notice of Allowance U.S. Appl. No. 16/585,967 dated Jul. 7, 2022, in the United States Patent and Trademark Office.
Non-Final Office Action U.S. Appl. No. 17/330,998 dated Mar. 4, 2022, in the United States Patent and Trademark Office.
Final Office Action U.S. Appl. No. 17/330,998 dated Jun. 30, 2022, in the United States Patent and Trademark Office.
Notice of Allowance U.S. Appl. No. 17/330,998 dated Aug. 10, 2022, in the United States Patent and Trademark Office.
Wei et al., “Managing Security of Virtual Machine Images in a Cloud Environment”, CCSW’09, pp. 91-96, Nov. 13, 2009.
Rani et al., “An Efficient Approach to Forensic Investigation in Cloud using VM Snapshots”, 2015 International Conference on Pervasive Computing (ICPC), 5 pages, (2015).
Almulla et al., “Digital Forensic of a Cloud Based Snapshot”, The Sixth International Conference on Innovative Computing Technology (INTECH 2016), pp. 724-729, (2016).
Pandey et al., “An Approach for Virtual Machine Image Security”, Computer Science and Engineering MNNIT, Allahabad, 2014 International Conference on Signal Propagation and Computer Technology (ICSPCT), pp. 616-623, (2014).
Rajasekaran et al., “Scalable Cloud Security via Asynchronous Virtual Machine Introspection”, 8th USENIX Workshop on Hot Topics in Cloud Computing, Cover page and pp. 1-6, (2016).
Kaur et al., “Secure VM Backup and Vulnerability Removal in Infrastructure Clouds”, 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 1217-1226, (2014).
Fernandez et al., “Two patterns for cloud computing: Secure Virtual Machine Image Repository and Cloud Policy Management Point”, PLoP ’13: Proceedings of the 20th Conference on Pattern Languages of Programs, Oct. 2013, Article No. 15, Association for Computing Machinery (ACM), Cover sheet and pp. 1-11, (2013).
Fernandez et al., “Building a security reference architecture for cloud systems”, Springer, Requirements Eng, vol. 21, pp. 225-249, (2016).
Ammons et al., “Virtual machine images as structured data: the Mirage image library”, IBM Research, Cover sheet 2 pages and pp. 1-6, (2011).
“IBM Point of View: Security and Cloud Computing”, IBM SmartCloud Enterprise, Cloud Computing White Paper, 13 sheets of cover pages and pp. 1-20, (2009).
Cui et al., “A Less Resource-Consumed Security Architecture on Cloud Platform”, Wuhan University Journal of Natural Sciences, vol. 21, No. 5, pp. 407-414, (2016).
Bugiel et al., “AmazonIA: When Elasticity Snaps Back”, CCS’11, ACM, pp. 389-400, (2011).

* cited by examiner

U.S. Patent, Jul. 4, 2023, Sheet 1 of 4, US 11,693,685 B2

FIG. 1A (Sheet 1 of 4): network diagram 100 showing the cloud computing platform 110, the management console 150, the external systems 170, and the user console 180.

FIG. 1B (Sheet 2 of 4): the cloud computing platform 110 and the security system 140.

FIG. 2 (Sheet 3 of 4): flowchart 200: Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End.

FIG. 3 (Sheet 4 of 4): block diagram of the security system with processing circuitry 310, storage 330, and network interface 340.

VIRTUAL MACHINE VULNERABILITIES AND SENSITIVE DATA ANALYSIS AND DETECTION

This application is a continuation of U.S. application Ser. No. 16/585,967 (now pending), filed Sep. 27, 2019, which claims the benefit of U.S. Provisional Application No. 62/797,718 filed on Jan. 28, 2019. Each of the above-referenced applications is incorporated herein by reference in its entirety.

TECHNICAL FIELD

This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.

BACKGROUND
`
Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of “computers” or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and therefore a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

Modern virtualization technologies are also adopted by cloud computing platforms. Examples of such technologies include virtual machines, software containers, and serverless functions. With their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.

Protection of a cloud computing infrastructure, and particularly of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.

Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or may not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent it. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.

Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow detection of vulnerabilities in software executed by the server.

To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resources management, governance, and performance. For example, installing agents in a large data center may take months.

It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.

SUMMARY
`
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
Certain embodiments disclosed herein also include a system for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; access the snapshot of the virtual disk based on the determined location; analyze the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alert detected potential cyber threats based on a determined priority.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.

FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments.

FIG. 3 is an example block diagram of the security system according to an embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments are operable in on-premises virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.

The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting at least one virtual machine (VM) 119. The VM 119 is a protected VM, which may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like.

The storage 117 emulates virtual disks for the VMs executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optic fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In the example illustrated in FIG. 1B, virtual disk 118-1 is allocated for the VM 119. The server 115, and hence the VM 119, may be executed in a client environment 130 within the platform 110.

The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or on-premises virtualization environment, such as a VMware® based solution.

Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.

In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross-account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.

In the deployment illustrated in FIG. 1, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.

In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may be used to detect certain known vulnerabilities identified in, for example, a CVE database.

According to the disclosed embodiments, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of the VM 119. The detection is performed while the VM 119 is live, without using any agent installed in the server 115 or the VM 119, and without relying on cooperation from the guest OS of the VM 119. Specifically, the security system 140 can scan and detect vulnerable software, non-secure configuration, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber insurance, by assessing the security posture.

In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disk 118-1 serving the VM 119 and a location of the snapshot. A VM’s snapshot is a copy of the machine’s virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created at multiple possible point-in-time restore points. When a VM reverts to a snapshot, current disk and mem­ory states are deleted and the snapshot becomes the new parent snapshot for that VM.

The snapshot of the VM 119, which may be saved from the virtual disk 118-1, is located and accessed by the system 140. In an embodiment, the VM’s 119 snapshot may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot, or request such an action. The snapshots may be taken at a predefined schedule or upon predefined events (e.g., a network event or abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs.

It should be noted that the snapshot of the virtual disk 118-1 may not necessarily be stored in the storage 117, but for ease of the discussion it is assumed that the snapshot is saved in the storage 117. It should be further noted that the snapshot is being accessed without cooperation of the guest (virtual) OS of the virtual machine.

The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction and/or information from the VM 119. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or VM 119.
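Accessing the snapshot without the guest OS means the security system has to read the raw disk image itself. As an added example (not code from the patent or from Orca Security), the Python below parses the MBR partition table of a constructed raw image and recognizes an ext-family filesystem from its superblock magic; the image, its single partition and the volume name are constructed inline, while the MBR entry layout and the ext superblock field offsets follow the published on-disk formats.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte partition entries start here
EXT_SUPERBLOCK_OFFSET = 1024    # ext2/3/4 superblock begins 1 KiB into the partition
EXT_MAGIC = 0xEF53              # s_magic, little-endian, at superblock offset 0x38
ENTRY = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count


def build_constructed_snapshot():
    """Constructed raw image (not a real VM snapshot): an MBR whose first entry
    is a Linux (0x83) partition that carries an ext-style superblock."""
    lba_start, sectors = 2048, 64
    img = bytearray((lba_start + sectors) * SECTOR)
    img[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = struct.pack(
        ENTRY, 0x00, b"\0\0\0", 0x83, b"\0\0\0", lba_start, sectors)
    img[510:512] = b"\x55\xAA"                     # MBR boot signature
    sb = lba_start * SECTOR + EXT_SUPERBLOCK_OFFSET
    struct.pack_into("<I", img, sb + 0x04, 1000)   # s_blocks_count_lo (constructed value)
    struct.pack_into("<I", img, sb + 0x18, 2)      # s_log_block_size: 1024 << 2 = 4096
    struct.pack_into("<H", img, sb + 0x38, EXT_MAGIC)
    img[sb + 0x78:sb + 0x88] = b"rootfs-snapshot".ljust(16, b"\0")  # s_volume_name
    return bytes(img)


def parse_mbr(img):
    """Return the populated partition entries of an MBR-partitioned image."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature; not an MBR image (GPT needs a different parser)")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, img, MBR_TABLE_OFFSET + 16 * i)
        if ptype == 0x00 or count == 0:            # empty slot
            continue
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "lba_start": lba, "sectors": count})
    return parts


def read_ext_superblock(img, part):
    """Return superblock fields if the partition holds an ext2/3/4 filesystem, else None."""
    start = part["lba_start"] * SECTOR
    end = min(start + part["sectors"] * SECTOR, len(img))
    sb = start + EXT_SUPERBLOCK_OFFSET
    if sb + 0x88 > end:                            # partition too small or image truncated
        return None
    if struct.unpack_from("<H", img, sb + 0x38)[0] != EXT_MAGIC:
        return None
    blocks = struct.unpack_from("<I", img, sb + 0x04)[0]
    log_block_size = struct.unpack_from("<I", img, sb + 0x18)[0]
    name = img[sb + 0x78:sb + 0x88].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"blocks": blocks, "block_size": 1024 << log_block_size, "volume_name": name}


def enumerate_filesystems(img):
    """Walk the partition table and identify ext-family filesystems from the image bytes alone."""
    result = []
    for part in parse_mbr(img):
        sb = read_ext_superblock(img, part)
        result.append({**part, "fs": "ext" if sb else "unknown", "superblock": sb})
    return result


if __name__ == "__main__":
    for fs in enumerate_filesystems(build_constructed_snapshot()):
        print(fs)
```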
Various techniques can be utilized to analyze the snapshots, depending on the type of vulnerability and cyber threats to be detected. Following are some example embodiments of techniques that may be implemented by the security system 140.
In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VM 119. The VM 119 being checked may be running, paused, or shut down. To this end, the security system 140 is configured to match installed application lists, with their respective versions, to a known list of vulnerable applications. Further, the security system 140 may be configured to match the application files, either directly (using binary comparison) or by computing a cryptographic hash, against a database of files in vulnerable applications. The matching may also be on sub-modules of an application. Alternatively, the security system 140 may read installation logs of package managers used to install the packages of the application.

In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119. For example, if there is a vulnerable version or module not in use, the priority of that issue is reduced dramatically. To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119; to verify access times to files by the operating system; and/or to analyze the active application and/or system logs in order to deduce what applications and modules are running.
In yet another embodiment, the security system 140 may instantiate a copy of the VM 119 and/or a subset of applications of the VM 119 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is an isolated sandbox, which can be a full VM or a subset of it, such as a software container (e.g., Docker® container) or another virtualized instance. The monitored activity may be further analyzed to determine abnormality. Such analysis may include monitoring of API activity, process creation, file activity, network communication, registry changes, and active probing of the said subset in order to assess its security posture. This may include, but is not limited to, actively communicating with the VM 119, using either legitimate communication and/or attack attempts, to assess its posture and by that deriving the security posture of the entire VM 119.

In order to determine if the vulnerability is relevant to the VM 119, the security system 140 is configured to analyze the machine memory, as reflected in the pagefile. The pagefile is saved in the snapshot and extends how much system-committed memory (also known as “virtual memory”) a system can back. In an embodiment, analyzing the pagefile allows deduction of the applications and modules running on the VM 119.

In an embodiment, the security system 140 is configured to read process identification number (PID) files and check their access or write times, which are matched against process descriptors. The PID can be used to deduce which processes are running, and hence the priority of vulnerabilities detected in processes existing on the disk. It should be noted the PID files are also maintained in the snapshot.
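The version matching, file-hash matching and in-use checks described above (installed package lists, package files, PID files and file access times), as an added example that is not the patent's code: it scans a constructed in-memory snapshot (a dpkg status file, package file lists, a few binaries with access times, a PID file) against constructed advisory data, then lowers the priority of findings in components that show no sign of running. The version ordering is a simplified stand-in for real dpkg/rpm comparison, and the 30-day access window is an assumption.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed snapshot contents (not a real image): path -> (file bytes, last access time).
SNAPSHOT_TIME = datetime(2021, 6, 29, 12, 0)
T = SNAPSHOT_TIME
SNAPSHOT = {
    "/var/lib/dpkg/status": (
        b"Package: openssl\nStatus: install ok installed\nVersion: 1.1.1f-1ubuntu2\n\n"
        b"Package: nginx\nStatus: install ok installed\nVersion: 1.18.0-0ubuntu1\n\n"
        b"Package: exim4\nStatus: install ok installed\nVersion: 4.93-13\n\n"
        b"Package: curl\nStatus: deinstall ok config-files\nVersion: 7.68.0-1\n\n", T),
    # package file lists as dpkg keeps them, used to map packages to on-disk files
    "/var/lib/dpkg/info/openssl.list": (b"/usr/bin/openssl\n/usr/lib/x86_64-linux-gnu/libssl.so.1.1\n", T),
    "/var/lib/dpkg/info/nginx.list": (b"/usr/sbin/nginx\n", T),
    "/var/lib/dpkg/info/exim4.list": (b"/usr/sbin/exim4\n", T),
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1": (b"\x7fELF-libssl-constructed", T - timedelta(minutes=5)),
    "/usr/bin/openssl": (b"\x7fELF-openssl-constructed", T - timedelta(days=200)),
    "/usr/sbin/nginx": (b"\x7fELF-nginx-constructed", T - timedelta(hours=1)),
    "/usr/sbin/exim4": (b"\x7fELF-exim-constructed", T - timedelta(days=120)),
    "/run/nginx.pid": (b"1234\n", T - timedelta(hours=1)),
}

# Constructed advisory data: first fixed upstream version per package, and SHA-256 of known-vulnerable files.
FIXED_IN = {"openssl": "1.1.1k", "exim4": "4.94.2", "nginx": "1.20.1"}
VULNERABLE_FILE_HASHES = {hashlib.sha256(b"\x7fELF-libssl-constructed").hexdigest(): "openssl"}


def version_key(version):
    """Simplified upstream-version ordering (digit runs numeric, letter runs lexical);
    a stand-in for full dpkg/rpm comparison, which also handles '~' and revision rules."""
    upstream = version.split(":", 1)[-1].split("-", 1)[0]       # drop epoch and Debian revision
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", upstream)]


def parse_dpkg_status(data):
    """Installed packages and versions from /var/lib/dpkg/status (removed packages skipped)."""
    installed = {}
    for stanza in data.decode().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if "Package" in fields and fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def package_files(package, snapshot):
    entry = snapshot.get(f"/var/lib/dpkg/info/{package}.list")
    return entry[0].decode().split() if entry else []


def is_in_use(package, snapshot, window=timedelta(days=30)):
    """On-disk evidence that the package is running: a PID file named after it,
    or one of its files accessed within `window` of the snapshot time."""
    if any(p.startswith(("/run/", "/var/run/")) and p.endswith(f"/{package}.pid") for p in snapshot):
        return True
    return any(f in snapshot and SNAPSHOT_TIME - snapshot[f][1] <= window
               for f in package_files(package, snapshot))


def scan_snapshot(snapshot):
    findings = {}
    for pkg, ver in parse_dpkg_status(snapshot["/var/lib/dpkg/status"][0]).items():
        fixed = FIXED_IN.get(pkg)
        if fixed and version_key(ver) < version_key(fixed):
            findings.setdefault(pkg, []).append(f"installed {ver} is below fixed version {fixed}")
    for path, (content, _) in snapshot.items():
        pkg = VULNERABLE_FILE_HASHES.get(hashlib.sha256(content).hexdigest())
        if pkg:
            findings.setdefault(pkg, []).append(f"file hash matches known-vulnerable build: {path}")
    report = {}
    for pkg, evidence in findings.items():
        in_use = is_in_use(pkg, snapshot)       # unused component: priority reduced
        report[pkg] = {"evidence": evidence, "in_use": in_use, "priority": "high" if in_use else "low"}
    return report


if __name__ == "__main__":
    for pkg, finding in scan_snapshot(SNAPSHOT).items():
        print(pkg, finding)
```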
In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature, suspicious manipulation of a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
In an embodiment, the security system 140 may further monitor changes in sensitive machine areas, and alert on unexpected changes (e.g., added or changed application files without installation). In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
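The non-vulnerability checks of the preceding two paragraphs (private keys, cleartext credentials, weak SSH cipher suites, a disabled ASLR setting, LD_PRELOAD and PATH definitions) together with hash-based change monitoring of sensitive areas, as an added example that is not the patent's code. The snapshot contents, the baseline hashes and the choice of sensitive areas are constructed for the example.

```python
import hashlib
import re

# Constructed snapshot contents (not a real image): path -> file bytes.
SNAPSHOT = {
    "/etc/ssh/sshd_config": b"Port 22\nCiphers aes256-gcm@openssh.com,arcfour,3des-cbc\nPasswordAuthentication no\n",
    "/etc/sysctl.d/10-custom.conf": b"net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 0\n",
    "/etc/ld.so.preload": b"/usr/local/lib/libhook.so\n",
    "/etc/environment": b'PATH=".:/usr/local/bin:/usr/bin:/bin"\nLD_LIBRARY_PATH=/tmp/lib\n',
    "/home/app/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
    "/opt/app/config.ini": b"[db]\nhost=db.internal\npassword = hunter2\n",
    "/usr/sbin/sshd": b"\x7fELF-sshd-constructed",
    "/usr/sbin/cron": b"\x7fELF-cron-modified",
    "/usr/sbin/dropper": b"\x7fELF-unexpected",
}

WEAK_SSH_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "cast128-cbc"}
SENSITIVE_AREAS = ("/usr/sbin/", "/boot/", "/etc/ld.so.preload")   # assumed set of areas to hash
CRED_RE = re.compile(rb"(?im)^\s*(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: hashes of the sensitive areas recorded by an earlier scan.
BASELINE = {"/usr/sbin/sshd": sha256(b"\x7fELF-sshd-constructed"),
            "/usr/sbin/cron": sha256(b"\x7fELF-cron-original")}


def check_private_keys(snap):
    return [{"check": "private_key", "path": p} for p, d in snap.items()
            if b"-----BEGIN " in d and b"PRIVATE KEY-----" in d]


def check_cleartext_credentials(snap):
    out = []
    for p, d in snap.items():
        m = CRED_RE.search(d)
        if m:
            out.append({"check": "cleartext_credential", "path": p, "detail": m.group(1).decode().lower()})
    return out


def check_ssh_ciphers(snap):
    for line in snap.get("/etc/ssh/sshd_config", b"").decode().splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "ciphers":
            weak = sorted({c.strip() for c in value.split(",")} & WEAK_SSH_CIPHERS)
            return [{"check": "weak_cipher", "path": "/etc/ssh/sshd_config", "detail": ",".join(weak)}] if weak else []
    return []


def check_aslr(snap):
    # Only the persisted sysctl setting is visible on disk; anything but full randomization (2) is flagged.
    out = []
    for p, d in snap.items():
        if p == "/etc/sysctl.conf" or p.startswith("/etc/sysctl.d/"):
            for line in d.decode().splitlines():
                k, _, v = line.partition("=")
                if k.strip() == "kernel.randomize_va_space" and v.strip() != "2":
                    out.append({"check": "aslr_disabled", "path": p, "detail": v.strip()})
    return out


def check_loader_env(snap):
    out = []
    if snap.get("/etc/ld.so.preload", b"").strip():
        out.append({"check": "ld_preload", "path": "/etc/ld.so.preload"})
    for p in ("/etc/environment", "/etc/profile"):
        for line in snap.get(p, b"").decode().splitlines():
            name, _, value = line.partition("=")
            value = value.strip().strip('"')
            if name in ("LD_PRELOAD", "LD_LIBRARY_PATH"):
                out.append({"check": "loader_path", "path": p, "detail": line.strip()})
            elif name == "PATH" and any(part in ("", ".") for part in value.split(":")):
                out.append({"check": "relative_path_entry", "path": p, "detail": value})
    return out


def check_integrity(snap, baseline):
    """Hash the sensitive areas and diff against the recorded baseline."""
    out = []
    for p, d in snap.items():
        if p.startswith(SENSITIVE_AREAS):
            if p not in baseline:
                out.append({"check": "integrity_added", "path": p})
            elif baseline[p] != sha256(d):
                out.append({"check": "integrity_changed", "path": p})
    return out


def scan(snap, baseline=BASELINE):
    findings = []
    for check in (check_private_keys, check_cleartext_credentials, check_ssh_ciphers, check_aslr, check_loader_env):
        findings += check(snap)
    return findings + check_integrity(snap, baseline)
```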
In some embodiments, the detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based in part on their determined risk. Further, the reported cyber threats may be filtered or prioritized based in part on the risk level of the machine. This also reduces the number of alerts reported to the user.

In an embodiment, any detected cyber threat related to sensitive data (including personally identifiable information, PII) is reported at a higher priority. In an embodiment, such data is determined by searching for the PII, analyzing the application logs to determine whether the machine accessed PII/PII-containing servers, or whether the logs themselves contain PII, and searching the machine memory, as reflected in the pagefile, for PII.
In an embodiment, the security system 140 may determine the risk of the VM 119 based on communication with an untrusted network. This can be achieved by analyzing the VM’s 119 logs as saved in the virtual disk, which can be derived from the snapshot.
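Prioritizing and filtering the reported threats as the last three paragraphs describe, as an added example that is not the patent's code: the machine's risk level is derived from constructed log lines on the disk (PII in the logs, communication with an address outside assumed trusted networks), PII-related findings are boosted, findings in unused components are reduced, and anything below a threshold is dropped. The trusted networks, weights and threshold are assumptions.

```python
import ipaddress
import re

# Assumed trusted address ranges; anything else seen in the logs counts as an untrusted network.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed application log lines, as they would be read from the snapshot's virtual disk.
LOG_LINES = [
    "2021-06-28T10:01:02Z app GET /api/orders 200 client=10.0.4.17",
    "2021-06-28T10:05:44Z app POST /api/export 200 client=198.51.100.23",
    "2021-06-28T10:06:10Z app user=alice email=alice@example.com ssn=123-45-6789 action=profile_view",
    "2021-06-28T11:00:00Z app upstream=192.168.20.5 status=ok",
]

# Constructed findings of the kind the snapshot analysis produces (severity on a 0-10 scale).
FINDINGS = [
    {"id": "F1", "check": "vulnerable_package", "severity": 7.5, "in_use": True},
    {"id": "F2", "check": "vulnerable_package", "severity": 9.8, "in_use": False},
    {"id": "F3", "check": "cleartext_credential", "severity": 6.0, "in_use": True},
    {"id": "F4", "check": "pii_unencrypted", "severity": 5.0, "in_use": True},
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PII_PATTERNS = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
                "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}


def untrusted_peers(lines, trusted=TRUSTED_NETWORKS):
    """Addresses in the logs that fall outside the trusted networks."""
    peers = set()
    for line in lines:
        for candidate in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:          # e.g. "999.1.1.1" matches the regex but is not an address
                continue
            if not any(addr in net for net in trusted):
                peers.add(str(addr))
    return peers


def pii_in_logs(lines):
    return {kind for line in lines for kind, rx in PII_PATTERNS.items() if rx.search(line)}


def machine_risk(lines):
    """Risk level of the machine itself, derived only from what the disk shows."""
    peers, pii = untrusted_peers(lines), pii_in_logs(lines)
    multiplier = 1.0 + (0.5 if peers else 0.0) + (0.5 if pii else 0.0)   # assumed weights
    return {"multiplier": multiplier, "untrusted_peers": sorted(peers), "pii": sorted(pii)}


def prioritize(findings, lines, threshold=5.0, pii_boost=3.0, unused_factor=0.25):
    """Score each finding by severity, machine risk, PII relevance and whether the affected
    component is in use; drop anything under `threshold`. The weights are assumptions."""
    ctx = machine_risk(lines)
    ranked = []
    for f in findings:
        score = f["severity"] * ctx["multiplier"]
        if not f.get("in_use", True):
            score *= unused_factor          # vulnerable but unused: priority reduced dramatically
        if f["check"].startswith("pii"):
            score += pii_boost              # sensitive-data findings are reported at higher priority
        if score >= threshold:
            ranked.append({**f, "score": round(score, 2)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print(machine_risk(LOG_LINES))
    for r in prioritize(FINDINGS, LOG_LINES):
        print(r["id"], r["check"], r["score"])
```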
In an example embodiment, the security system 140 may cause an execution of one or more mitigation actions. Examples of such actions may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like. The mitigation actions may be performed by a mitigation tool and not the system 140.

It should be noted that the example implementation shown in FIG. 1 is described with respect to a single cloud computing platform 110 hosting a single VM 119 in a single server 115, merely for simplicity purposes and without limitation on the disclosed embodiments. Typically, virtual machines are deployed and executed in a single cloud computing platform, a virtualized environment, or data center and can be protected without departing from the scope of the disclosure. It should be further noted that the disclosed embodiments can operate using multiple security systems 140, each of which may operate in a different client environment.

FIG. 2 shows an example flowchart 200 illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments. The method may be performed by the security system 140.

At S210, a request, for example, to scan a VM for vulnerabilities is received. The request may be received, or otherwise triggered, every predefined time interval or upon detection of an external event. An external event may be a preconfigured event, such as a network event or abnormal event including, but not limited to, changes to infrastructure such as instantiation of an additional container on an existing VM, an image change on a VM, a new VM created, unexpected shutdowns, access requests from unauthorized users, and the like. The request may at least designate an identifier of the VM to be scanned.

At S220, a location of a snapshot of a virtual disk of the VM to be scanned is determined. In an embodiment, S220 may include determining the virtual disk allocated for the VM, prior to determining the location of the snapshot. As noted above, this can be achieved by querying a cloud management console. At S230, a snapshot of the virtual disk is accessed, or otherwise copied.

At S240, the snapshot is analyzed to detect cyber threats and potential vulnerabilities. S240 may also include detecting cyber threats that do not represent vulnerabilities. Examples of cyber threats and vulnerabilities are provided above.

In an embodiment, S240 may include comparing the snapshot to some baseline, which may include, but is not limited to, a copy of the image used to create the VM (e.g., lists of appli