Shua

(10) Patent No.: US 11,740,926 B2
(45) Date of Patent: *Aug. 29, 2023

TECHNIQUES FOR SECURING VIRTUAL MACHINES BY ANALYZING DATA FOR CYBER THREATS

Applicant: Orca Security Ltd., Tel Aviv (IL)
Inventor: Avi Shua, Tel Aviv (IL)
Assignee: Orca Security Ltd., Tel Aviv (IL)
Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 18/055,220
(22) Filed: Nov. 14, 2022
(65) Prior Publication Data: US 2023/0092220 A1, Mar. 23, 2023

Related U.S. Application Data
(63) Continuation of application No. 17/330,998, filed on May 26, 2021, now Pat. No. 11,516,231, which is a (Continued)

(51) Int. Cl.
H04L 9/40 (2022.01)
G06F 9/455 (2018.01)
(Continued)

(52) U.S. Cl.
CPC G06F 9/45558 (2013.01); G06F 11/1464 (2013.01); G06F 16/128 (2019.01); H04L 63/1416 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/45583 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2201/84 (2013.01)

(58) Field of Classification Search
None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
9,069,983 B1 6/2015 Nijjar
9,177,145 B2 11/2015 Todorovic
(Continued)

OTHER PUBLICATIONS
Non-Final Office Action U.S. Appl. No. 16/585,967 dated Feb. 3, 2022, in the United States Patent and Trademark Office.
(Continued)

Primary Examiner — Joseph P Hirl
Assistant Examiner — Hassan Saadoun
(74) Attorney, Agent, or Firm — Finnegan, Henderson Farabow, Garrett & Dunner LLP

(57) ABSTRACT
A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

15 Claims, 4 Drawing Sheets
`
[Front-page figure (flowchart): Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End]
`
WIZ, Inc. EXHIBIT - 1001
WIZ, Inc. v. Orca Security LTD.
`
`
`
US 11,740,926 B2
Page 2

Related U.S. Application Data
continuation of application No. 16/585,967, filed on Sep. 27, 2019, now Pat. No. 11,431,735.
(60) Provisional application No. 62/797,718, filed on Jan. 28, 2019.

(51) Int. Cl.
G06F 16/11 (2019.01)
G06F 11/14 (2006.01)

(56) References Cited

U.S. PATENT DOCUMENTS
9,229,758 B2 1/2016 Ammons et al.
9,268,689 B1 2/2016 Chen et al.
9,519,781 B2 12/2016 Golshan et al.
9,563,777 B2 2/2017 Deng et al.
9,734,325 B1 8/2017 Neumann et al.
9,756,070 B1 9/2017 Crowell et al.
9,798,885 B2 10/2017 Deng et al.
9,858,105 B1 1/2018 Upadhyay et al.
10,079,842 B1 9/2018 Brandwine et al.
10,402,560 B2 9/2019 Gilbert
10,412,109 B2 9/2019 Loureiro et al.
10,469,304 B1 11/2019 Kempe et al.
10,534,915 B2 1/2020 Cherny et al.
10,536,471 B1 * 1/2020 Derbeko, G06F 21/53
10,552,610 B1 2/2020 Vashisht et al.
10,782,952 B1 9/2020 Doring et al.
10,812,521 B1 10/2020 Sharifi Mehr
10,944,778 B1 * 3/2021 Golan, H04L 63/1491
11,068,353 B1 * 7/2021 Ved, G06F 9/45558
11,120,124 B2 9/2021 Fusenig et al.
11,216,563 B1 1/2022 Veselov et al.
11,431,735 B2 8/2022 Shua
11,516,231 B2 11/2022 Shua
2007/0266433 A1 11/2007 Moore
2008/0189788 A1 8/2008 Bahl
2008/0263658 A1 10/2008 Michael et al.
2009/0007100 A1 1/2009 Field et al.
2010/0017512 A1 1/2010 Ciano et al.
2011/0289584 A1 11/2011 Palagummi
2012/0072968 A1 3/2012 Wysopal et al.
2012/0323853 A1 12/2012 Fries et al.
2013/0191643 A1 * 7/2013 Song, H04L 9/3265; 713/176
2013/0247133 A1 9/2013 Price et al.
2014/0089916 A1 3/2014 Gross et al.
2014/0096135 A1 4/2014 Kundu et al.
2014/0137190 A1 5/2014 Carey et al.
2015/0052520 A1 2/2015 Crowell et al.
2016/0004449 A1 * 1/2016 Lakshman, G06F 3/0604; 711/162
2016/0094568 A1 * 3/2016 Balasubramanian, G06F 9/45558; 726/23
2016/0241573 A1 8/2016 Mixer
2016/0364255 A1 12/2016 Chefalas et al.
2017/0011138 A1 1/2017 Venkatesh et al.
2017/0031704 A1 2/2017 Sudhakaran et al.
2017/0103212 A1 * 4/2017 Deng, G06F 3/0619
2017/0111384 A1 4/2017 Loureiro et al.
2018/0052762 A1 2/2018 Vyas et al.
2018/0137032 A1 5/2018 Tannous et al.
2018/0255080 A1 9/2018 Paine
2018/0293374 A1 10/2018 Chen
2019/0065754 A1 2/2019 Ochs et al.
2020/0042707 A1 2/2020 Kucherov et al.
2020/0065487 A1 2/2020 Timashev et al.

OTHER PUBLICATIONS
Notice of Allowance U.S. Appl. No. 16/585,967 dated Jul. 7, 2022, in the United States Patent and Trademark Office.
Non-Final Office Action U.S. Appl. No. 17/330,998 dated Mar. 4, 2022, in the United States Patent and Trademark Office.
Final Office Action U.S. Appl. No. 17/330,998 dated Jun. 30, 2022, in the United States Patent and Trademark Office.
Notice of Allowance U.S. Appl. No. 17/330,998 dated Aug. 10, 2022, in the United States Patent and Trademark Office.
Non-Final Office Action U.S. Appl. No. 17/361,861 dated Aug. 29, 2022, in the United States Patent and Trademark Office.
Advisory Action U.S. Appl. No. 17/361,861 dated May 20, 2022, in the United States Patent and Trademark Office.
Final Office Action U.S. Appl. No. 17/361,861 dated Mar. 8, 2022, in the United States Patent and Trademark Office.
Non-Final Office Action U.S. Appl. No. 17/361,861 dated Oct. 25, 2021, in the United States Patent and Trademark Office.
Rani et al., "An Efficient Approach to Forensic Investigation in Cloud using VM Snapshots", 2015 International Conference on Pervasive Computing (ICPC), 5 pages, (2015).
Wei et al., "Managing Security of Virtual Machine Images in a Cloud Environment", CCSW'09, pp. 91-96, Nov. 13, 2009.
Almulla et al., "Digital Forensic of a Cloud Based Snapshot", The Sixth International Conference on Innovative Computing Technology (INTECH 2016), pp. 724-729, (2016).
Pandey et al., "An Approach for Virtual Machine Image Security", Computer Science and Engineering MNNIT, Allahabad, 2014 International Conference on Signal Propagation and Computer Technology (ICSPCT), pp. 616-623, (2014).
Rajasekaran et al., "Scalable Cloud Security via Asynchronous Virtual Machine Introspection", 8th USENIX Workshop on Hot Topics in Cloud Computing, Cover page and pp. 1-6, (2016).
Kaur et al., "Secure VM Backup and Vulnerability Removal in Infrastructure Clouds", 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 1217-1226, (2014).
Fernandez et al., "Two patterns for cloud computing: Secure Virtual Machine Image Repository and Cloud Policy Management Point", PLoP '13: Proceedings of the 20th Conference on Pattern Languages of Programs, Oct. 2013, Article No. 15, Association for Computing Machinery (ACM), Cover sheet and pp. 1-11, (2013).
Fernandez et al., "Building a security reference architecture for cloud systems", Springer, Requirements Eng, vol. 21, pp. 225-249, (2016).
Ammons et al., "Virtual machine images as structured data: the Mirage image library", IBM Research, Cover sheet 2 pages and pp. 1-6, (2011).
"IBM Point of View Security and Cloud Computing", IBM SmartCloud Enterprise, Cloud Computing White Paper, 13 sheets of cover pages and pp. 1-20, (2009).
Cui et al., "A Less Resource-Consumed Security Architecture on Cloud Platform", Wuhan University Journal of Natural Sciences, vol. 21, No. 5, pp. 407-414, (2016).
Bugiel et al., "AmazonIA: When Elasticity Snaps Back", CCS'11, ACM, pp. 389-400, (2011).
Notice of Allowance U.S. Appl. No. 17/361,861 dated May 10, 2023, in the United States Patent and Trademark Office.
Non-Final Office Action U.S. Appl. No. 17/821,345 dated May 25, 2023, in the United States Patent and Trademark Office.

* cited by examiner
`
`
`
U.S. Patent, Aug. 29, 2023, Sheet 1 of 4, US 11,740,926 B2
[FIG. 1A: network diagram 100 showing User Console 180, Network 120, Cloud Computing Platform 110, Management Console 150, and External systems 170]

Sheet 2 of 4
[FIG. 1B: Cloud Computing Platform 110 containing client environment 130, server 115, storage 117, virtual disk 118-1, VM 119, and Security System 140]

Sheet 3 of 4
[FIG. 2: flowchart 200: Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End]

Sheet 4 of 4
[FIG. 3: security system 140 with Processing Circuitry 310, Memory 320, Storage 330, Network Interface 340, and element 360]
`
`
`
TECHNIQUES FOR SECURING VIRTUAL MACHINES BY ANALYZING DATA FOR CYBER THREATS

This application is a continuation of U.S. application Ser. No. 17/330,998 (now allowed), filed May 26, 2021, which is a continuation of U.S. application Ser. No. 16/585,967 (now U.S. Pat. No. 11,431,735), filed Sep. 27, 2019, which claims the benefit of U.S. Provisional Application No. 62/797,718 filed on Jan. 28, 2019, the contents of each of which are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.
`
BACKGROUND

Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of "computers" or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and therefore a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

Modern virtualization technologies are also adopted by cloud computing platforms. Examples of such technologies include virtual machines, software containers, and serverless functions. With their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.

Protection of a cloud computing infrastructure, and particularly of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.

Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or may not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent it. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.

Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow detection of vulnerabilities in software executed by the server.

To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resources management, governance, and performance. For example, installing agents in a large data center may take months.

It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a system for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; access the snapshot of the virtual disk based on the determined location; analyze the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alert detected potential cyber threats based on a determined priority.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.

FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments.

FIG. 3 is an example block diagram of the security system according to an embodiment.
`
DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments are operable in on-premises virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.

The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting at least one virtual machine (VM) 119. The VM 119 is a protected VM, which may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like.

The storage 117 emulates virtual disks for the VMs executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optic fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In the example illustrated in FIG. 1B, virtual disk 118-1 is allocated for the VM 119. The server 115, and hence the VM 119, may be executed in a client environment 130 within the platform 110.

The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or an on-premises virtualization environment, such as a VMware® based solution.

Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.

In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross-account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.

In the deployment illustrated in FIG. 1, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.

In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may be used to detect certain known vulnerabilities identified in, for example, a CVE database.

According to the disclosed embodiments, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119. The detection is performed while the VM 119 is live, without using any agent installed in the server 115 or the VM 119, and without relying on cooperation from the VM 119 guest OS. Specifically, the security system 140 can scan and detect vulnerable software, non-secure configuration, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber insurance, by assessing the security posture.

In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disk 118-1 serving the VM 119 and a location of the snapshot. A VM's snapshot is a copy of the machine's virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure error occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created at multiple possible point-in-time restore points. When a VM reverts to
`
`
`
a snapshot, current disk and memory states are deleted and the snapshot becomes the new parent snapshot for that VM.

The snapshot of the VM 119 is located, may be saved from the virtual disk 118-1, and is accessed by the system 140. In an embodiment, the VM's 119 snapshot may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot, or request such an action. The snapshots may be taken at a predefined schedule or upon predefined events (e.g., a network event or abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs.
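The snapshot-selection step just described (query the management console for the disk and its snapshots, use an existing snapshot, or take a new one when none exists) can be written as a small decision routine. The following is an added example, not code from the patent or from Orca Security: the records are constructed sample data whose field names mimic the shape of an EC2 DescribeSnapshots response, and all function names (`locate_snapshot`, `plan_scan`, `at`) are hypothetical. It also covers two edge cases the text implies but does not spell out: a snapshot that is still being created is not selected, and a snapshot older than a freshness window triggers a new one.

```python
"""Added example, not from the patent or Orca Security: deciding which snapshot
of a protected VM's virtual disk to analyze (steps S210-S230 of FIG. 2).

The records below are constructed sample data whose field names mimic an EC2
DescribeSnapshots response; all function names are hypothetical."""
from datetime import datetime, timedelta, timezone


def at(year, month, day, hour=0):
    """Helper for building timezone-aware timestamps in the sample data."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed answer to "which virtual disks serve this VM?" (the management
# console query described in the text).
SAMPLE_VM = {"InstanceId": "i-sample0001", "VolumeIds": ["vol-sample01", "vol-sample02"]}

# Constructed answer to "which snapshots of those disks exist?".
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-a", "VolumeId": "vol-sample01", "State": "completed", "StartTime": at(2023, 1, 1)},
    {"SnapshotId": "snap-b", "VolumeId": "vol-sample01", "State": "completed", "StartTime": at(2023, 1, 10)},
    {"SnapshotId": "snap-c", "VolumeId": "vol-sample01", "State": "pending", "StartTime": at(2023, 1, 20)},
    {"SnapshotId": "snap-d", "VolumeId": "vol-other", "State": "completed", "StartTime": at(2023, 1, 19)},
]


def locate_snapshot(volume_id, snapshots, now, max_age=timedelta(days=1)):
    """Return (decision, snapshot_id) for one virtual disk.

    "use": a completed snapshot of this disk exists and is no older than max_age.
    "create": none exists, or the newest completed one is stale, so the security
    system should take (or request) a fresh snapshot; the VM keeps running.
    A snapshot still in the "pending" state is never selected: its contents
    are not yet stable enough to analyze.
    """
    usable = [s for s in snapshots
              if s["VolumeId"] == volume_id and s["State"] == "completed"]
    if not usable:
        return ("create", None)
    latest = max(usable, key=lambda s: s["StartTime"])
    if now - latest["StartTime"] > max_age:
        # Stale: report the snapshot we found, but ask for a new one.
        return ("create", latest["SnapshotId"])
    return ("use", latest["SnapshotId"])


def plan_scan(vm, snapshots, now):
    """S220/S230 for every virtual disk of the VM: {volume_id: (decision, snapshot_id)}."""
    return {vol: locate_snapshot(vol, snapshots, now) for vol in vm["VolumeIds"]}


if __name__ == "__main__":
    for vol, (decision, snap) in plan_scan(SAMPLE_VM, SAMPLE_SNAPSHOTS, at(2023, 1, 10, 12)).items():
        print(f"{vol}: {decision} {snap}")
```

In a real deployment the two sample dictionaries would be filled from the platform's API under the cross-account permissions described above; the decision logic stays the same.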
It should be noted that the snapshot of the virtual disk 118-1 may not necessarily be stored in the storage 117, but for ease of the discussion it is assumed that the snapshot is saved in the storage 117. It should be further noted that the snapshot is accessed without cooperation of the guest, virtual OS of the virtual machine.

The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction and/or information from the VM 119. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or VM 119.

Various techniques can be utilized to analyze the snapshots, depending on the type of vulnerability and cyber threats to be detected. Following are some example embodiments of techniques that may be implemented by the security system 140.

In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VM 119. The VM 119 being checked may be running, paused, or shut down. To this end, the security system 140 is configured to match installed application lists, with their respective versions, to a known list of vulnerable applications. Further, the security system 140 may be configured to match the application files, either directly (using binary comparison) or by computing a cryptographic hash, against a database of files in vulnerable applications. The matching may also be on sub-modules of an application. Alternatively, the security system 140 may read installation logs of package managers used to install the packages of the application.

In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119. For example, if there is a vulnerable version or module not in use, the priority of that issue is reduced dramatically.

To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119; to verify access times to files by the operating system; and/or to analyze the active application and/or system logs in order to deduce what applications and modules are running.

In yet another embodiment, the security system 140 may instantiate a copy of the VM 119 and/or a subset of applications of the VM 119 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is an isolated sandbox, which can be a full VM or a subset of it, such as a software container (e.g., Docker® container) or another virtualized instance. The monitored activity may be further analyzed to determine abnormality. Such analysis may include monitoring of API activity, process creation, file activity, network communication, registry changes, and active probing of the said subset in order to assess its security posture. This may include, but is not limited to,
actively communicating with the VM 119, using either legitimate communication and/or attack attempts, to assess its posture and by that deriving the security posture of the entire VM 119.

In order to determine if the vulnerability is relevant to the VM 119, the security system 140 is configured to analyze the machine memory, as reflected in the page file. The page file is saved in the snapshot and extends how much system-committed memory (also known as "virtual memory") a system can back. In an embodiment, analyzing the page file allows deduction of the applications and modules being run by the VM 119.

In an embodiment, the security system 140 is configured to read process identification number (PID) files and check their access or write times, which are matched against process descriptors. The PID can be used to deduce which processes are running, and hence the priority of vulnerabilities detected in processes existing on the disk. It should be noted that the PID files are also maintained in the snapshot.
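The three ideas above (match the installed-application list against known-vulnerable versions, match file hashes against a database of vulnerable files, then lower the priority of anything no running process uses, as judged from PID files in the snapshot) fit together into one pass over the snapshot. The following is an added example and is not the patent's or Orca Security's code: the dpkg-style status excerpt, the vulnerable-version list, the hash database and the PID-file table are all constructed sample data, the vulnerability identifiers are placeholders (`VULN-EXAMPLE-n`, not real CVE numbers), and the function names are hypothetical.

```python
"""Added example, not from the patent or Orca Security: package and file-hash
matching over a disk snapshot, with priority lowered for packages that have no
running process (judged from PID files also present in the snapshot).

All inputs are constructed sample data; VULN-EXAMPLE-n are placeholder ids."""
import hashlib
import re

# Constructed excerpt in the style of a dpkg status database read from the snapshot.
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1

Package: nginx
Status: install ok installed
Version: 1.18.0-1

Package: libxml2
Status: deinstall ok config-files
Version: 2.9.10-1
"""

# Constructed "known vulnerable" list: package -> (highest affected version, placeholder id).
VULNERABLE = {"openssl": ("1.1.1k", "VULN-EXAMPLE-1"),
              "nginx": ("1.19.0", "VULN-EXAMPLE-2"),
              "libxml2": ("2.9.11", "VULN-EXAMPLE-3")}

# Constructed database of SHA-256 digests of files shipped in vulnerable builds.
VULN_FILE_HASHES = {
    hashlib.sha256(b"constructed vulnerable libcrypto bytes").hexdigest(): ("openssl", "VULN-EXAMPLE-1"),
}

# Constructed view of the snapshot: file contents, PID files with their
# modification times (Unix seconds), and the last boot time taken from the logs.
SAMPLE_FILES = {"/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1": b"constructed vulnerable libcrypto bytes",
                "/usr/sbin/nginx": b"constructed nginx binary"}
SAMPLE_PID_FILES = {"/run/nginx.pid": ("nginx", 1700000500), "/run/old.pid": ("old-daemon", 1600000000)}
SAMPLE_LAST_BOOT = 1700000000


def parse_dpkg_status(text):
    """Return {package: version} for packages whose status says they are installed."""
    installed = {}
    for para in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in para.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def version_key(version):
    """Split '1.1.1f-1' into comparable parts: numbers numerically, letters lexically.
    Tagging parts as (0, int) or (1, str) keeps mixed parts comparable. Adequate for
    the sample data; a real scanner would apply the package manager's own rules."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[a-z]+", version))


def match_packages(installed):
    """Findings from the installed-application list (evidence: 'package-list')."""
    return [{"package": pkg, "id": VULNERABLE[pkg][1], "evidence": "package-list"}
            for pkg, ver in installed.items()
            if pkg in VULNERABLE and version_key(ver) <= version_key(VULNERABLE[pkg][0])]


def match_file_hashes(files):
    """Findings from hashing application files (evidence: 'file-hash:<path>')."""
    findings = []
    for path, data in files.items():
        hit = VULN_FILE_HASHES.get(hashlib.sha256(data).hexdigest())
        if hit:
            findings.append({"package": hit[0], "id": hit[1], "evidence": f"file-hash:{path}"})
    return findings


def running_processes(pid_files, last_boot):
    """A PID file written after the last boot points to a process started in this boot."""
    return {name for name, mtime in pid_files.values() if mtime >= last_boot}


def prioritize(findings, running):
    """Vulnerable code that no running process uses gets a much lower priority."""
    for f in findings:
        f["priority"] = "high" if f["package"] in running else "low"
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["package"], f["evidence"]))


def scan_snapshot(status_text=SAMPLE_DPKG_STATUS, files=SAMPLE_FILES,
                  pid_files=SAMPLE_PID_FILES, last_boot=SAMPLE_LAST_BOOT):
    findings = match_packages(parse_dpkg_status(status_text)) + match_file_hashes(files)
    return prioritize(findings, running_processes(pid_files, last_boot))


if __name__ == "__main__":
    for f in scan_snapshot():
        print(f)
```

On the sample data the nginx finding stays high because its PID file postdates the last boot, while both openssl findings (one from the package list, one from the file hash) drop to low because nothing in the snapshot indicates a process using that library; the same openssl version would be reported high on a VM whose PID files show a TLS-terminating daemon.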
In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature, suspicious manipulation of a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
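Most of the items in that list can be checked directly against files read from the snapshot, with no access to the running guest. The following is an added example, not code from the patent or from Orca Security: `SNAPSHOT_FS` is a constructed sample of path to file text standing in for a mounted snapshot, and the check names, the world-writable directory list and the weak-cipher tokens are assumptions for illustration. It covers private keys on disk, credentials stored in the clear, a disabled ASLR setting, `ld.so.preload` and `LD_PRELOAD` definitions, PATH entries under world-writable directories, and weak TLS protocol or cipher settings.

```python
"""Added example, not from the patent or Orca Security: configuration and
secret-exposure checks run over files read from a disk snapshot.

SNAPSHOT_FS is constructed sample data (path -> file text); check names and
thresholds are hypothetical."""
import re

SNAPSHOT_FS = {
    "/root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nconstructed-key-material\n-----END RSA PRIVATE KEY-----\n",
    "/etc/app/db.conf": "host=db.internal\nuser=app\npassword=constructed-secret\n",
    "/etc/sysctl.conf": "net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 0\n",
    "/etc/ld.so.preload": "/usr/local/lib/libunknown.so\n",
    "/etc/environment": 'PATH="/tmp/bin:/usr/local/bin:/usr/bin:/bin"\n',
    "/etc/nginx/nginx.conf": "ssl_protocols TLSv1 TLSv1.2;\nssl_ciphers RC4-SHA:HIGH;\n",
    "/etc/hostname": "web-01\n",
}

WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # anyone can drop binaries here
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def finding(check, path, detail):
    return {"check": check, "path": path, "detail": detail}


def check_private_keys(fs):
    return [finding("private-key-on-disk", p, "PEM private key header")
            for p, text in fs.items() if re.search(r"-----BEGIN [A-Z ]*PRIVATE KEY-----", text)]


def check_cleartext_credentials(fs):
    out = []
    for p, text in fs.items():
        for line in text.splitlines():
            m = re.match(r"\s*(password|passwd|secret|api_key)\s*=\s*\S+", line, re.I)
            if m:  # report the key name only; never copy the secret into an alert
                out.append(finding("cleartext-credential", p, f"{m.group(1)} set in {p}"))
    return out


def check_aslr(fs):
    m = re.search(r"^\s*kernel\.randomize_va_space\s*=\s*(\d)", fs.get("/etc/sysctl.conf", ""), re.M)
    if m and m.group(1) != "2":
        return [finding("aslr-disabled", "/etc/sysctl.conf", f"kernel.randomize_va_space = {m.group(1)}")]
    return []


def check_preload(fs):
    out = [finding("ld-preload", "/etc/ld.so.preload", lib) for lib in fs.get("/etc/ld.so.preload", "").split()]
    for p, text in fs.items():
        if re.search(r"^\s*(export\s+)?LD_PRELOAD=", text, re.M):
            out.append(finding("ld-preload", p, "LD_PRELOAD defined"))
    return out


def check_path(fs):
    """Flag PATH entries that are empty, '.', or under a world-writable directory."""
    out = []
    for p, text in fs.items():
        m = re.search(r'^\s*(?:export\s+)?PATH="?([^"\n]*)', text, re.M)
        if not m:
            continue
        for entry in m.group(1).split(":"):
            risky = entry in ("", ".") or any(entry == d or entry.startswith(d + "/") for d in WORLD_WRITABLE_DIRS)
            if risky:
                out.append(finding("suspicious-path", p, entry or "<empty entry>"))
    return out


def check_tls_config(fs):
    out = []
    for p, text in fs.items():
        for line in text.splitlines():
            tokens = line.strip().rstrip(";").split()
            if tokens and tokens[0] == "ssl_protocols" and any(t in WEAK_PROTOCOLS for t in tokens[1:]):
                out.append(finding("weak-protocol", p, line.strip()))
            if tokens and tokens[0] == "ssl_ciphers" and any(t in line.upper() for t in WEAK_CIPHER_TOKENS):
                out.append(finding("weak-cipher-suite", p, line.strip()))
    return out


CHECKS = (check_private_keys, check_cleartext_credentials, check_aslr, check_preload, check_path, check_tls_config)


def run_checks(fs=SNAPSHOT_FS):
    return [f for check in CHECKS for f in check(fs)]


if __name__ == "__main__":
    for f in run_checks():
        print(f["check"], f["path"], f["detail"])
```

Each check is independent and returns a list, so new checks (boot-record hashes, startup services) slot into `CHECKS` without touching the others; the credential check deliberately reports only the key name so that the alert itself does not become a second copy of the secret.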
In an embodiment, the security system 140 may further monitor changes in sensitive machine areas, and alert on unexpected changes (e.g., added or changed application files without installation). In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
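The hash-over-time idea becomes concrete as a manifest diff between two snapshots, with the package manager's own record used to separate expected changes (an upgrade) from unexpected ones (a binary or a system file changed with no installation behind it). The following is an added example and not the patent's or Orca Security's code: the two snapshot contents, the sensitive-prefix list and the installation log (whose `installed-file` line format is invented for the example) are constructed sample data, and the function names are hypothetical.

```python
"""Added example, not from the patent or Orca Security: detecting unexpected
changes in sensitive areas of a virtual disk by hashing those areas in two
snapshots and diffing the manifests, ignoring files whose change is explained
by a package-manager installation log.

All inputs are constructed sample data; the log format is invented."""
import hashlib

SENSITIVE_PREFIXES = ("/bin/", "/usr/bin/", "/usr/sbin/", "/etc/", "/lib/")

# Constructed snapshot contents (path -> bytes) at two points in time.
SNAPSHOT_T0 = {
    "/usr/bin/ssh": b"ssh v1",
    "/usr/sbin/sshd": b"sshd v1",
    "/etc/passwd": b"root:x:0:0\n",
    "/home/alice/notes.txt": b"draft 1",
}
SNAPSHOT_T1 = {
    "/usr/bin/ssh": b"ssh v2",                       # upgraded by the package manager (logged below)
    "/usr/sbin/sshd": b"sshd v1 +patch",             # changed with no installation record
    "/etc/passwd": b"root:x:0:0\nextra:x:0:0\n",     # changed: a second uid-0 account appeared
    "/usr/bin/new-tool": b"new",                     # added with no installation record
    "/home/alice/notes.txt": b"draft 2",             # outside the sensitive areas: ignored
}

# Constructed package-manager log: files legitimately (re)installed between T0 and T1.
INSTALL_LOG = """\
2023-01-10 10:00:01 upgrade openssh-client:amd64 1:8.9p1-3 1:8.9p1-4
2023-01-10 10:00:02 installed-file /usr/bin/ssh
"""


def manifest(fs, prefixes=SENSITIVE_PREFIXES):
    """SHA-256 of every file under a sensitive prefix: {path: hexdigest}."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in fs.items() if p.startswith(prefixes)}


def installed_paths(log_text):
    """Paths the (constructed) package-manager log reports as installed."""
    return {line.split()[-1] for line in log_text.splitlines() if "installed-file" in line}


def diff_manifests(old, new):
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def unexpected_changes(old_fs, new_fs, log_text):
    """Alert only on sensitive files added or changed without an installation record.
    Removals are always reported: a package manager that removes files logs that too,
    but the constructed log carries no removal records, so none are excused here."""
    d = diff_manifests(manifest(old_fs), manifest(new_fs))
    expected = installed_paths(log_text)
    return {
        "added": [p for p in d["added"] if p not in expected],
        "changed": [p for p in d["changed"] if p not in expected],
        "removed": d["removed"],
    }


if __name__ == "__main__":
    print(unexpected_changes(SNAPSHOT_T0, SNAPSHOT_T1, INSTALL_LOG))
```

Only the manifest (paths and digests) needs to be retained between scans, so comparing a new snapshot against the last one costs one hashing pass over the sensitive areas rather than a copy of the earlier disk.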
In some embodiments, the detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based in part on their determined risk. Further, the reported cyber threats may be filtered or prioritized based in part on the risk level of the machine. This also reduces the number of alerts reported to the user.

In an embodiment, any detected cyber threat related to sensitive data (including personally identifiable information, PII) is reported at a higher priority. In an embodiment, such data is determined by searching for the PII, analyzing the application logs to determine whether the machine accessed PII/PII-containing servers, or whether the logs themselves contain PII, and searching the machine memory, as reflected in the page file, for PII.

In an embodiment, the security system 140 may determine the risk of the VM 119 based on communication with an untrusted network. This can be achieved by analyzing the VM's 119 logs as saved in the virtual disk, which can be derived from the snapshot.

In an example embodiment, the security system 140 may cause an execution of one or more mitigation actions. Examples of such actions may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like. The mitigation actions may be performed by a mitigation tool and not the system 140.
It should be noted that the example implementation shown in FIG. 1 is described with respect to a single cloud computing platform 110 hosting a single VM 119 in a single server 115, merely for simplicity purposes and without limitation on the disclosed embodiments. Typically, virtual machines are deployed and executed in a single cloud computing platform, a virtualized environment, or data center and can be protected without departing from the scope of the disclosure. It should be further noted that the disclosed embodiments can operate using multiple security systems 140, each of which may operate in a different client environment.

FIG. 2 shows an example flowchart 200 illustrating a method for detecting cyber threats including potential vulnerabilities in virtual machines executed in a cloud computing platform according to some embodiments. The method may be performed by the security system 140.

At S210, a request, for example, to scan a VM for vulnerabilities is received. The request may be received, or otherwise triggered, every predefined time interval or upon detection of an external event. An external event may be a preconfigured event, such as a network event or abnormal event including, but not limited to, changes to infrastructure such as instantiation of an additional container on an existing VM, image change on a VM, new VM created, unexpected shutdowns, access requests from unauthorized users, and the like. The request may at least designate an identifier of the VM to be scanned.

At S220, a location of a snapshot of a virtual dis