Rosendahl et al.

(10) Patent No.: US 11,106,784 B2
(45) Date of Patent: Aug. 31, 2021

(54) VERTICALLY INTEGRATED AUTOMATIC THREAT LEVEL DETERMINATION FOR CONTAINERS AND HOSTS IN A CONTAINERIZATION ENVIRONMENT

(71) Applicant: NeuVector, Inc., Milpitas, CA (US)

(72) Inventors: Henrik Rosendahl, Milpitas, CA (US); Fei Huang, Fremont, CA (US); Gang Duan, San Jose, CA (US)

(73) Assignee: NeuVector, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 423 days.

(21) Appl. No.: 16/155,742

(22) Filed: Oct. 9, 2018

(65) Prior Publication Data: US 2020/0110873 A1, Apr. 9, 2020

(51) Int. Cl.: G06F 21/53 (2013.01); G06F 21/57 (2013.01)

(52) U.S. Cl.: CPC G06F 21/53 (2013.01); G06F 21/577 (2013.01); G06F 2221/034 (2013.01)

(58) Field of Classification Search: CPC G06F 21/53; G06F 21/577; G06F 2221/034; G06F 21/51; G06F 21/563; G06F 8/61; G06F 11/3616. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
2018/0336351 A1 * 11/2018 Jeffries, G06F 21/53
2020/0097662 A1 * 3/2020 Hufsmith, H04L 67/10
* cited by examiner

Primary Examiner: Paul E Callahan
(74) Attorney, Agent, or Firm: Fenwick & West LLP

(57) ABSTRACT

A threat level analyzer probes for one or more threats within an application container in a container system. Each threat is a vulnerability or a non-conformance with a benchmark setting. The threat level analyzer further probes for one or more threats within a host of the container service. The threat level analyzer generates a threat level assessment score based on results from the probing of the one or more threats of the application container and the one or more threats of the host, and generates a report for presentation in a user interface including the threat level assessment score and a list of threats discovered from the probe of the application container and the host. A report is transmitted by the threat level analyzer to a client device of a user for presentation in the user interface.

18 Claims, 7 Drawing Sheets
`
Front-page drawing (FIG. 1): Container System 102 containing App Containers 104A, 104B through 104N (with WAN Access 106, Network Activity 108, Program Libraries 110, Patch Level 112 and Container Configuration Data 114), the Threat Level Analyzer Container 120 (Container Probe 122, Network Probe 124, Host Probe 126, Threat Level Assessment Engine 128, Threat Level Policy Store 130, Threat Database 132, Report Generator 134, Report Interface 136, Data Logger 138, Data Log 140 and Automated Response Engine 142), and Host 150 (Program Libraries 152, Patch Level 154, File System 156, Host Configuration Data 158, and Container Service 160 with Patch Level 162 and Service Config Data 164).

WIZ, Inc. EXHIBIT - 1017
WIZ, Inc. v. Orca Security LTD.
`
`
`
U.S. Patent, Aug. 31, 2021, Sheet 1 of 7, US 11,106,784 B2

FIG. 1 (block diagram of container system 102; the reference numerals are those listed for the front-page drawing: app containers 104A-N, threat level analyzer container 120 with its probes 122-126, assessment engine 128, policy store 130, threat database 132, report generator 134, report interface 136, data logger 138, data log 140 and automated response engine 142, and host 150 with container service 160).
`
Sheet 2 of 7

FIG. 2A (user interface screenshot; the extraction residue is reduced to its labels and the readable cell values)

Scan view 200. Container List 202 with columns Name, OS 204, Network Address 206, Container Image 208, Analysis Status 210 (Finished, Scanning, Scheduled), Threat Level Assessment Score 212, Threat Severity Count 214 (High / Med) and scan time (Mar 05, 2018). Example rows: nginx, node1, node2, node3, redis, wordpress and mysql containers built from ubuntu:14.04, debian:8 and debian:9 images (nvbeta/node, nvbeta/nginx, neuvector/docs, redis, mysql, wordpress) running on nodes ip-172-31-43-216 and ip-172-31-41-138; status line "Vulnerability database version: 1.039".

Detected Threats List 216 for one container, with columns Name (CVE identifier), Threat Severity Individual Level 218, Score 220, Threat Package Location 222 (Package), Package Version 224, Package Fixed Version 226 and Status (Fixed), plus Legend 228. CVE identifiers visible: CVE-2017-5754, CVE-2016-1252, CVE-2018-1000001, CVE-2016-6313 (listed twice, against gnupg and libgcrypt11), CVE-2017-1000379, CVE-2017-1000364, CVE-2017-7184, CVE-2017-1000111. Packages: linux, apt, eglibc, gnupg, libgcrypt11. Version pairs readable in the screenshot: linux 3.13.0-112.159 installed against fixed versions 3.13.0-121.170, 3.13.0-128.177, 3.13.0-139.188; gnupg 1.4.16-1ubuntu2.3 against 1.4.16-1ubuntu2.4; libgcrypt11 1.5.3-2ubuntu4.3 against 1.5.3-2ubuntu4.4; apt 1.0.1ubuntu2.17 (fixed). Severity labels read "High" with scores 4.3, 4.7, 5, 6.2, 7.2 and 10.
`
`
Sheet 3 of 7

FIG. 2B (user interface screenshot; the extraction residue is reduced to its labels and the readable cell values)

Nodes view 230. Node List 232 with columns Name (ip-172-31-41-138, ip-172-31-43-216, ip-172-31-44-255), OS 234 (Amazon Linux AMI 2017.03, Amazon Linux AMI 2016.03), Platform 238 (Amazon-ECS), Hardware Info 240 (CPUs: 1; Memory: 993.5 MB), and Scanned / Failed counts.

Threat Report 242 ("Docker Benchmark", Host Configuration tab) for one node, with columns Test number (1.1 through 1.11, with per-test counts), Threat Severity Level 244 (INFO / WARN / NOTE), Threat Description 246 and Message. Descriptions visible: Ensure a separate partition for containers has been created; Ensure the container host has been hardened; Ensure Docker is up to date (message: "Using 17.03.1 verify it is up to date as deemed necessary. Your operating system vendor may provide support and ..."); Ensure only trusted users are allowed to control Docker daemon (message: docker:x:497:ec2-user); Ensure auditing is configured for the Docker daemon; Ensure auditing is configured for files and directories, one test each for /var/lib/docker, /etc/docker, docker.service, docker.socket, /etc/default/docker and /etc/docker/dae (truncated on the page), with the message "File not found" where the item does not exist on the node.
`
`
Sheet 4 of 7

FIG. 2C (graph view screenshot; the extraction residue is reduced to its labels)

Network 274 graph of Container Indicators 262 (nginx, node1, node3, redis) joined by Connection Type 264 edges labelled HTTP and Redis, with a Non-Container Indicator 268 for the External Network, Threat Level Assessment Score Indicators 266 beside the containers (scores 86, 62 and 42 are readable), and Detected High Threat Indicators 270 and 272 ("Detected High Network Threat") on certain containers.
`
`
Sheet 5 of 7

FIG. 3 (block diagram of container environment 300; the extraction residue is reduced to its labels)

Container System 305 comprising Container Server 310A (Hypervisor 340A; Virtual Machine (VM) 315A running Container Service 330A, Virtual Switch 335A, App Container 320A, App Container 320B and Security Container 350) and Container Server 310B (Hypervisor 340B; VM 315B running Container Service 330B, Virtual Switch 335B, Management Container 355, Analytics Container 360 and UI Container 365), with further VMs 315C, 315D and 315N (one running Container Service 330C and Virtual Switch 335C), connected through Network 390 to Client Devices 370A and 370B.
`
Sheet 6 of 7

FIG. 4 (flow chart of method 400)

410: Probe an application container for threats including vulnerabilities and non-conformance of benchmark settings.
420: Probe container service host for threats.
430: Generate threat level assessment score based on probed results.
440: Generate report to present in user interface including threat level assessment score and list of threats.
`
Sheet 7 of 7

FIG. 5 (block diagram of computer system 500)

Processor 502 and Main Memory 504 (each holding Instructions 524), Static Memory 506, Bus 508, Graphics Display 510, Alpha-Numeric Input Device 512, Cursor Control Device 514, Storage Unit 516 containing Machine-Readable Medium 522 with Instructions 524, Signal Generation Device 518, and Network Interface Device 520 connected to Network 526.
`
`2
`FIG . 2A is an exemplary user interface presenting a list of
`containers and their associated threat level scores , along
`with a threat list for a container , as determined by the threat
`level analyzer , according to an example embodiment .
`FIG . 2B is an exemplary user interface presenting a list of
`hosts and a detail interface reporting individual threat tests ,
`as determined by the threat level analyzer , according to an
`example embodiment .
`FIG . 2C is an exemplary user interface presenting a graph
`view of a plurality of containers , and interface elements
`indicating threat level scores and detected high level threats
`for certain containers , according to an example embodiment .
`FIG . 3 illustrates an example container environment with
`an exemplary container architecture in which a threat level
`analyzer , such as the threat level analyzer of FIG . 1 , may
`operate , according to an embodiment .
`FIG . 4 is a flow chart illustrating an exemplary method for
`determining a threat level of a container and host in a
`container system , according to one embodiment .
`FIG . 5 is a block diagram illustrating components of an
`example machine able to read instructions from a machine
`readable medium and execute them in a processor ( or
`controller ) .
`
`DETAILED DESCRIPTION
`
`5
`
`10
`
`15
`
`20
`
`35
`
`US 11,106,784 B2
`
`1
`VERTICALLY INTEGRATED AUTOMATIC
`THREAT LEVEL DETERMINATION FOR
`CONTAINERS AND HOSTS IN A
`CONTAINERIZATION ENVIRONMENT
`
`FIELD OF ART
`
`The disclosure generally relates to the field of container-
`ization security , and specifically to automated threat level
`determination for containers running on containerization
`platforms as well as their hosts .
`BACKGROUND
`
`A recent development in networked infrastructure is the
`container model . In the container model , a kernel of an
`operating system ( e.g. , Linux ) allows for multiple isolated
`user - space instances , or " containers , ” executing simultane
`ously . Each container is isolated from other containers , and
`may access a set of resources that are isolated from other
`containers . Each container also interacts with a container
`service , which may provide various functions , such as an
`application programming interface ( API ) to allow each
`container to access various functions of the container service 25
`( e.g. , establishing communications , communicating with
`other containers , logging ) . One advantage of such a con
`The Figures ( FIGS . ) and the following description relate
`tainer system is the ability of the container system , with the
`to preferred embodiments by way of illustration only . It
`assistance of the container service , to quickly and transpar-
`ently migrate containers between hosts during live opera- 30 should be noted that from the following discussion , alter
`tion , e.g. , for load balancing . Another advantage is that ,
`native embodiments of the structures and methods disclosed
`since virtual emulation of resources , such as in a virtual
`herein will be readily recognized as viable alternatives that
`machine ( VM ) environment , is not being performed to
`may be employed without departing from the principles of
`provide resources to the containers , the overhead compared
`what is claimed .
`to a VM - based environment is much lower .
`Reference will now be made in detail to several embodi
`However , within such container systems , security and
`ments , examples of which are illustrated in the accompany
`threat detection can be a more challenging issue . A container
`ing figures . It is noted that wherever practicable similar or
`system includes many different components , in many cases
`like reference numbers may be used in the figures and may
`more than a traditional system . The container system has a
`host operating system , a container service , multiple appli- 40 indicate similar or like functionality . The figures depict
`embodiments of the disclosed system ( or method ) for pur
`cation containers with their own configuration , with each
`poses of illustration only . One skilled in the art will readily
`application container accessing various resources , such as
`with network connections other containers and to the Inter-
`ognize from the following description that alternative
`embodiments of the structures and methods illustrated
`net . Such a complex system has a broad surface area for
`malicious attackers to penetrate . While traditional systems 45 herein may be employed without departing from the prin
`may have multiple operators for detecting and resolving
`ciples described herein .
`security issues ( e.g. , developers for applications , operations
`Configuration Overview
`staff for hosts , and network security staff for network access
`Embodiments herein disclose a method in a container
`operations ) , having these multiple operators operate on a
`system for determining a threat level assessment for an
`container system is cumbersome , reduces efficiency , and can 50 application container . A threat level analyzer probes for one
`easily cause shortfalls due to the complex division of
`or more threats within an application container in a container
`responsibilities . Therefore , what was lacking , inter alia , was
`system . Each threat is a vulnerability or a non - conformance
`a vertically integrated system to automatically determine ,
`with a benchmark setting . The application container
`report , and respond to threats and security issues in all
`includes computer - readable instructions , and is initiated via
`55 a container service and isolated using operating system - level
`aspects of a container system .
`virtualization .
`The threat level analyzer further probes for one or more
`BRIEF DESCRIPTION OF THE DRAWINGS
`threats within a host of the container service . The threat level
`analyzer generates a threat level assessment score based on
`The disclosed embodiments have advantages and features
`which will be more readily apparent from the detailed 60 results from the probing of the one or more threats of the
`description , the appended claims , and the accompanying
`application container and the one or more threats of the host ,
`figures ( or drawings ) . A brief introduction of the figures is
`and generates a report for presentation in a user interface
`including the threat level assessment score and a list of
`below .
`FIG . 1 illustrates an example of a container system with
`threats discovered from the probe of the application con
`a threat level analyzer to determine a threat level of appli- 65 tainer and the host . A report is transmitted by the threat level
`cation containers and hosts on which the container system
`analyzer to a client device of a user for presentation in the
`reside , according to an example embodiment .
`user interface .
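The Configuration Overview above, and the four steps of FIG. 4, describe a pipeline: the container probe and the host probe each return threats (a CVE, or a benchmark setting that does not conform), the assessment engine turns both lists into one score, and the report carries the score and the threat list to the user interface. The following is an added example, not code from the patent or from NeuVector, of the assessment and report steps over probe results that are already in hand. The Threat record layout, the scoring rule (worst container CVSS score as the base, with additional findings and the host's own findings folded in so that a weak host raises every container it runs) and the response threshold are all assumptions made here; the patent does not specify how the score is computed. The probe results are constructed sample data shaped after the rows of FIGS. 2A and 2B.

```python
"""Threat level assessment from probe results, following FIG. 4: the container
probe (410) and host probe (420) yield threat lists, the engine turns them into
a score (430) and a report (440).  Added example, not the patent's code: the
Threat layout, the scoring rule and the response threshold are assumptions."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Threat:
    kind: str       # "vulnerability" (a CVE) or "benchmark" (a non-conforming setting)
    name: str       # CVE identifier or benchmark test number
    severity: str   # High / Medium / Low for CVEs; WARN / INFO for benchmark results
    cvss: float     # CVSS base score for CVEs, 0.0 for benchmark results
    location: str   # package, file or setting the threat was found in
    detail: str


def assess(container_threats, host_threats):
    """Threat level assessment score from 0 (nothing found) to 100.

    Assumed rule: the worst container CVSS score, scaled to 0-100, is the base;
    each High vulnerability adds 2 and each Medium adds 1 so that many findings
    outrank one; host findings are folded in (3 per benchmark WARN, 1 per host
    vulnerability) because a weak host exposes every container it runs."""
    vulns = [t for t in container_threats if t.kind == "vulnerability"]
    score = max((t.cvss for t in vulns), default=0.0) * 10
    score += sum(2 for t in vulns if t.severity == "High")
    score += sum(1 for t in vulns if t.severity == "Medium")
    score += sum(3 for t in host_threats if t.kind == "benchmark" and t.severity == "WARN")
    score += sum(1 for t in host_threats if t.kind == "vulnerability")
    return min(100, round(score))


def severity_counts(threats):
    """Per-severity tally, as in the Threat Severity Count column of FIG. 2A."""
    counts = {}
    for t in threats:
        counts[t.severity] = counts.get(t.severity, 0) + 1
    return counts


def report(container, host, container_threats, host_threats):
    """Report body for one container: its score, the tallies, and the threats
    found in the container followed by those found on its host."""
    threats = list(container_threats) + list(host_threats)
    return {
        "container": container,
        "host": host,
        "score": assess(container_threats, host_threats),
        "counts": severity_counts(threats),
        "threats": [asdict(t) for t in threats],
    }


def needs_response(rep, threshold=75):
    """Policy hook for an automated response: True once the score reaches the
    (assumed) threshold, e.g. to restrict the container's network access."""
    return rep["score"] >= threshold


def assess_all(container_threats, host_threats, container_host):
    """One report per container, joined with the threats of the host it runs on."""
    return {
        name: report(name, container_host[name], threats,
                     host_threats.get(container_host[name], []))
        for name, threats in container_threats.items()
    }


# Constructed probe results, shaped after the rows visible in FIGS. 2A and 2B
# (CVSS values and the apt version strings are sample data).
CONTAINER_THREATS = {
    "node1": [
        Threat("vulnerability", "CVE-2018-1000001", "High", 7.2, "eglibc",
               "2.19-0ubuntu6.9 installed, fixed in 2.19-0ubuntu6.14"),
        Threat("vulnerability", "CVE-2017-5754", "High", 4.7, "linux",
               "3.13.0-112.159 installed, fixed in 3.13.0-139.188"),
        Threat("vulnerability", "CVE-2016-6313", "Medium", 5.0, "gnupg",
               "1.4.16-1ubuntu2.3 installed, fixed in 1.4.16-1ubuntu2.4"),
    ],
    "redis": [
        Threat("vulnerability", "CVE-2016-1252", "High", 4.3, "apt",
               "1.0.1ubuntu2.14 installed, fixed in 1.0.1ubuntu2.17"),
    ],
}
HOST_THREATS = {
    "ip-172-31-43-216": [
        Threat("benchmark", "1.6", "WARN", 0.0, "/var/lib/docker",
               "Ensure auditing is configured for files and directories: no audit rule"),
        Threat("benchmark", "1.10", "INFO", 0.0, "/etc/default/docker", "File not found"),
    ],
}
CONTAINER_HOST = {"node1": "ip-172-31-43-216", "redis": "ip-172-31-43-216"}

if __name__ == "__main__":
    for rep in assess_all(CONTAINER_THREATS, HOST_THREATS, CONTAINER_HOST).values():
        print(rep["container"], rep["score"], rep["counts"],
              "respond" if needs_response(rep) else "monitor")
```

With this rule node1 scores 80 (base 72 from the 7.2 CVSS finding, plus 4 for two High, 1 for one Medium and 3 for the host's audit WARN) and redis on the same host scores 48; the host finding appears in both reports, which is the point of assessing container and host together rather than by separate teams.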
`
`
`
Example Threat Level Analyzer and Container Environment

FIG. 1 illustrates an example of a container system with a threat level analyzer to determine a threat level of application containers and hosts on which the container system resides, according to an example embodiment. FIG. 1 illustrates a simplified view of a container system 102. Some elements, such as separate servers, a local network, and so on, are omitted for sake of clarity. These elements are described in further detail with regards to FIG. 3. The container system 102 includes one or more application ("app") containers 104A-N (generally 104), a threat level analyzer container 120, and the host 150 and container service 160 upon which the containers execute.

Container System

The container system 102 is an operating system (OS) level virtualization environment whereby one or more "containers" execute on a shared set of resources of a host. For example, a container may be an instance of a user-space process executing on a resource isolated instance within an OS. Alternatively, the container may itself execute multiple processes, each sharing the resources of that container. Each container has access to a set of isolated resources, but does not have direct access to the actual physical resources of the underlying hardware of the host, e.g., host 150. These physical resources may include a CPU, I/O devices, network devices, memory, physical storage, and so on. The isolated resources are not emulated, as would be the case with resources within a virtual machine, but are rather presented to the app container as a portion of the physical resources, with the remainder of the physical resources hidden from the app container. A container service executing on the host 150, such as container service 160, configures the aforementioned isolated resources for each container. The container system 102 as illustrated in FIG. 1 is a simplified view of the components of a container system. Additional details of components that may be used in a container system 102, including supporting services, underlying hardware, and so on, are described with further detail below with regards to FIG. 3.

An advantage of such a container system 102 is that each container is isolated from other containers in the container system 102, increasing security. Scalability may also be improved, as containers can be easily added and removed without having to be customized for a specific physical resource layout. Other advantages may also be present in a container system 102. For example, when the same data is accessed by different containers, only the data portions that vary between the containers may have different instances. The data that is the same is not duplicated, thus saving space. The container system 102 may also use fewer resources than a full virtualization environment, as the OS level virtualization in the container system 102 does not necessarily require the execution of a separate guest OS with its own kernel within each container and the precise emulation of all hardware components for that guest OS to execute.

However, a challenge in such a container system 102 is an increase in complexity due to the number of components compared to traditional systems (e.g., one in which applications run without a container service and without resource isolation). This causes threat analysis of the entire container system 102 to become more complex compared to a traditional system. For example, in a traditional system the components that are combined within a container system 102 may be maintained by different administrators/operators. However, within the container system 102, such a division of labor and monitoring resources may cause various threats to be missed due to the separation of resources within an integrated system, and due to the added complexity of the integrated system. In addition, as the container system 102 is highly automated, traditional countermeasures against security threats, such as locking down servers based on network (e.g., IP) address and network ports, are ineffective and defeat the purpose of deploying containers, as they are crude and indiscriminate, e.g., by potentially locking down unaffected app containers due to threats detected in other app containers.

This issue is solved by the installation of the threat level analyzer operating as the threat level analyzer container 120 within the container system 102. As described in further detail below, the threat level analyzer container 120 is able to probe within the app containers 104, as well as the container service 160 and its host 150, determine a threat level assessment of each of these, generate reports based on the threat assessment, and perform actions in response to certain determined threats.

Application Containers

The app containers 104A-N (or app containers 104) are containers executing within the container system 102. As noted above, containers, such as the app containers 104, are isolated instances executing with OS level virtualization within an operating system. The operating system may execute with a single kernel, which provides the necessary environment to each of the app containers 104. However, each app container 104 is isolated from other containers within the container system 102, and cannot see the resources used by the other app containers 104. Therefore, each app container 104 cannot share processes with other app containers 104, and instead communicates similarly to processes running on separate OSs and/or separate machines, e.g., by network communication, etc.

Each app container 104 may perform various network activities, such as WAN (wide area network) access 106 (e.g., to the Internet) and network activity 108 (e.g., any access via a local area network). Each app container 104 may include various program libraries 110, and each of these program libraries may be at a particular patch level 112. Each app container 104 also includes container configuration data 114. Note that although these elements are illustrated within different app containers 104 in FIG. 1, the illustration is for the sake of organization and does not mean that each app container 104 is limited to these elements as shown. Instead, each app container 104 may include all of the elements described here.

The WAN access 106 may include any access to an external network that is not local to the network upon which the app container 104 resides (e.g., not on the subnet of the app container 104). This may include any WAN, the Internet, an external LAN (local area network), and so on. For example, an app container 104 may have WAN access 106 by executing a web server process, and may create open network sessions, listen on certain network ports, respond to requests from clients, and so on. WAN access 106 may indicate that the app container 104 includes a connection with which an entity in the external network may access the app container 104, either in an authorized connection, or through unauthorized and/or malicious means. Therefore, WAN access 106 for an app container 104 carries with it a potential risk of having confidential information accessed by an unauthorized entity, either maliciously or accidentally.

The network activity 108 may include, but is not limited to, transmitting and receiving network data, including network packets, using various network protocols, such as
`
`
`
TCP/IP, UDP, VPN, and so on, by processes executing in each app container 104. Network activity 108 may include any activity by an app container 104 that uses a network switch, such as a virtual network switch provided by the container service 160 to the app container 104.

In addition to activities such as WAN access 106 and network activity 108, the app containers 104 also include various program libraries 110, which are units of executable code that may be called to perform various functions. Examples of such program libraries 110 include data structure libraries, math libraries, graphical interface presentation libraries, image rendering libraries, network access libraries, I/O device access libraries, and so on. These libraries may be combined into collections, such as the Apache C++ Standard Library, Java Class Library, Python standard library, Microsoft Windows™ API, Linux API, and so on. The program libraries 110 may also include self-contained application packages that perform a function, such as a database, file server, web server, virtual security gateway, and so on. These may be commercial application packages that are installed within an app container 104 to be executed.

The patch level 112 indicates a version number of each of the program libraries 110. The version number of a program library 110 indicates a state of revision of the program library 110, with each state of revision making changes upon a previous state of revision by adding features, removing features, correcting errors, removing bugs, and so on. These revisions may involve changes to the executable code of the program library 110. In particular, a patch level 112 of a program library 110 may include executable code that has exploitable vulnerabilities. Such a vulnerability occurs when there is an error in the logic of the executable code that allows an attacker to exploit the executable code by inputting data or manipulating the program library 110 in a way that is unintended by the creators of the program library 110 and which causes an undesired behavior. Such an undesired behavior may include extracting sensitive data (e.g., personally identifiable information), taking unauthorized control of an app container 104, gaining access into restricted memory areas (e.g., a memory space allocated to another app container 104) and so on.

The container configuration data 114 indicates various configuration information for each app container 104. The container configuration data 114 includes various attributes, properties, characteristics, initialization parameters, settings, and other metadata related to the app container 104. The container configuration data 114 may include, but is not limited to, access privileges of the app container 104 (e.g., root access), type of application executing in the app container (e.g., web server, database, etc.), number of processes executing in the app container 104, parameters for the program libraries 110, and so on.

Note that although the app containers 104 are shown to be within a monolithic container system 102, in practice they may be spread among multiple hosts on multiple hardware devices, multiple operating system instances, and/or multiple virtual machines. These are not shown here for clarity of illustration.

Host

The host 150 is a system upon which the container system 102 executes. The host may include one or more hardware devices, virtual machines, or a combination thereof. In one embodiment, a host 150 may be an x86 computing device executing a Linux-based operating system. The computing device of the host 150 may be similar to the computing device described with reference to FIG. 5. The host 150 includes at least program libraries 152 and a file system 156 and host configuration data 158, with each of the program libraries 152 having a patch level 154. The host also includes a container service 160, which also has a patch level.

The program libraries 152 may be similar to the program libraries 110 of the app container 104. However, in some cases, the program libraries 152 for the host 150 may provide additional functions, which are specific to the host 150. These may include kernel-level operations (e.g., power management, network management, access right control, system calls, etc.), admin-level functions (e.g., user management, etc.), boot configuration, and so on. The program libraries 152 may also include the components of an operating system, such as a kernel, graphical interface, desktop environment software, utility applications, and other programs and applications that may be included with the operating system or separately executing or installed on the host 150.

Each of the program libraries 152 of the host 150 may also include a patch level 154 indicating a version or state of revision of the corresponding program library 152. As with the patch levels 112 of the program libraries 110, certain patch levels 154 may include states of revision of the executable code of a program library 152 that have vulnerabilities and other issues that may allow exploitation by a malicious user.

The file system 156 is a set of all data stored on the host 150 and the structure of the data stored on the host 150. The data may be arranged in a traditional file system structure, such as a hierarchical file structure with folders and files (which are stored and indexed using index files, block pointers, and so on). The data may also be arranged in other ways, such as within a relational database, object database, and so on. Examples of file system architectures include FAT, NTFS, ext3, UFS. The file system 156 may include files that when read by the host 150 may cause the host 150 to execute malicious program code that exploits various vulnerabilities in the program libraries 152 of the host.

The host configuration data 158 includes configuration information for the host. This includes various parameters for the host, similar to the container configuration data 114. For example, this may include the configuration files and data within an /etc/ folder in the case of Linux, or a registry file in the case of Windows. As another example, this may include configuration and settings for programs that may execute on the host. The host configuration data 158 may include configuration information for various hardware devices, such as network devices, storage devices, and so on. The host configuration data 158 may also include firmware and other low-level device configuration information, such as microcode for processors.

The container service 160, which is described in additional detail below with regards to FIG. 3, provides various API and other services and functions to enable the containerization of the processes executing in the app containers 104. These may include functions to allow for division of resources of the host 150 among the various app containers 104, and also for isolation of each app container's view of the resources from other app containers 104. The functions of the container service 160 may also allow limiting of the resources that are available to each app container 104. The container service 160 allows for the initialization and configuration of app containers 104, within which processes may execute. Examples of container services include Docker™ and Kubernetes™.

The container service 160 may also indicate a patch level 162. The patch level 162 indicates the version number of the
`
`
`
container service 160 software, and may also indicate version numbers and/or states of revision of sub-components of the container service 160. As with the patch level 112

when the CVE was discovered, if an attack has been generated in the wild, based on that CVE, and so on. The signature may be a set of instructions that when executed by