(12) United States Patent
Shua

(10) Patent No.: US 11,775,326 B2
(45) Date of Patent: Oct. 3, 2023

(54) TECHNIQUES FOR SECURING A PLURALITY OF VIRTUAL MACHINES IN A CLOUD COMPUTING ENVIRONMENT

(71) Applicant: Orca Security Ltd., Tel Aviv-Jaffa (IL)

(72) Inventor: Avi Shua, Tel Aviv-Jaffa (IL)

(73) Assignee: Orca Security Ltd., Tel Aviv (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 45 days.

(21) Appl. No.: 18/055,181

(22) Filed: Nov. 14, 2022

(65) Prior Publication Data
US 2023/0087080 A1, Mar. 23, 2023

Related U.S. Application Data

(63) Continuation of application No. 17/330,998, filed on May 26, 2021, now Pat. No. 11,516,231, which is a continuation of application No. 16/585,967, filed on Sep. 27, 2019, now Pat. No. 11,431,735.

(60) Provisional application No. 62/797,718, filed on Jan. 28, 2019.

(51) Int. Cl.
H04L 9/40 (2022.01)
G06F 9/455 (2018.01)
G06F 16/11 (2019.01)
G06F 11/14 (2006.01)

(52) U.S. Cl.
CPC: H04L 63/1416 (2013.01); G06F 9/45558 (2013.01); G06F 11/1464 (2013.01); G06F 16/128 (2019.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/45583 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2201/84 (2013.01)

(58) Field of Classification Search
None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

9,069,983 B1  6/2015  Nijjar
9,177,145 B2  11/2015  Todorovic
9,229,758 B2  1/2016  Ammons et al.
9,268,689 B1  2/2016  Chen et al.
9,519,781 B2  12/2016  Golshan et al.
(Continued)

OTHER PUBLICATIONS

"IBM Point of View: Security and Cloud Computing", IBM SmartCloud Enterprise, Cloud Computing White Paper, 13 sheets of cover pages and pages 1-20, (2009).
Advisory Action, U.S. Appl. No. 17/361,861, dated May 20, 2022, in the United States Patent and Trademark Office.
(Continued)

Primary Examiner — Joseph P Hirl
Assistant Examiner — Hassan Saadoun
(74) Attorney, Agent, or Firm — Finnegan, Henderson, Farabow, Garrett & Dunner, L.L.P.

(57) ABSTRACT

A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

28 Claims, 4 Drawing Sheets

[Front-page figure: flowchart 200 of FIG. 2. Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End.]

WIZ, Inc. EXHIBIT - 1001
WIZ, Inc. v. Orca Security LTD.

(56) References Cited (continued)

U.S. PATENT DOCUMENTS

9,563,777 B2  2/2017  Deng et al.
9,734,325 B1  8/2017  Neumann et al.
9,756,070 B1  9/2017  Crowell et al.
9,798,885 B2  10/2017  Deng et al.
9,858,105 B1  1/2018  Upadhyay et al.
10,079,842 B1  9/2018  Brandwine et al.
10,402,560 B2  9/2019  Gilbert
10,412,109 B2  9/2019  Loureiro et al.
10,469,304 B1  11/2019  Kempe et al.
10,534,915 B2  1/2020  Cherny et al.
10,536,471 B1*  1/2020  Derbeko et al.  G06F 21/53
10,782,952 B1  9/2020  Doring et al.
10,944,778 B1*  3/2021  Golan et al.  H04L 63/1491
11,068,353 B1*  7/2021  Ved  G06F 9/45558
11,120,124 B2  9/2021  Fusenig et al.
11,216,563 B1  1/2022  Veselov et al.
11,431,735 B2  8/2022  Shua
11,516,231 B2  11/2022  Shua
2007/0266433 A1  11/2007  Moore
2008/0189788 A1  8/2008  Bahl
2008/0263658 A1  10/2008  Michael et al.
2009/0007100 A1  1/2009  Field et al.
2010/0017512 A1  1/2010  Ciano et al.
2011/0289584 A1  11/2011  Palagummi
2012/0323853 A1  12/2012  Fries et al.
2013/0191643 A1*  7/2013  Song et al.  H04L 9/3265; 713/176
2014/0096135 A1  4/2014  Kundu et al.
2014/0137190 A1  5/2014  Carey et al.
2015/0052520 A1  2/2015  Crowell et al.
2016/0004449 A1*  1/2016  Lakshman et al.  G06F 3/0604; 711/162
2016/0094568 A1*  3/2016  Balasubramanian et al.  G06F 9/45558; 726/23
2016/0364255 A1  12/2016  Chefalas et al.
2017/0011138 A1  1/2017  Venkatesh et al.
2017/0031704 A1  2/2017  Sudhakaran et al.
2017/0103212 A1*  4/2017  Deng et al.  G06F 3/0619
2017/0111384 A1  4/2017  Loureiro et al.
2018/0137032 A1  5/2018  Tannous et al.
2018/0255080 A1  9/2018  Paine
2018/0293374 A1  10/2018  Chen
2020/0042707 A1  2/2020  Kucherov et al.

OTHER PUBLICATIONS

Almulla et al., "Digital Forensic of a Cloud Based Snapshot", The Sixth International Conference on Innovative Computing Technology (INTECH 2016), pp. 724-729, (2016).
Ammons et al., "Virtual machine images as structured data: the Mirage image library", IBM Research, cover sheet 2 pages and pages 1-6, (2011).
Bugiel et al., "AmazonIA: When Elasticity Snaps Back", CCS '11, ACM, pp. 389-400, (2011).
Cui et al., "A Less Resource-Consumed Security Architecture on Cloud Platform", Wuhan University Journal of Natural Sciences, vol. 21, No. 5, pp. 407-414, (2016).
Fernandez et al., "Building a security reference architecture for cloud systems", Springer, Requirements Eng, vol. 21, pp. 225-249, (2016).
Fernandez et al., "Two patterns for cloud computing: Secure Virtual Machine Image Repository and Cloud Policy Management Point", PLoP '13: Proceedings of the 20th Conference on Pattern Languages of Programs, Oct. 2013, Article No. 15, Association for Computing Machinery (ACM), cover sheet and pages 1-11, (2013).
Final Office Action, U.S. Appl. No. 17/330,998, dated Jun. 30, 2022, in the United States Patent and Trademark Office.
Final Office Action, U.S. Appl. No. 17/361,861, dated Mar. 8, 2022, in the United States Patent and Trademark Office.
Kaur et al., "Secure VM Backup and Vulnerability Removal in Infrastructure Clouds", 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 1217-1226, (2014).
Non-Final Office Action, U.S. Appl. No. 16/585,967, dated Feb. 3, 2022, in the United States Patent and Trademark Office.
Non-Final Office Action, U.S. Appl. No. 17/330,998, dated Mar. 4, 2022, in the United States Patent and Trademark Office.
Non-Final Office Action, U.S. Appl. No. 17/361,861, dated Aug. 29, 2022, in the United States Patent and Trademark Office.
Non-Final Office Action, U.S. Appl. No. 17/361,861, dated Oct. 25, 2021, in the United States Patent and Trademark Office.
Notice of Allowance, U.S. Appl. No. 16/585,967, dated Jul. 7, 2022, in the United States Patent and Trademark Office.
Notice of Allowance, U.S. Appl. No. 17/330,998, dated Aug. 10, 2022, in the United States Patent and Trademark Office.
Pandey et al., "An Approach for Virtual Machine Image Security", Computer Science and Engineering MNNIT, Allahabad, 2014 International Conference on Signal Propagation and Computer Technology (ICSPCT), pp. 616-623, (2014).
Rajasekaran et al., "Scalable Cloud Security via Asynchronous Virtual Machine Introspection", 8th USENIX Workshop on Hot Topics in Cloud Computing, cover page and pages 1-6, (2016).
Rani et al., "An Efficient Approach to Forensic Investigation in Cloud using VM Snapshots", 2015 International Conference on Pervasive Computing (ICPC), 5 pages, (2015).
Wei et al., "Managing Security of Virtual Machine Images in a Cloud Environment", CCSW '09, pp. 91-96, Nov. 13, 2009.
* cited by examiner

[Drawing sheets 1-4 of 4, U.S. Patent US 11,775,326 B2, Oct. 3, 2023]

[Sheet 1, FIG. 1A: network diagram 100. Labelled elements: cloud computing platform 110, management console 150, network 120, external systems 170, user console 180.]

[Sheet 2, FIG. 1B: the cloud computing platform 110. Labelled elements: client environment 130, server 115, storage 117, virtual disk 118-1, VM 119, security system 140.]

[Sheet 3, FIG. 2: flowchart 200. Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End.]

[Sheet 4, FIG. 3: block diagram of the security system 140. Labelled elements: processing circuitry 310, memory 320, storage 330, network interface 340, bus 360.]

TECHNIQUES FOR SECURING A PLURALITY OF VIRTUAL MACHINES IN A CLOUD COMPUTING ENVIRONMENT

This application is a continuation of U.S. Application No. 17/330,998 (now U.S. Patent No. 11,516,231), filed May 26, 2021, which is a continuation of U.S. Application No. 16/585,967 (now U.S. Patent No. 11,431,735), filed September 27, 2019, which claims the benefit of U.S. Provisional Application No. 62/797,718 filed on January 28, 2019, the contents of each of which are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.

BACKGROUND

Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of "computers" or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and therefore a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

Modern virtualization technologies are also adopted by cloud computing platforms. Examples of such technologies include virtual machines, software containers, and serverless functions. With their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.

Protection of a cloud computing infrastructure, and particularly of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.

Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or may not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent it. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.

Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow detection of vulnerabilities in software executed by the server.

To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resources management, governance, and performance. For example, installing agents in a large data center may take months.

It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a system for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; access the snapshot of the virtual disk based on the determined location; analyze the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alert detected potential cyber threats based on a determined priority.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.

FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments.

FIG. 3 is an example block diagram of the security system according to an embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments are operable in on-premises virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.

The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting at least one virtual machine (VM) 119. The VM 119 is a protected VM, which may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like.

The storage 117 emulates virtual disks for the VMs executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optical fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In the example illustrated in FIG. 1B, virtual disk 118-1 is allocated for the VM 119. The server 115, and hence the VM 119, may be executed in a client environment 130 within the platform 110.

The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or an on-premises virtualization environment, such as a VMware® based solution.

Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.

In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross-account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.

In the deployment illustrated in FIGS. 1A and 1B, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.

In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may be used to detect certain known vulnerabilities identified in, for example, a CVE database.

According to the disclosed embodiments, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119. The detection is performed while the VM 119 is live, without using any agent installed in the server 115 or the VM 119, and without relying on cooperation from the VM 119 guest OS. Specifically, the security system 140 can scan and detect vulnerable software, non-secure configuration, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber insurance, by assessing the security posture.

In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disk 118-1 serving the VM 119 and a location of the snapshot. A VM's snapshot is a copy of the machine's virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure error occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created at multiple possible point-in-time restore points. When a VM reverts to a snapshot, current disk and memory states are deleted and the snapshot becomes the new parent snapshot for that VM.
The snapshot of the VM 119, saved from the virtual disk 118-1, is located and accessed by the system 140. In an embodiment, the VM's 119 snapshot may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot, or request such an action. The snapshots may be taken at a predefined schedule or upon predefined events (e.g., a network event or abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs.

It should be noted that the snapshot of the virtual disk 118-1 is not necessarily stored in the storage 117, but for ease of the discussion it is assumed that the snapshot is saved in the storage 117. It should be further noted that the snapshot is accessed without cooperation of the guest (virtual) OS of the virtual machine.
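The two steps just described, querying the management API for the disk and its snapshot (S220) and then making that snapshot reachable from the security system (S230), look like this against the AWS EC2 API. This is an added example, not code from the patent or from Orca Security: it assumes boto3-style client calls (describe_instances, describe_snapshots, create_snapshot, modify_snapshot_attribute), SCANNER_ACCOUNT is a placeholder account id, and FakeEc2 is a constructed in-memory stand-in for boto3.client("ec2") so the flow runs offline.

```python
"""Steps S220 and S230 against the EC2 API: find the EBS volume behind a VM's
root disk, reuse or create a snapshot of it, and grant a separate scanner
account permission to build a volume from that snapshot. The guest is never
contacted. Added illustration, not Orca's code. SCANNER_ACCOUNT is a
placeholder, and FakeEc2 is a constructed stand-in for boto3.client("ec2")
so the flow runs offline; method names and response shapes follow boto3.
"""
from dataclasses import dataclass

SCANNER_ACCOUNT = "111111111111"  # hypothetical security-system account id


@dataclass
class SnapshotHandle:
    instance_id: str
    volume_id: str
    snapshot_id: str
    shared_with: str


def root_volume_id(ec2, instance_id):
    """S220: ask the management API which volume backs the instance's root device."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    for bdm in inst["BlockDeviceMappings"]:
        if bdm["DeviceName"] == inst["RootDeviceName"]:
            return bdm["Ebs"]["VolumeId"]
    raise LookupError(f"{instance_id}: root device has no EBS volume")


def latest_completed_snapshot(ec2, volume_id):
    """Newest completed snapshot of the volume owned by this account, or None."""
    resp = ec2.describe_snapshots(
        OwnerIds=["self"],
        Filters=[{"Name": "volume-id", "Values": [volume_id]},
                 {"Name": "status", "Values": ["completed"]}])
    snaps = sorted(resp["Snapshots"], key=lambda s: s["StartTime"], reverse=True)
    return snaps[0]["SnapshotId"] if snaps else None


def expose_snapshot(ec2, instance_id, scanner_account=SCANNER_ACCOUNT):
    """S230: obtain a snapshot (existing or freshly taken) and share it with
    the scanner account via createVolumePermission. The VM keeps running."""
    volume_id = root_volume_id(ec2, instance_id)
    snapshot_id = latest_completed_snapshot(ec2, volume_id)
    if snapshot_id is None:
        snapshot_id = ec2.create_snapshot(
            VolumeId=volume_id, Description=f"security scan of {instance_id}")["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snapshot_id])
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="add", UserIds=[scanner_account])
    return SnapshotHandle(instance_id, volume_id, snapshot_id, scanner_account)


class FakeEc2:
    """Constructed in-memory EC2 client: one instance with a data volume and a
    root volume, no snapshots yet. Replace with boto3.client("ec2") for real use."""

    def __init__(self):
        self.instances = {"i-0abc": {
            "RootDeviceName": "/dev/xvda",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}},
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}}]}}
        self.snapshots = {}    # snapshot id -> description dict
        self.permissions = {}  # snapshot id -> account ids allowed to create volumes

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def describe_snapshots(self, OwnerIds=None, Filters=()):
        want = {f["Name"]: set(f["Values"]) for f in Filters}
        hits = [s for s in self.snapshots.values()
                if s["VolumeId"] in want.get("volume-id", {s["VolumeId"]})
                and s["State"] in want.get("status", {s["State"]})]
        return {"Snapshots": hits}

    def create_snapshot(self, VolumeId, Description=""):
        sid = f"snap-{len(self.snapshots) + 1:04d}"
        self.snapshots[sid] = {"SnapshotId": sid, "VolumeId": VolumeId,
                               "State": "completed", "StartTime": len(self.snapshots)}
        return {"SnapshotId": sid}

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, UserIds):
        if Attribute != "createVolumePermission" or OperationType != "add":
            raise ValueError("unsupported attribute change")
        self.permissions.setdefault(SnapshotId, set()).update(UserIds)
        return {}


if __name__ == "__main__":
    print(expose_snapshot(FakeEc2(), "i-0abc"))
```

The scanner account then calls create_volume(SnapshotId=...) in the same region and attaches the volume to its own analysis VM, never to the protected one. Two caveats from practice: a snapshot encrypted with the account's AWS-managed default EBS key cannot be shared at all, and one encrypted with a customer-managed KMS key is only usable by the scanner if that key's policy also grants the scanner account; and describe_snapshots without OwnerIds=["self"] pages through every public snapshot in the region.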
The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction with and/or information from the VM 119. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or VM 119.

Various techniques can be utilized to analyze the snapshots, depending on the type of vulnerability and cyber threats to be detected. Following are some example embodiments for techniques that may be implemented by the security system 140.
In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VM 119. The VM 119 being checked may be running, paused, or shut down. To this end, the security system 140 is configured to match installed application lists, with their respective versions, to a known list of vulnerable applications. Further, the security system 140 may be configured to match the application files, either directly (using binary comparison) or by computing a cryptographic hash, against a database of files in vulnerable applications. The matching may also be on sub-modules of an application. Alternatively, the security system 140 may read installation logs of package managers used to install the packages of the application.
In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119. For example, if there is a vulnerable version or module not in use, the priority of that issue is reduced dramatically.

To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119; to verify access times to files by the operating system; and/or to analyze the active application and/or system logs in order to deduce what applications and modules are running.
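As an added example (not the patent's or Orca's code) of the installed-list matching described above, the following reads the Debian package database from a snapshot mounted read-only and compares each installed version with the fixed version using dpkg's ordering rules, which a plain string compare gets wrong ("1.10" must sort after "1.9", "1.0~rc1" before "1.0", and an epoch "1:1.0" after "2.0"). ADVISORIES and SAMPLE_STATUS are constructed, the advisory ids are placeholders rather than real CVEs, and the mount path is an assumption.

```python
"""Offline vulnerable-software detection: parse the dpkg status database from
a mounted snapshot root, compare each installed version with the fixed
version from an advisory table using Debian version ordering, and report
what is below the fix. Added example, not Orca's code. ADVISORIES and
SAMPLE_STATUS are constructed (advisory ids are placeholders, not CVEs);
the mount path is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed: package -> (first fixed version, advisory id).
ADVISORIES = {
    "openssl": ("1.1.1n-0+deb11u5", "ADV-0001"),
    "sudo": ("1.9.5p2-3+deb11u1", "ADV-0002"),
    "bash": ("5.1-2+deb11u1", "ADV-0003"),
}

# Constructed excerpt of /var/lib/dpkg/status; bash is only config-files.
SAMPLE_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1k-1+deb11u3

Package: sudo
Status: install ok installed
Version: 1.9.5p2-3+deb11u1

Package: bash
Status: deinstall ok config-files
Version: 5.0-4
"""


@dataclass
class Finding:
    package: str
    installed: str
    fixed: str
    advisory: str


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ca = _char_order(a[i]) if i < len(a) else 0
        cb = _char_order(b[i]) if i < len(b) else 0
        if ca != cb:
            return ca - cb
    return 0


def _cmp_part(a, b):
    """dpkg's verrevcmp: alternate non-digit runs and numeric runs."""
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        r = int(ma.group() or 0) - int(mb.group() or 0)
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
    return 0


def deb_version_cmp(v1, v2):
    """Negative if v1 < v2, zero if equal, positive if v1 > v2 (epoch:upstream-revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)


def parse_dpkg_status(text):
    """Yield (package, version) for paragraphs whose Status ends in 'installed'."""
    for paragraph in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in paragraph.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation line of a multi-line field
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if fields.get("Status", "").endswith(" installed") and "Package" in fields:
            yield fields["Package"], fields["Version"]


def match_packages(installed):
    findings = []
    for pkg, ver in installed:
        if pkg in ADVISORIES:
            fixed, advisory = ADVISORIES[pkg]
            if deb_version_cmp(ver, fixed) < 0:
                findings.append(Finding(pkg, ver, fixed, advisory))
    return findings


def scan_snapshot_root(root):
    """Read the status file from a snapshot mounted read-only at `root`."""
    with open(f"{root}/var/lib/dpkg/status", encoding="utf-8", errors="replace") as f:
        return match_packages(parse_dpkg_status(f.read()))


if __name__ == "__main__":
    for finding in match_packages(parse_dpkg_status(SAMPLE_STATUS)):
        print(finding)
```

Only packages whose Status paragraph ends in "installed" count; a removed package that left configuration behind (Status "deinstall ok config-files") has no binaries on the disk and is skipped.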
In yet another embodiment, the security system 140 may instantiate a copy of the VM 119 and/or a subset of applications of the VM 119 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is an isolated sandbox, which can be a full VM or a subset of it, such as a software container (e.g., Docker® container) or another virtualized instance. The monitored activity may be further analyzed to determine abnormality. Such analysis may include monitoring of API activity, process creation, file activity, network communication, registry changes, and active probing of the said subset in order to assess its security posture. This may include, but is not limited to, actively communicating with the VM 119, using either legitimate communication and/or attack attempts, to assess its posture and by that deriving the security posture of the entire VM 119.
In order to determine if the vulnerability is relevant to the VM 119, the security system 140 is configured to analyze the machine memory, as reflected in the page file. The page file is saved in the snapshot and extends how much system-committed memory (also known as "virtual memory") a system can back. In an embodiment, analyzing the page file allows deduction of the applications and modules running on the VM 119.
In an embodiment, the security system 140 is configured to read process identification number (PID) files and check their access or write times, which are matched against process descriptors. The PID can be used to deduce which processes are running, and hence the priority of vulnerabilities detected in processes existing on the disk. It should be noted that the PID files are also maintained in the snapshot.
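The relevance checks above (configuration files, file access and write times, PID files) can be combined into one prioritization pass over the mounted snapshot. The block below is an added example, not Orca's code: it treats a recently written PID file under /run or /var/run as evidence that the service is running, a unit linked into /etc/systemd/system/*.wants as evidence that it starts at boot, and the absence of both as reason to demote the finding. SERVICE_OF (package to service names), the stale-after window and the constructed sample root are assumptions.

```python
"""Decide whether a vulnerable package found on a snapshot is actually in use,
using only artifacts on the mounted disk: PID files under /run and /var/run
(with their write times) and units enabled at boot under
/etc/systemd/system/*.wants. Each finding gets a priority from that evidence.
Added example, not Orca's code. SERVICE_OF and the path layout are assumptions;
build_sample_root() constructs a throwaway snapshot root so it runs offline.
"""
import os
import tempfile
import time
from pathlib import Path

# Assumed package -> service/pid-file names. A real scanner would derive
# these from the unit files the package itself installs.
SERVICE_OF = {
    "openssh-server": {"ssh", "sshd"},
    "nginx": {"nginx"},
    "postgresql": {"postgresql"},
}


def enabled_units(root):
    """Unit names linked into any *.wants directory, i.e. started at boot."""
    units = set()
    for wants in Path(root, "etc/systemd/system").glob("*.wants"):
        for entry in wants.iterdir():
            if entry.name.endswith(".service"):
                units.add(entry.name[:-len(".service")])
    return units


def pid_files(root):
    """{name: mtime} for every *.pid under /run and /var/run of the snapshot."""
    found = {}
    for rel in ("run", "var/run"):
        for p in Path(root, rel).rglob("*.pid"):
            if p.is_file():
                found[p.stem] = p.stat().st_mtime
    return found


def prioritize(vulnerable_packages, root, stale_after=7 * 86400, now=None):
    """Map each vulnerable package to high/medium/low:
    high   - a PID file for its service was written within stale_after seconds
    medium - the service is enabled at boot, or only a stale PID file exists
    low    - installed, but nothing on the disk says it ever ran"""
    now = time.time() if now is None else now
    units, pids = enabled_units(root), pid_files(root)
    priority = {}
    for pkg in vulnerable_packages:
        names = SERVICE_OF.get(pkg, {pkg})
        if any(n in pids and now - pids[n] < stale_after for n in names):
            priority[pkg] = "high"
        elif names & (units | set(pids)):
            priority[pkg] = "medium"
        else:
            priority[pkg] = "low"
    return priority


def build_sample_root(now=None):
    """Constructed snapshot root: nginx wrote its PID a minute ago, ssh is
    enabled but its PID file is a month old, postgresql never started.
    systemd really uses symlinks here; only the link names are inspected."""
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="snap-"))
    wants = root / "etc/systemd/system/multi-user.target.wants"
    wants.mkdir(parents=True)
    (wants / "ssh.service").touch()
    (wants / "nginx.service").touch()
    (root / "run").mkdir()
    (root / "var/run").mkdir(parents=True)
    for rel, age in (("run/nginx.pid", 60), ("var/run/sshd.pid", 30 * 86400)):
        p = root / rel
        p.write_text("1234\n")
        os.utime(p, (now - age, now - age))
    return str(root)


if __name__ == "__main__":
    sample = build_sample_root()
    print(prioritize(["nginx", "openssh-server", "postgresql"], sample))
```

The timestamps are those recorded in the snapshot's filesystem, so the snapshot time, not the scan time, is the right value for `now` in production; a PID file older than the last boot only proves the service ran at some point.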
In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature, suspicious manipulation of a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
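Several of the non-vulnerability checks listed above can be run directly over the mounted snapshot, since each is a property of a file on the disk rather than of a running process. The following is an added example, not Orca's code, covering four of them: private keys at rest, ld.so.preload and LD_PRELOAD hooks, ASLR weakened through sysctl, and weak sshd settings. The directories searched, the weak-setting list and the constructed sample root are assumptions.

```python
"""Posture checks that are not CVE matches, run over a mounted snapshot root:
private keys at rest, LD_PRELOAD / ld.so.preload hooks, ASLR weakened via
sysctl, and weak sshd settings. Added example, not Orca's code. The check
list, directories and sample contents are assumptions; build_sample_root()
writes a constructed root so it runs offline.
"""
import re
import tempfile
from pathlib import Path

KEY_DIRS = ("root", "home", "etc", "opt", "var/www")
PEM_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
WEAK_SSHD = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
WEAK_CIPHER = re.compile(r"cbc|arcfour|3des", re.IGNORECASE)


def _text(path):
    return path.read_text(errors="replace") if path.is_file() else ""


def _conf_lines(text):
    """Non-empty lines with comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def check_private_keys(root, max_bytes=64 * 1024):
    """Small files under user/config directories that carry a PEM private key."""
    hits = []
    for area in KEY_DIRS:
        for p in Path(root, area).rglob("*"):
            if p.is_file() and p.stat().st_size <= max_bytes and PEM_RE.search(p.read_bytes()):
                hits.append(("private-key-on-disk", str(p.relative_to(root))))
    return hits


def check_preload(root):
    """Library preloading is a classic persistence and hooking point."""
    hits = []
    if any(_conf_lines(_text(Path(root, "etc/ld.so.preload")))):
        hits.append(("ld.so.preload-set", "etc/ld.so.preload"))
    env_files = [Path(root, "etc/environment"), Path(root, "etc/profile"),
                 *Path(root, "etc/profile.d").glob("*.sh")]
    for p in env_files:
        if re.search(r"\bLD_PRELOAD=", _text(p)):
            hits.append(("ld_preload-env", str(p.relative_to(root))))
    return hits


def check_aslr(root):
    """kernel.randomize_va_space below 2 weakens or disables ASLR at boot."""
    hits = []
    for p in [Path(root, "etc/sysctl.conf"), *Path(root, "etc/sysctl.d").glob("*.conf")]:
        for line in _conf_lines(_text(p)):
            key, _, value = line.partition("=")
            if key.strip() == "kernel.randomize_va_space" and value.strip() != "2":
                hits.append(("aslr-weakened", f"{p.relative_to(root)}: {line}"))
    return hits


def check_sshd(root):
    hits = []
    for line in _conf_lines(_text(Path(root, "etc/ssh/sshd_config"))):
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if WEAK_SSHD.get(key) == value.lower():
            hits.append(("sshd-weak-setting", line))
        if key == "ciphers" and WEAK_CIPHER.search(value):
            hits.append(("sshd-weak-cipher", line))
    return hits


def scan_root(root):
    return check_private_keys(root) + check_preload(root) + check_aslr(root) + check_sshd(root)


def build_sample_root():
    """Constructed root with one of each problem; the preloaded library path is made up."""
    root = Path(tempfile.mkdtemp(prefix="snap-"))
    (root / "home/deploy/.ssh").mkdir(parents=True)
    (root / "home/deploy/.ssh/id_ed25519").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
    (root / "etc/ssh").mkdir(parents=True)
    (root / "etc/ssh/sshd_config").write_text(
        "PermitRootLogin yes\nPasswordAuthentication no\nCiphers aes128-ctr,aes256-cbc\n")
    (root / "etc/ld.so.preload").write_text("/usr/lib/libhook.so\n")
    (root / "etc/sysctl.d").mkdir()
    (root / "etc/sysctl.d/99-local.conf").write_text("# local tuning\nkernel.randomize_va_space = 0\n")
    return str(root)


if __name__ == "__main__":
    for kind, detail in scan_root(build_sample_root()):
        print(kind, detail)
```

Because the checks read files rather than the live kernel, a sysctl line only says what ASLR will be after the next boot; the running value would need the memory image, which is why the page-file analysis above complements these disk checks.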
In an embodiment, the security system 140 may further monitor changes in sensitive machine areas, and alert on unexpected changes (e.g., added or changed application files without installation). In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
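The hashing approach above, as an added example that is not Orca's code: each snapshot yields a manifest of SHA-256 digests for the files under a fixed list of sensitive areas, two manifests are diffed, and changes that the package manager's own records can explain are filtered out, leaving the unexpected ones. SENSITIVE, the set of package-explained paths and the two constructed snapshot roots are assumptions.

```python
"""Change monitoring of sensitive disk areas: hash every file under a fixed
list of areas in each snapshot, keep the manifest, and diff manifests between
snapshots; changes the package manager cannot account for are the unexpected
ones. Added example, not Orca's code. SENSITIVE and the two constructed roots
are assumptions; the set of package-explained paths would come from dpkg or
rpm logs in practice.
"""
import hashlib
import tempfile
from pathlib import Path

SENSITIVE = ("boot", "etc/ld.so.preload", "etc/cron.d", "usr/bin", "usr/sbin",
             "lib/systemd/system")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """{relative path: sha256} for every regular file in the sensitive areas."""
    out = {}
    for area in SENSITIVE:
        base = Path(root, area)
        files = [base] if base.is_file() else base.rglob("*") if base.is_dir() else []
        for p in files:
            if p.is_file():
                out[str(p.relative_to(root))] = _sha256(p)
    return out


def diff_manifests(old, new):
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def unexpected_changes(old, new, explained):
    """Drop changes that a recorded package install or upgrade accounts for."""
    return {k: [p for p in v if p not in explained]
            for k, v in diff_manifests(old, new).items()}


def build_sample_roots():
    """Constructed snapshots T0 and T1: sshd upgraded legitimately, but
    /usr/bin/ls was replaced and a cron job appeared without any install."""
    t0, t1 = Path(tempfile.mkdtemp(prefix="t0-")), Path(tempfile.mkdtemp(prefix="t1-"))
    for r in (t0, t1):
        for d in ("usr/bin", "usr/sbin", "etc/cron.d"):
            (r / d).mkdir(parents=True)
        (r / "usr/bin/cat").write_bytes(b"cat v1")
        (r / "usr/bin/ls").write_bytes(b"ls v1")
        (r / "usr/sbin/sshd").write_bytes(b"sshd 8.4")
    (t1 / "usr/sbin/sshd").write_bytes(b"sshd 9.2")
    (t1 / "usr/bin/ls").write_bytes(b"ls v1 plus implant")
    (t1 / "etc/cron.d/update").write_text("* * * * * root /tmp/.x\n")
    return str(t0), str(t1)


if __name__ == "__main__":
    a, b = build_sample_roots()
    print(unexpected_changes(manifest(a), manifest(b), {"usr/sbin/sshd"}))
```

Hashing only the listed areas keeps the manifest small enough to store per snapshot; the comparison is between two snapshots of the same disk, so the baseline is the asset's own earlier state rather than a vendor golden image.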
In some embodiments, the detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based in part on their determined risk. Further, the reported cyber threats may be filtered or prioritized based in part on the risk level of the machine. This also reduces the number of alerts reported to the user.

In an embodiment, any detected cyber threat related to sensitive data (including personally identifiable information, PII) is reported at a higher priority. In an embodiment, such data is determined by searching for the PII, analyzing the application logs to determine whether the machine accessed PII-containing servers, or whether the logs themselves contain PII, and searching the machine memory, as reflected in the page file, for PII.

In an embodiment, the security system 140 may determine the risk of the VM 119 based on communication with an untrusted network. This can be achieved by analyzing the VM's 119 logs as saved in the virtual disk and derived from the snapshot.

In an example embodiment, the security system 140 may cause an execution of one or more mitigation actions. Examples of such actions may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like. The mitigation actions may be performed by a mitigation tool and not the system 140.

It should be noted that the example implementation shown in FIGS. 1A and 1B is described with respect to a single cloud computing platform 110 hosting a single VM 119 in a single server 115, merely for simplicity purposes and without limitation on the disclosed embodiments. Typically, virtual machines are deployed and executed in a single cloud computing platform, a virtualized environment, or data center and can be protected without departing from the scope of the disclosure. It should be further noted that the disclosed embodiments can operate using multiple security systems 140, each of which may operate in a different client environment.

FIG. 2 shows an example flowchart 200 illustrating a method for detecting cyber threats including potential vulnerabilities in virtual machines executed in a cloud computing platform according to some embodiments. The method may be performed by the security system 140.

At S210, a request, for exa

At optional S260, a mitigation action may be triggered to mitigate a detected threat or vulnerability. A mitigation action may be executed by a mitigation tool and triggered by the system 140. Such an action may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like.

FIG. 3 is an example block diagram of the security system 140 according to an embodiment. The security system 140 includes a processing circuitry 310 coupled to a memory 320, a storage 330, and a network interface 340. In an embodiment, the components of the security system 140 may be communicatively connected via a bus 360.

The processing circuitry 310 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits