WIZ, Inc. v. Orca Security LTD. - IPR2024-00220

US 11,431,735 B2
Page 2

(56) References Cited

U.S. PATENT DOCUMENTS

2015/0052520 A1    2/2015   Crowell et al.
2016/0004449 A1*   1/2016   Lakshman ............ G06F 3/0604; 711/162
2016/0094568 A1*   3/2016   Balasubramanian ..... G06F 9/45558; 726/23
2017/0011138 A1    1/2017   Venkatesh et al.
2017/0103212 A1*   4/2017   Deng ................ G06F 3/0619
2018/0137032 A1*   5/2018   Tannous ............. G06F 11/3664
2018/0255080 A1    9/2018   Paine
2018/0293374 A1   10/2018   Chen

* cited by examiner

U.S. Patent, Aug. 30, 2022, US 11,431,735 B2 (4 sheets of drawings)

[FIG. 1A (Sheet 1 of 4): network diagram 100 showing the cloud computing platform 110, the management console 150, external systems 170, and the user console 180]

[FIG. 1B (Sheet 2 of 4): arrangement of the cloud computing platform 110, including the security system 140]

[FIG. 2 (Sheet 3 of 4): flowchart 200 - S210 receive a request to scan a VM for vulnerabilities; S220 determine a location of the virtual disk of the VM and its snapshot; S230 access a snapshot of the virtual disk; S240 analyze the snapshot; S250 report detected threats; S260 trigger a mitigation action]

[FIG. 3 (Sheet 4 of 4): block diagram of the security system - processing circuitry 310, storage 330, network interface 340]

US 11,431,735 B2

TECHNIQUES FOR SECURING VIRTUAL MACHINES

This application claims the benefit of U.S. Provisional Application No. 62/797,718 filed on Jan. 28, 2019, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.

BACKGROUND

Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of "computers" or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and therefore a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

Modern virtualization technologies are also adopted by cloud computing platforms. Examples of such technologies include virtual machines, software containers, and serverless functions. Along with their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.

Protection of a cloud computing infrastructure, and particularly of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.

Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or may not expose the necessary data in the response. Further, the network scanner usually has to communicate with the server, and the network configuration may prevent it. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.

Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, a misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow detection of vulnerabilities in software executed by the server.

To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resources management, governance, and performance. For example, installing agents in a large data center may take months.

It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a system for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; access the snapshot of the virtual disk based on the determined location; analyze the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alert detected potential cyber threats based on a determined priority.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.

FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments.

FIG. 3 is an example block diagram of the security system according to an embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments are operable in on-premises virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.

The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting at least one virtual machine (VM) 119. The VM 119 is a protected VM, which may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like.

The storage 117 emulates virtual disks for the VMs executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optic fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In the example illustrated in FIG. 1B, virtual disk 118-1 is allocated for the VM 119. The server 115, and hence the VM 119, may be executed in a client environment 130 within the platform 110.

The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or an on-premises virtualization environment, such as a VMware® based solution.

Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.

In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross-account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.

In the deployment illustrated in FIG. 1A, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.

In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may be used to detect certain known vulnerabilities identified in, for example, a CVE database.

According to the disclosed embodiments, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of the VM 119. The detection is performed while the VM 119 is live, without using any agent installed in the server 115 or the VM 119, and without relying on cooperation from the guest OS of the VM 119. Specifically, the security system 140 can scan and detect vulnerable software, non-secure configuration, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber insurance, by assessing the security posture.

In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disk 118-1 serving the VM 119 and a location of the snapshot. A VM's snapshot is a copy of the machine's virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created as multiple possible point-in-time restore points. When a VM reverts to a snapshot, current disk and memory states are deleted and the snapshot becomes the new parent snapshot for that VM.

The snapshot of the VM 119 is located, and the snapshot (which may be saved from the virtual disk 118-1) is accessed by the system 140. In an embodiment, the snapshot of the VM 119 may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot, or request such an action. The snapshots may be taken on a predefined schedule or upon predefined events (e.g., a network event or an abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs.

It should be noted that the snapshot of the virtual disk 118-1 is not necessarily stored in the storage 117, but for ease of the discussion it is assumed that the snapshot is saved in the storage 117. It should be further noted that the snapshot is accessed without cooperation of the guest (virtual) OS of the virtual machine.

The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction and/or information from the VM 119. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or the VM 119.

Various techniques can be utilized to analyze the snapshots, depending on the type of vulnerability and cyber threats to be detected. Following are some example embodiments for techniques that may be implemented by the security system 140.

In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VM 119. The VM 119 being checked may be running, paused, or shut down. To this end, the security system 140 is configured to match installed application lists, with their respective versions, to a known list of vulnerable applications. Further, the security system 140 may be configured to match the application files, either directly (using binary comparison) or by computing a cryptographic hash, against a database of files in vulnerable applications. The matching may also be on sub-modules of an application. Alternatively, the security system 140 may read installation logs of the package managers used to install the packages of the application.

In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119. For example, if there is a vulnerable version or module not in use, the priority of that issue is reduced dramatically. To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119; to verify access times to files by the operating system; and/or to analyze the active application and/or system logs in order to deduce what applications and modules are running.

In yet another embodiment, the security system 140 may instantiate a copy of the VM 119 and/or a subset of applications of the VM 119 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is an isolated sandbox, which can be a full VM or a subset of it, such as a software container (e.g., a Docker® container) or another virtualized instance. The monitored activity may be further analyzed to determine abnormality. Such analysis may include monitoring of API activity, process creation, file activity, network communication, registry changes, and active probing of the said subset in order to assess its security posture. This may include, but is not limited to, actively communicating with the VM 119, using either legitimate communication and/or attack attempts, to assess its posture and by that deriving the security posture of the entire VM 119.

In order to determine if the vulnerability is relevant to the VM 119, the security system 140 is configured to analyze the machine memory, as reflected in the pagefile. The pagefile is saved in the snapshot and extends how much system-committed memory (also known as "virtual memory") a system can back. In an embodiment, analyzing the pagefile allows deduction of the applications and modules being run by the VM 119.

In an embodiment, the security system 140 is configured to read process identification number (PID) files and check their access or write times, which are matched against process descriptors. The PID can be used to deduce which processes are running, and hence the priority of vulnerabilities detected in processes existing on the disk. It should be noted that the PID files are also maintained in the snapshot.

In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature, suspicious manipulation of a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
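The package-matching, relevance and on-disk misconfiguration checks described above, as an added worked example that is not part of the patent or of any product it describes. It treats a mounted snapshot as a directory tree, reads the dpkg status file for installed versions, uses PID files left in /run as the on-disk evidence of what was running (a simplification of the access-time and log analysis the text describes), and flags plaintext private keys, a populated /etc/ld.so.preload and ASLR disabled through sysctl. The package names, versions, advisory identifiers, file contents and paths in the sample tree are constructed for the example.

```python
"""Agentless analysis of a mounted VM disk snapshot (constructed example).

The "snapshot" is a directory tree standing in for a mounted virtual disk;
package versions, advisory ids and paths are made up.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Hypothetical vulnerable-package feed, keyed by (dpkg package, affected version).
VULN_DB = {
    ("openssl", "1.1.1f-1ubuntu2"): "HYPOTHETICAL-ADV-001",
    ("nginx", "1.18.0-0ubuntu1"): "HYPOTHETICAL-ADV-002",
}
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
ASLR_OFF_RE = re.compile(r"^\s*kernel\.randomize_va_space\s*=\s*0\s*$")


@dataclass
class Finding:
    kind: str
    detail: str
    path: str
    in_use: bool = True  # False lowers priority: vulnerable bits present but not running


def parse_dpkg_status(text):
    """Parse /var/lib/dpkg/status stanzas into {package: version}."""
    pkgs, name, version = {}, None, None
    for line in text.splitlines() + [""]:
        if line.startswith("Package:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Version:"):
            version = line.split(":", 1)[1].strip()
        elif line == "":  # a blank line terminates a stanza
            if name and version:
                pkgs[name] = version
            name, version = None, None
    return pkgs


def scan_vulnerable_packages(root):
    """Match the installed-package list against the vulnerable-package feed."""
    status_path = os.path.join(root, "var", "lib", "dpkg", "status")
    if not os.path.isfile(status_path):
        return []
    with open(status_path, encoding="utf-8") as fh:
        installed = parse_dpkg_status(fh.read())
    findings = []
    for (pkg, ver), advisory in VULN_DB.items():
        if installed.get(pkg) == ver:
            # Relevance check (simplified): a PID file left in /run by a daemon is
            # on-disk evidence that the package's service was live at snapshot time.
            pid_file = os.path.join(root, "run", pkg + ".pid")
            findings.append(Finding("vulnerable-package", f"{pkg} {ver} ({advisory})",
                                    status_path, in_use=os.path.isfile(pid_file)))
    return findings


def scan_disk_misconfigurations(root):
    """Threats that are not vulnerabilities: plaintext keys, preload hooks, ASLR off."""
    findings = []
    for sub in ("etc", "home", "root"):
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                # An encrypted PEM key carries a "Proc-Type: 4,ENCRYPTED" header; skip those.
                if PRIVATE_KEY_RE.search(head) and b"ENCRYPTED" not in head:
                    findings.append(Finding("private-key-on-disk", "unencrypted private key", path))
    preload = os.path.join(root, "etc", "ld.so.preload")
    if os.path.isfile(preload):
        with open(preload, encoding="utf-8") as fh:
            libs = [l.strip() for l in fh if l.strip() and not l.startswith("#")]
        if libs:  # every dynamically linked process on the guest loads these libraries
            findings.append(Finding("suspicious-preload", ", ".join(libs), preload))
    sysctl = os.path.join(root, "etc", "sysctl.conf")
    if os.path.isfile(sysctl):
        with open(sysctl, encoding="utf-8") as fh:
            for line in fh:
                if ASLR_OFF_RE.match(line):
                    findings.append(Finding("aslr-disabled", line.strip(), sysctl))
    return findings


def analyze_snapshot(root):
    """Step S240 over a mounted snapshot root; never touches the running guest."""
    return scan_vulnerable_packages(root) + scan_disk_misconfigurations(root)


def build_sample_snapshot():
    """Constructed stand-in for a mounted snapshot; returns its root directory."""
    root = tempfile.mkdtemp(prefix="snap-")
    files = {
        "var/lib/dpkg/status": "Package: openssl\nStatus: install ok installed\n"
                               "Version: 1.1.1f-1ubuntu2\n\nPackage: nginx\n"
                               "Status: install ok installed\nVersion: 1.18.0-0ubuntu1\n\n",
        "run/nginx.pid": "1234\n",  # nginx was running; nothing says openssl was in use
        "root/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3Blbn...\n"
                                "-----END OPENSSH PRIVATE KEY-----\n",
        "etc/ld.so.preload": "/usr/lib/libhook.so\n",
        "etc/sysctl.conf": "# hardening profile\nkernel.randomize_va_space = 0\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in analyze_snapshot(build_sample_snapshot()):
        print(f"{f.kind:22} in_use={str(f.in_use):5} {f.detail}  [{f.path}]")
```

On the sample tree the openssl finding comes back with in_use=False (installed, but no service evidence) and the nginx finding with in_use=True, which is exactly the distinction the relevance step uses to cut priority; the key, preload and ASLR findings need no guest cooperation at all, since all the evidence sits in files on the disk.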

In an embodiment, the security system 140 may further monitor changes in sensitive machine areas, and alert on unexpected changes (e.g., added or changed application files without installation). In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
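The hash-over-time comparison described in the paragraph above, as an added example that is not the patent's own code: the sensitive directories of a baseline and a later snapshot are hashed, the differences are computed, and changes that the package manager's own on-disk records (dpkg .list files and dpkg.log) account for are separated from those that are not. The two directory trees, file contents and log line are constructed for the example.

```python
"""Integrity drift between two snapshots of the same VM's sensitive areas.

Added example. Both "snapshots" are constructed directory trees; the file
contents, package names and dpkg log line are made up.
"""
import hashlib
import os
import tempfile

SENSITIVE_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "etc", "lib/systemd/system")


def hash_tree(root):
    """Map every file under the sensitive directories (path relative to root) to its SHA-256."""
    digests = {}
    for sub in SENSITIVE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                h = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        h.update(chunk)
                digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Files added, removed or changed since the baseline hashes were gathered."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def unexplained_changes(root, drift):
    """Drop changes that a package-manager transaction recorded on the disk accounts for."""
    owner = {}  # relative path -> owning dpkg package, from /var/lib/dpkg/info/<pkg>.list
    info_dir = os.path.join(root, "var", "lib", "dpkg", "info")
    if os.path.isdir(info_dir):
        for name in os.listdir(info_dir):
            if name.endswith(".list"):
                with open(os.path.join(info_dir, name), encoding="utf-8") as fh:
                    for line in fh:
                        owner[line.strip().lstrip("/")] = name[:-len(".list")]
    touched = set()  # packages installed or upgraded according to /var/log/dpkg.log
    log = os.path.join(root, "var", "log", "dpkg.log")
    if os.path.isfile(log):
        with open(log, encoding="utf-8") as fh:
            for line in fh:
                parts = line.split()  # DATE TIME action pkg:arch old-version new-version
                if len(parts) >= 4 and parts[2] in ("install", "upgrade"):
                    touched.add(parts[3].split(":")[0])
    return sorted(p for p in drift["added"] + drift["changed"] if owner.get(p) not in touched)


def build_sample_pair():
    """Constructed baseline and later snapshot of the same VM; returns (baseline_root, current_root)."""
    base, cur = tempfile.mkdtemp(prefix="base-"), tempfile.mkdtemp(prefix="cur-")
    common = {"usr/bin/sshd": "sshd build 1", "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}
    base_files = {**common, "usr/bin/nginx": "nginx 1.18"}
    cur_files = {
        **common,
        "usr/bin/nginx": "nginx 1.20",                 # upgraded through dpkg: explained
        "usr/bin/sshd": "sshd build 1 + implant",      # modified with no package transaction
        "usr/bin/.hidden": "dropper",                  # new file owned by no package
        "var/lib/dpkg/info/nginx.list": "/usr/bin\n/usr/bin/nginx\n",
        "var/log/dpkg.log": "2024-01-02 03:04:05 upgrade nginx:amd64 1.18.0-1 1.20.0-1\n",
    }
    for root, files in ((base, base_files), (cur, cur_files)):
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
    return base, cur


if __name__ == "__main__":
    base, cur = build_sample_pair()
    drift = diff_baseline(hash_tree(base), hash_tree(cur))
    print("drift:", drift)
    print("unexplained:", unexplained_changes(cur, drift))
```

The nginx binary changed but a recorded upgrade of the owning package explains it; the modified sshd and the new file under /usr/bin have no such record, which is the "changed without installation" condition the text describes. In practice the baseline hashes would be the ones gathered in the previous scan, so only the current snapshot has to be hashed on each run.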
In some embodiments, the detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based in part on their determined risk. Further, the reported cyber threats may be filtered or prioritized based in part on the risk level of the machine. This also reduces the number of alerts reported to the user.

In an embodiment, any detected cyber threat related to sensitive data (including personally identifiable information, PII) is reported at a higher priority. In an embodiment, such data is determined by searching for the PII, analyzing the application logs to determine whether the machine accessed PII-containing servers or whether the logs themselves contain PII, and searching the machine memory, as reflected in the pagefile, for PII.

In an embodiment, the security system 140 may determine the risk of the VM 119 based on communication with an untrusted network. This can be achieved by analyzing the logs of the VM 119 as saved in the virtual disk, which can be derived from the snapshot.

In an example embodiment, the security system 140 may cause an execution of one or more mitigation actions. Examples of such actions may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like. The mitigation actions may be performed by a mitigation tool and not by the system 140.

It should be noted that the example implementation shown in FIG. 1 is described with respect to a single cloud computing platform 110 hosting a single VM 119 in a single server 115, merely for simplicity purposes and without limitation on the disclosed embodiments. Typically, many virtual machines are deployed and executed in a cloud computing platform, a virtualized environment, or a data center, and they can be protected without departing from the scope of the disclosure. It should be further noted that the disclosed embodiments can operate using multiple security systems 140, each of which may operate in a different client environment.

FIG. 2 shows an example flowchart 200 illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments. The method may be performed by the security system 140.

At S210, a request, for example, to scan a VM for vulnerabilities is received. The request may be received, or otherwise triggered, every predefined time interval or upon detection of an external event. An external event may be a preconfigured event, such as a network event or an abnormal event including, but not limited to, changes to infrastructure such as instantiation of an additional container on an existing VM, an image change on a VM, a new VM created, unexpected shutdowns, access requests from unauthorized users, and the like. The request may at least designate an identifier of the VM to be scanned.

At S220, a location of a snapshot of a virtual disk of the VM to be scanned is determined. In an embodiment, S220 may include determining the virtual disk allocated for the VM, prior to determining the location of the snapshot. As noted above, this can be achieved by querying a cloud management console. At S230, a snapshot of the virtual disk is accessed, or otherwise copied.

At S240, the snapshot is analyzed to detect cyber threats and potential vulnerabilities. S240 may also include detecting cyber threats that do not represent vulnerabilities. Examples of cyber threats and vulnerabilities are provided above.

In an embodiment, S240 may include comparing the snapshot to some baseline, which may include, but is not limited to, a copy of the image used to create the VM (e.g., lists of applications, previous snapshots), cryptographic hashes gathered in the previous scan, analyzing logs of the VMs, instantiating a copy of the VM and executing the instance or applications executed by the VM in a sandbox, analyzing the machine memory as reflected in the pagefile, or any combination of these techniques. Some example embodiments for analyzing the snapshots and the types of detected vulnerabilities and threats are provided above.

At S250, the detected cyber threats and/or vulnerabilities are reported, for example, as alerts. In an embodiment, S250 may include filtering and prioritizing the reported alerts. In an embodiment, the prioritization is based, in part, on the risk level of a vulnerable machine. The filtering and prioritizing allow reducing the number of alerts reported to the user. The filtering can be based on external intelligence on the likelihood of the vulnerability being exploited, on analyzing the machine configuration in order to deduce the vulnerability's relevancy, on correlating the vulnerability with the network location, and on weighting the risk of the machine being taken over by an attacker, taking into consideration the criticality of the machine in the organization based on the contents stored or other assets accessible from the VM 119.

At optional S260, a mitigation action may be triggered to mitigate a detected threat or vulnerability. A mitigation action may be executed by a mitigation tool and triggered by the system 140. Such an action may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like.
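One way to implement the filtering and prioritization of S250 (together with the PII and network-location rules mentioned earlier), as an added example rather than the patent's own logic: each alert is scored from the advisory severity, the exploit likelihood reported by an external intelligence feed, whether the vulnerable component was actually in use, the VM's network exposure, its criticality, and whether it holds PII, and alerts under a threshold are dropped before anything reaches the user console or SIEM. The weights, threshold, asset names and findings are assumptions made for the example.

```python
"""Prioritizing and filtering snapshot findings before alerting (step S250).

Added example with made-up weights and sample findings. The factors are the
ones the description names (severity, exploit likelihood from external
intelligence, relevance, network exposure, asset criticality, PII); the
numbers are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool   # network location of the VM
    criticality: float       # 0..1, from contents stored and assets reachable from the VM
    holds_pii: bool          # PII found on disk, in logs, or in the pagefile


@dataclass(frozen=True)
class Alert:
    asset: Asset
    title: str
    severity: float            # 0..1, from the advisory
    in_use: bool               # vulnerable component actually executed (config/PID/pagefile evidence)
    exploit_likelihood: float  # 0..1, from an external intelligence feed


def score(alert):
    """Risk score in [0, 1]; higher means report first."""
    s = alert.severity * max(alert.exploit_likelihood, 0.05)  # floor: unknown is not impossible
    if not alert.in_use:
        s *= 0.1             # vulnerable version present but not running: priority drops sharply
    if alert.asset.internet_exposed:
        s *= 1.5
    s *= 0.5 + alert.asset.criticality
    if alert.asset.holds_pii:
        s *= 1.5
    return round(min(s, 1.0), 3)


def prioritize(alerts, threshold=0.1):
    """Return (score, alert) pairs at or above the threshold, highest risk first."""
    scored = [(score(a), a) for a in alerts]
    return sorted((p for p in scored if p[0] >= threshold), key=lambda p: p[0], reverse=True)


# Constructed sample: three VMs, four findings from their snapshots.
DB = Asset("db-01", internet_exposed=False, criticality=0.9, holds_pii=True)
WEB = Asset("web-01", internet_exposed=True, criticality=0.4, holds_pii=False)
BUILD = Asset("build-01", internet_exposed=False, criticality=0.2, holds_pii=False)
SAMPLE_ALERTS = [
    Alert(DB, "vulnerable libxml2 loaded by the database service", 0.8, True, 0.6),
    Alert(WEB, "vulnerable openssl package installed", 0.7, False, 0.9),
    Alert(WEB, "vulnerable nginx version serving traffic", 0.6, True, 0.3),
    Alert(BUILD, "weak cipher suites enabled in sshd_config", 0.3, True, 0.1),
]

if __name__ == "__main__":
    for s, a in prioritize(SAMPLE_ALERTS):
        print(f"{s:.3f}  {a.asset.name:9} {a.title}")
```

Note what the sample shows: the openssl finding has the highest exploit likelihood of the four, yet it is filtered out because the snapshot gave no evidence that the package was in use, while the lower-likelihood libxml2 issue on the PII-holding database host ranks first. That is the "relevance before raw severity" ordering the text argues for, and the only inputs it needs are the ones a snapshot scan and an intelligence feed already provide.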
FIG. 3 is an example block diagram of the security system 140 according to an embodiment. The security system 140 includes a processing circuitry 310 coupled to a memory 320, a storage 330, and a network interface 340. In an embodiment, the components of the security system 140 may be communicatively connected via a bus 360.

The processing circuitry 310 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.

The memory 320 may be volatile (e.g., RAM, etc.), non-volatile (e.g., ROM, flash memory, etc.), or a combination thereof. In one configuration, computer readable instructions to implement one or more embodiments disclosed herein may be stored in the storage 330.

In another embodiment, the memory 320 is configured to store software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing circuitry 310 to perform the various processes described herein. Specifically, the instructions, when executed, cause the processing circuitry 310 to perform the snapshot-based detection of cyber threats in virtual cloud assets described herein.

The storage 330 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVDs), hard-drives, SSD, or any other medium which can be used to store the desired information. The storage 330 may store, for example, copies of accessed snapshots and cryptographic hashes gathered in previous scans.

The network interface 340 allows the security system 140 to communicate with the external systems, such as intelligence systems, SIEM systems, mitigation systems, a cloud management console, a user console, and the like.

It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in FIG. 3, and other architectures may be equally used without departing from the scope of the disclosed embodiments.

The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units ("CPUs"), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.

As used herein, the phrase "at least one of" followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including "at least one of A, B, and C," the system can include A alone; B alone; C alone; A and B in combination; B and C in combination; A and C in combination; or A, B, and C in combination.

All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.

What is claimed is:

1. A method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising:
determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment;
accessing the snapshot of the virtual disk based on the determined location;
analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and
alerting detected potential cyber threats based on a determined priority.

2. The method of claim 1, further comprising:
prioritizing each of the detected potential cyber threats based on their respective risk to the protected virtual cloud asset; and
mitigating a potential cyber threat posing a risk to the protected virtual cloud asset.

3. The method of claim 1, wherein determining the location of the snapshot of at least one virtual disk further comprises:
determining a virtual disk allocated to the protected virtual cloud asset.

4. The method of claim 2, further comprising:
querying