US011106784B2

(12) United States Patent
Rosendahl et al.

(10) Patent No.: US 11,106,784 B2
(45) Date of Patent: Aug. 31, 2021

(54) VERTICALLY INTEGRATED AUTOMATIC THREAT LEVEL DETERMINATION FOR CONTAINERS AND HOSTS IN A CONTAINERIZATION ENVIRONMENT

(71) Applicant: NeuVector, Inc., Milpitas, CA (US)

(72) Inventors: Henrik Rosendahl, Milpitas, CA (US); Fei Huang, Fremont, CA (US); Gang Duan, San Jose, CA (US)

(73) Assignee: NeuVector, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 423 days.

(21) Appl. No.: 16/155,742

(22) Filed: Oct. 9, 2018

(65) Prior Publication Data
US 2020/0110873 A1    Apr. 9, 2020

(51) Int. Cl.
G06F 21/53 (2013.01)
G06F 21/57 (2013.01)

(52) U.S. Cl.
CPC .... G06F 21/53 (2013.01); G06F 21/577 (2013.01); G06F 2221/034 (2013.01)

(58) Field of Classification Search
CPC .. G06F 21/53; G06F 21/577; G06F 2221/034; G06F 21/51; G06F 21/563; G06F 8/61; G06F 11/3616
See application file for complete search history.

(56) References Cited
U.S. PATENT DOCUMENTS
2018/0336351 A1*  11/2018  Jeffries ........ G06F 21/53
2020/0097662 A1*   3/2020  Hufsmith ........ H04L 67/10
* cited by examiner

Primary Examiner — Paul E Callahan
(74) Attorney, Agent, or Firm — Fenwick & West LLP

(57) ABSTRACT

A threat level analyzer probes for one or more threats within an application container in a container system. Each threat is a vulnerability or a non-conformance with a benchmark setting. The threat level analyzer further probes for one or more threats within a host of the container service. The threat level analyzer generates a threat level assessment score based on results from the probing of the one or more threats of the application container and the one or more threats of the host, and generates a report for presentation in a user interface including the threat level assessment score and a list of threats discovered from the probe of the application container and the host. A report is transmitted by the threat level analyzer to a client device of a user for presentation in the user interface.

18 Claims, 7 Drawing Sheets

[Representative drawing: block diagram showing Container System 102 with App Containers 104A to 104N, Threat Level Analyzer Container 120, and Host 150 with Container Service 160.]

WIZ, Inc. EXHIBIT - 1017
WIZ, Inc. v. Orca Security LTD.

U.S. Patent    Aug. 31, 2021    Sheet 1 of 7    US 11,106,784 B2

[FIG. 1: block diagram. Container System 102 contains App Container 104A (WAN Access 106, Network Activity 108), App Container 104B (Program Libraries 110, Patch Level 112) and App Container 104N (Container Configuration Data 114). Threat Level Analyzer Container 120 contains Container Probe 122, Network Probe 124, Host Probe 126, Threat Level Assessment Engine 128, Threat Level Policy Store 130, Threat Database 132, Report Generator 134, Report Interface 136, Data Logger 138, Data Log 140 and Automated Response Engine 142. Host 150 contains Program Libraries 152, Patch Level 154, File System 156, Host Configuration Data 158 and Container Service 160 (Patch Level 162, Service Config Data 164).]

U.S. Patent    Aug. 31, 2021    Sheet 2 of 7    US 11,106,784 B2

[FIG. 2A: user interface 200 listing containers. Labelled elements: Container List 202, OS 204, Network Address 206, Container Image 208, Analysis Status 210, Threat Level Assessment Score 212, Threat Severity Count 214, Detected Threats List 216, Threat Severity Level 218, Individual Threat Score 220, Threat Package Location 222, Package Version 224, Package Fixed Version 226, Legend 228. Container table columns: Name, OS, Node, Image, Status, Score, High, Med, Time. Detected threats list columns: Name, Urgency, Score, Package, Version, Fixed Version. Legend: Scanned, Failed, Scanning, Scheduled; Vulnerability database version: 1.039.]

U.S. Patent    Aug. 31, 2021    Sheet 3 of 7    US 11,106,784 B2

[FIG. 2B: user interface 230 listing hosts. Labelled elements: Node List 232, OS 234, Platform 238, Hardware Info 240, Threat Report 242, Threat Severity Level 244, Threat Description 246. Node table columns: Name, OS, Platform, CPUs, Memory. Threat report (Docker benchmark) columns: Test number, Level (INFO, NOTE, WARN), Message.]

U.S. Patent    Aug. 31, 2021    Sheet 4 of 7    US 11,106,784 B2

[FIG. 2C: graph view of containers (nginx, node1, node3, redis) and an external network, with connections labelled HTTP and Redis. Labelled elements: Container Indicators 262, Connection Type 264, Threat Level Assessment Score Indicator 266, Non-Container Indicator 268, Detected High Threat Indicator 270, Detected High Network Threat Indicator 272, External Network 274.]

U.S. Patent    Aug. 31, 2021    Sheet 5 of 7    US 11,106,784 B2

[FIG. 3: container environment 300. Container System 305 includes Container Server 310A (Virtual Machine (VM) 315A with Security Container 350, App Container 320A, App Container 320B, Container Service 330A and Virtual Switch 335A; Hypervisor 340A) and Container Server 310B (Virtual Machine (VM) 315B with UI Container 365, Analytics Container 360, Management Container 355, Container Svc. 330B and Virtual Switch 335B; VM 315C with Cont. Svc. 330C and Virtual Switch 335C; VM 315D; VM 315N; Hypervisor 340B). Network 390 connects the container system to Client Device 370A and Client Device 370B.]

U.S. Patent    Aug. 31, 2021    Sheet 6 of 7    US 11,106,784 B2

[FIG. 4: flow chart 400]

410: Probe an application container for threats including vulnerabilities and non-conformance of benchmark settings
420: Probe container service host for threats
430: Generate threat level assessment score based on probed results
440: Generate report to present in user interface including threat level assessment score and list of threats

U.S. Patent    Aug. 31, 2021    Sheet 7 of 7    US 11,106,784 B2

[FIG. 5: block diagram of machine 500. Processor 502 (Instructions 524), Main Memory 504 (Instructions 524), Static Memory 506, Bus 508, Graphics Display 510, Alpha-Numeric Input Device 512, Cursor Control Device 514, Storage Unit 516 with Machine-Readable Medium 522 (Instructions 524), Signal Generation Device 518, Network Interface Device 520, Network 526.]

VERTICALLY INTEGRATED AUTOMATIC THREAT LEVEL DETERMINATION FOR CONTAINERS AND HOSTS IN A CONTAINERIZATION ENVIRONMENT

FIELD OF ART

The disclosure generally relates to the field of containerization security, and specifically to automated threat level determination for containers running on containerization platforms as well as their hosts.

BACKGROUND

A recent development in networked infrastructure is the container model. In the container model, a kernel of an operating system (e.g., Linux) allows for multiple isolated user-space instances, or "containers," executing simultaneously. Each container is isolated from other containers, and may access a set of resources that are isolated from other containers. Each container also interacts with a container service, which may provide various functions, such as an application programming interface (API) to allow each container to access various functions of the container service (e.g., establishing communications, communicating with other containers, logging). One advantage of such a container system is the ability of the container system, with the assistance of the container service, to quickly and transparently migrate containers between hosts during live operation, e.g., for load balancing. Another advantage is that, since virtual emulation of resources, such as in a virtual machine (VM) environment, is not being performed to provide resources to the containers, the overhead compared to a VM-based environment is much lower.

However, within such container systems, security and threat detection can be a more challenging issue. A container system includes many different components, in many cases more than a traditional system. The container system has a host operating system, a container service, multiple application containers with their own configuration, with each application container accessing various resources, such as with network connections to other containers and to the Internet. Such a complex system has a broad surface area for malicious attackers to penetrate. While traditional systems may have multiple operators for detecting and resolving security issues (e.g., developers for applications, operations staff for hosts, and network security staff for network access operations), having these multiple operators operate on a container system is cumbersome, reduces efficiency, and can easily cause shortfalls due to the complex division of responsibilities. Therefore, what was lacking, inter alia, was a vertically integrated system to automatically determine, report, and respond to threats and security issues in all aspects of a container system.

BRIEF DESCRIPTION OF THE DRAWINGS

The disclosed embodiments have advantages and features which will be more readily apparent from the detailed description, the appended claims, and the accompanying figures (or drawings). A brief introduction of the figures is below.

FIG. 1 illustrates an example of a container system with a threat level analyzer to determine a threat level of application containers and hosts on which the container system resides, according to an example embodiment.

FIG. 2A is an exemplary user interface presenting a list of containers and their associated threat level scores, along with a threat list for a container, as determined by the threat level analyzer, according to an example embodiment.

FIG. 2B is an exemplary user interface presenting a list of hosts and a detail interface reporting individual threat tests, as determined by the threat level analyzer, according to an example embodiment.

FIG. 2C is an exemplary user interface presenting a graph view of a plurality of containers, and interface elements indicating threat level scores and detected high level threats for certain containers, according to an example embodiment.

FIG. 3 illustrates an example container environment with an exemplary container architecture in which a threat level analyzer, such as the threat level analyzer of FIG. 1, may operate, according to an embodiment.

FIG. 4 is a flow chart illustrating an exemplary method for determining a threat level of a container and host in a container system, according to one embodiment.

FIG. 5 is a block diagram illustrating components of an example machine able to read instructions from a machine-readable medium and execute them in a processor (or controller).

DETAILED DESCRIPTION

The Figures (FIGS.) and the following description relate to preferred embodiments by way of illustration only. It should be noted that from the following discussion, alternative embodiments of the structures and methods disclosed herein will be readily recognized as viable alternatives that may be employed without departing from the principles of what is claimed.

Reference will now be made in detail to several embodiments, examples of which are illustrated in the accompanying figures. It is noted that wherever practicable similar or like reference numbers may be used in the figures and may indicate similar or like functionality. The figures depict embodiments of the disclosed system (or method) for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.

Configuration Overview

Embodiments herein disclose a method in a container system for determining a threat level assessment for an application container. A threat level analyzer probes for one or more threats within an application container in a container system. Each threat is a vulnerability or a non-conformance with a benchmark setting. The application container includes computer-readable instructions, and is initiated via a container service and isolated using operating system-level virtualization.

The threat level analyzer further probes for one or more threats within a host of the container service. The threat level analyzer generates a threat level assessment score based on results from the probing of the one or more threats of the application container and the one or more threats of the host, and generates a report for presentation in a user interface including the threat level assessment score and a list of threats discovered from the probe of the application container and the host. A report is transmitted by the threat level analyzer to a client device of a user for presentation in the user interface.

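The probe, score and report flow described above (steps 410 to 440 of FIG. 4), as an added Python example that is not part of the patent or of any NeuVector code. The threat database entries, benchmark settings, CVE-style identifiers, simplified version comparison and the scoring policy (highest individual severity) are all assumptions constructed for illustration; the page does not define how the score is computed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    source: str   # "container" or "host"
    kind: str     # "vulnerability" or "benchmark"
    name: str     # identifier of the vulnerability or benchmark setting
    score: float  # assumed 0.0-10.0 severity scale
    detail: str


# Constructed threat database: (package, fixed_version, placeholder id, score).
THREAT_DB = [
    ("examplelib", "2.4.1", "CVE-0000-0001", 7.2),
    ("examplessl", "1.0.9", "CVE-0000-0002", 4.3),
]

# Constructed host benchmark: setting -> (required value, assumed severity).
HOST_BENCHMARK = {
    "separate_container_partition": (True, 2.0),
    "daemon_auditing_enabled": (True, 5.0),
}


def _ver(version):
    """Numeric fields of a version string; a simplification, not dpkg ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def probe_container(packages):
    """Step 410: a package older than its fixed version is a vulnerability."""
    found = []
    for pkg, fixed, ident, score in THREAT_DB:
        installed = packages.get(pkg)
        if installed is not None and _ver(installed) < _ver(fixed):
            found.append(Threat("container", "vulnerability", ident, score,
                                f"{pkg} {installed} < fixed {fixed}"))
    return found


def probe_host(config):
    """Step 420: a setting that differs from the benchmark is a non-conformance."""
    found = []
    for setting, (required, score) in HOST_BENCHMARK.items():
        actual = config.get(setting)  # a missing setting counts as non-conformant
        if actual != required:
            found.append(Threat("host", "benchmark", setting, score,
                                f"expected {required!r}, found {actual!r}"))
    return found


def assess(threats):
    """Step 430, assumed policy: the score is the highest individual severity."""
    return max((t.score for t in threats), default=0.0)


def build_report(container_name, packages, host_config):
    """Step 440: one report with the score and the combined threat list."""
    threats = probe_container(packages) + probe_host(host_config)
    threats.sort(key=lambda t: t.score, reverse=True)  # worst first
    return {
        "container": container_name,
        "score": assess(threats),
        "high": sum(t.score >= 7.0 for t in threats),
        "medium": sum(4.0 <= t.score < 7.0 for t in threats),
        "threats": threats,
    }


if __name__ == "__main__":
    # Constructed inputs: one outdated package, one missing host setting.
    report = build_report(
        "web-1",
        {"examplelib": "2.3.9", "examplessl": "1.0.9"},
        {"separate_container_partition": True},
    )
    print(report["score"], [(t.source, t.name) for t in report["threats"]])
```

Because the host findings are merged into the container's report, a fully patched container on a non-conformant host still receives a non-zero score under this assumed policy.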
