Graphical query builder for cloud data attack detection
Saved in:
| Title: | Graphical query builder for cloud data attack detection |
|---|---|
| Patent Number: | 12,166,775 |
| Publication date: | December 10, 2024 |
| Appl. No: | 18/122101 |
| Application Filed: | March 15, 2023 |
| Abstract: | The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a graphical query builder for generating a subject path signature, for example representing a vulnerability path in the cloud environment. A computer-implemented method includes generating a graphical user interface having configurable node elements and edge elements and, in response to user input on the graphical user interface, configuring the node elements to represent entities in a subject path signature in the cloud environment and the edge elements to represent relationships between the entities in the subject path signature. The method also includes generating a query representing the subject path signature, executing the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature, and outputting query results identifying the qualified set of network paths. |
| Inventors: | Normalyze, Inc. (Los Altos, CA, US) |
| Assignees: | Normalyze, Inc. (Los Altos, CA, US) |
| Claim: | 1. A computer-implemented method for analyzing security posture of a cloud environment, the computer-implemented method comprising: generating a graphical user interface having one or more user input mechanisms; based on user input through the one or more user input mechanisms, adding a first node element to the graphical user interface and defining a first entity in the cloud environment represented by the first node element, the first entity comprising at least one of: a cloud account, a compute resource, a storage resource, or a role; defining an edge element representing a relationship between the first entity and a second entity in the cloud environment that is represented by a second node element, the relationship comprising at least one of permissions data or access control data; defining a subject path signature in the cloud environment based on the first node element, the second node element, and the edge element; generating a query representing the subject path signature; executing the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature; and outputting query results identifying the qualified set of network paths. |
| Claim: | 2. The computer-implemented method of claim 1, wherein executing the query comprises executing the query to qualify one or more compute resources or storage resources as vulnerable to breach attack. |
| Claim: | 3. The computer-implemented method of claim 2, wherein outputting query results comprises generating a representation of propagation of breach attack along the network paths. |
| Claim: | 4. The computer-implemented method of claim 1, wherein one or more node elements of the first node element or the second node element comprise configurable variables that define a type of network path for the subject path signature. |
| Claim: | 5. The computer-implemented method of claim 1, and further comprising a set of return data fields that define properties of the first and second entities to return in response to the query. |
| Claim: | 6. The computer-implemented method of claim 5, and further comprising: a query preview display pane configured to display one or more of the set of return data fields or the generated query. |
| Claim: | 7. The computer-implemented method of claim 1, wherein the first node element includes a filter mechanism configured to receive user input defining a filter criterion relative to the first entity represented by the first node element. |
| Claim: | 8. The computer-implemented method of claim 1, wherein the edge element comprises a visual link between the first and second node elements on the graphical user interface. |
| Claim: | 9. A computing system comprising: at least one processor; and memory storing instructions executable by the at least one processor, wherein the instructions, when executed, cause the computing system to: generate a graphical user interface having one or more user input mechanisms; based on user input through the one or more user input mechanisms, add a first node element to the graphical user interface and define a first entity in a cloud environment represented by the first node element; define an edge element representing a relationship between the first entity and a second entity in the cloud environment that is represented by a second node element; define a subject path signature in the cloud environment based on the first node element, the second node element, and the edge element; generate a query representing the subject path signature; execute the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature; and output query results identifying the qualified set of network paths. |
| Claim: | 10. The computing system of claim 9, wherein the instructions, when executed, cause the computing system to execute the query to qualify one or more compute resources or storage resources as vulnerable to breach attack. |
| Claim: | 11. The computing system of claim 10, wherein the instructions, when executed, cause the computing system to generate a representation of propagation of breach attack along the network paths. |
| Claim: | 12. The computing system of claim 9, wherein one or more node elements of the first node element or the second node element comprise configurable variables that define a type of network path for the subject path signature. |
| Claim: | 13. The computing system of claim 9, wherein the instructions, when executed, cause the computing system to generate a set of return data fields that define properties of the first and second entities to return in response to the query. |
| Claim: | 14. The computing system of claim 13, wherein the instructions, when executed, cause the computing system to: generate a query preview display pane configured to display one or more of the set of return data fields or the generated query. |
| Claim: | 15. The computing system of claim 9, wherein the first and second entities comprise one or more of: cloud accounts, compute resources, storage resources, or roles; and the relationship comprises at least one of permissions data or access control data. |
| Claim: | 16. The computing system of claim 9, wherein the first node element includes a filter mechanism configured to receive user input defining a filter criterion relative to the first entity represented by the first node element. |
| Claim: | 17. A computing system comprising: memory storing permissions data and access control data for pairs of compute resources and storage resources in a cloud environment; accumulation logic configured to trace network paths between the compute resources and the storage resources based on the permissions data and the access control data; graphical user interface generator logic configured to: generate a graphical user interface having one or more user input mechanisms; based on user input through the one or more user input mechanisms, add a first node element to the graphical user interface and define a first entity in the cloud environment represented by the first node element; define an edge element representing a relationship between the first entity and a second entity in the cloud environment that is represented by a second node element, the relationship comprising at least one of permissions data or access control data; and define a subject path signature in the cloud environment based on the first node element, the second node element, and the edge element; query generator logic configured to generate a query representing the subject path signature; and query execution logic configured to: execute the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature; and output query results identifying the qualified set of network paths. |
| Claim: | 18. The computing system of claim 17, wherein the graphical user interface generator logic is configured to generate a query preview display pane configured to display one or more of a set of return data fields or the generated query. |
| Claim: | 19. The computing system of claim 17, and further comprising: a filter mechanism configured to receive user input defining a filter criterion relative to the first entity represented by the first node element. |
| Primary Examiner: | Li, Meng |
| Attorney, Agent or Firm: | Flagship Patents; Khan, Sikander M.; Volkmann, Chris |
| Document code: | edspgr.12166775 |
| Database: | USPTO Patent Grants |
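The claimed method in miniature, as an added illustration that is neither the patent's own code nor Normalyze's implementation: a constructed inventory of cloud entities (compute, role, storage) joined by permissions and access-control edges, node elements carrying a filter criterion (claim 7), a matcher that qualifies the network paths conforming to a subject path signature, and a rendered query string with return data fields for a preview pane (claims 5 and 6). The entity types, relation names, Cypher-style query syntax and all sample data are assumptions.

```python
ENTITIES = {  # constructed inventory: id -> entity type and properties
    "vm-web": {"type": "compute", "name": "web-1", "public": True},
    "vm-batch": {"type": "compute", "name": "batch-1", "public": False},
    "role-admin": {"type": "role", "name": "AdminRole"},
    "bkt-pii": {"type": "storage", "name": "customer-pii", "sensitive": True},
    "bkt-logs": {"type": "storage", "name": "app-logs", "sensitive": False},
}
EDGES = [  # constructed (source, relation, target); "assumes" stands in for
    ("vm-web", "assumes", "role-admin"),  # permissions data, "acl" for the
    ("vm-batch", "assumes", "role-admin"),  # access control data on storage
    ("role-admin", "acl", "bkt-pii"),
    ("role-admin", "acl", "bkt-logs"),
]

def matches(spec, ent):
    """A node element is (entity type, filter criteria); True if ent satisfies both."""
    etype, filters = spec
    return ent["type"] == etype and all(ent.get(k) == v for k, v in filters.items())

def find_paths(signature, hops, edges=EDGES, entities=ENTITIES):
    """Qualify every path whose i-th node matches signature[i] and whose i-th
    edge carries relation hops[i]; returns tuples of entity ids in path order."""
    found = []
    def walk(path):
        depth = len(path)
        if depth == len(signature):
            found.append(tuple(path))
            return
        for src, rel, dst in edges:
            if src == path[-1] and rel == hops[depth - 1] and matches(signature[depth], entities[dst]):
                walk(path + [dst])
    for node_id, ent in entities.items():
        if matches(signature[0], ent):
            walk([node_id])
    return found

def build_query(signature, hops):
    """Render the signature as a Cypher-style query string (assumed syntax) for a
    preview pane; the RETURN clause carries the return data fields (entity names)."""
    def node(i, spec):
        props = ", ".join(f"{k}: {str(v).lower()}" for k, v in spec[1].items())
        return f"(n{i}:{spec[0]}" + (f" {{{props}}}" if props else "") + ")"
    body = node(0, signature[0]) + "".join(f"-[:{r}]->{node(i, signature[i])}" for i, r in enumerate(hops, 1))
    return f"MATCH {body} RETURN " + ", ".join(f"n{i}.name" for i in range(len(signature)))

# Signature under test: internet-facing compute -> role -> sensitive storage.
SIGNATURE = [("compute", {"public": True}), ("role", {}), ("storage", {"sensitive": True})]
HOPS = ["assumes", "acl"]
```

Only the path through the public compute resource to the sensitive bucket qualifies; dropping the two filter criteria widens the result to all four compute-to-storage paths, which is the difference between a vulnerability signature and a plain reachability query.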