WO2014118362A1 - Method and apparatus for monitoring security intrusion of a distributed computer system

Publication number: WO2014118362A1
Authority: WO, WIPO (PCT)
Prior art keywords: performance, host, host computer, signature, degraded
Application number: PCT/EP2014/052014
Other languages: English (en)
Inventors: Leandro AGUIAR, Alberto Avritzer
Original Assignee: Siemens Aktiengesellschaft
Priority date: 2013-02-01
Filing date: 2014-02-03
Publication date: 2014-08-07
Application filed by: Siemens Aktiengesellschaft

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Definitions

  • the invention relates to a method for monitoring security intrusion of a distributed computer system and in particular monitoring security intrusion using performance signatures in virtualized cloud computing environments.
  • Cloud computing relates to computing concepts that involve a plurality of computers connected to each other by means of a communication network such as the internet.
  • Cloud computing relates to distributed computing over a network, wherein a program or application can be executed or run on several connected computers at the same time.
  • Cloud computing enables ubiquitous convenient on demand network access to a shared pool of configurable computing resources such as networks, servers, storage, applications and services.
  • a key component of cloud computing is virtualization.
  • one host or host computer that
  • Virtual machines can be created quickly and easily in a cloud environment.
  • a virtual machine is a software implementation of a machine that executes programs like a physical machine.
  • a hypervisor can be provided which allows the virtual machines to be quickly provisioned or
  • a hypervisor is software that manages communications between a physical server's memory, CPU, or processing capability and the virtual machines that are running on the physical server.
  • Virtual switches and the hypervisor are two examples of points of attack that are not present in a traditional data center.
  • a single computer host with multiple virtual machines may be attacked by one of the guest operating systems. Further, it is possible that a guest operating system may be used to attack another guest
  • Some specific types of software failures, called soft failures, have been shown to leave the computer system in a degraded mode. In the degraded mode, the computer system is still operational, but the available system
  • Software failures can be caused by the evolution of the state of one or more software data
  • a system restoration can take advantage of the cyclical nature of telecommunications traffic.
  • Soft failures or soft bugs can also occur as a result of synchronization mechanisms, e.g. semaphores; kernel structures, e.g. file table allocations; database management systems, e.g. database lock deadlocks; or other resource allocation mechanisms that are required for the proper operation of a large multi-layer distributed computer system.
  • a resource of the computer system can be designed with self-healing mechanisms such as timeouts.
  • Security intrusion of a software component can leave the software component in a state where it is still operational but the system available capacity is reduced. Accordingly, it is an object of the present invention to provide a method and an apparatus for monitoring security intrusion of a distributed computer system which allows to detect a security attack on the distributed computer system fast and efficiently.
  • This object is achieved according to a first aspect of the present invention by a method for monitoring security
  • the present invention provides according to a first aspect a method for monitoring security intrusion of a distributed computer system comprising virtual machines running on at least one host computer of the computer system, wherein the method comprises the steps of:
  • performance signature comprises a configurable set of host performance signature components.
  • the host performance signatures of the host computer are captured periodically.
  • the virtual machine performance signature comprises a configurable set of virtual machine signature components.
  • the virtual machine performance signatures of a virtual machine hosted by a host computer are captured if the host performance
  • an identified degraded host performance signature is categorized as
  • a counter value of a current bucket counter of said set of bucket counters provided for a signature component is incremented if a sampled value of the performance signature component exceeds an expected value of said performance signature component and the counter value is decremented if the sampled value of the performance signature component is smaller than the expected value of said performance signature component.
  • the identified degraded performance signature is categorized by calculating a level of degradation of the performance
  • if the calculated level of degradation exceeds the configurable threshold degradation level, the degraded performance signature is categorized as being associated with a software failure and if the calculated level of degradation is lower than the configurable threshold degradation level, the degraded performance signature is categorized as being associated with a security intrusion.
  • the invention further provides according to a further aspect a host computer comprising the features of claim 15. Accordingly, the invention further provides as a second aspect, a host computer adapted to monitor a configurable set of host performance signatures to identify a degraded host performance signature and adapted to monitor virtual machine performance signatures of virtual machines hosted by said host computer if the identified degraded host performance signature indicates a security intrusion to identify virtual machines targeted by the security intrusion.
  • the invention further provides according to a third aspect a distributed computer system comprising the features of claim 16.
  • the present invention further provides according to the third aspect a distributed computer system comprising at least one host computer, wherein said host computer is adapted to monitor a configurable set of host performance signatures to identify a degraded host performance signature and to monitor virtual machine performance signatures of virtual machines hosted by said host computer if the identified degraded host performance signature indicates a security intrusion to identify virtual machines targeted by the security intrusion.
  • Fig. 1 shows schematically a possible embodiment of a
  • Fig. 2 shows a flowchart of a possible embodiment of a
  • FIG. 3 shows a detailed flowchart for illustrating a
  • a distributed computer system can comprise several host computers H connected to each other via a network NW.
  • Each host computer can host one or several virtual machines VM.
  • the distributed computer system can be a cloud computing system with a plurality of computer hosts each having virtual machines.
  • the virtual machines are software implementations of a machine that can execute programs like a physical machine.
  • the virtual machine VM can be a system virtual machine that provides a complete system platform and which supports the execution of a complete operating system.
  • the virtual machine VM can also be a process virtual machine which is designed to run a program and which supports a corresponding associated process.
  • a platform virtualization is performed on a given hardware platform by a host software which creates a simulated
  • the guest software is not limited to user applications.
  • the host H can also allow the execution of complete operating systems OS.
  • the guest software executes as if it were running directly on the physical hardware.
  • Virtual machines VM hosted by the host devices or host computers H can be created and decommissioned in the cloud environment of the distributed computer system shown in Fig. 1.
  • the network NW shown in Fig. 1 can be formed by the internet.
  • the distributed computer system of Fig. 1 allows cloud computing which relies on sharing of resources to achieve coherence and economies of scale and to maximize the effectiveness of the shared resources. Resources of the distributed system are usually not only shared by multiple users but can also be dynamically reallocated per demand.
  • a cloud computer facility that serves European users during European business hours with a specific application such as email may reallocate the same resources to serve North American users during North America's business hours with a different application such as a webserver.
  • the cloud computing approach maximizes the use of computing resources, thus reducing environmental damages by reducing power
  • Fig. 1 can provide services by cloud computing providers CCP.
  • Cloud computing providers offer their services according to
  • the cloud environment illustrated in Fig. 1 can be a private cloud, a public cloud, a community cloud, a hybrid cloud or a distributed cloud.
  • the distributed computer system shown in Fig. 1 can comprise one or several host computers H which are adapted to monitor a configurable set of host performance signatures to identify a degraded host performance signature and to monitor virtual machine performance signatures of virtual machines VM hosted by the host computer H if the identified degraded host performance signature indicates a security intrusion to identify virtual machines VM targeted by the security
  • Fig. 2 shows a flowchart of a possible embodiment of a method for monitoring security intrusion of a distributed computer system such as shown in Fig. 1 according to an aspect of the present invention.
  • a first step SA the host performance signatures of a host computer H are monitored to identify a degraded host
  • each host computer H can comprise several virtual machines VM.
  • the number of virtual machines implemented on a host computer H can vary.
  • an associated virtual machines implemented on a host computer H
  • Each host performance signature can comprise a configurable set of host performance signature components.
  • a performance signature is a mechanism which allows to detect anomalous behavior indicative of a hostile attack on the distributed computer system. Further, a performance signature can form a metric to guide an automated development of a patch to correct flaws exploited by the respective hostile attack. The deviation from a normal pattern of operation can signal a potential system subversion. Monitoring for anomalous behavior requires defining variables or components that might indicate an attack and continually observing these defined variables during system operation of the distributed computer system.
  • the values of these observed variables or components during operation of the system constitute a performance signature. If the monitored variables or
  • a security warning can be issued by a host computer H of the distributed computer system.
  • for each variable or group of related variables or components, criteria for a suspicious behavior are predefined.
  • the variables or signature components can be for example processor usage of a processor within a host computer, a processor interrupt rate, an interrupt handling time, a transmission control protocol (TCP) throughput, system availability, an average queue length.
  • step SA the configurable set of host performance signatures of a host computer H is monitored to identify a degraded host performance signature.
  • the host performance signatures of the host computer are captured periodically.
  • a monitoring infrastructure or device is able to capture the performance signature of a host computer
  • the distributed computer system comprises two layers, i.e. the cloud computing host computers H and the hosted virtual machines VM.
  • For each virtual machine VM hosted by a host computer H, an associated configurable set of virtual machine performance signatures can be provided.
  • the virtual machine performance signatures can comprise a configurable set of virtual machine signature components.
  • performance signature of the respective host computer H indicates a security intrusion of the respective host
  • a two-pronged approach for software performance monitoring is provided, wherein the software performance signature of the cloud computing host computers H and of the virtual machines VM running on the cloud environment are tracked.
  • one set of multiple buckets or bucket counters is used for the cloud computing host computer H and another set of multiple buckets or bucket counters is used for each virtual machine VM hosted by the host computer H.
  • degraded mode performance signatures that occur as a result of a software failure or soft fault
  • degraded mode performance signatures that occur as a result of a security intrusion.
  • performance signatures can be associated with soft faults and with security attacks.
  • the software monitoring is performed for both layers, i.e. the host layer and the virtual machine layer.
  • Security intrusions are initially detected at the host layer. After the security intrusion is detected an additional monitoring is triggered to identify the virtual machine VM that was the target of the security attack.
  • the virtualized cloud computing environment is monitored for deviations from a resulting statistical superposition of the performance usage of several virtual machines.
  • a cloud computing host effective
  • performance signature is categorized into a performance signature that is associated with soft faults and into a performance signature that is associated with a security intrusion. Further, the virtual machines degraded performance signatures can also be categorized into performance
  • the method according to the present invention can use two sets of multiple bucket counters for the host computer H and each virtual machine VM.
  • Each bucket counter comprises a configurable counter depth which can be tuned dynamically. By dynamic tuning of the bucket counter depth, it is possible to quickly detect defective or degraded performance signatures. With this dynamically tuned depth it is possible to sample a variability in the measured
  • the performance signatures of the host computer H and/or virtual machines VM are sampled frequently.
  • the method as illustrated in the flowchart of Fig. 2 can be implemented in a monitoring software tool executed by a computer of the distributed computer system.
  • the monitoring entity or monitoring tool is designed or configured to capture a performance signature periodically for each layer comprising cloud computing host computers H and virtual machines VM hosted by the host computers H.
  • capturing the performance signature can be adaptable.
  • the adaptable capturing period comprises 10 seconds.
  • the same monitoring procedure is applied for each layer of the system.
  • Fig. 3 illustrates a flowchart of a possible embodiment of a method for monitoring a security intrusion of a distributed computer system comprising virtual machines VM running on at least one host computer H of the computer system.
  • the distributed computer system can comprise several layers, in particular a cloud computing host layer and a virtual machine layer.
  • the same monitoring procedure is applied as illustrated in Fig. 3. Accordingly, in a possible embodiment, a monitoring procedure for the performance signature of the cloud computing host computer H is performed and the same monitoring procedure is performed for the virtual machine layer.
  • the monitoring of the virtual machines VM is initiated after a security intrusion is detected at the cloud computing host computer H hosting these virtual machines VM.
  • N[i] is a current bucket for the i-th signature component.
  • monitoring routine illustrated in Fig. 3 comprises several steps.
  • In a first step S1, the monitoring routine is started.
  • the monitoring routine can be executed periodically at the cloud computing host computer H.
  • step S2 it is checked whether the current bucket counter N[i] for the i-th
  • step S3 it is checked whether the sample value S of the current performance signature component i exceeds an expected value of the performance signature component or not. If the sample value S of the performance signature component i exceeds the expected value of the performance signature component, the counter value d of the current bucket counter is incremented in step S4. On the contrary, if the expected value of the performance signature component is smaller than the expected value of the
  • the counter value d is decremented in step S5. If the counter value d of the current bucket counter of the set of contiguous bucket counters overflows a maximum depth D of the current bucket counter N[i], the maximum depth of the next bucket counter of the set of contiguous bucket counters is calculated dynamically. In a possible embodiment, a number of occurrences d of sampled values that are greater than
  • N[i] is a reference average expected value of the component i
  • $\sigma[i]$ is a reference expected standard deviation of the performance signature component i.
  • $D_N[i]$ represents the depth of the bucket counter N[i]. If any of the last available bucket counters i of the different sets of contiguous bucket counters provided for the signature components i of a
  • performance signature is identified in a possible embodiment as being degraded. If any of the last available bucket counters i overflows, the detection of a soft fault or security intrusion can be signaled. In the monitoring routine as illustrated in Fig. 3, the levels of K contiguous bucket counters for each performance signature component i are tracked. Consequently, K times i bucket counters are
  • N[i] is incremented when the current bucket counter overflows, i.e. when the counter value d[i] first exceeds the depth of the bucket $D_N[i]$. Further N[i] is
  • $D_{N+1}[i] = D_{MAX}[i] / (S_N[i] - (x[i] + \sigma[i]))$, wherein $D_{MAX}[i]$ is the maximum depth configured for the first bucket counter of each performance signature component i. I is the dimension of a performance signature vector.
  • the counter value d[i] of a performance signature component, the value N[i] indicating the current bucket counter for the performance signature component i can be reset to zero and the maximum depth can be initialized to $D_{MAX}$.
  • the method operates by modeling K contiguous bucket counters. A ball is dropped in the current bucket, i.e. the current bucket counter is increased or incremented if the sampled value for the ith component of the performance signature exceeds an expected value for the ith component of the performance signature.
  • a ball is removed from the current bucket, i.e., the current bucket counter is decremented, if the sampled value of the ith component of the performance signature is smaller than the expected value of the ith component of the performance signature.
  • the method dynamically computes the depth of the next bucket for the ith component.
  • the monitoring procedure as illustrated in Fig. 3 changes its estimation for the expected value of the ith component by adding one standard deviation to the expected value of the metric. This is equivalent to moving to the next bucket. If a bucket underflows, the monitoring routine can subtract one standard deviation from its estimation of the expected value of the ith component. This is equivalent to moving down to the previous bucket.
  • N[i] represents the current bucket index of the ith component.
  • d[i] represents the number of balls stored in the current bucket for the ith component. The monitoring routine reacts quickly to
  • After having incremented the counter value d[i] of the ith component, it is checked in step S6 whether the counter value exceeds the maximum depth of bucket N for the ith component. If the counter value does not exceed the maximum depth, the routine stops in step S7. If the current counter value exceeds the maximum depth $D_N$, adjustments are performed in step S8, as illustrated in
  • After having decremented the counter value d in step S5, it is checked in step S10 whether the counter value is lower than zero. If the counter value is lower than zero, the counter value d is set to zero in step S11. In step S12, it is checked whether the current bucket index for the ith component exceeds zero. If this is the case, adaptions are performed in step S13 as illustrated in Fig. 3. If in step S10 it is decided that the counter value is not beneath zero, the process stops in step S14. After the adaption step S13, the routine is also terminated in step S14. As can be seen Fig.
  • if in step S2 it is found that the current bucket index of the ith component has reached the total number of bucket counters used for the component i, a subroutine is executed in step S15, wherein a fault security categorization is performed.
  • performance signature is categorized in this subroutine by calculating in a possible implementation a level of
  • the degraded performance signature is categorized as being associated with a software failure. If the calculated level of degradation is lower than the configured threshold value, the degraded performance signature is categorized by the subroutine as being
  • a process for assessing an impact of a security attack can be used, wherein a system affecting metric for an observation period is defined as a fraction of time the respective system satisfies a defined specification.
  • a resource failure-based model can be defined and a resource usage-based model can be defined for the system.
  • Results for each of a plurality of states of the resource failure-based model and the resource usage-based model can be obtained.
  • the resource failure-based model and the resource usage-based model can be solved and a term fraction of time each model spends on each of the plurality of states can be obtained. Further, a state probability according to the term fraction can be obtained to generate a measure of the system affecting metric according to the state probability.
  • the subroutine performed in step S15 cannot decide if it is a soft fault or a security intrusion and if the event impacts several variables it is assumed that the event is a security
  • the monitoring process as illustrated in Fig. 3 can be implemented as follows:
  • the invention has a superior performance because monitoring is performed at the cloud computing host computer H periodically and on the virtual machines VM on demand after a security intrusion is detected.
  • the dynamic tuning for soft faults and security intrusion provides a good baseline performance at low loads because it is only activated when the performance signature metric exceeds a predefined target.
  • the superior performance of the method according to the present invention is achieved by using two sets of multiple contiguous bucket counters for cloud computing host computers H and virtual machines VM to track bursts in an arrival process using a variable depth bucket to validate moments where the estimate of performance metric should be changed.
  • the dynamic tuning delivers a superior performance at high loads, because it quickly adjusts the current bucket depth when it detects significant degradation in the performance signature.
  • the performance signature can also decrease non-linearly with the maximum depth of the bucket $D_{MAX}[i]$ using a generic function $F_N[i](D_{MAX}[i])$ to estimate $D_{N+1}[i]$ as the system degrades and by making the bucket depth
  • the method for monitoring security intrusion of a distributed computer system can be used in different entities or
  • the method triggers soft faults and security intrusion declarations when the estimate of the performance signature for any of its
  • the dynamic tuning performed by the monitoring process can be used to complement overload control algorithms to protect the computer system against denial of service attacks, because it reacts very quickly to slowdowns of the departure process.
  • the method according to the present invention is very
  • the implemented method according to the present invention provides a low overhead and is resilient against temporary increases of loads or data traffic caused for instance by multiple users or client devices.
  • the method according to the present invention allows to detect quickly a malicious attack on the distributed computer system. Depending on the level of degradation, dangers can be categorized as resulting from a soft fault, from a malicious attack or from temporary increases of the load.
  • a normalized level of degradation between zero and 1.0 can be calculated and compared with two threshold levels, TH1 and TH2, to perform the categorization. If the level of degradation exceeds a first load threshold value of TH1, e.g. 0.3, the degradation results from a soft fault or is the result of a malicious attack. If the level of degradation is higher than a second high threshold level TH2 of e.g. 0.7, it is decided that it is a result of a soft fault and the affected software component or virtual machine VM can for instance be rebooted.
  • If the level of degradation lies between both threshold levels TH1, TH2, for instance in a range between 0.3 and 0.7, it is decided in a possible implementation that there is a security intrusion, i.e. a malicious system attack.
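
The bucket-counter routine of Fig. 3 (steps S2 to S13), the TH1/TH2 categorization and the host-then-VM trigger described in the list above, sketched in Python as an added example; it is not code from the patent. Assumptions: the depth formula is clamped to an integer in [1, D_MAX], an underflow re-enters the previous bucket full, a level at or below TH1 is treated as a temporary load increase, the level of degradation is supplied by the caller, and every name and sample value is constructed.

```python
import math
from dataclasses import dataclass, field

TH1, TH2 = 0.3, 0.7  # example threshold levels quoted in the text


@dataclass
class BucketMonitor:
    """K contiguous bucket counters for one performance signature component i."""
    mean: float   # x[i]: reference average expected value
    sigma: float  # sigma[i]: reference expected standard deviation
    k: int        # K: number of contiguous bucket counters
    d_max: int    # D_MAX[i]: depth configured for the first bucket
    n: int = 0    # N[i]: index of the current bucket
    d: int = 0    # d[i]: balls in the current bucket
    depths: list = field(default_factory=list)  # depth of each bucket entered

    def __post_init__(self):
        self.depths = [self.d_max]

    def expected(self):
        # Each bucket above the first adds one standard deviation.
        return self.mean + self.n * self.sigma

    def sample(self, s):
        """Process one sampled value; True once the last bucket has overflowed."""
        if self.n >= self.k:                    # S2
            return True
        if s > self.expected():                 # S3
            self.d += 1                         # S4
            if self.d > self.depths[self.n]:    # S6
                self._next_bucket(s)            # S8
        else:
            self.d -= 1                         # S5
            if self.d < 0:                      # S10
                self.d = 0                      # S11
                if self.n > 0:                  # S12
                    self._previous_bucket()     # S13
        return self.n >= self.k

    def _next_bucket(self, s):
        # D_{N+1}[i] = D_MAX[i] / (S_N[i] - (x[i] + sigma[i])), as given in the text.
        excess = s - (self.mean + self.sigma)
        # Assumption: clamp the result to an integer in [1, D_MAX].
        depth = self.d_max if excess <= 1 else math.ceil(self.d_max / excess)
        self.n, self.d = self.n + 1, 0
        if self.n < self.k:
            self.depths[self.n:] = [depth]

    def _previous_bucket(self):
        # Assumption: the previous bucket is re-entered full.
        self.n -= 1
        self.d = self.depths[self.n]


def categorize(level):
    """Map a normalized level of degradation (0..1) to a cause."""
    if level > TH2:
        return "soft fault"
    if level > TH1:
        return "security intrusion"
    return "temporary load increase"  # assumption for levels at or below TH1


# Constructed sample data: CPU usage in percent, one value per capture period.
HOST_CFG = dict(mean=40, sigma=5, k=3, d_max=4)
VM_CFG = dict(mean=20, sigma=4, k=3, d_max=4)
HOST_SAMPLES = [38, 42, 39, 41, 37] + [72] * 12
VM_SAMPLES = {"vm-a": [21, 19, 22, 18] * 3, "vm-b": [60] * 12}


def monitor(host_samples, vm_samples, level, host_cfg=HOST_CFG, vm_cfg=VM_CFG):
    """Host layer first; VM layer only after the host verdict is an intrusion.

    `level` is the normalized level of degradation; the text does not say how
    it is computed, so it is an input here.
    """
    host = BucketMonitor(**host_cfg)
    for t, s in enumerate(host_samples):
        if host.sample(s):
            verdict = categorize(level)
            targeted = []
            if verdict == "security intrusion":
                for vm, samples in vm_samples.items():
                    m = BucketMonitor(**vm_cfg)
                    if any(m.sample(v) for v in samples):
                        targeted.append(vm)
            return t, verdict, targeted
    return None, "normal", []


if __name__ == "__main__":
    print(monitor(HOST_SAMPLES, VM_SAMPLES, level=0.5))
```

With these constructed samples the host signature is declared degraded after nine high readings; with a fixed depth of 4 for every bucket it would take fifteen.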

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method and an apparatus for monitoring security intrusion of a distributed computer system comprising virtual machines running on at least one host computer of said computer system, said method comprising the steps of: monitoring (S1) host performance signatures of a host computer to identify a degraded host performance signature of the respective host computer; and triggering an additional monitoring (S2) of virtual machine performance signatures of virtual machines hosted by the host computer if an identified degraded host performance signature of the host computer indicates a security intrusion, to identify the virtual machines of the host computer targeted by the security intrusion.
PCT/EP2014/052014 2013-02-01 2014-02-03 Method and apparatus for monitoring security intrusion of a distributed computer system WO2014118362A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201361759582P 2013-02-01 2013-02-01
US61/759,582 2013-02-01

Publications (1)

Publication Number Publication Date
WO2014118362A1 (fr) 2014-08-07

Family

ID=50190408

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2014/052014 WO2014118362A1 (fr) 2013-02-01 2014-02-03 Method and apparatus for monitoring security intrusion of a distributed computer system

Country Status (1)

Country Link
WO (1) WO2014118362A1 (fr)




Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14707338

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14707338

Country of ref document: EP

Kind code of ref document: A1