WO2020091591A1 - A system and method for enabling vulnerability detection of cloud container based service deployment - Google Patents
- Publication number: WO2020091591A1
- Authority: WO (WIPO, PCT)
- Prior art keywords
- container
- vectorized
- exposures
- document
- vulnerabilities
- Legal status: Ceased (the legal status is an assumption by Google Patents and is not a legal conclusion; no legal analysis has been performed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Definitions
- the present invention relates to a system and method for enabling vulnerability detection of cloud container based service deployment.
- the present invention provides time to time prediction of vulnerabilities through machine learning.
- A cloud container is designed to virtualize a single application, which creates an isolation boundary at the application level.
- A container is easier to deploy rapidly and at scale because it consists of independent network, memory and file system subsystems.
- New challenges of security control are introduced.
- Cloud containers may also be at risk due to the injection of vulnerabilities into the images, which can harm the cloud infrastructure. Exposure to external resources may expose cloud containers to vulnerabilities.
- US 20170098072 A1 (hereinafter referred to as the US 072 A1 Publication) entitled RUNTIME DETECTION OF VULNERABILITIES IN AN APPLICATION LAYER OF SOFTWARE CONTAINERS, having a filing date of 28 September 2016 (Applicant: Twistlock, Ltd.), discloses a system and method for detecting vulnerabilities in software containers at runtime.
- The US 072 A1 Publication provides runtime vulnerability detection and utilizes the CVE database and other security databases for known threat data.
- The US 072 A1 Publication is only able to detect vulnerabilities in software containers at runtime. Further, the US 072 A1 Publication only detects vulnerabilities when a new file is created, modified or both, and requires changes in the container to initiate vulnerability detection.
- US 20170109536 A1 (hereinafter referred to as the US 536 A1 Publication) entitled STATIC DETECTION OF VULNERABILITIES IN BASE IMAGES OF SOFTWARE CONTAINERS, having a filing date of 13 October 2016 (Applicant: Twistlock, Ltd.), discloses a system and method for detecting vulnerabilities in base images of software containers.
- The US 536 A1 Publication provides vulnerability detection of static images in a non-runtime environment and utilizes the CVE database and other security databases for known threat data.
- The US 536 A1 Publication only detects vulnerabilities in static images of software containers.
- The US 536 A1 Publication is configured to receive an event indicating that a base image in an image registry has been changed or added in order to initiate detection, and utilises a unitary signature, such as a checksum of a layer or a hash function computed over the contents of the layer, which is generated when no vulnerability is detected.
- US 9438634 B1 (hereinafter referred to as the US 634 B1 Patent) entitled MICROSEGMENTED NETWORKS THAT IMPLEMENT VULNERABILITY SCANNING, having a filing date of 28 August 2015 (Patentee: VARMOUR NETWORKS Inc.), discloses systems for providing vulnerability scanning within distributed microservices.
- The US 634 B1 Patent provides real-time vulnerability scanning which utilizes an active probe controller to execute scanning schedules, or to cause vulnerability scanning to occur when potentially malicious or suspicious activity or network traffic is detected for any workload.
- The database of known threats, vulnerabilities or exploits is not disclosed in the US 634 B1 Patent.
- The present invention discloses a system and method which enables vulnerability detection of cloud container based service deployment through machine learning, which enables time to time prediction of vulnerabilities and provides efficient and intelligent vulnerability detection both at the dynamic runtime stage and for static images.
- A system (100) for enabling vulnerability detection of cloud container based service deployment comprises a user interface (102) for displaying vulnerability information to a user; at least one vulnerability detection server (104) enabling detection of vulnerabilities; a container deployment engine (110) comprising a plurality of containers (112A, 112B, 112C, 112D) for deploying services on at least one host or across a plurality of hosts; a plurality of images (114A, 114B, 114C, 114D) within the container deployment engine (110) for distributing services in a series of layers; and at least one common vulnerability and exposure database (106) and at least one exploit database (108) connected to the vulnerability detection server (104) for providing vulnerability information.
- The vulnerability detection server (104) further comprises at least one Data Extractor (118) having means for obtaining a container identifier and name of the container, extracting information of the container in the container deployment engine, and merging all information obtained for generating a vectorized document of each container; at least one Data Binder (120) having means for obtaining a common vulnerabilities and exposures identifier, submitting a query to at least one common vulnerabilities and exposures database (106) and at least one exploit database (108), and merging the information obtained for generating a vectorized document of each common vulnerabilities and exposures; at least one Data Converter (122) having means for obtaining the vectorized document of each container from at least one Data Extractor (118) and the vectorized document of each common vulnerabilities and exposures from at least one Data Binder (120), and handling conversions of the said documents; at least one Core module (124) having means for obtaining relevancy between the vectorized document of each container and the vectorized document of each common vulnerabilities and exposures, and associating the vectorised documents to the corresponding common vulnerabilities and exposures identifier; and at least one database (1
- The information obtained for generating a vectorized document of each common vulnerabilities and exposures through at least one Data Binder may comprise the analysis description, products affected, number of affected versions, vulnerability conditions, Metasploit modules, and the description of the patch or guide information of the common vulnerabilities and exposures identifier.
- a further aspect of the invention provides that a method (200) for enabling vulnerability detection of cloud container based service deployment comprises steps of binding, filtering and vectorizing common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures through at least one Data Binder (202); extracting, filtering and vectorizing container information for obtaining a vectorized document of each container through at least one Data Extractor (204); determining availability of evaluation history (206); evaluating the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container, if evaluation history is not available (208); and performing prediction of vulnerabilities from outcome of relevancy comparison between vectorised document of each common vulnerabilities and exposures and the vectorised document of each container, if evaluation history is available (210).
- The binding, filtering and vectorizing of the common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures through at least one Data Binder (202) further comprises steps (300) of: obtaining the common vulnerabilities and exposures identifier of each vulnerability (302); connecting to a common vulnerabilities and exposures database (304); obtaining information of the common vulnerabilities and exposures identifier (306); connecting to an exploit database (308) for obtaining information of exploits (310); performing data cleansing for filtering the information of common vulnerabilities and exposures and exploits (312); merging the information obtained for vectorizing the information (314); tagging the merged information as a vectorized document of each common vulnerabilities and exposures (316); and presenting the vectorized document of each common vulnerabilities and exposures to at least one Data Converter (122) (318).
- The extracting, filtering and vectorizing of container information for obtaining a vectorized document of each container through at least one Data Extractor (204) further comprises steps (400) of: connecting to a container deployment engine (110) for obtaining a container identifier (402); identifying the container deployment directory from a host to a container (404); obtaining access from the host to the container (406); obtaining a package list of the container (408); obtaining file names and binaries of the container (410); obtaining operating system information of the container (412); merging the obtained information for vectorising the information upon filtering and cleansing of the obtained information (414); tagging the information as a vectorized document of each container (416); and presenting the vectorized document of each container to at least one Data Converter (122) (418).
- Another aspect of the invention provides that presenting the vectorized document of each common vulnerabilities and exposures to at least one Data Converter (122) (318) further comprises steps (500) of: appending the vectorized documents of each common vulnerabilities and exposures as a training set (502a); separating each word in the vectorized documents of each common vulnerabilities and exposures and applying inverse document frequency to the vectorized documents of each common vulnerabilities and exposures (504a); applying term frequency to the vectorized documents of each common vulnerabilities and exposures (506a); generating vector space values of the vectorized documents of each common vulnerabilities and exposures and indexing the vectorized documents of each common vulnerabilities and exposures with the common vulnerabilities and exposures identifier (508a); generating a vector space matrix of the vectorized documents of each common vulnerabilities and exposures (510a); and submitting the vector space matrix to at least one Core module (124) for relevancy comparison between the vectorized documents of each common vulnerabilities and exposures and the vectorized document of each container (512a).
- A further aspect of the invention provides that presenting the vectorized document of each container to at least one Data Converter (122) (418) further comprises steps (500) of: receiving the vectorized document of each container as a testing set (502b); separating each word in the vectorized document of each container and applying inverse document frequency data to the vectorized document of each container (504b); applying term frequency to the vectorized document of each container (506b); generating vector space values of the vectorized document of each container and storing the vector space values for prediction (508b); generating a vector space matrix of the vectorized document of each container (510b); and submitting the vector space matrix to at least one Core module (124) for relevancy comparison (512b) between the vectorized documents of each common vulnerabilities and exposures and the vectorized document of each container.
- Sending the vector space matrix to the Core module (124) for relevancy comparison and evaluation (512a) further comprises steps (600) of: receiving the vector space matrix of the vectorized documents of each common vulnerabilities and exposures and the vectorized documents of each container from at least one Data Converter (601); determining availability of a prediction training set for relevancy comparison to detect vulnerabilities (602); if the prediction training set is available (602a): performing relevancy comparison between the vector space matrix of the vectorized document of each container and a vectorized document of outcome as classifier to predict (604); determining if relevancy is detected from the relevancy comparison (605); if relevancy is detected (605a): retrieving the common vulnerabilities and exposures identifier of the vectorized documents of each common vulnerabilities and exposures to be included in a report (608), and displaying the report to a user (618); if relevancy is not detected (605b): generating a report based on the relevancy comparison outcome (606), and displaying the report to a user (618); if the prediction training set is not available (602b): performing relevancy comparison vector space matrix of
- Sending the vector space matrix to the Core module (124) for relevancy comparison and evaluation (512b) further comprises steps (600) of: receiving the vector space matrix of the vectorized documents of each common vulnerabilities and exposures and the vectorized document of each container from at least one Data Converter (601); determining availability of a prediction training set for relevancy comparison for detecting vulnerabilities (602); if the prediction training set is available (602a): performing relevancy comparison between the vector space matrix of the vectorized document of each container and a vectorized document of outcome as classifier to predict (604); determining if relevancy is detected from the relevancy comparison (605); if relevancy is detected (605a): retrieving the common vulnerabilities and exposures identifier of the vectorized documents of each common vulnerabilities and exposures to be included in a report (608), and displaying the report to a user (618); if relevancy is not detected (605b): generating a report based on the relevancy evaluation outcome (606), and displaying the report to a user (618); if the prediction training set is not available (602b): performing relevancy comparison vector
- Fig. 1.0 illustrates a general system architecture of the present invention for enabling vulnerability detection of a cloud container based service deployment.
- Fig. 2.0 is a flowchart illustrating a general methodology of the present invention for detecting vulnerabilities in the cloud container.
- Fig. 2.0a illustrates a schematic diagram of the configuration of the system architecture of the present invention.
- Fig. 3.0 is a flowchart illustrating the steps involved in binding, filtering and vectorizing the common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures.
- Fig. 4.0 is a flowchart illustrating the steps involved in extracting, filtering and vectorizing container information for obtaining a vectorized document of each container.
- Fig. 5.0 is a flowchart illustrating the steps involved in converting information for obtaining vector space values and vector space matrix.
- Fig. 6.0 is a flowchart illustrating the steps involved for relevancy comparison for detecting vulnerabilities.
- the present invention relates to a system and method that enables efficient and intelligent flow of vulnerabilities detection with time to time prediction of vulnerabilities through machine learning.
- the present invention also allows vulnerabilities detection at dynamic runtime stage and static image.
- FIG. 1.0 illustrates a general system architecture of the present invention for enabling vulnerability detection of a cloud container based service deployment.
- The system comprises a user interface (102), at least one vulnerability detection server (104), a container deployment engine (110), a plurality of images (114A, 114B, 114C, 114D), at least one common vulnerabilities and exposures database (106) and at least one exploit database (108).
- the user interface (102) displays vulnerabilities information and a report to a user wherein the vulnerabilities information is provided to the user interface (102) through the vulnerability detection server (104).
- the vulnerability detection server (104) interacts with the common vulnerabilities exposures database (106) and the exploit database (108) for obtaining information pertaining to the vulnerabilities and exploits.
- the vulnerabilities and exploits information may also be obtained from other external databases and not limited to the common vulnerabilities and exposures database (106) and the exploit database (108).
- The vulnerability detection server (104) also interacts with the container deployment engine (110) for detecting vulnerabilities and exploits in at least one host.
- The container deployment engine (110) comprises a plurality of containers (112A, 112B, 112C, 112D), which deploy services in an isolated environment of the host or across a plurality of hosts, and the plurality of images (114A, 114B, 114C, 114D) in a layered architecture.
- The services of the container deployment engine (110) are distributed by packaging services in a series of layers of the plurality of images (114A, 114B, 114C or 114D).
- the layers may include a system to host applications and services, files and binaries, and packages and libraries. As illustrated in FIG.
- The vulnerability detection server (104) comprises a plurality of components which utilize machine learning instructions for handling detection of vulnerabilities, wherein the plurality of components includes at least one database (116), at least one Data Extractor (118), at least one Data Binder (120), at least one Data Converter (122), and at least one Core module (124).
- The database (116) within the vulnerability detection server (104) allows the information obtained in regard to vulnerabilities and exploits, and other relevant information and documents, to be stored and managed.
- The Data Extractor (118) within the vulnerability detection server (104) obtains and extracts a container identifier along with container information such as the package list, files, and binaries. The extracted container information is merged and presented as a vectorized document of each container, also known as a ContDoc.
- the Data Binder (120) obtains a common vulnerabilities and exposures identifier as an input and generates a query to common vulnerabilities and exposures database (106) and exploit database (108) for obtaining information pertaining to the vulnerabilities and exploits.
- the information to be obtained from the common vulnerabilities and exposures database (106) and exploit database (108) is defined specifically prior to each query.
- the information obtained will be merged and presented into a vectorized document of each common vulnerabilities and exposures also known as a VulDoc.
- The vectorized document of each container generated through the Data Extractor (118) and the vectorized document of each common vulnerabilities and exposures generated through the Data Binder (120) are then presented to the Data Converter (122).
- the Data Converter (122) provides conversions of the vectorized documents into trained documents for predicting vulnerabilities and exploits allowing efficient and intelligent flow for detecting vulnerabilities from time to time at dynamic runtime stage and static image.
- The Data Converter (122) utilizes two components, namely a Re-trainer (or a PredDoc within the Core module (124), which is also known as the vectorized document of outcome as classifier to predict) and a Vector Author.
- the Core module (124) obtains relevancy between the vectorized document of each container and the vectorized document of each common vulnerabilities and exposures, and further associates the said relevancy obtained to the corresponding common vulnerabilities and exposures identifier through two components namely a Relevancy Author and an Indexer within the Core module (124).
- FIG. 2.0 is a flowchart illustrating the general methodology of the present invention for detecting vulnerabilities in cloud container (200).
- the Data Binder (120) first binds, filters, vectorizes and indexes the common vulnerabilities and exposures identifier for obtaining the vectorized document of each common vulnerabilities and exposures (202).
- the common vulnerabilities and exposures information including exploits information is first gathered from both common vulnerabilities and exposures database (106) and exploit database (108) to be filtered accordingly.
- The filtered information is subsequently vectorized, indexed, and stored in the database (116).
- The Data Extractor (118) extracts, filters and vectorizes the container information for obtaining the vectorized document of each container (204).
- The name and the information of the container obtained from the container deployment engine (110) are extracted and filtered accordingly.
- The container information that has been filtered is subsequently vectorized.
- Availability of evaluation history is determined (206). If the evaluation history is not available, the evaluation is performed between the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container through the Core module (124) (208). However, if the evaluation history of the container information is available, the prediction is performed promptly using relevancy outcome from evaluation history through the Core module (124) (210).
- FIG. 2.0a illustrates a schematic diagram of the configuration of the system architecture of the present invention as illustrated in FIG. 2.0.
- the common vulnerabilities and exposures identifier is first obtained through the Data Binder (120).
- the Data Binder (120) then submits a query to the common vulnerabilities and exposures database (106) and the exploit database (108) for obtaining common vulnerabilities and exposures information, wherein the information may include general information of the common vulnerabilities and exposures such as description, platform, available codes, tags as well as exploit information.
- the common vulnerabilities and exposures information obtained through the Data Binder (120) is therefore merged and presented as a vectorized document of each common vulnerabilities and exposures. Thereafter, the vectorized document of each common vulnerabilities and exposures is presented to the Data Converter (122) wherein the Data Converter (122) subsequently filters and vectorizes the vectorized document of each common vulnerabilities and exposures as a bag of vectors.
- The container identifier and container information such as the operating system, applications and packages, files and binaries which correspond to the name of each container are obtained through the Data Extractor (118).
- The information of the container obtained from the container deployment engine (110) is extracted, filtered, and vectorized accordingly and presented as a vectorized document of each container.
- the vectorized document of each container is presented to the Data Converter (122) wherein the Data Converter (122) subsequently filters and vectorizes the vectorized document of each container as a bag of vectors.
- the Data Converter (122) subsequently presents the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container to the Core module (124) for evaluating relevancy and indexing, wherein the vectorized document of each common vulnerabilities and exposures is used for detecting vulnerability from the vectorized document of each container.
- Each vectorized document of each common vulnerabilities and exposures presented to the Core module (124) is indexed and subsequently stored in the database (116) for future evaluation.
- FIG. 3.0 is a flowchart illustrating the steps involved in binding, filtering and vectorizing the common vulnerabilities and exposures identifier for obtaining the vectorized document of each common vulnerabilities and exposures, as illustrated in FIG. 2.0, step 202 and FIG. 2.0a.
- the common vulnerabilities and exposures identifier of each vulnerability is obtained by the Data Binder (120) (302).
- a query is made to the common vulnerabilities and exposures database (106) (304) for obtaining the information of the common vulnerabilities and exposures identifier including information such as analysis description, product affected by, number of affected version, vulnerability conditions, Metasploit modules, and description of the patch and guide (306).
- A query is also made to the exploit database (108) (308) in order to obtain information of exploits corresponding to the common vulnerabilities and exposures identifier, such as the exploit identifier, title, code comments, platform name, aliases and tags (310).
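The Data Binder's steps 302 to 318 (query the CVE database, query the exploit database, cleanse, merge and tag) can be written out as follows. This is an added Python example, not code from the patent or any product; the two database records are constructed stand-ins with placeholder identifiers, the field names are assumptions, and `bind`, `cleanse` and `flatten` are hypothetical helpers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed stand-ins for the CVE database (106) and exploit database (108).
# Identifiers are placeholders and the field names are assumptions, not any real API.
CVE_DB = {
    "CVE-0000-0001": {
        "description": "Buffer overflow in <b>libexample</b> before 1.2.3 allows remote attackers to crash the service.",
        "products": ["libexample", "example-server"],
        "affected_versions": ["1.2.0", "1.2.1", "1.2.2"],
        "conditions": "network reachable; default configuration",
        "metasploit_modules": ["auxiliary/dos/misc/example_crash"],
        "patch": "Upgrade libexample to 1.2.3 or later.",
    },
    "CVE-0000-0002": {
        "description": "SQL injection in webapp-example 3.0 and 3.1 via the login form.",
        "products": ["webapp-example"],
        "affected_versions": ["3.0", "3.1"],
        "conditions": "unauthenticated",
        "metasploit_modules": [],
        "patch": "Apply vendor patch 3.1.1.",
    },
}
EXPLOIT_DB = {
    "CVE-0000-0001": [{
        "exploit_id": "EDB-PLACEHOLDER-1",
        "title": "libexample 1.2.x - Remote Crash (PoC)",
        "comments": "# Tested on Linux x86_64\n# Service listens on port 8080",
        "platform": "linux",
        "aliases": ["example-crash"],
        "tags": ["dos", "remote"],
    }],
}

# a token starts alphanumeric, may contain version/path characters, and never ends in "."
TOKEN = re.compile(r"[a-z0-9](?:[\w./-]*[\w/-])?")


def cleanse(text: str) -> list[str]:
    """Step 312: drop markup, lowercase, keep word-, version- and path-like tokens."""
    return TOKEN.findall(re.sub(r"<[^>]+>", " ", text).lower())


def flatten(record: dict) -> str:
    """Join every string or list-of-strings field of a record into one text blob."""
    return " ".join(" ".join(v) if isinstance(v, list) else str(v) for v in record.values())


@dataclass
class VulDoc:
    cve_id: str
    tokens: list[str]
    sources: list[str] = field(default_factory=list)
    tag: str = "VulDoc"                                   # step 316


def bind(cve_id: str, cve_db: dict, exploit_db: dict) -> VulDoc:
    """Steps 302-318 for one identifier: query both databases, cleanse, merge, tag."""
    cve = cve_db.get(cve_id)                              # 304/306
    if cve is None:
        raise KeyError(f"{cve_id} not found in CVE database")
    exploits = exploit_db.get(cve_id, [])                 # 308/310; no exploit is a valid outcome
    tokens = cleanse(flatten(cve))                        # 312
    sources = ["cve"]
    for ex in exploits:                                   # 314: merge exploit text into the same document
        tokens += cleanse(flatten({k: v for k, v in ex.items() if k != "exploit_id"}))
        sources.append(ex["exploit_id"])
    return VulDoc(cve_id, tokens, sources)


if __name__ == "__main__":
    for cid in CVE_DB:
        doc = bind(cid, CVE_DB, EXPLOIT_DB)
        print(doc.cve_id, doc.sources, doc.tokens[:12], "...")   # 318: handed to the Data Converter
```

The cleansing step matters more than it looks: version strings such as `1.2.3` and module paths such as `auxiliary/dos/misc/example_crash` must survive as single tokens, or the later relevancy comparison cannot match them against the container's package versions, while stray markup and trailing punctuation must not leak into the vocabulary.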
- FIG. 4.0 is a flowchart illustrating the steps involved in extracting, filtering and vectorizing container information for obtaining the vectorized document of each container (400), as illustrated in FIG. 2.0, step 204 as well as FIG. 2.0a. As illustrated in FIG.
- The Data Extractor (118) first interacts with the container deployment engine (110) in order to obtain the information of the container, including a running container identifier (402). Thereafter, the Data Extractor (118) identifies the container deployment directory from the host to the container (112A, 112B, 112C, 112D) (404) and obtains privileged access from the host to the container (112A, 112B, 112C, 112D) based on the obtained container identifier (406). Subsequently, a package list of the specific container (112A, 112B, 112C or 112D) is obtained (408) together with a list of file names and binaries (410).
- The operating system of the container (112A, 112B, 112C, 112D) and other relevant files pertaining to the container (112A, 112B, 112C, 112D) are also obtained (412).
- The information obtained is merged accordingly and vectorized upon filtering and cleansing of the same (414).
- The said vectorized information is tagged as a vectorized document of each container (416) and presented to the Data Converter (122) (418).
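The Data Extractor's steps 408 to 416 (package list, file names and binaries, operating system information, then filtering and tagging) as an added Python example; this is not code from the patent or any product. The package list, file list and os-release text are constructed samples standing in for what would be read from inside a container once access has been obtained (steps 402 to 406), so the example runs offline; the container identifier and name are placeholders and `parse_package_list`, `parse_os_release` and `build_contdoc` are hypothetical helpers.

```python
from __future__ import annotations

import os
from dataclasses import dataclass

# Placeholder container identity (402); not a real container.
CONTAINER_ID = "0123456789ab"
CONTAINER_NAME = "example-web"

# Constructed sample in the shape of: dpkg-query -W -f='${Package} ${Version}\n'   (408)
SAMPLE_PACKAGE_LIST = """\
bash 5.1-2+deb11u1
libexample 1.2.1-1
openssl 1.1.1n-0+deb11u5

malformed line without version
"""

# Constructed sample of executable files found in the container (410)
SAMPLE_FILES = [
    "/usr/bin/bash",
    "/usr/lib/x86_64-linux-gnu/libexample.so.1.2.1",
    "/usr/local/bin/start-web.sh",
]

# Constructed sample of /etc/os-release (412)
SAMPLE_OS_RELEASE = """\
# comment lines and blank lines are allowed
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
ID=debian

ID_LIKE=
"""


def parse_package_list(text: str) -> dict[str, str]:
    """Map package name -> version, skipping blank or malformed lines."""
    packages = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            packages[parts[0]] = parts[1]
    return packages


def parse_os_release(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines of /etc/os-release, tolerating quotes, comments and empty values."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"').strip("'")
    return info


@dataclass
class ContDoc:
    container_id: str
    name: str
    tokens: list[str]
    tag: str = "ContDoc"                                  # step 416


def build_contdoc(container_id: str, name: str, package_text: str,
                  files: list[str], os_release_text: str) -> ContDoc:
    """Steps 408-416: merge package, file and OS information into one token document."""
    tokens: list[str] = []
    for pkg, version in parse_package_list(package_text).items():
        upstream = version.split("-")[0]                  # "1.2.1-1" -> "1.2.1", the form CVE data uses
        tokens += [pkg, version, upstream]
    for path in files:
        tokens.append(os.path.basename(path).lower())     # 410: file names and binaries
    osr = parse_os_release(os_release_text)               # 412: operating system information
    for key in ("ID", "VERSION_ID", "ID_LIKE"):
        if osr.get(key):
            tokens += osr[key].lower().split()
    merged = list(dict.fromkeys(tokens))                  # 414: drop duplicates, keep first-seen order
    return ContDoc(container_id, name, merged)


if __name__ == "__main__":
    doc = build_contdoc(CONTAINER_ID, CONTAINER_NAME, SAMPLE_PACKAGE_LIST, SAMPLE_FILES, SAMPLE_OS_RELEASE)
    print(doc.container_id, doc.name, doc.tag, doc.tokens)   # 418: handed to the Data Converter
```

Emitting both the distribution version (`1.2.1-1`) and its upstream part (`1.2.1`) is deliberate: CVE descriptions and affected-version lists are written against upstream versions, so a document that only carried the distribution string would never share a token with the corresponding VulDoc.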
- FIG. 5.0 is a flowchart illustrating the steps involved in converting information for obtaining vector space values and vector space matrix in both vectorized document of each common vulnerabilities and exposures and vectorized document of each container (500).
- the vectorized document of each common vulnerabilities and exposures and vectorized document of each container are presented to the Data Converter (122) for further vectorization steps.
- the steps involved in converting information of the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container are simultaneously performed.
- All available vectorized documents of each common vulnerabilities and exposures received by the Data Converter (122) are appended as a training set (502a), and subsequently each word in the vectorized document of each common vulnerabilities and exposures is separated and inverse document frequency, IDF, is applied (504a). Following the application of the inverse document frequency, term frequency is applied to each vectorized document of each common vulnerabilities and exposures (506a). Thereafter, the Data Converter (122) generates vector space values of each vectorized document of each common vulnerabilities and exposures and indexes the vectorized document of each common vulnerabilities and exposures with the common vulnerabilities and exposures identifier (508a).
- The Data Converter (122) further generates a vector space matrix of each vectorized document of each common vulnerabilities and exposures (510a) and subsequently presents the same to the Core module (124) for relevancy comparison (512a). Simultaneously with step 502a, the vectorized document of each container received from the Data Extractor (118) is received as a testing set (502b). Further, each word in the vectorized document of each container is separated and inverse document frequency, IDF, is applied (504b). Subsequent to the application of IDF, term frequency is applied to the vectorized document of each container (506b). Thereafter, the Data Converter (122) generates vector space values of the vectorized document of each container and stores the same for prediction of vulnerabilities (508b). The Data Converter (122) further generates a vector space matrix of the vectorized document of each container (510b) and subsequently presents the vector space matrix of the vectorized document of each container to the Core module (124) for relevancy comparison (512b).
- FIG. 6.0 is a flowchart illustrating the steps involved for relevancy comparison in order to detect vulnerabilities.
- the Core module (124) determines the availability of prediction training set for relevancy comparison to detect vulnerabilities (602). If the training set is available (602a), the vector space matrix of the vectorized document of each container will be compared to the vectorized document of outcome as classifier to predict for relevancy comparison (604). Thereafter, the Core module (124) determines whether any relevancy is detected from the outcome of the relevancy comparison (605).
- If relevancy is detected (605a), the common vulnerabilities and exposures identifier of the vectorized document of each common vulnerabilities and exposures is retrieved to be included in a report (608) and the report is subsequently displayed to the user (618).
- a report will be generated based on the relevancy comparison outcome (606) and the report will be presented to the user (618).
- If the training set is not available (602b), the vector space matrix of the vectorized document of each container will be compared to the vector space matrix of the vectorized document of each common vulnerabilities and exposures for relevancy comparison (610). If relevancy is detected (611a), the vectorized document of each container is tagged to be included in the vectorized document of outcome as classifier to predict (614) and to be utilized as a training data set (616a) for future prediction.
- the said vectorized document of outcome as classifier to predict (614) and to be utilized as the train data set (616a) further comprises of two routes.
- the train data set obtained (616a) will be used for relevancy comparison in step 604.
- The Core module (124) determines whether any relevancy is detected from the outcome of the relevancy comparison (605). If relevancy is detected from the evaluation (605a), the common vulnerabilities and exposures identifier of the vectorized document of each common vulnerabilities and exposures is retrieved to be included in a report (608) and the report is subsequently displayed to the user (618). Nevertheless, if no relevancy is detected from the relevancy evaluation (605b), a report will be generated based on the relevancy comparison outcome (606) and the report will be presented to the user (618).
- the common vulnerabilities and exposures identifier of the vectorized document of each common vulnerabilities and exposures is then retrieved to be included in a report (616b).
- the report is then displayed to the user (618).
- a report will be generated based on the relevancy comparison outcome (616) and displayed to the user (618).
- the present invention relates to a system and method which enables an efficient and intelligent flow of vulnerability detection by providing time to time prediction of vulnerabilities and allowing vulnerability detection at the dynamic runtime stage and on static images using machine learning.
- the present invention utilizes at least one vulnerability detection server (104) comprising at least one Data Extractor (118) for generating a vectorized document of each container, at least one Data Binder (120) for generating a vectorized document of each common vulnerabilities and exposures, at least one Data Converter (122) for converting the vectorized documents of each container and the vectorized documents of each common vulnerabilities and exposures, and at least one Core module (124) for relevancy comparison.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The present invention relates to a system and method for enabling vulnerability detection of cloud container based services. In particular, the present invention relates to a system and method that enables an efficient and intelligent flow of vulnerability detection utilizing at least one vulnerability detection server (104) comprising at least one Data Extractor (118) for generating a vectorized document of each container, at least one Data Binder (120) for generating a vectorized document of each common vulnerabilities and exposures, at least one Data Converter (122) for converting the vectorized documents of each container and the vectorized documents of each common vulnerabilities and exposures, and at least one Core module (124) for relevancy comparison. The present invention provides time to time prediction of vulnerabilities by utilizing machine learning instructions. The present invention allows vulnerability detection at the dynamic runtime stage and on static images.
Description
A SYSTEM AND METHOD FOR ENABLING VULNERABILITY DETECTION OF CLOUD CONTAINER BASED SERVICE DEPLOYMENT
FIELD OF INVENTION
The present invention relates to a system and method for enabling vulnerability detection of cloud container based service deployment. In particular, the present invention provides time to time prediction of vulnerabilities through machine learning.
BACKGROUND OF INVENTION
A cloud container is designed to virtualize a single application, which creates an isolation boundary at the application level. Containers are easier to deploy rapidly and at scale, as each consists of independent subsystems for network, memory and file system. However, as containers become more popular than traditional virtual machines, new security control challenges are introduced.
Vulnerabilities exist within applications and services, and appear as a serious threat to cloud infrastructure. Cloud containers may also be at risk due to the injection of vulnerabilities into the images, which can harm the cloud infrastructure. Exposure to external resources may likewise expose cloud containers to vulnerabilities.
Current systems and methods for detecting vulnerabilities in cloud containers are limited in the sources they scan to detect vulnerabilities; thus the vulnerability detection they provide is not accurate. Current methods also require more time to execute because vulnerability detection is performed separately for the system, packages, files, binaries and so on.
United States Patent Application Publication No. US 20170098072 A1 (hereinafter referred to as the US 072 A1 Publication) entitled RUNTIME DETECTION OF VULNERABILITIES IN AN APPLICATION LAYER OF SOFTWARE CONTAINERS having a filing date of 28 September 2016 (Applicant: Twistlock, Ltd.) discloses a system and method for detecting vulnerabilities in software containers at runtime. The US 072 A1 Publication provides runtime vulnerability detection and utilizes the CVE database and other security databases for known threat data. The US 072 A1 Publication is only able to detect vulnerabilities in software containers at runtime. Further, the US 072 A1 Publication only detects a vulnerability when a new file is created, modified or both, and requires changes in the container to initiate vulnerability detection.
United States Patent Application Publication No. US 20170109536 A1 (hereinafter referred to as the US 536 A1 Publication) entitled STATIC DETECTION OF VULNERABILITIES IN BASE IMAGES OF SOFTWARE CONTAINERS having a filing date of 13 October 2016 (Applicant: Twistlock, Ltd.) discloses a system and method for detecting vulnerabilities in base images of software containers. The US 536 A1 Publication provides vulnerability detection of static images in a non-runtime environment and utilizes the CVE database and other security databases for known threat data. The US 536 A1 Publication only detects vulnerabilities in static images of software containers. Further, the US 536 A1 Publication is configured to receive an event indicating that a base image in an image registry has been changed or added in order to initiate detection, and utilises a unitary signature, such as a checksum of a layer or a hash function computed over the contents of the layer, generated when no vulnerability is detected.
United States Patent No. US 9438634 B1 (hereinafter referred to as the US 634 B1 Patent) entitled MICROSEGMENTED NETWORKS THAT IMPLEMENT VULNERABILITY SCANNING having a filing date of 28 August 2015 (Patentee: VARMOUR NETWORKS Inc.) discloses systems for providing vulnerability scanning within distributed microservices. The US 634 B1 Patent provides real-time vulnerability scanning which utilizes an active probe controller to execute scanning schedules, or to cause vulnerability scanning to occur when potentially malicious or suspicious activity or network traffic is detected for any workload. The database of known threats, vulnerabilities or exploits is not disclosed in the US 634 B1 Patent.
Due to the drawbacks and limitations of the currently available systems and methods, the present invention discloses a system and method which enables vulnerability detection of cloud container based service deployment through machine learning, which provides time to time prediction of vulnerabilities and efficient and intelligent vulnerability detection at the dynamic runtime stage and on static images.
SUMMARY OF INVENTION
The present invention relates to a system and method for enabling vulnerability detection of cloud container based service deployment. In particular, the present invention provides time to time prediction of vulnerabilities through machine learning.
One aspect of the invention provides that a system (100) for enabling vulnerability detection of cloud container based service deployment comprises a user interface (102) for displaying vulnerabilities information to a user; at least one vulnerability detection server (104) enabling detection of vulnerabilities; a container deployment engine (110) comprising a plurality of containers (112A, 112B, 112C, 112D) for deploying services on at least one host or across a plurality of hosts; a plurality of images (114A, 114B, 114C, 114D) within the container deployment engine (110) for distributing services in a series of layers; and at least one common vulnerabilities and exposures database (106) and at least one exploit database (108) connected to the vulnerability detection server (104) for providing vulnerabilities information.
The vulnerability detection server (104) further comprises at least one Data Extractor (118) having means for obtaining a container identifier and name of the container, extracting information of the container in the container deployment engine, and merging all information obtained for generating a vectorized document of each container; at least one Data Binder (120) having means for obtaining a common vulnerabilities and exposures identifier, submitting a query to at least one common vulnerabilities and exposures database (106) and at least one exploit database (108), and merging the information obtained for generating a vectorized document of each common vulnerabilities and exposures; at least one Data Converter (122) having means for obtaining the vectorized document of each container from the at least one Data Extractor (118) and the vectorized document of each common vulnerabilities and exposures from the at least one Data Binder (120), and handling conversions of the said documents; at least one Core module (124) having means for obtaining relevancy between the vectorized document of each container and the vectorized document of each common vulnerabilities and exposures, and associating the vectorised documents with the corresponding common vulnerabilities and exposures identifier; and at least one database (116) for handling detection of vulnerabilities in the container deployment engine (110).
Another aspect of the invention provides that the information obtained for generating a vectorized document of each common vulnerabilities and exposures through the at least one Data Binder may comprise an analysis description, the product affected, the number of affected versions, vulnerability conditions, Metasploit modules and a description of the patch or guide information for the common vulnerabilities and exposures identifier.
A further aspect of the invention provides that a method (200) for enabling vulnerability detection of cloud container based service deployment comprises steps of binding, filtering and vectorizing common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures through at least one Data Binder (202); extracting, filtering and vectorizing container information for obtaining a vectorized document of each container through at least one Data Extractor (204); determining availability of evaluation history (206); evaluating the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container, if evaluation history is not available (208); and performing prediction of vulnerabilities from outcome of relevancy comparison between vectorised document of each common vulnerabilities and exposures and the vectorised document of each container, if evaluation history is available (210).
Yet another aspect of the invention provides that the binding, filtering and vectorizing common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures through at least one Data Binder (202) further comprises steps of (300) obtaining common vulnerabilities exposures identifier of each vulnerability (302); connecting to a common vulnerabilities exposures database (304); obtaining information of common vulnerabilities exposures identifier (306); connecting to an exploit database (308) for obtaining information of exploits (310); performing data cleansing for filtering information of common vulnerabilities exposures and exploits (312); merging information obtained for vectorizing information (314); tagging information merged as a vectorized document of each common vulnerabilities and exposures (316); and presenting the vectorized document of each common vulnerabilities and exposures to at least one Data Converter (122) (318).
Still another aspect of the invention provides that the extracting, filtering and vectorizing container information for obtaining a vectorized document of each container through at least one Data Extractor (204) further comprises steps of (400): connecting to a container deployment engine (110) for obtaining a container identifier (402); identifying the container deployment directory from a host to a container (404); obtaining access from the host to the container (406); obtaining a package list of the container (408); obtaining file names and binaries of the container (410); obtaining operating system information of the container (412); merging the obtained information for vectorising upon filtering and cleansing the obtained information (414); tagging the information as a vectorized document of each container (416); and presenting the vectorized document of each container to at least one Data Converter (122) (418).
Another aspect of the invention provides that presenting the vectorized document of each common vulnerabilities and exposures to at least one Data Converter (122) (318) further comprises steps of (500): appending the vectorized documents of each common vulnerabilities and exposures as a training set (502a); separating each word in the vectorized documents of each common vulnerabilities and exposures and applying inverse document frequency to the vectorized documents of each common vulnerabilities and exposures (504a); applying term frequency to the vectorized documents of each common vulnerabilities and exposures (506a); generating vector space values of the vectorized documents of each common vulnerabilities and exposures and indexing the vectorized documents of each common vulnerabilities and exposures with the common vulnerabilities and exposures identifier (508a); generating a vector space matrix of the vectorized documents of each common vulnerabilities and exposures (510a); and submitting the vector space matrix to at least one Core module (124) for relevancy comparison between the vectorized documents of each common vulnerabilities and exposures and the vectorized document of each container (512a).
A further aspect of the invention provides that presenting the vectorized document of each container to at least one Data Converter (122) (418) further comprises steps of (500): receiving the vectorized document of each container as a testing set (502b); separating each word in the vectorized document of each container and applying inverse document frequency data to the vectorized document of each container (504b); applying term frequency to the vectorized document of each container (506b); generating vector space values of the vectorized document of each container and storing the vector space values for prediction (508b); generating a vector space matrix of the vectorized document of each container (510b); and submitting the vector space matrix to at least one Core module (124) for relevancy comparison (512b) between the vectorized documents of each common vulnerabilities and exposures and the vectorized document of each container.
Yet another aspect of the invention provides that sending the vector space matrix to the Core module (124) for relevancy comparison and evaluation (512a) further comprises steps of (600): receiving the vector space matrix of the vectorized documents of each common vulnerabilities and exposures and of the vectorized documents of each container from at least one Data Converter (601); determining availability of a prediction training set for relevancy comparison to detect vulnerabilities (602); if the prediction training set is available (602a): performing relevancy comparison between the vector space matrix of the vectorized document of each container and a vectorized document of outcome as classifier to predict (604); determining if relevancy is detected from the relevancy comparison (605); if relevancy is detected (605a): retrieving the common vulnerabilities and exposures identifier of the vectorized documents of each common vulnerabilities and exposures to be included in a report (608); and displaying the report to a user (618); if relevancy is not detected (605b): generating a report based on the relevancy comparison outcome (606); and displaying the report to a user (618); if the prediction training set is not available (602b): performing relevancy comparison between the vector space matrix of the vectorized document of each container and the vector space matrix of the vectorized documents of each common vulnerabilities and exposures (610); determining if relevancy is detected from the relevancy comparison (611); if relevancy is detected (611a): tagging the vectorized document of each container to be included in the vectorized document of outcome as classifier to predict (614); obtaining the vectorized document of outcome as classifier to predict as a train data set for future prediction (616a); reiterating steps 604, 605, 605a, 608, 618, 605b, 606, 618; tagging the vectorized document of each container to be included in the vectorized document of outcome as classifier to predict (614); retrieving the common vulnerabilities and exposures identifier of the vectorized documents of each common vulnerabilities and exposures to be included in a report (616b); and displaying the report to a user (618); if relevancy is not detected (611b): generating a report based on the relevancy comparison outcome (612); and displaying the report to a user (618).
Still another aspect of the invention provides that sending the vector space matrix to the Core module (124) for relevancy comparison and evaluation (512b) further comprises steps of (600): receiving the vector space matrix of the vectorized documents of each common vulnerabilities and exposures and of the vectorized document of each container from at least one Data Converter (601); determining availability of a prediction training set for relevancy comparison for detecting vulnerabilities (602); if the prediction training set is available (602a): performing relevancy comparison between the vector space matrix of the vectorized document of each container and a vectorized document of outcome as classifier to predict (604); determining if relevancy is detected from the relevancy comparison (605); if relevancy is detected (605a): retrieving the common vulnerabilities and exposures identifier of the vectorized documents of each common vulnerabilities and exposures to be included in a report (608); and displaying the report to a user (618); if relevancy is not detected (605b): generating a report based on the relevancy comparison outcome (606); and displaying the report to a user (618); if the prediction training set is not available (602b): performing relevancy comparison between the vector space matrix of the vectorized document of each container and the vector space matrix of the vectorized documents of each common vulnerabilities and exposures (610); determining if relevancy is detected from the relevancy comparison (611); if relevancy is detected (611a): tagging the vectorized documents of each container to be included in the vectorized document of outcome as classifier to predict (614); obtaining the vectorized document of outcome as classifier to predict as a train data set for future prediction (616a); reiterating steps 604, 605, 605a, 608, 618, 605b, 606, 618; tagging the vectorized document of each container to be included in the vectorized document of outcome as classifier to predict (614); retrieving the common vulnerabilities and exposures identifier of the vectorized documents of each common vulnerabilities and exposures to be included in a report (616b); and displaying the report to a user (618); if relevancy is not detected (611b): generating a report based on the relevancy comparison outcome (612); and displaying the report to a user (618).
The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings.
Fig. 1.0 illustrates a general system architecture of the present invention for enabling vulnerability detection of a cloud container based service deployment.
Fig 2.0 is a flowchart illustrating a general methodology of the present invention for detecting vulnerabilities in the cloud container.
Fig. 2.0a illustrates a schematic diagram of the configuration of the system architecture of the present invention.
Fig. 3.0 is a flowchart illustrating the steps involved in binding, filtering and vectorizing the common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures.
Fig. 4.0 is a flowchart illustrating the steps involved in extracting, filtering and vectorizing container information for obtaining a vectorized document of each container.
Fig. 5.0 is a flowchart illustrating the steps involved in converting information for obtaining vector space values and vector space matrix.
Fig. 6.0 is a flowchart illustrating the steps involved for relevancy comparison for detecting vulnerabilities.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to a system and method for enabling vulnerability detection of cloud container based service deployment. In particular, the present invention relates to a system and method that enables an efficient and intelligent flow of vulnerability detection with time to time prediction of vulnerabilities through machine learning. The present invention also allows vulnerability detection at the dynamic runtime stage and on static images. Hereinafter, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention, and variations are envisioned without departing from the scope of the appended claims.
Reference is first made to FIG. 1.0, which illustrates a general system architecture of the present invention for enabling vulnerability detection of a cloud container based service deployment. As illustrated in Fig. 1.0, the system comprises a user interface (102), at least one vulnerability detection server (104), a container deployment engine (110), a plurality of images (114A, 114B, 114C, 114D), at least one common vulnerabilities and exposures database (106) and at least one exploits database (108).
The user interface (102) displays vulnerabilities information and a report to a user wherein the vulnerabilities information is provided to the user interface (102) through the vulnerability detection server (104). The vulnerability detection server (104) interacts with the common vulnerabilities exposures database (106) and the exploit database (108) for obtaining information pertaining to the vulnerabilities and exploits. However, the vulnerabilities and exploits information may also be obtained from other external databases and not limited to the common vulnerabilities and exposures database (106) and the exploit database (108).
The vulnerability detection server (104) also interacts with the container deployment engine (110) for detecting vulnerabilities and exploits in at least one host. As illustrated in FIG. 1.0, the container deployment engine (110) comprises a plurality of containers (112A, 112B, 112C, 112D) which deploy services in an isolated environment of the host or across a plurality of hosts, and the plurality of images (114A, 114B, 114C, 114D) in a layered architecture. The services of the container deployment engine (110) are distributed by packaging services in a series of layers of the plurality of images (114A, 114B, 114C or 114D). The layers may include a system to host applications and services, files and binaries, and packages and libraries.
As illustrated in FIG. 1.0, the vulnerability detection server (104) comprises a plurality of components which utilize machine learning instructions for handling detection of vulnerabilities, wherein the plurality of components includes at least one database (116), at least one Data Extractor (118), at least one Data Binder (120), at least one Data Converter (122), and at least one Core module (124). The database (116) within the vulnerability detection server (104) allows the information obtained in regard to vulnerabilities and exploits, and other relevant information and documents, to be stored and managed. Further, the Data Extractor (118) within the vulnerability detection server (104) obtains and extracts a container identifier along with container information such as the package list, files, and binaries. The extracted container information is merged and presented as a vectorized document of each container, also known as a ContDoc.
The Data Binder (120) on the other hand obtains a common vulnerabilities and exposures identifier as an input and generates a query to common vulnerabilities and exposures database (106) and exploit database (108) for obtaining information pertaining to the vulnerabilities and exploits. The information to be obtained from the common vulnerabilities and exposures database (106) and exploit database (108) is defined specifically prior to each query. The information obtained will be merged and presented into a vectorized document of each common vulnerabilities and exposures also known as a VulDoc.
The vectorized document of each container generated through the Data Extractor (118) and the vectorized document of each common vulnerabilities and exposures generated through the Data Binder (120) are then presented to the Data Converter (122). The Data Converter (122) provides conversions of the vectorized documents into trained documents for predicting vulnerabilities and exploits, allowing an efficient and intelligent flow for detecting vulnerabilities from time to time at the dynamic runtime stage and on static images. The Data Converter (122) utilizes two components, namely a Re-trainer (or PredDoc within the Core module (124), also known as the vectorized document of outcome as classifier to predict) and a Vector Author. The Core module (124) obtains relevancy between the vectorized document of each container and the vectorized document of each common vulnerabilities and exposures, and further associates the said relevancy with the corresponding common vulnerabilities and exposures identifier through two components, namely a Relevancy Author and an Indexer within the Core module (124).
Reference is now made to FIG. 2.0. FIG. 2.0 is a flowchart illustrating the general methodology of the present invention for detecting vulnerabilities in cloud containers (200). As illustrated in FIG. 2.0, the Data Binder (120) first binds, filters, vectorizes and indexes the common vulnerabilities and exposures identifier for obtaining the vectorized document of each common vulnerabilities and exposures (202). The common vulnerabilities and exposures information, including exploit information, is first gathered from both the common vulnerabilities and exposures database (106) and the exploit database (108) to be filtered accordingly. The filtered information is subsequently vectorized, indexed, and stored in the database (116).
Subsequently, the Data Extractor (118) extracts, filters and vectorizes the container information for obtaining the vectorized document of each container (204). The name and the information of the container obtained from the container deployment engine (110) are extracted and filtered accordingly. The filtered container information is subsequently vectorized.
Availability of evaluation history is determined (206). If the evaluation history is not available, the evaluation is performed between the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container through the Core module (124) (208). However, if the evaluation history of the container information is available, the prediction is performed promptly using relevancy outcome from evaluation history through the Core module (124) (210).
Reference is now made to FIG. 2.0a. FIG. 2.0a illustrates a schematic diagram of the configuration of the system architecture of the present invention as illustrated in FIG. 2.0. As illustrated in FIG. 2.0a and step 202 from FIG. 2.0, the common vulnerabilities and exposures identifier is first obtained through the Data Binder (120). The Data Binder (120) then submits a query to the common vulnerabilities and exposures database (106) and the exploit database (108) for obtaining common vulnerabilities and exposures information, wherein the information may include general information of the common vulnerabilities and exposures such as description, platform, available codes, tags as well as exploit information. The common vulnerabilities and exposures information obtained through the Data Binder (120) is therefore merged and presented as a vectorized document of each common vulnerabilities and exposures. Thereafter, the vectorized document of each common vulnerabilities and exposures is presented to the Data Converter (122) wherein the Data Converter (122) subsequently filters and vectorizes the vectorized document of each common vulnerabilities and exposures as a bag of vectors.
Subsequently, with reference to step 204 of FIG. 2.0, the container identifier and container information such as operating system, applications and packages, files and binaries which correspond to the name of each container are obtained through the Data Extractor (118). The information of the container obtained from the container deployment engine (110) is extracted, filtered, and vectorized accordingly and presented as a vectorized document of each container. Thereafter, the vectorized document of each container is presented to the Data Converter (122), wherein the Data Converter (122) subsequently filters and vectorizes the vectorized document of each container as a bag of vectors.
The Data Converter (122) subsequently presents the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container to the Core module (124) for evaluating relevancy and indexing, wherein the vectorized document of each common vulnerabilities and exposures is used for detecting vulnerabilities from the vectorized document of each container. Each vectorized document of each common vulnerabilities and exposures presented to the Core module (124) is indexed and subsequently stored in the database (116) for future evaluation.
Reference is now made to FIG. 3.0, whereby FIG. 3.0 is a flowchart illustrating the steps involved in binding, filtering and vectorizing the common vulnerabilities and exposures identifier for obtaining the vectorized document of each common vulnerabilities and exposures as illustrated in FIG. 2.0, step 202 and FIG. 2.0a. First, the common vulnerabilities and exposures identifier of each vulnerability is obtained by the Data Binder (120) (302). Thereafter, a query is made to the common vulnerabilities and exposures database (106) (304) for obtaining the information of the common vulnerabilities and exposures identifier, including information such as the analysis description, the product affected, the number of affected versions, vulnerability conditions, Metasploit modules, and a description of the patch and guide (306). Thereafter, a query is also made to the exploit database (108) (308) in order to obtain information on exploits which correspond to the common vulnerabilities and exposures identifier, such as exploit identifier, title, code comments, platform name, aliases and tags (310).
Subsequently, the Data Binder (120) performs data cleansing for filtering the obtained common vulnerabilities and exposures and exploits information (312) and further merges the common vulnerabilities and exposures and exploits information accordingly for vectorizing the information (314). Further, the vectorized information of each specific common vulnerabilities and exposures identifier is tagged as a vectorized document of each common vulnerabilities and exposures (316). Finally, the vectorized document of each common vulnerabilities and exposures is presented to the Data Converter (122) (318).
Reference is now made to FIG. 4.0. FIG. 4.0 is a flowchart illustrating the steps involved in extracting, filtering and vectorizing container information for obtaining the vectorized document of each container (400), as illustrated in FIG. 2.0, step 204 as well as FIG. 2.0a. As illustrated in FIG. 4.0, the Data Extractor (118) first interacts with the container deployment engine (110) in order to obtain the information of the container, including a running container identifier (402). Thereafter, the Data Extractor (118) identifies the container deployment directory from the host to the container (112A, 112B, 112C, 112D) (404) and obtains privileged access from the host to the container (112A, 112B, 112C, 112D) based on the obtained container identifier (406). Subsequently, a package list of the specific container (112A, 112B, 112C or 112D) is obtained (408) together with a list of file names and binaries (410). The operating system of the container (112A, 112B, 112C, 112D) and other relevant files pertaining to the container (112A, 112B, 112C, 112D) are also obtained (412). The information obtained is merged accordingly and vectorized upon filtering and cleansing of the same (414). The said vectorized information is tagged as a vectorized document of each container (416) and presented to the Data Converter (122) (418).
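The following is an added example, not code from the patent, showing how the Data Extractor steps 408 to 416 of FIG. 4.0 can be realised for one container: the package list is read from a Debian-style dpkg status file, the operating system from an os-release file, binaries are reduced to their basenames, and the merged, cleansed tokens are tagged with the container identifier. The dpkg and os-release texts, the binary paths, the container identifier and all function names are constructed assumptions of this example; the patent does not name a package manager.

```python
import re
from typing import Dict, List

# Constructed sample input: three stanzas in the format of /var/lib/dpkg/status
# inside the container, plus its /etc/os-release. Assumption of this example:
# the container image is Debian-based.
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1d-0+deb10u3
Architecture: amd64

Package: libcurl4
Status: install ok installed
Version: 7.64.0-4
Architecture: amd64

Package: removed-pkg
Status: deinstall ok config-files
Version: 0.1
"""

SAMPLE_OS_RELEASE = """\
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
ID=debian
"""

# Constructed sample: binaries found when listing the container filesystem (step 410).
SAMPLE_BINARIES = ["/usr/bin/openssl", "/usr/bin/curl"]


def parse_dpkg_status(text: str) -> Dict[str, str]:
    """Step 408: return {package: version} for stanzas whose Status ends in
    'installed'; packages removed but keeping config files are skipped."""
    installed: Dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            # Continuation lines of multi-line fields (e.g. Description) start with a space.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        status = fields.get("Status", "").split()
        if "Package" in fields and status and status[-1] == "installed":
            installed[fields["Package"]] = fields.get("Version", "")
    return installed


def parse_os_release(text: str) -> Dict[str, str]:
    """Step 412: parse KEY=value lines of /etc/os-release, dropping surrounding quotes."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip().strip('"')
    return info


def tokenize(text: str) -> List[str]:
    """Data cleansing (step 414): lower-case and split on anything that is not a
    letter, digit, dot, dash or plus, so 'openssl 1.1.1d-0+deb10u3' stays two tokens."""
    return [t for t in re.split(r"[^a-z0-9.\-+]+", text.lower()) if t]


def build_container_document(container_id: str, dpkg_status_text: str,
                             os_release_text: str, binaries: List[str]) -> Dict[str, object]:
    """Steps 408-416: merge package list, binary names and OS identity into one
    bag of words and tag it with the running container identifier."""
    tokens: List[str] = []
    for name, version in parse_dpkg_status(dpkg_status_text).items():
        tokens += tokenize(f"{name} {version}")
    for path in binaries:
        tokens += tokenize(path.rsplit("/", 1)[-1])  # keep the basename only
    osinfo = parse_os_release(os_release_text)
    tokens += tokenize(f"{osinfo.get('ID', '')} {osinfo.get('VERSION_ID', '')}")
    return {"container_id": container_id, "tokens": tokens}


if __name__ == "__main__":
    print(build_container_document("c0ffee01", SAMPLE_DPKG_STATUS,
                                   SAMPLE_OS_RELEASE, SAMPLE_BINARIES))
```

Keeping the full version string as a single token (rather than splitting on dots) matters for step 414: a later comparison against a CVE document can then only match a container that carries exactly that package version, which is the signal the Core module needs.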
Reference is now made to FIG. 5.0, whereby FIG. 5.0 is a flowchart illustrating the steps involved in converting information for obtaining vector space values and a vector space matrix for both the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container (500). As illustrated in FIG. 3.0, step 318 and FIG. 4.0, step 418, the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container are presented to the Data Converter (122) for further vectorization steps. As illustrated in FIG. 5.0, the steps involved in converting information of the vectorized document of each common vulnerabilities and exposures and of the vectorized document of each container are performed simultaneously. All available vectorized documents of each common vulnerabilities and exposures received by the Data Converter (122) are appended as a training set (502a), and subsequently each word in the vectorized document of each common vulnerabilities and exposures is separated and applied with inverse document frequency, IDF (504a). Further to the application of the inverse document frequency, each vectorized document of each common vulnerabilities and exposures is subsequently applied with term frequency (506a). Thereafter, the Data Converter (122) generates vector space values of each vectorized document of each common vulnerabilities and exposures and indexes the vectorized document of each common vulnerabilities and exposures with the common vulnerabilities and exposures identifier (508a). The Data Converter (122) further generates the vector space matrix of each vectorized document of each common vulnerabilities and exposures (510a) and subsequently presents the same to the Core module (124) for relevancy comparison (512a).
Simultaneously with step 502a, the vectorized documents of each container received from the Data Extractor (118) are also appended as a training set (502b). Further, each word in the vectorized document of each container is separated and applied with inverse document frequency, IDF (504b). Subsequent to the application of IDF, the vectorized document of each container is applied with term frequency (506b). Thereafter, the Data Converter (122) generates vector space values of the vectorized document of each container and stores the same for prediction of vulnerabilities (508b). The Data Converter (122) further generates the vector space matrix of the vectorized document of each container (510b) and subsequently presents the vector space matrix of the vectorized document of each container to the Core module (124) for relevancy comparison (512b).
Reference is now made to FIG. 6.0. FIG. 6.0 is a flowchart illustrating the steps involved in relevancy comparison in order to detect vulnerabilities. Upon receiving the vector space matrix of the vectorized document of each common vulnerabilities and exposures and of the vectorized document of each container from the Data Converter (122) (601), the Core module (124) determines the availability of a prediction training set for relevancy comparison to detect vulnerabilities (602). If the training set is available (602a), the vector space matrix of the vectorized document of each container will be compared to the vectorized document of outcome as classifier to predict for relevancy comparison (604). Thereafter, the Core module (124) determines whether any relevancy is detected from the outcome of the relevancy comparison (605). If relevancy is detected from the evaluation (605a), the common vulnerabilities and exposures identifier of the vectorized document of each common vulnerabilities and exposures is retrieved to be included in a report (608), and the report is subsequently displayed to the user (618). However, if no relevancy is detected from the relevancy evaluation (605b), a report will be generated based on the relevancy comparison outcome (606) and the report will be presented to the user (618).
Alternatively, if the prediction training set is not available (602b), the vector space matrix of the vectorized document of each container will be compared to the vector space matrix of the vectorized document of each common vulnerabilities and exposures for relevancy comparison (610). If relevancy is detected (611a), the vectorized document of each container is tagged to be included in the vectorized document of outcome as classifier to predict (614) and to be utilized as a train data set (616a) for future prediction.
The said vectorized document of outcome as classifier to predict (614), to be utilized as the train data set (616a), further comprises two routes. In the first route, the train data set obtained (616a) will be used for relevancy comparison in step 604. Thereafter, the Core module (124) determines whether any relevancy is detected from the outcome of the relevancy comparison (605). If relevancy is detected from the evaluation (605a), the common vulnerabilities and exposures identifier of the vectorized document of each common vulnerabilities and exposures is retrieved to be included in a report (608), and the report is subsequently displayed to the user (618). Nevertheless, if no relevancy is detected from the relevancy evaluation (605b), a report will be generated based on the relevancy comparison outcome (606) and the report will be presented to the user (618).
In the second route, the common vulnerabilities and exposures identifier of the vectorized document of each common vulnerabilities and exposures is then retrieved to be included in a report (616b). The report is then displayed to the user (618). However, if no relevancy is detected (611b) from the relevancy evaluation, a report will be generated based on the relevancy comparison outcome (616) and displayed to the user (618).
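The following is an added example, not code from the patent, carrying the Data Converter steps of FIG. 5.0 (IDF, term frequency, vector space values) and the Core module routes of FIG. 6.0 (relevancy comparison with and without a prediction training set, report generation) through on constructed data. The CVE identifiers are placeholders, the bags of words are constructed, and the cosine-similarity threshold, the choice to build the IDF vocabulary from the CVE documents only, and all function names are assumptions of this example.

```python
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

Vector = Dict[str, float]

# Constructed sample "vectorized documents" (bags of words) as the Data Binder and
# Data Extractor would hand them to the Data Converter. The CVE identifiers are
# placeholders for this example, not real entries.
CVE_DOCS: Dict[str, List[str]] = {
    "CVE-XXXX-0001": "openssl 1.1.1d tls heap overflow remote code execution".split(),
    "CVE-XXXX-0002": "libcurl4 7.64.0 http redirect credential leak".split(),
    "CVE-XXXX-0003": "nginx 1.14 http2 denial of service".split(),
}
CONTAINER_DOCS: Dict[str, List[str]] = {
    "web-1": "openssl 1.1.1d libcurl4 7.64.0 debian 10 curl openssl".split(),
    "cache-1": "redis 5.0.3 alpine 3.9 redis-server".split(),
}

THRESHOLD = 0.25  # assumption: cosine score at which relevancy is declared; tune on labelled data


def build_idf(training_docs: List[List[str]]) -> Dict[str, float]:
    """Step 504a: inverse document frequency over the appended training set."""
    n = len(training_docs)
    df: Counter = Counter()
    for tokens in training_docs:
        df.update(set(tokens))
    return {term: math.log(n / count) + 1.0 for term, count in df.items()}


def tfidf_vector(tokens: List[str], idf: Dict[str, float]) -> Vector:
    """Steps 506-508: term frequency weighted by IDF, L2-normalised so that the dot
    product of two vectors is their cosine similarity. Terms outside the IDF
    vocabulary are dropped."""
    if not tokens:
        return {}
    tf = Counter(tokens)
    vec = {t: (c / len(tokens)) * idf[t] for t, c in tf.items() if t in idf}
    norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
    return {t: v / norm for t, v in vec.items()}


def cosine(a: Vector, b: Vector) -> float:
    return sum(v * b.get(t, 0.0) for t, v in a.items())


def relevancy_comparison(container_docs: Dict[str, List[str]], cve_docs: Dict[str, List[str]],
                         training_outcomes: Optional[List[Tuple[Vector, List[str]]]] = None,
                         threshold: float = THRESHOLD):
    """FIG. 6.0. The IDF vocabulary comes from the CVE documents (502a), so container
    terms occurring in no CVE carry no weight. With no prediction training set (602b)
    every container vector is compared with every CVE vector (610); matches are tagged
    as "outcome" vectors and returned for future prediction (614/616a). When such
    outcomes exist (602a) a container is first compared with them (604) and inherits
    their CVE identifiers (608); a container matching no outcome falls back to 610."""
    idf = build_idf(list(cve_docs.values()))
    cve_vecs = {cid: tfidf_vector(toks, idf) for cid, toks in cve_docs.items()}
    report: Dict[str, List[str]] = {}
    new_outcomes: List[Tuple[Vector, List[str]]] = []
    for name, tokens in container_docs.items():
        cvec = tfidf_vector(tokens, idf)
        hits: List[str] = []
        for prior_vec, prior_cves in (training_outcomes or []):  # route 602a / 604
            if cosine(cvec, prior_vec) >= threshold:
                hits.extend(prior_cves)
        if not hits:                                             # route 602b / 610
            hits = [cid for cid, v in cve_vecs.items() if cosine(cvec, v) >= threshold]
        hits = sorted(set(hits))
        report[name] = hits
        if hits:
            new_outcomes.append((cvec, hits))
    return report, new_outcomes


def format_report(report: Dict[str, List[str]]) -> List[str]:
    """Steps 606/608/618: one line per container naming the matched CVE identifiers,
    or stating that no relevancy was detected."""
    return [f"{name}: {', '.join(cves) if cves else 'no relevancy detected'}"
            for name, cves in report.items()]


if __name__ == "__main__":
    report, outcomes = relevancy_comparison(CONTAINER_DOCS, CVE_DOCS)
    print("\n".join(format_report(report)))
    # Second run: a new container is classified against the tagged outcomes first.
    report2, _ = relevancy_comparison({"web-2": "openssl 1.1.1d debian 10".split()},
                                      CVE_DOCS, training_outcomes=outcomes)
    print("\n".join(format_report(report2)))
```

The second run illustrates a caveat of the training-set route: because web-2 resembles the earlier outcome for web-1, it inherits both of web-1's identifiers, including the libcurl4 entry, even though web-2 carries no libcurl4 token. In a deployment, a match produced via route 604 should be confirmed against the direct CVE comparison (or against an exact package and version match) before the identifier is placed in the report at step 608.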
The present invention relates to a system and method which enables an efficient and intelligent flow of vulnerabilities detection by providing time to time prediction of vulnerabilities and allowing vulnerabilities detection during the dynamic runtime stage and on static images using machine learning. The present invention utilizes at least one vulnerability detection server (104) comprising at least one Data Extractor (118) for generating a vectorized document of each container, at least one Data Binder (120) for generating a vectorized document of each common vulnerabilities and exposures, at least one Data Converter (122) for converting vectorized documents of each container and vectorized documents of each common vulnerabilities and exposures, and at least one Core module (124) for relevancy comparison.
Throughout this specification, unless the context requires otherwise, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated step or element or integer or group of steps or elements or integers, but not the exclusion of any other step or element or integer or group of steps, elements or integers. Thus, in the context of this specification, the term "comprising" is used in an inclusive sense and thus should be understood as meaning "including principally, but not necessarily solely".
Claims
1. A system (100) for enabling vulnerability detection of cloud container based service deployment comprising:
a user interface (102) for displaying vulnerabilities information to a user;
at least one vulnerability detection server (104) enabling detection of vulnerabilities;
a container deployment engine (110) comprising a plurality of containers (112A, 112B, 112C, 112D) for deploying services on at least one host or across a plurality of hosts;
a plurality of images (114A, 114B, 114C, 114D) within the container deployment engine (110) for distributing services in a series of layers; and at least one common vulnerability and exposure database (106) and at least one exploit database (108) connected to the vulnerability detection server (104) for providing vulnerabilities information;
characterized in that
the vulnerability detection server (104) further comprising:
at least one Data Extractor (118) having means for:
obtaining a container identifier and name of the container;
extracting information of the container in the container deployment engine; and
merging all information obtained for generating a vectorized document of each container;
at least one Data Binder (120) having means for:
obtaining common vulnerabilities and exposures identifier;
submitting query to at least one common vulnerabilities and exposures database (106) and at least one exploit database (108); and
merging information obtained for generating a vectorized document of each common vulnerabilities and exposures;
at least one Data Converter (122) having means for:
obtaining the vectorized document of each container from at least one Data Extractor (118) and the vectorized document of each common vulnerabilities and exposures from at least one Data Binder (120); and
handling conversions of the said documents;
at least one Core module (124) having means for:
obtaining relevancy between the vectorized document of each container and the vectorized document of each common vulnerabilities and exposures, and
associating the vectorised documents to the corresponding common vulnerabilities exposures identifier; and
at least one database (116) for handling detection of vulnerability in the container deployment engine (110).
2. The system according to claim 1, wherein the information obtained for generating a vectorized document of each common vulnerabilities and exposures through at least one Data Binder comprises analysis description, product affected by, number of affected versions, vulnerability conditions, Metasploit modules and description of the patch or guide information of the common vulnerabilities exposures identification.
3. A method (200) for enabling vulnerability detection of cloud container based service deployment comprises steps of:
binding, filtering and vectorizing common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures through at least one Data Binder (202);
extracting, filtering and vectorizing container information for obtaining a vectorized document of each container through at least one Data Extractor (204);
determining availability of evaluation history (206);
evaluating the vectorized document of each common vulnerabilities and exposures and the vectorized document of each container, if evaluation history is not available (208); and
performing prediction of vulnerabilities from outcome of relevancy comparison between vectorised document of each common vulnerabilities and exposures and the vectorised document of each container, if evaluation history is available (210).
4. The method (200) according to claim 3, wherein binding, filtering and vectorizing common vulnerabilities and exposures identifier for obtaining a vectorized document of each common vulnerabilities and exposures through at least one Data Binder (202) further comprises steps of (300):
obtaining common vulnerabilities exposures identifier of each vulnerability (302);
connecting to a common vulnerabilities exposures database (304);
obtaining information of common vulnerabilities exposures identifier (306);
connecting to an exploit database (308) for obtaining information of exploits (310);
performing data cleansing for filtering information of common vulnerabilities exposures and exploits (312);
merging information obtained for vectorizing information (314);
tagging information merged as a vectorized document of each common vulnerabilities and exposures (316); and
presenting the vectorized document of each common vulnerabilities and exposures to at least one Data Converter (122) (318).
5. The method (200) according to claim 3, wherein extracting, filtering and vectorizing container information for obtaining a vectorized document of each container through at least one Data Extractor (204) further comprises steps of (400):
connecting to a container deployment engine (110) for obtaining container identifier (402);
identifying container deployment directory from a host to a container (404);
obtaining access from the host to the container (406);
obtaining a package list of the container (408);
obtaining file name and binaries of the container (410);
obtaining operating system information of the container (412);
merging obtained information for vectorising information upon filtering and cleansing the obtained information (414);
tagging the information as a vectorized document of each container (416); and
presenting the vectorized document of each container to at least one Data Converter (122) (418).
6. The method (200) according to claim 4, wherein presenting the vectorized document of each common vulnerabilities and exposures to at least one Data Converter (122) (318) further comprising steps of (500):
appending vectorized documents of each common vulnerabilities and exposures as training set (502a);
separating each word in vectorized documents of each common vulnerabilities and exposures and applying inverse document frequency to the vectorized documents of each common vulnerabilities and exposures (504a);
applying term frequency to vectorized documents of each common vulnerabilities and exposures (506a);
generating vector space values of vectorized documents of each common vulnerabilities and exposures and indexing vectorized documents of each common vulnerabilities and exposures with common vulnerabilities exposures identifier (508a);
generating vector space matrix of vectorized documents of each common vulnerabilities and exposures (510a); and
submitting vector space matrix to at least one Core module (124) for relevancy comparison between vectorized documents of each common vulnerabilities and exposures and vectorized document of each container (512a).
7. The method (200) according to claim 5, wherein presenting the vectorized document of each container to at least one Data Converter (122) (418) further comprising steps of (500):
receiving the vectorized document of each container as testing set (502b);
separating each word in the vectorized document of each container and applying inverse document frequency to the vectorized document of each container (504b);
applying term frequency to the vectorized document of each container (506b);
generating vector space values of the vectorized document of each container and storing vector space values for prediction (508b);
generating vector space matrix of the vectorized document of each container (510b); and
submitting vector space matrix to at least one Core module (124) for relevancy comparison (512b) between vectorized documents of each common vulnerabilities and exposures and the vectorized document of each container.
8. The method (200) according to claim 6, wherein sending the vector space matrix to the Core module (124) for relevancy comparison and evaluation (512a) further comprises steps of (600):
receiving vector space matrix of vectorized documents of each common vulnerabilities and exposures and vectorized documents of each container from at least one Data Converter (601);
determining availability of prediction training set for relevancy comparison to detect vulnerabilities (602);
if prediction training set is available (602a):
performing relevancy comparison between vector space matrix of the vectorized document of each container with a vectorized document of outcome as classifier to predict (604);
determining if relevancy is detected from relevancy comparison (605);
if relevancy is detected (605a);
retrieving common vulnerabilities exposures identifier of vectorized documents of each common vulnerabilities and exposures to be included in a report (608); and
displaying the report to a user (618);
if relevancy is not detected (605b);
generating a report based on relevancy comparison outcome, (606); and
displaying the report to a user (618);
if prediction training set is not available (602b);
performing relevancy comparison between vector space matrix of the vectorized document of each container and vector space matrix of vectorized documents of each common vulnerabilities and exposures (610);
determining if relevancy is detected from the relevancy comparison (611);
if relevancy is detected (611a);
tagging the vectorized document of each container to be included in the vectorized document of outcome as classifier to predict (614);
obtaining the vectorized document of outcome as classifier to predict as a train data set for future prediction (616a);
reiterating steps 604, 605, 605a, 608, 618, 605b, 606, 618;
tagging the vectorized document of each container to be included in the vectorized document of outcome as classifier to predict (614);
retrieving the common vulnerabilities exposures identifier of vectorized documents of each common vulnerabilities and exposures to be included in a report (616b); and
displaying the report to a user (618);
if relevancy is not detected (611b);
generating a report based on relevancy comparison outcome (612); and
displaying the report to a user (618).
9. The method (200) according to claim 7, wherein sending the vector space matrix to the Core module (124) for relevancy comparison and evaluation (512b) further comprises steps of (600):
receiving vector space matrix of vectorized documents of each common vulnerabilities and exposures and the vectorized document of each container from at least one Data Converter (601);
determining availability of prediction training set for relevancy comparison for detecting vulnerabilities (602);
if prediction training set is available (602a):
performing relevancy comparison between vector space matrix of the vectorized document of each container with a vectorized document of outcome as classifier to predict (604);
determining if relevancy is detected from relevancy comparison (605);
if relevancy is detected (605a);
retrieving common vulnerabilities exposures identifier of vectorized documents of each common vulnerabilities and exposures to be included in a report (608); and
displaying the report to a user (618);
if relevancy is not detected (605b);
generating a report based on relevancy evaluation outcome, (606); and
displaying the report to a user (618);
if prediction training set is not available (602b);
performing relevancy comparison between vector space matrix of the vectorized document of each container and vector space matrix of vectorized documents of each common vulnerabilities and exposures (610);
determining if relevancy is detected from the relevancy comparison (611);
if relevancy is detected (611a);
tagging the vectorized documents of each container to be included in the vectorized document of outcome as classifier to predict (614);
obtaining the vectorized document of outcome as classifier to predict as a train data set for future prediction (616a);
reiterating steps 604, 605, 605a, 608, 618, 605b, 606, 618;
tagging the vectorized document of each container to be included in the vectorized document of outcome as classifier to predict, (614);
retrieving the common vulnerabilities exposures identifier of vectorized documents of each common vulnerabilities and exposures to be included in a report (616b); and
displaying the report to a user (618);
if relevancy is not detected (611b);
generating a report based on relevancy comparison outcome (612); and
displaying the report to a user (618).
Applications Claiming Priority
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| MYPI2018001830A (MY193224A) | 2018-10-30 | 2018-10-30 | A system and method for enabling vulnerability detection of cloud container based service deployment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2020091591A1 | 2020-05-07 |
Family ID: 70462651
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/MY2019/050078 (WO2020091591A1, ceased) | A system and method for enabling vulnerability detection of cloud container based service deployment | 2018-10-30 | 2019-10-16 |
Country Status (2)
| Country | Link |
|---|---|
| MY | MY193224A |
| WO | WO2020091591A1 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19879529; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 19879529; Country of ref document: EP; Kind code of ref document: A1 |