WO2015005763A1 - A system and method for cloud provider to provide virtual machine subscription service - Google Patents


Info

Publication number: WO2015005763A1
Authority: WO (WIPO (PCT))
Prior art keywords: super user, subscriber, scs, user control, service
Application number: PCT/MY2014/000098
Other languages: French (fr)
Inventor: Boon Keong SEAH
Original Assignee: Mimos Berhad

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Definitions

  • The present invention relates to a system and method to provide virtual machine subscription service to enable super user control limit to avoid insider security threats.
  • Virtual machine subscription service enables super user control limit to avoid insider security threats.
  • The super user of a virtual machine has full control over the virtual machine deployment.
  • The super user is a security threat, as it can copy, delete, and modify virtual machine applications and storage without being detected.
  • The super user is able to perform the said tasks remotely through a cryptographic network protocol such as SSH (Secure Shell) or RDP (Remote Desktop Protocol).
  • SSH Secure Shell
  • RDP Remote Desktop Protocol
  • The super user of a virtual machine is able to leak important data without being noticed, as there is no specific application or module to monitor or control the activities of said super user.
  • Cloud infrastructure providers currently do not provide a super user control subscription for the virtual machine subscriber, and the cloud infrastructure provider administrator does not monitor activities in the infrastructure. This limitation drives the need for enabling a super user control subscription by the cloud infrastructure provider, in which the super user has the highest privilege over virtual machine application deployment.
  • The US '107 Patent provides a system and method for adaptive network security using intelligent packet analysis, in which the analysis tasks are performed on the monitored network data traffic in order to identify attacks upon the network.
  • The system as proposed in the US '107 Patent does not provide a web service based subscription as proposed in the present invention, as it requires extra development work to customize for integration into their API (Application Programming Interface).
  • The US '107 Patent does not provide accountability for configuration, as compared to the present invention which requires the submitter (Subscriber 1) and approver (Subscriber 2) to enable the accountability feature.
  • The invention as proposed in the US '107 Patent does not provide for the definition of parameters such as the command types allowed or the list of virtual machines, as compared to the present invention, which provides dynamic configuration through web service subscription with defined parameters or a set of commands. Further, the invention as proposed in the US '107 Patent does not provide network access rules integrated with the list of Internet Protocol (IP) addresses, which further enable the activities of multiple IPs to be monitored as proposed in the present invention.
  • IP Internet Protocol
  • US 2008/0104393 A1 discloses a cloud-based access control list in which a system assists users to manage a personal active directory for all of their information maintained within a cloud-based environment.
  • The US '393 Publication provides the identity of the client that accesses data, which is monitored and recorded in a log, so that the system is able to track the manner in which the information is accessed.
  • The invention as disclosed in the US '393 Publication does not provide a web service based subscription as proposed in the present invention. Instead, it provides an undefined gateway interface to the cloud.
  • The US '393 Publication does not provide accountability for configuration, as compared to the present invention which requires the submitter (Subscriber 1) and approver (Subscriber 2) to enable the accountability feature. Access restriction is applied to data files through an access control list (ACL), as compared to the present invention which targets SSH and RDP commands for VM access. Further, the US '393 Publication does not provide network access rules integrated with the list of IP addresses, which further enable the activities of multiple IPs to be monitored as proposed in the present invention.
  • Detection of anomalous user behavior based on the sequence of their requests within a web session was proposed in an IEEE 2012 paper entitled "Detecting Anomalous User Behaviours in Workflow-driven Web Applications" by Xiaowei Li, Yuan Xue and Bradley Malin.
  • A method to detect anomalous user behaviors in workflow-driven web applications, which focuses on modeling data-oriented workflows based on decomposition of the web sessions, is proposed in the said paper.
  • It is able to identify three (3) types of attack: cross-site request forgery, workflow violation and guideline violation.
  • A Hidden Markov Model (HMM) is utilized to characterize workflows on a per-object basis.
  • VM Virtual Machine
  • One aspect of the present invention provides a system for a cloud provider to provide virtual machine subscription service to enable super user control limit.
  • The system comprises at least one cloud provider administrator (102) and at least one virtual machine subscriber (104) in communication with at least one cloud infrastructure provider portal within a portal access; at least one networking protocol suite (110) in communication with at least one cloud service provider (CSP) portal (112) within a network; and at least one super user control service (SCS) (108) in communication with the at least one cloud infrastructure provider portal within a portal access and in communication with at least one cloud service provider (CSP) portal (112) within a network; said super user control service (SCS) enables virtual machine (VM) subscription service by enabling super user control limit to avoid insider security threats.
  • SCS super user control service
  • The at least one super user control service (SCS) (108) further comprises at least one interface layer (122) for enabling super user rules configuration for the super user control service (SCS) subscriber through the cloud infrastructure provider portal; at least one super user creator and rules validator (116) for creating and validating rules; at least one super user control service (SCS) storage (118) for storing super user control service (SCS) subscriber user information and super user rules information; at least one packet interception engine (120) for verifying super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on the cloud network layer; and at least one packet queue module (114) for queuing network packets for analysis by said packet interception engine (120).
  • Said super user control service (SCS) subscriber further comprises a first super user control service (SCS) subscriber (Subscriber 1) and a second super user control service (SCS) subscriber (Subscriber 2) in a group of administrators of virtual machines or administrators of the cloud infrastructure provider portal.
  • The at least one cloud service provider (CSP) portal (112) further comprises at least one cloud service provider (CSP) server with a super user control service (SCS) authorization call back service for said cloud service provider (CSP) server to monitor requests for the Subscriber 2 authorization process.
  • A further preferred aspect of the invention provides a method for a cloud provider to provide virtual machine subscription service to enable super user control limit.
  • The method comprises the steps of forwarding super user control service (SCS) commands from the cloud service provider (CSP) server to the super user control service (SCS) interface layer (202); executing the super user creator and rules validator at the super user control service (SCS) server for creating and validating rules (206); registering configuration parameters in super user control service (SCS) storage and logging all activities (224); returning the status of the registered configuration parameters (226); forwarding the network packet into a network queue to be analyzed by the packet interception engine (302); and executing the packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on the cloud network layer (307).
  • The step of executing the packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on the cloud network layer further comprises the steps of determining the protocol type of the network packet (308); initiating handshaking protocols based on the protocol type of the network packet (314a, 314b); retrieving Subscriber 1 information from the handshake protocol (316a, 316b); retrieving Subscriber 1's public and private keys and using said public and private keys to enable the super user control service (SCS) to decrypt the channel (318a, 318b); intercepting said decrypted channel by reading Subscriber 1's rules from super user control service (SCS) storage (320); verifying the list of matching files by the super user control service (SCS) against Subscriber 1's protocol list, the directory list subscribed by Subscriber 1 and the list of commands allowed to Subscriber 1 (322, 324, 326); dropping the network packet if no match is found in the protocol list and directory list subscribed by Subscriber 1 and if no match is found in said list of commands allowed to Subscriber 1 (328); and encrypting the channel with the subscriber's private key of the respective protocol type upon completion of the packet interception analysis when a match is found in the protocol list, the directory list or the command list (330) to allow the network packet to continue (310), else automatically allowing the network packet to continue (310) if the protocol type of the network packet is not determined.
  • A further preferred aspect of the invention provides that said super user control service (SCS) commands comprise Subscriber 1 user information and configuration parameters such as the list of Internet Protocol (IP) addresses subscribing to the super user control service (SCS), the Subscriber 1 user login, the protocols allowed, public and private keys, the list of directories in which Subscriber 1 is allowed to operate and the associated commands to be performed by Subscriber 1, and the call back authorization service for Subscriber 2.
  • The step of executing the super user creator and rules validator at the super user control service (SCS) server for creating and validating rules further comprises creating a record for Subscriber 1 if Subscriber 1 information is not found in said super user control service (SCS) storage (208); validating the authentication and authorization of Subscriber 1 against super user control service (SCS) storage (210); generating a unique Subscriber 1 hash code and logging the activities (210) if authenticated and authorized, else returning to the super user control service (SCS) for unsuccessful authentication and authorization (214); and parsing and validating the allowed parameters (222).
  • The step of forwarding the network packet into a network queue to be analyzed by the packet interception engine further comprises the steps of storing the network packet by the super user control service (SCS) into the network queue (304); and determining the availability of the network queue (306).
  • The step of returning to the super user control service (SCS) for unsuccessful authentication and authorization further comprises the steps of awaiting the super user control service (SCS) authorization callback for Subscriber 2 (216); forwarding Subscriber 2 authentication information and the Subscriber 1 hash code (218); and returning an unsuccessful status for Subscriber 2 authorization and authentication (220).
  • FIG. 1 illustrates the architecture of the system of the present invention.
  • FIG. 2 is a flowchart illustrating the methodology of the present invention for super user control service (SCS) subscriber registration and configuration rules.
  • FIG. 3 is a flowchart illustrating the methodology of the present invention for super user control service (SCS) packet network interception engine.
  • The present invention provides a system and method to provide virtual machine subscription service to enable super user control limit to avoid insider security threats.
  • FIG. 1.0 illustrates the general architecture of the system of the present invention.
  • The system (100) comprises a cloud provider administrator (102) and a virtual machine subscriber (104) in communication with a cloud infrastructure provider portal within a portal access; a networking protocol suite (110) in communication with a cloud service provider (CSP) portal (112) within a network; and a super user control service (SCS) (108) in communication with a cloud infrastructure provider portal within a portal access and in communication with a cloud service provider (CSP) portal (112) within a network.
  • The said super user control service (SCS) enables virtual machine (VM) subscription service by enabling super user control limit to avoid insider security threats.
  • The super user control service (SCS) (108) further comprises an interface layer (122) for enabling super user rules configuration for the super user control service (SCS) subscriber through the cloud infrastructure provider portal; at least one super user creator and rules validator (116) for creating and validating rules; a super user control service (SCS) storage (118) for storing super user control service (SCS) subscriber user information and super user rules information; a packet interception engine (120) for verifying super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on the cloud network layer; and a packet queue module (114) for queuing network packets for analysis by said packet interception engine (120).
  • The said super user control service (SCS) subscriber further comprises a first super user control service (SCS) subscriber (Subscriber 1) and a second super user control service (SCS) subscriber (Subscriber 2) in a group of administrators of virtual machines or administrators of the cloud infrastructure provider portal, and the said cloud service provider (CSP) portal (112) further comprises a cloud service provider (CSP) server with a super user control service (SCS) authorization call back service for said cloud service provider (CSP) server to monitor requests for the Subscriber 2 authorization process.
  • The cloud service provider (CSP) server first forwards super user control service (SCS) commands to the super user control service (SCS) interface layer (202).
  • The said super user control service (SCS) commands comprise Subscriber 1 user information and configuration parameters such as the list of Internet Protocol (IP) addresses subscribing to the super user control service (SCS), the Subscriber 1 user login, the protocols allowed, public and private keys, the list of directories in which Subscriber 1 is allowed to operate and the associated commands to be performed by Subscriber 1, and the call back authorization service for Subscriber 2.
  • The super user creator and rules validator is executed at the super user control service (SCS) server for creating and validating rules (206).
  • The super user creator and rules validator is executed at the super user control service (SCS) server to create and validate rules by first creating a record for Subscriber 1 if Subscriber 1 information is not found in said super user control service (SCS) storage (208). Thereafter, the authentication and authorization of Subscriber 1 is validated against super user control service (SCS) storage (210), wherein a unique Subscriber 1 hash code is generated and the activities are logged (210) if Subscriber 1 is authenticated and authorized; otherwise the request is returned to the super user control service (SCS) for unsuccessful authentication and authorization (214).
  • The network packet is forwarded into a network queue to be analyzed by the packet interception engine (302). Thereafter, the packet interception engine is executed to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on the cloud network layer (307).
  • The execution of the packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to the virtual machine on the cloud network layer begins by first determining the protocol type of the network packet (308). Upon confirming the packet type (312a, 312b), handshaking protocols are initiated based on the protocol type of the network packet (314a, 314b) and Subscriber 1 information is retrieved from said handshake protocol (316a, 316b).
  • Subscriber 1's public and private keys are retrieved and used to enable the super user control service (SCS) to decrypt the channel (318a, 318b), and said decrypted channel is intercepted by reading Subscriber 1's rules from super user control service (SCS) storage (320).
  • The list of matching files is verified by the super user control service (SCS) against Subscriber 1's protocol list, the directory list subscribed by Subscriber 1 and the list of commands allowed to Subscriber 1 (322, 324, 326).
  • The said network packet is dropped if no match is found in the protocol list and directory list subscribed by Subscriber 1 and if no match is found in said list of commands allowed to Subscriber 1 (328).
  • The said channel is encrypted with the subscriber's private key of the respective protocol type upon completion of the packet interception analysis when a match is found in the protocol list, the directory list or the command list (330), to allow the network packet to continue (310).
  • The network packet is automatically allowed to continue (310) if the protocol type of the network packet is not determined.
  • The present invention enables a super user control subscription service by the cloud infrastructure provider in which said super user has control access limitation over virtual machine application deployment by utilizing five main features, namely the interface layer; super user control service (SCS) storage; super user creator and rules validator; packet interception engine; and packet queue. Further, the present invention makes use of logging the activities of the said super user upon providing validation for the authentication and authorization of Subscriber 1 (Submitter) and Subscriber 2 (Approver) to enhance the security of the super user control subscription service.
  • Subscriber 1 Submitter
  • Subscriber 2 Approver
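The FIG. 2 registration flow described above, as an added example in Python and not code from the patent: Subscriber 1 submits the SCS configuration parameters, the SCS checks the submitter and the parameters, issues a unique hash code, and writes the rules into SCS storage only after Subscriber 2 approves that exact hash code through the authorization callback. The role directory, the HMAC secret, the class and method names and all parameter values are constructed for the example.

```python
"""Added example: the two-person (submitter/approver) registration flow of FIG. 2.

Not code from the patent. Roles, secret and parameter values are constructed;
step numbers in comments refer to the patent's figure labels.
"""
import hashlib
import hmac
import ipaddress
import json
import secrets

ALLOWED_PROTOCOLS = {"ssh", "rdp"}  # the two remote-administration protocols the SCS targets


class SCSRegistrar:
    def __init__(self, secret: bytes, directory: dict):
        self._secret = secret        # keys the hash code so nothing outside the SCS can mint one
        self._directory = directory  # login -> set of roles; stands in for portal authn/authz
        self.pending = {}            # hash code -> submission awaiting Subscriber 2
        self.storage = {}            # SCS storage (118): login -> registered rules
        self.log = []                # activity log, one line per decision

    def _hash_code(self, login: str, params: dict, nonce: str) -> str:
        # Unique per submission (nonce) and bound to the exact parameters, so an
        # approval cannot be replayed against a different configuration.
        canon = json.dumps({"login": login, "nonce": nonce, "params": params},
                           sort_keys=True, separators=(",", ":"))
        return hmac.new(self._secret, canon.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def validate_params(params: dict) -> list:
        """Step 222: parse and validate the allowed parameters; return the problems found."""
        errors = []
        for ip in params.get("ips", []):
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"invalid IP address {ip!r}")
        unknown = set(params.get("protocols", [])) - ALLOWED_PROTOCOLS
        if unknown:
            errors.append(f"unsupported protocols {sorted(unknown)}")
        for directory in params.get("directories", []):
            if not directory.startswith("/"):
                errors.append(f"directory {directory!r} is not an absolute path")
        if not params.get("commands"):
            errors.append("command list is empty")
        return errors

    def submit(self, login: str, params: dict) -> dict:
        """Subscriber 1's SCS commands arrive through the interface layer (202, 206)."""
        if "submitter" not in self._directory.get(login, set()):   # 210 fails -> 214
            self.log.append(f"submit {login}: rejected (not an authorized submitter)")
            return {"status": "rejected", "reason": "authentication/authorization failed"}
        errors = self.validate_params(params)   # 222, done here so Subscriber 2 only sees well-formed requests
        if errors:
            self.log.append(f"submit {login}: rejected ({'; '.join(errors)})")
            return {"status": "rejected", "reason": "; ".join(errors)}
        code = self._hash_code(login, params, secrets.token_hex(8))   # 210: unique hash code
        self.pending[code] = {"login": login, "params": params}
        self.log.append(f"submit {login}: pending approval, hash {code[:12]}")
        return {"status": "pending", "hash_code": code}   # 216: await Subscriber 2 callback

    def approve(self, approver: str, hash_code: str) -> dict:
        """Authorization callback (218): Subscriber 2's identity plus Subscriber 1's hash code."""
        request = self.pending.get(hash_code)
        roles = self._directory.get(approver, set())
        # Separation of duties: the approver must hold the role and must not be the submitter.
        if request is None or "approver" not in roles or approver == request["login"]:
            self.log.append(f"approve {approver}: rejected for hash {hash_code[:12]}")
            return {"status": "rejected", "reason": "Subscriber 2 authorization failed"}   # 220
        del self.pending[hash_code]
        self.storage[request["login"]] = request["params"]   # 224: register and log
        self.log.append(f"approve {approver}: registered rules for {request['login']}")
        return {"status": "registered", "login": request["login"]}   # 226: return status
```

The log list is what gives the accountability the patent claims: every rejected submission, every rejected callback and every registration names the subscriber who caused it.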

Abstract

Super user control subscription service by a cloud infrastructure provider in which said super user has control access limitation over virtual machine application deployment by utilizing five main features, namely the interface layer; super user control service (SCS) storage; super user creator and rules validator; packet interception engine; and packet queue. Further, the present invention makes use of logging the activities of the said super user upon providing validation for the authentication and authorization of Subscriber 1 (Submitter) and Subscriber 2 (Approver) to enhance the security of the super user control subscription service. The present invention comprises at least one cloud provider administrator (102) and at least one virtual machine subscriber (104) in communication with at least one cloud infrastructure provider portal within a portal access; at least one networking protocol suite (110) in communication with at least one cloud service provider (CSP) portal (112) within a network; and at least one super user control service (SCS) (108) in communication with the at least one cloud infrastructure provider portal within a portal access and in communication with at least one cloud service provider (CSP) portal (112) within a network; said super user control service (SCS) enables virtual machine (VM) subscription service by enabling super user control limit to avoid insider security threats.
The at least one interface layer (122) enables super user rules configuration for the super user control service (SCS) subscriber through the cloud infrastructure provider portal; the at least one super user creator and rules validator (116) creates and validates rules; the super user control service (SCS) storage (118) stores super user control service (SCS) subscriber user information and super user rules information; the packet interception engine (120) verifies super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on the cloud network layer; and the packet queue module (114) queues network packets for analysis by said packet interception engine (120).

Description

A SYSTEM AND METHOD FOR CLOUD PROVIDER TO PROVIDE VIRTUAL MACHINE SUBSCRIPTION SERVICE
FIELD OF INVENTION
The present invention relates to a system and method to provide virtual machine subscription service to enable super user control limit to avoid insider security threats.
BACKGROUND ART
Virtual machine subscription service enables super user control limit to avoid insider security threats. At present, the super user of a virtual machine has full control over the virtual machine deployment. There are certain drawbacks in that the super user is a security threat, as it can copy, delete, and modify virtual machine applications and storage without being detected. Further, the super user is able to perform the said tasks remotely through a cryptographic network protocol such as SSH (Secure Shell) or RDP (Remote Desktop Protocol). The super user of a virtual machine is able to leak important data without being noticed, as there is no specific application or module to monitor or control the activities of said super user. Moreover, cloud infrastructure providers do not provide a super user control subscription for the virtual machine subscriber, and currently the cloud infrastructure provider administrator does not monitor activities in the infrastructure. This limitation drives the need for enabling a super user control subscription by the cloud infrastructure provider, in which the super user has the highest privilege over virtual machine application deployment.
One example of adaptive network security using intelligent packet analysis was proposed in United States Patent No. US 6,499,107 B1 (hereinafter denoted as the US '107 Patent). The US '107 Patent provides a system and method for adaptive network security using intelligent packet analysis, in which the analysis tasks are performed on the monitored network data traffic in order to identify attacks upon the network. The system as proposed in the US '107 Patent does not provide a web service based subscription as proposed in the present invention, as it requires extra development work to customize for integration into their API (Application Programming Interface). Further, the US '107 Patent does not provide accountability for configuration, as compared to the present invention which requires the submitter (Subscriber 1) and approver (Subscriber 2) to enable the accountability feature. The invention as proposed in the US '107 Patent does not provide for the definition of parameters such as the command types allowed or the list of virtual machines, as compared to the present invention, which provides dynamic configuration through web service subscription with defined parameters or a set of commands. Further, the invention as proposed in the US '107 Patent does not provide network access rules integrated with the list of Internet Protocol (IP) addresses, which further enable the activities of multiple IPs to be monitored as proposed in the present invention.
Another mechanism was proposed in United States Patent Publication No. US 2008/0104393 A1 (hereinafter denoted as the US '393 Publication). The US '393 Publication discloses a cloud-based access control list in which a system assists users to manage a personal active directory for all of their information maintained within a cloud-based environment. The US '393 Publication provides the identity of the client that accesses data, which is monitored and recorded in a log, so that the system is able to track the manner in which the information is accessed. However, the invention as disclosed in the US '393 Publication does not provide a web service based subscription as proposed in the present invention. Instead, it provides an undefined gateway interface to the cloud.
The US '393 Publication does not provide accountability for configuration, as compared to the present invention which requires the submitter (Subscriber 1) and approver (Subscriber 2) to enable the accountability feature. Access restriction is applied to data files through an access control list (ACL), as compared to the present invention which targets SSH and RDP commands for VM access. Further, the US '393 Publication does not provide network access rules integrated with the list of IP addresses, which further enable the activities of multiple IPs to be monitored as proposed in the present invention.
Detection of anomalous user behavior based on the sequence of their requests within a web session was proposed in an IEEE 2012 paper entitled "Detecting Anomalous User Behaviours in Workflow-driven Web Applications" by Xiaowei Li, Yuan Xue and Bradley Malin. A method to detect anomalous user behaviors in workflow-driven web applications (WDWAs), which focuses on modeling data-oriented workflows based on decomposition of the web sessions, is proposed in the said paper. It is able to identify three (3) types of attack: cross-site request forgery, workflow violation and guideline violation. Further, a Hidden Markov Model (HMM) is utilized to characterize workflows on a per-object basis. It does not provide dynamic configuration through web service subscription for restricting remote administration of the Virtual Machine (VM) and the administrator of the Cloud Infrastructure Provider. In contrast, the present invention monitors specific protocols such as SSH and RDP over TLS (Transport Layer Security) through defined parameters or a set of commands.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one exemplary technology area where some embodiments described herein may be practiced.
SUMMARY OF INVENTION
The present invention relates to a system and method to provide virtual machine subscription service to enable super user control limit to avoid insider security threats.
One aspect of the present invention provides a system for cloud provider to provide virtual machine subscription service to enable super user control limit. The system comprising at least one cloud provider administrator (102) and at least one virtual machine subscriber (104) in communication with at least one cloud infrastructure provider portal within a portal access; at least one networking protocol suite (110) in communication with at least one cloud service provider (CSP) portal (112) within a network; and at least one super user control service (SCS) (108) in communication with the at least one cloud infrastructure provider portal within a portal access and in communication with at least one cloud service provider (CSP) portal (112) within a network; said super user control service (SCS) enables virtual machine (VM) subscription service by enabling super user control limit to avoid insider security threats. The at least one super user control service (SCS) (108) further comprising at least one interface layer (122) for enabling super user rules configuration for super user control service (SCS) subscriber through cloud infrastructure provider portal; at least one super user creator and rules validator (116) for creating and validating rules; at least one super user control service (SCS) storage (118) for storing super user service (SCS) subscriber user information and super user rules information; at least one packet interception engine (120) for verifying super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer; at least one packet queue module (114) for queuing network packet for analysis by said packet interception engine (120).
In a preferred aspect of the invention, there is provided that said super user control service (SCS) subscriber further comprising first super user control service (SCS) subscriber (Subscriber 1 )and second super user control service (SCS) subscriber (Subscriber 2) in a group of administrator of virtual machines or administrator of cloud infrastructure provider portal. In yet another aspect of the invention there is provided that the at least one cloud service provider (CSP) portal (112) further comprising at least one cloud service provider (CSP) server with a super user control service (SCS) authorization call back service for said cloud service provider (CSP) server to monitor request for Subscriber 2 authorization process.
A further preferred aspect of the invention provides a method for cloud provider to provide virtual machine subscription service to enable super user control limit. The method comprises the steps of forwarding super user control service (SCS) commands from cloud service provider (CSP) server to super user control service (SCS) interface layer (202); executing super user creator and rules validator at super user control service (SCS) server for creating and validating rules (206); registering configuration parameters in super user control service (SCS) storage and logging all activities (224); returning status of registered configuration parameters (226); forwarding network packet into a network queue to be analyzed by packet interception engine (302); and executing packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer (307). The step of executing packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer further comprises the steps of determining protocol type of network packet (308); initiating handshaking protocols based on protocol type of network packet (314a, 314b); retrieving Subscriber 1 information from handshake protocol (316a, 316b); retrieving Subscriber 1 public and private key and using said public and private keys to enable super user control service (SCS) to decrypt channel (318a, 318b); intercepting said unencrypted channel by reading Subscriber 1 rules from super user control service (SCS) storage (320); verifying list of matching file by super user control service (SCS) in Subscriber 1's protocol list, directory list subscribed by Subscriber 1 and list of commands allowed by Subscriber 1 (322, 324, 326); dropping network packet if no match is found in the protocol list and directory list subscribed by Subscriber 1 and if no match is found in said list of commands allowed by Subscriber 1 (328); and encrypting channel with subscriber's private key of respective protocol type upon completion of packet interception analysis when a match is found in the protocol list or the directory list of the command list (330) to allow network packet to continue (310), else automatically allowing network packet to continue (310) if protocol type of network packet is not determined.
A further preferred aspect of the invention provides that said super user control service (SCS) commands comprising Subscriber 1 user information and configuration parameters such as list of Internet Protocols (IPs) subscribing to super user control service (SCS), Subscriber 1 user login, protocols allowed, public and private keys, list of directories allowed to be performed by Subscriber 1 and associated commands to be performed by Subscriber 1 and call back authorization service for Subscriber 2.
In another aspect of the invention, the step of executing super user creator and rules validator at super user control service (SCS) server for creating and validating rules further comprises creating a record for Subscriber 1 if Subscriber 1 information is not found in said super user control service (SCS) storage (208); validating authentication and authorization of Subscriber 1 against super user control service (SCS) storage (210); generating a unique Subscriber 1 hash code and logging activities (210) if authenticated and authorized, else returning to super user control service (SCS) for unsuccessful authentication and authorization (214); and parsing and validating allowed parameters (222).
In yet another aspect of the invention, the step of forwarding network packet into a network queue to be analyzed by packet interception engine further comprises the steps of storing network packet by super user control service (SCS) into network queue (304); and determining availability of network queue (306).
In another aspect of the invention, the step of returning to super user control service (SCS) for unsuccessful authentication and authorization (214) further comprises the steps of awaiting super user control service (SCS) authorization callback for Subscriber 2 (216); forwarding Subscriber 2 authentication information and Subscriber 1 hash code (218); and returning unsuccessful status for Subscriber 2 authorization and authentication (220).
The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings in which:
FIG. 1 illustrates the architecture of the system of the present invention.
FIG. 2 is a flowchart illustrating the methodology of the present invention for super user control service (SCS) subscriber registration and configuration rules.
FIG. 3 is a flowchart illustrating the methodology of the present invention for super user control service (SCS) packet network interception engine.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention provides a system and method to provide virtual machine subscription service to enable super user control limit to avoid insider security threats.
Hereinafter, this specification will describe the present invention according to the preferred embodiments. It is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims.
Referring to FIG. 1.0, the system (100) according to the present invention is illustrated. FIG. 1.0 illustrates the general architecture of the system of the present invention. As illustrated in FIG. 1.0, the system (100) comprises a cloud provider administrator (102) and a virtual machine subscriber (104) in communication with a cloud infrastructure provider portal within a portal access; a networking protocol suite (110) in communication with a cloud service provider (CSP) portal (112) within a network; and a super user control service (SCS) (108) in communication with a cloud infrastructure provider portal within a portal access and in communication with a cloud service provider (CSP) portal (112) within a network. The said super user control service (SCS) enables virtual machine (VM) subscription service by enabling super user control limit to avoid insider security threats.
The super user control service (SCS) (108) further comprises an interface layer (122) for enabling super user rules configuration for super user control service (SCS) subscriber through cloud infrastructure provider portal; at least one super user creator and rules validator (116) for creating and validating rules; a super user control service (SCS) storage (118) for storing super user control service (SCS) subscriber user information and super user rules information; a packet interception engine (120) for verifying super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer; and a packet queue module (114) for queuing network packets for analysis by said packet interception engine (120). The said super user control service (SCS) subscriber further comprises a first super user control service (SCS) subscriber (Subscriber 1) and a second super user control service (SCS) subscriber (Subscriber 2) in a group of administrators of virtual machines or administrators of the cloud infrastructure provider portal, and the said cloud service provider (CSP) portal (112) further comprises a cloud service provider (CSP) server with a super user control service (SCS) authorization call back service for said cloud service provider (CSP) server to monitor requests for the Subscriber 2 authorization process.
Referring to FIG. 2.0, an embodiment of the method (200) of the present invention for super user control service (SCS) subscriber registration and configuration rules is illustrated. Generally, cloud service provider (CSP) server first forwards super user control service (SCS) commands to super user control service (SCS) interface layer (202). The said super user control service (SCS) commands comprise Subscriber 1 user information and configuration parameters such as list of Internet Protocols (IPs) subscribing to super user control service (SCS), Subscriber 1 user login, protocols allowed, public and private keys, list of directories allowed to be performed by Subscriber 1 and associated commands to be performed by Subscriber 1, and call back authorization service for Subscriber 2. Thereafter, super user creator and rules validator is executed at super user control service (SCS) server for creating and validating rules (206). Super user creator and rules validator is executed at super user control service (SCS) server to create and validate rules by first creating a record for Subscriber 1 if Subscriber 1 information is not found in said super user control service (SCS) storage (208). Thereafter, authentication and authorization of Subscriber 1 is validated against super user control service (SCS) storage (210), wherein a unique Subscriber 1 hash code is generated and activities are logged (210) if authenticated and authorized; else it is returned to super user control service (SCS) for unsuccessful authentication and authorization (214). The call back service to check for Subscriber 2 authorization with Subscriber 1 hash code further comprises awaiting super user control service (SCS) authorization callback for Subscriber 2 (216). Thereafter, Subscriber 2 authentication information and Subscriber 1 hash code are forwarded (218) and an unsuccessful status is returned for Subscriber 2 authorization and authentication (220).
Upon ensuring a matching value for Subscriber 1 hash code is returned, allowed parameters are parsed and validated (222). Subsequently, the configuration parameters are registered in said super user control service (SCS) storage and all activities are logged (224). Thereafter, super user control service (SCS) server will return the status of registered configuration parameters (226).
Referring to FIG. 3.0, the methodology of super user control service (SCS) packet network interception engine is illustrated. Network packet is forwarded into a network queue to be analyzed by packet interception engine (302). Thereafter, packet interception engine is executed to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer (307). The execution of packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to virtual machine on cloud network layer begins by first determining protocol type of network packet (308). Upon confirming the packet type (312a, 312b), handshaking protocols are initiated based on protocol type of network packet (314a, 314b) and Subscriber 1 information is retrieved from said handshake protocol (316a, 316b). Subsequently, Subscriber 1 public and private keys are retrieved and used to enable super user control service (SCS) to decrypt channel (318a, 318b), and said unencrypted channel is intercepted by reading Subscriber 1 rules from super user control service (SCS) storage (320). The list of matching file is verified by super user control service (SCS) in Subscriber 1's protocol list, directory list subscribed by Subscriber 1 and list of commands allowed by Subscriber 1 (322, 324, 326).
The said network packet will be dropped if no match is found in the protocol list and directory list subscribed by Subscriber 1 and if no match is found in said list of commands allowed by Subscriber 1 (328). The said channel is encrypted with subscriber's private key of respective protocol type upon completion of packet interception analysis when a match is found in the protocol list or the directory list of the command list (330) to allow network packet to continue (310). Network packet is allowed to automatically continue (310) if protocol type of network packet is not determined.
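The registration flow of FIG. 2 (submitter authenticated, Subscriber 2 approval tied to the Subscriber 1 hash code, parameters validated and logged) and the interception engine of FIG. 3 (protocol, directory and command lists checked before a packet may continue) are modelled below in Python as an added example. This is not the patent's or Mimos Berhad's own code: the class and method names, the rule schema, the use of an HMAC as the Subscriber 1 hash code, the constructed identity directory and sample packets are all assumptions, and the per-protocol handshake and channel decryption/re-encryption of steps 314 to 330 are omitted (the engine receives an already decrypted command). Because the patent's wording of the drop condition in step 328 is ambiguous, the example takes the deny-by-default reading in which all three lists must match.

```python
"""Added example: in-memory model of the super user control service (SCS).
All names, the rule schema and sample inputs are constructed assumptions."""
import hashlib
import hmac
import os
import posixpath
import shlex
from collections import deque
from dataclasses import dataclass, field

# Protocol types the engine can handshake with (312a/312b); anything else is
# "protocol type not determined" (308) and passes through (310).
KNOWN_PROTOCOLS = {"ssh", "sftp"}


@dataclass
class SubscriberRules:
    """One Subscriber 1 record in SCS storage (118)."""
    login: str
    protocols: set = field(default_factory=set)      # protocols allowed
    directories: list = field(default_factory=list)  # directories allowed
    commands: set = field(default_factory=set)       # commands allowed


def _under_allowed(path, directories):
    """True if the normalised absolute path lies inside an allowed directory.
    normpath collapses '..' so '/var/app/../../etc' is judged as '/etc'."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False
    for d in directories:
        d = posixpath.normpath(d)
        if norm == d or norm.startswith(d.rstrip("/") + "/"):
            return True
    return False


class SuperUserControlService:
    def __init__(self, identity, approver_callback, queue_size=2):
        self.identity = identity                   # constructed: login -> credential
        self.approver_callback = approver_callback  # Subscriber 2 call back (216)
        self.storage = {}                          # SCS storage (118)
        self.log = []                              # activity log (224)
        self.queue = deque()                       # packet queue module (114)
        self.queue_size = queue_size
        self._secret = os.urandom(32)              # constructed: keys the hash code

    # ---- FIG. 2: subscriber registration and configuration rules -----------
    def hash_code(self, login):
        """Unique Subscriber 1 hash code (210): an HMAC over the login, so the
        submitter cannot forge the value the approver is asked to confirm."""
        return hmac.new(self._secret, login.encode(), hashlib.sha256).hexdigest()

    def register(self, login, credential, params):
        """Steps 206 to 226. Returns (status, detail)."""
        record = self.storage.setdefault(login, SubscriberRules(login))   # 208
        expected = self.identity.get(login)                               # 210
        if expected is None or not hmac.compare_digest(expected, credential):
            self.log.append(("auth_failed", login))
            return "unsuccessful", "subscriber1"                          # 214
        code = self.hash_code(login)
        self.log.append(("auth_ok", login, code))
        # 216-220: Subscriber 2 sees the submitter and the hash code and must
        # echo the same code back; anything else is an unsuccessful approval.
        approval = self.approver_callback(login, code)
        if not (approval and hmac.compare_digest(approval, code)):
            self.log.append(("approval_failed", login))
            return "unsuccessful", "subscriber2"                          # 220
        protocols = set(params.get("protocols", [])) & KNOWN_PROTOCOLS     # 222
        directories = [d for d in params.get("directories", []) if d.startswith("/")]
        commands = set(params.get("commands", []))
        if not (protocols and directories and commands):
            return "unsuccessful", "invalid_parameters"
        record.protocols, record.directories, record.commands = protocols, directories, commands
        self.log.append(("registered", login, sorted(protocols)))         # 224
        return "registered", login                                        # 226

    # ---- FIG. 3: packet queue and interception engine ----------------------
    def enqueue(self, packet):
        """Steps 304-306: store the packet only if the queue has room."""
        if len(self.queue) >= self.queue_size:
            return False
        self.queue.append(packet)
        return True

    def intercept(self, packet):
        """Steps 308-330 for one constructed packet {protocol, login, command};
        the command is assumed already decrypted. Returns 'continue' or 'drop'."""
        protocol = packet.get("protocol")
        if protocol not in KNOWN_PROTOCOLS:
            return "continue"                      # 308 undetermined -> 310
        rules = self.storage.get(packet.get("login"))   # 316/320
        if rules is None or protocol not in rules.protocols:
            return "drop"                          # 322 no protocol match
        try:
            argv = shlex.split(packet.get("command", ""))
        except ValueError:
            return "drop"
        if not argv or argv[0] not in rules.commands:
            return "drop"                          # 326 no command match
        paths = [a for a in argv[1:] if not a.startswith("-")]
        if not all(_under_allowed(p, rules.directories) for p in paths):
            return "drop"                          # 324 no directory match
        return "continue"                          # 330 -> 310

    def drain(self):
        """Run the engine over every queued packet (302/307)."""
        return [self.intercept(self.queue.popleft()) for _ in range(len(self.queue))]
```

Note that `register` creates the storage record before authenticating, in the order the patent gives (208 then 210); in a deployment the rule fields stay empty until both the submitter check and the Subscriber 2 approval succeed, which is what keeps an unapproved record from ever matching in `intercept`.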
The present invention enables super user control subscription service by cloud infrastructure provider in which said super user has control access limitation over virtual machine application deployment by utilizing five main features, namely interface layer; super user control service (SCS) storage; super user creator and rules validator; packet interception engine; and packet queue. Further, the present invention deploys the use of logging activities of the said super user upon providing validation for authentication and authorization of Subscriber 1 (Submitter) and Subscriber 2 (Approver) to enhance security of the super user control subscription service. Throughout this specification, unless the context requires otherwise, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated step or element or integer or group of steps or elements or integers, but not the exclusion of any other step or element or integer or group of steps, elements or integers. Thus, in the context of this specification, the term "comprising" is used in an inclusive sense and thus should be understood as meaning "including principally, but not necessarily solely".
It will be appreciated that the foregoing description has been given by way of illustrative example of the invention and that all such modifications and variations thereto as would be apparent to persons of skill in the art are deemed to fall within the broad scope and ambit of the invention as herein set forth.

Claims

1. A system (100) for cloud provider to provide virtual machine subscription service to enable super user control limit comprising:
at least one cloud provider administrator (102) and at least one virtual machine subscriber (104) in communication with at least one cloud infrastructure provider portal (106) within a portal access; at least one networking protocol suite (110) in communication with at least one cloud service provider (CSP) portal (112) within a network; and at least one super user control service (SCS) (108) in communication with the at least one cloud infrastructure provider portal (106) within a portal access and in communication with at least one cloud service provider (CSP) portal (112) within a network; said super user control service (SCS) enables virtual machine (VM) subscription service by enabling super user control limit to avoid insider security threats characterized in that
the at least one super user control service (SCS) (108) further comprising:
at least one interface layer (122) for enabling super user rules configuration for super user control service (SCS) subscriber through cloud infrastructure provider portal;
at least one super user creator and rules validator (116) for creating and validating rules;
at least one super user control service (SCS) storage (118) for storing super user service (SCS) subscriber user information and super user rules information;
at least one packet interception engine (120) for verifying super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer;
at least one packet queue module (114) for queuing network packet for analysis by said packet interception engine (120).
2. A system according to Claim 1 wherein said super user control service (SCS) subscriber (108) further comprising first super user control service (SCS) subscriber (Subscriber 1) and second super user control service (SCS) subscriber (Subscriber 2) in a group of administrator of virtual machines or administrator of cloud infrastructure provider portal.
3. A system according to Claim 1 wherein the at least one cloud service provider (CSP) portal (112) further comprising at least one cloud service provider (CSP) server with a super user control service (SCS) authorization call back service for said cloud service provider (CSP) server to monitor request for Subscriber 2 authorization process.
4. A method (200) for cloud provider to provide virtual machine subscription service to enable super user control limit comprising steps of:
forwarding super user control service (SCS) commands from cloud service provider (CSP) server to super user control service (SCS) interface layer (202);
executing super user creator and rules validator at super user control service (SCS) server for creating and validating rules (206);
registering configuration parameters in super user control service (SCS) storage and log all activities (224);
returning status of registered configuration parameters (226);
forwarding network packet into a network queue to be analyzed by packet interception engine (302);
executing packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer (307)
characterized in that
executing packet interception engine to verify super user rules obtained from said super user control service (SCS) storage prior to forwarding to at least one virtual machine on cloud network layer further comprises steps of :
determining protocol type of network packet (308);
initiating handshaking protocols based on protocol type of network packet (314a, 314b);
retrieving Subscriber 1 information from handshake protocol (316a, 316b);
retrieving Subscriber 1 public and private key and using said public and private keys to enable super user control service (SCS) to decrypt channel (318a, 318b);
intercepting said unencrypted channel by reading Subscriber 1 rules from super user control service (SCS) storage (320);
verifying list of matching file by super user control service (SCS) in Subscriber 1's protocol list, directory list subscribed by Subscriber 1 and list of command allowed by Subscriber 1 (322, 324, 326);
dropping network packet if no match is found in the protocol list and directory list subscribed by Subscriber 1 and if no match is found in said list of commands allowed by Subscriber 1 (328); and encrypting channel with subscriber's private key of respective protocol type upon completion of packet interception analysis when a match is found in the protocol list or the directory list of the command list (330) to allow network packet to continue (310) else automatically allowing network packet to continue (310) if protocol type of network packet is not determined.
5. A method according to Claim 4 wherein said super user control service (SCS) commands comprising Subscriber 1 user information and configuration parameters such as list of Internet Protocols (IPs) subscribing to super user control service (SCS), Subscriber 1 user login, protocols allowed, public and private keys, list of directories allowed to be performed by Subscriber 1 and associated commands to be performed by Subscriber 1 and call back authorization service for Subscriber 2.
6. A method according to Claim 4 wherein executing super user creator and rules validator at super user control service (SCS) server for creating and validating rules (206) further comprising steps of:
creating record for Subscriber 1 if Subscriber 1 information is not found in said super user control service (SCS) storage (208);
validating authentication and authorization of Subscriber 1 against super user control service (SCS) storage (210);
If authenticated and authorized, generate a unique Subscriber 1 hash code and log activities (210); else
returning to super user control service (SCS) for unsuccessful authentication and authorization (214); and
parsing and validating allowed parameters (222).
7. A method according to Claim 4 wherein forwarding network packet into a network queue to be analyzed by packet interception engine (302) further comprising steps of:
storing network packet by super user control service (SCS) into network queue (304); and
determining availability of network queue (306).
8. A method according to Claim 6 wherein returning to super user control service (SCS) for unsuccessful authentication and authorization (214) further comprising steps of:
awaiting super user control service (SCS) authorization callback for Subscriber 2 (216);
forwarding Subscriber 2 authentication information and Subscriber 1 hash code (218); and
returning unsuccessful status for Subscriber 2 authorization and authentication (220).
PCT/MY2014/000098 2013-07-12 2014-05-09 A system and method for cloud provider to provide virtual machine subscription service WO2015005763A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2013002662A MY178206A (en) 2013-07-12 2013-07-12 A system and method for cloud provider to provide virtual machine subscription service
MYPI2013002662 2013-07-12

Publications (1)

Publication Number Publication Date
WO2015005763A1 true WO2015005763A1 (en) 2015-01-15

Family

ID=51265801

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2014/000098 WO2015005763A1 (en) 2013-07-12 2014-05-09 A system and method for cloud provider to provide virtual machine subscription service

Country Status (2)

Country Link
MY (1) MY178206A (en)
WO (1) WO2015005763A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6499107B1 (en) 1998-12-29 2002-12-24 Cisco Technology, Inc. Method and system for adaptive network security using intelligent packet analysis
US20070156897A1 (en) * 2005-12-29 2007-07-05 Blue Jungle Enforcing Control Policies in an Information Management System
US20080104393A1 (en) 2006-09-28 2008-05-01 Microsoft Corporation Cloud-based access control list
US20110265168A1 (en) * 2010-04-26 2011-10-27 Vmware, Inc. Policy engine for cloud platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
XIAOWEI LI; YUAN XUE; BRADLEY MALIN: "Detecting Anomalous User Behaviours in Workflow-driven Web Applications", IEEE, 2012

Also Published As

Publication number Publication date
MY178206A (en) 2020-10-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14747420

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14747420

Country of ref document: EP

Kind code of ref document: A1