US-12625686-B1 - Provider network deficiency management
Abstract
A system for provider network deficiency management includes a deficiency management computing system in a provider network having a machine-readable definition file and a knowledge graph. A method for provider network deficiency management includes receiving a machine-readable definition file and generating a knowledge graph based on the machine-readable definition file. Additionally or alternatively, the method can include any or all of: scanning provider network infrastructure; analyzing software for vulnerabilities; determining a deficiency finding based on the knowledge graph; providing the deficiency finding in a user interface; or any other suitable processes.
Inventors
- Sean Patrick Maher
- Raghuveer Ketireddy
- Trevor Tonn
- David M. Wheeler
Assignees
- AMAZON TECHNOLOGIES, INC.
Dates
- Publication Date
- 20260512
- Application Date
- 20220930
Claims (20)
- 1 . A method comprising: scanning a set of resources, including one or more of software resources or hardware resources, associated with a provider network customer cloud, including scanning a virtual machine instance of the set of resources by scanning one or more ports of the virtual machine instance for listeners; analyzing source code associated with the set of resources; receiving a machine-readable definition file declaring the set of resources; generating a knowledge graph for the set of resources based on the scanning of the set of resources, the analyzing of the source code, and the machine-readable definition file, wherein the knowledge graph comprises a set of nodes and edges representing a data communication channel between a first resource of the set of resources and a second resource of the set of resources, wherein the set of nodes and edges comprises a plug component node, a plug node, a socket node, a socket component node, a first edge from the plug component node to the plug node, a second edge from the plug node to the socket node, and a third edge from the socket component node to the socket node, and wherein at least one of the first resource and the second resource is a hardware resource of the hardware resources; determining a deficiency finding based on the knowledge graph; and providing the deficiency finding in a user interface.
- 2 . The method of claim 1 , wherein generating the knowledge graph for the set of resources is further based on applying semantic reasoning to an initial knowledge graph generated based on the scanning of the set of resources, the analyzing of the source code, and the machine-readable definition file.
- 3 . The method of claim 1 , further comprising determining the deficiency finding based on traversing the knowledge graph.
- 4 . A method comprising: receiving a machine-readable definition file declaring a set of resources including one or more of software resources or hardware resources, wherein the machine-readable definition file is based at least in part on a scan of the set of resources, including a scan for listeners at one or more ports of a virtual machine instance of the set of resources; generating a knowledge graph for the set of resources based on the machine-readable definition file, wherein the knowledge graph comprises a set of nodes and edges representing a data communication channel between a first resource of the set of resources and a second resource of the set of resources, wherein the set of nodes and edges comprises a plug component node, a plug node, a socket node, a socket component node, a first edge from the plug component node to the plug node, a second edge from the plug node to the socket node, and a third edge from the socket component node to the socket node, and wherein at least one of the first resource and the second resource is a hardware resource of the hardware resources; determining a deficiency finding based on the knowledge graph; and providing the deficiency finding.
- 5 . The method of claim 4 , wherein generating the knowledge graph for the set of resources is further based on scanning container images associated with a provider network customer cloud.
- 6 . The method of claim 4 , wherein source code is deployed to the set of resources in source code form, interpretable form, or executable form.
- 7 . The method of claim 4 , wherein the set of resources declared by the machine-readable definition file is deployed in a provider network customer cloud.
- 8 . The method of claim 4 , wherein the set of resources declared by the machine-readable definition file is planned to be deployed in a provider network customer cloud.
- 9 . The method of claim 4 , wherein generating the knowledge graph for the set of resources is further based on applying semantic reasoning to an initial knowledge graph for the set of resources.
- 10 . The method of claim 4 , wherein determining the deficiency finding is based on traversing the knowledge graph.
- 11 . The method of claim 10 , wherein providing the deficiency finding comprises providing the deficiency finding to a customer of a provider network in a graphical user interface, a command line interface, or in a response to an application programming language request.
- 12 . The method of claim 10 , wherein the deficiency finding comprises data representing a finding, a severity indication, a description of the finding, a detailed trace of the finding, and a recommendation to remediate the finding.
- 13 . The method of claim 4 , wherein the knowledge graph comprises a set of semantic triples representing the set of resources and comprises a web ontology language (OWL) ontology.
- 14 . A system comprising: one or more electronic devices to implement a deficiency management computing system, the deficiency management computing system comprising instructions which when executed by one or more processors cause the deficiency management computing system to: receive a machine-readable definition file declaring a set of resources for a provider network customer cloud, the set of resources including one or more of software resources or hardware resources, wherein the machine-readable definition file is based at least in part on a scan of the set of resources, including a scan for listeners at one or more ports of a virtual machine instance of the set of resources; generate a knowledge graph for the set of resources based on the machine-readable definition file, wherein the knowledge graph comprises a set of nodes and edges representing a data communication channel between a first resource of the set of resources and a second resource of the set of resources, wherein the set of nodes and edges comprises a plug component node, a plug node, a socket node, a socket component node, a first edge from the plug component node to the plug node, a second edge from the plug node to the socket node, and a third edge from the socket component node to the socket node, and wherein at least one of the first resource and the second resource is a hardware resource of the hardware resources; determine a deficiency finding based on the knowledge graph; and provide the deficiency finding in a user interface.
- 15 . The system of claim 14 , wherein the instructions when executed by the one or more processors further cause the deficiency management computing system to generate the knowledge graph for the set of resources based on scanning container images, serverless function deployment packages, data storage bucket configurations, or key-value database tables associated with the provider network customer cloud.
- 16 . The system of claim 14 , wherein the instructions when executed by the one or more processors further cause the deficiency management computing system to generate the knowledge graph for the set of resources based on analyzing source code associated with the provider network customer cloud.
- 17 . The system of claim 16 , wherein the source code associated with the provider network customer cloud is deployed to the set of resources in the provider network customer cloud in source code form, interpretable form, or executable form.
- 18 . The system of claim 14 , wherein the set of resources declared by the machine-readable definition file is deployed in the provider network customer cloud.
- 19 . The system of claim 14 , wherein the set of resources declared by the machine-readable definition file is planned to be deployed in the provider network customer cloud.
- 20 . The system of claim 14 , wherein the knowledge graph comprises a set of semantic triples representing the set of resources and comprises a web ontology language (OWL) ontology.
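The plug and socket modelling mechanic of claims 1, 4 and 14 (four nodes, three edges per data communication channel), the reasoning step of claims 2 and 9, and the traversal-based finding of claims 10 and 12, worked through in code. This is an added example, not code from the patent or from Amazon. The definition file, the port-scan output, the source-analysis result and the advisory identifier ADVISORY-PLACEHOLDER-1 are constructed sample data, and the predicate names (hasPlug, connectsTo, hasSocket, runsOn, dependsOn, affectedBy, reachableFrom, undeclaredListener) are assumptions chosen for this example rather than the patent's own vocabulary.

```python
# Added example, not the patent's code. Resource names, scan output, package versions
# and ADVISORY-PLACEHOLDER-1 are constructed; the predicate names are assumptions.
DEFINITION_FILE = {"channels": [  # constructed definition file (design view)
    {"from": "internet", "to": "edge-lb", "port": 443},
    {"from": "edge-lb", "to": "app-vm", "port": 8080},  # app-vm is the VM instance
    {"from": "orders-api", "to": "orders-table", "port": 443},
]}
SCAN_RESULTS = {"app-vm": [{"port": 22, "process": "sshd"},  # constructed port scan
                           {"port": 8080, "process": "orders-api"}]}
SOURCE_ANALYSIS = {"orders-api": [{"package": "examplelib", "version": "1.2.0"}]}
ADVISORIES = [{"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib",  # placeholder
               "affected": ["1.2.0"], "fixed_in": "1.3.0", "severity": "HIGH"}]

class KnowledgeGraph:
    """Triple store: every edge is a (subject, predicate, object) triple."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def objects(self, s, p):
        return sorted(o for s2, p2, o in self.triples if (s2, p2) == (s, p))

    def subjects(self, p, o):
        return sorted(s for s, p2, o2 in self.triples if (p2, o2) == (p, o))

    def add_channel(self, plug_component, plug, socket, socket_component):
        """The four nodes and three edges of claim 1."""
        self.add(plug_component, "hasPlug", plug)        # first edge
        self.add(plug, "connectsTo", socket)             # second edge
        self.add(socket_component, "hasSocket", socket)  # third edge

def build_graph(definition, scan, source, advisories):
    """Merge the design, infrastructure and code views into one graph."""
    g = KnowledgeGraph()
    listeners = {(h, e["port"]): e["process"] for h, es in scan.items() for e in es}
    for ch in definition["channels"]:
        plug, socket = f"{ch['from']}->{ch['to']}:{ch['port']}", f"{ch['to']}:{ch['port']}"
        process = listeners.get((ch["to"], ch["port"]))  # the scan refines the design
        if process:
            g.add(process, "runsOn", ch["to"])
        g.add_channel(ch["from"], plug, socket, process or ch["to"])
    declared = {(ch["to"], ch["port"]) for ch in definition["channels"]}
    for (host, port), process in listeners.items():
        if (host, port) not in declared:  # observed by the scan, absent from the design
            g.add(process, "runsOn", host)
            g.add(process, "hasSocket", f"{host}:{port}")
            g.add(f"{host}:{port}", "undeclaredListener", "true")
    for component, pkgs in source.items():
        for pkg in pkgs:
            node = f"{pkg['package']}@{pkg['version']}"
            g.add(component, "dependsOn", node)
            for adv in advisories:
                if adv["package"] == pkg["package"] and pkg["version"] in adv["affected"]:
                    g.add(node, "affectedBy", adv["id"])
                    g.add(adv["id"], "severity", adv["severity"])
                    g.add(adv["id"], "fixedIn", adv["fixed_in"])
    return g

def infer_reachability(g, origin="internet"):
    """Reasoning step (claims 2 and 9): walk component -> plug -> socket -> socket
    component, materialise reachableFrom triples, and return each component's path."""
    paths, frontier = {origin: [origin]}, [origin]
    while frontier:
        comp = frontier.pop()
        for plug in g.objects(comp, "hasPlug"):
            for socket in g.objects(plug, "connectsTo"):
                for target in g.subjects("hasSocket", socket):
                    if target not in paths:
                        paths[target] = paths[comp] + [plug, socket, target]
                        g.add(target, "reachableFrom", origin)
                        frontier.append(target)
    return paths

def find_deficiencies(g, paths, origin="internet"):
    """Traverse the graph (claim 10); each finding carries the fields of claim 12."""
    out = []
    for comp in sorted(paths):
        for pkg in g.objects(comp, "dependsOn"):
            for adv in g.objects(pkg, "affectedBy"):
                out.append({"finding": "reachable-vulnerable-dependency",
                            "severity": g.objects(adv, "severity")[0],
                            "description": f"{comp} is reachable from {origin} and depends on {pkg} ({adv})",
                            "trace": paths[comp],
                            "recommendation": f"upgrade {pkg.split('@')[0]} to {g.objects(adv, 'fixedIn')[0]}"})
    for socket in g.subjects("undeclaredListener", "true"):
        process = g.subjects("hasSocket", socket)[0]
        out.append({"finding": "undeclared-listener", "severity": "MEDIUM",
                    "description": f"{process} listens on {socket}, which no declared channel uses",
                    "trace": [g.objects(process, "runsOn")[0], socket, process],
                    "recommendation": f"declare the channel for {socket} or stop the listener"})
    return out

def run():
    """Build the graph from the three constructed inputs and return its findings."""
    g = build_graph(DEFINITION_FILE, SCAN_RESULTS, SOURCE_ANALYSIS, ADVISORIES)
    return find_deficiencies(g, infer_reachability(g))
```

Calling `run()` yields two findings. The first follows the internet -> edge-lb -> app-vm:8080 -> orders-api -> examplelib@1.2.0 trace, which neither the design view (no knowledge of the dependency) nor the scan alone (no knowledge of which process owns port 8080's code) could produce. The second, the listener on app-vm:22 that no declared channel uses, is invisible to a purely design-based analysis and is the kind of gap the Background attributes to applying the three approaches independently.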
Description
TECHNICAL FIELD
The present disclosure relates generally to deficiency management systems and methods for identifying, classifying, prioritizing, remediating, and mitigating software, hardware, data storage, and network vulnerabilities, and more specifically to a new and useful system and method for provider network deficiency management.

BACKGROUND
Conventional systems and methods for vulnerability management can be classified into one of three approaches: design approaches relying on static analysis of machine-readable infrastructure definition files, code approaches based on static and dynamic analysis of software, and infrastructure approaches based on scanning infrastructure components. However, each of these approaches comes with its limitations. Further, many vulnerability management systems and methods apply only one or two of these approaches or apply all three approaches independently, resulting in security flaws going undetected (too many false negatives) or inaccurate flaw detection (too many false positives). Thus, there is a need in the vulnerability management field to create an improved and useful system and method for provider network deficiency management.

BRIEF DESCRIPTION OF DRAWINGS
Various examples in accordance with the present disclosure will be described with reference to the drawings, in which:
- FIG. 1 is a schematic of a provider network system for deficiency management.
- FIG. 2 is a schematic of a method for provider network deficiency management.
- FIG. 3 depicts a graphical user interface (GUI) variation for providing a deficiency finding.
- FIG. 4 depicts a graphical user interface (GUI) variation for providing a deficiency finding.
- FIG. 5 depicts a graphical user interface (GUI) variation for providing a deficiency finding.
- FIG. 6 illustrates a generic modelling mechanic for modelling in the knowledge graph a data communication channel between a sender and a receiver.
- FIG. 7 depicts sub-knowledge graph variations for representing network reachability.
- FIG. 8 depicts sub-knowledge graph variations for representing package vulnerability.
- FIG. 9 depicts a sub-knowledge graph variation for representing source code analysis.
- FIG. 10 depicts a sub-knowledge graph variation for representing components and data communication channels in a system.
- FIG. 11 depicts sub-knowledge graph variations for representing components and data communication channels in a system.
- FIG. 12 provides examples of visual notations for a plug and socket modeling mechanic.
- FIG. 13 provides an example of an RDF model that uses a plug and socket modeling mechanic.
- FIG. 14 provides a hardware design example that uses a plug and socket modeling mechanic.
- FIG. 15 depicts examples of ways of modeling a queue channel in the knowledge graph at different levels of abstraction.
- FIG. 16 depicts an example of modeling the queue channel in the knowledge graph using the plug and socket modeling mechanic.
- FIG. 17 depicts an example of using the plug and socket modeling mechanic to model a channel between a serverless function and a database in the knowledge graph.
- FIG. 18 depicts an example of using the plug and socket modeling mechanic to model for representing source code analysis.
- FIG. 19 illustrates a provider network environment in which the techniques disclosed herein can be implemented, according to some examples.
- FIG. 20 illustrates an electronic device that can be used in an implementation of the techniques disclosed herein, according to some examples.
It will be appreciated that for simplicity or clarity of illustration, elements illustrated in the figures have not necessarily been drawn to scale. For example, the dimensions of an element may be exaggerated relative to another element for clarity. Further, if considered appropriate, reference numerals have been repeated among the figures to indicate corresponding or analogous elements.

DETAILED DESCRIPTION
The following description is not intended to limit the invention to the examples described, but rather to enable any person skilled in the art to make and use this invention.

1. Overview
The present disclosure relates to a system and a method for provider network deficiency management. As shown in FIG. 1, a system 100 for provider network deficiency management includes a deficiency management computing system in a provider network having a machine-readable definition file and a knowledge graph. Additionally or alternatively, the system can include or interface with any or all of: a graph computing framework (equivalently referred to herein as a graph engine); a deficiency analysis engine; a deficiency finding; or any other suitable components or combination of components. As shown in FIG. 2, a method 200 for provider network deficiency management includes receiving a machine-readable definition file 210 and generating a knowledge graph based on the machine-readable definition file 220. Additionally or alternatively, the method 200 can include any or all of: scanning