Search

US-12625958-B2 - Behavior based identification of malicious workloads in a runtime environment

US12625958B2US 12625958 B2US12625958 B2US 12625958B2US-12625958-B2

Abstract

Software bill of materials (SBOM) vulnerability systems do not monitor software components behavior in real time, and rather rely on the static periodic updates. This gap leaves cloud-native software applications exposed to 0-day or supply chain attacks that exploit vulnerabilities that are not known or updated into the public vulnerability data sources. The techniques described herein provide dynamic and intelligent identification of 0-day and supply chain attacks in runtime environments, mitigate the attacks in real-time, and share intelligence to prevent a malicious workload from being deployed through the CI/CD pipeline.

Inventors

  • Robert Edgar Barton
  • Bhavik Pradeep Shah
  • Barry Qi Yuan

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
20260512
Application Date
20231221

Claims (20)

  1. 1 . A method implemented by a controller of a network, the method comprising: receiving first usage data including a software bill of materials (SBOM) associated with an application; deploying the application to a container of a plurality of containers; generating, based on first usage data, a baseline for the container of the plurality of containers that is hosting the application, the baseline comprising a baseline behavior of the application and the SBOM; storing an updated SBOM associated with a software package deployed for the application; receiving, from the application, second usage data associated with the container; identifying, based on the second usage data, a change in behavior of the application from the baseline behavior of the application; determining that the change in the behavior of the application represents malicious behavior; using the updated SBOM that is stored, correlating the malicious behavior to a software component in the updated SBOM; performing, based on the malicious behavior, an action associated with the software component.
  2. 2 . The method of claim 1 , wherein the controller is implemented as part of a cloud native environment or as part of a software package deployed on premise at a site of a customer.
  3. 3 . The method of claim 1 , wherein the application comprises a cloud-native application.
  4. 4 . The method of claim 1 , wherein the baseline for the container comprises a baseline software bill of materials (SBOM) and one or more baseline behaviors associated with the container, the baseline SBOM being generated based on one or more SBOMs included in the first usage data.
  5. 5 . The method of claim 1 , wherein determining that the container is exhibiting the malicious behavior is based at least in part on: identifying a difference between a baseline behavior associated with the container and one or more new behaviors indicated in the second usage data; and generating, using a machine learning model, a confidence score indicating that the new behavior is malicious.
  6. 6 . The method of claim 1 , wherein the malicious behavior comprises one of forming a new control connection, privilege escalation, data exfiltration, or causing the application to crash.
  7. 7 . The method of claim 1 , wherein performing the action comprises one or more of: sending instructions to the application to cause the application to block one or more connections of the container; generating and sending an alert to a user interface of a user associated with the application; sending, to a threat intelligence database, an indication of the malicious behavior and a library associated with a change in a SBOM of the container; or storing, in a vulnerability database associated with the network, the indication of the malicious behavior and the library associated with the change in the SBOM of the container.
  8. 8 . The method of claim 1 , wherein the second usage data is received in response to an event, the event comprising an update to the container or a new functionality or a new code being pushed to the container.
  9. 9 . A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving first usage data including a software bill of materials (SBOM) associated with an application; deploying the application to a container of a plurality of containers; generating, based on first usage data, a baseline for the container of the plurality of containers that is hosting the application, the baseline comprising a baseline behavior of the application and the SBOM; storing an updated SBOM associated with a software package deployed for the application; receiving, from the application, second usage data associated with the container; identifying, based on the second usage data, a change in behavior of the application from the baseline behavior of the application; determining that the change in the behavior of the application represents malicious behavior; using the updated SBOM that is stored, correlating the malicious behavior to a software component in the updated SBOM; performing, based on the malicious behavior, an action associated with the software component.
  10. 10 . The system of claim 9 , wherein the system is implemented by a controller, the controller being implemented as part of a cloud native environment or as part of a software package deployed on premise at a site of a customer.
  11. 11 . The system of claim 9 , wherein the application comprises a cloud-native application.
  12. 12 . The system of claim 9 , wherein the baseline for the container comprises a baseline software bill of materials (SBOM) and one or more baseline behaviors associated with the container, the baseline SBOM being generated based on one or more SBOMs included in the first usage data.
  13. 13 . The system of claim 9 , wherein determining that the container is exhibiting the malicious behavior is based at least in part on: identifying a difference between a baseline behavior associated with the container and one or more new behaviors indicated in the second usage data; and generating, using a machine learning model, a confidence score indicating that the new behavior is malicious.
  14. 14 . The system of claim 9 , wherein the malicious behavior comprises one of forming a new control connection, privilege escalation, data exfiltration, or causing the application to crash.
  15. 15 . The system of claim 9 , wherein performing the action comprises one or more of: sending instructions to the application to cause the application to block one or more connections of the container; generating and sending an alert to a user interface of a user associated with the application; sending, to a threat intelligence database, an indication of the malicious behavior and a library associated with a change in a SBOM of the container; or storing, in a vulnerability database associated with a network, the indication of the malicious behavior and the library associated with the change in the SBOM of the container.
  16. 16 . The system of claim 9 , wherein the second usage data is received in response to an event, the event comprising an update to the container or a new functionality or a new code being pushed to the container.
  17. 17 . One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving first usage data including a software bill of materials (SBOM) associated with an application; deploying the application to a container of a plurality of containers; generating a baseline associated with the container of the plurality of containers of the application, the baseline comprising a baseline behavior of the application and the SBOM; storing an updated SBOM associated with a software package deployed for the application; receiving, from the application, usage data associated with the container; identifying, based on the usage data, a change in behavior of the application from the baseline behavior of the application; determining that the change in the behavior of the application represents malicious behavior; using the updated SBOM that is stored, correlating the malicious behavior to a software component in the updated SBOM; performing, based on the malicious behavior, an action associated with the software component.
  18. 18 . The one or more non-transitory computer-readable media of claim 17 , wherein the application comprises a cloud-native application.
  19. 19 . The one or more non-transitory computer-readable media of claim 17 , wherein the baseline for the container comprises a baseline software bill of materials (SBOM) and one or more baseline behaviors associated with the container, the baseline SBOM being generated based on one or more SBOMs included in other usage data.
  20. 20 . The one or more non-transitory computer-readable media of claim 17 , wherein the usage data is received in response to an event, the event comprising an update to the container or a new functionality or a new code being pushed to the container.

Description

TECHNICAL FIELD The present disclosure relates generally to the field of computer networking, and more particularly to leveraging machine learning and behavior monitoring in cloud-native applications to effectively identify 0-day and supply chain attacks and other potentially malicious workloads in the runtime environment. BACKGROUND In a cloud-native architecture, cloud-native applications are each made up of multiple pieces (e.g., containers). Each container may have a particular function. Cloud-native applications may use software bill of materials (SBOM). SBOM is a formal record of the components and dependencies used in building software. SBOMs can help software developers, vendors, and consumers to improve security, compliance, and transparency of the software supply chain. However, there are security concerns associated with cloud-native applications, such as 0-day attacks, which can leave vulnerabilities in the application software and allow malicious actors to attack and/or have access to the data of the cloud native applications. For instance, existing SBOM tools generally only provide reporting on the software components, their sources, and links to known vulnerabilities, which are generally pulled from a variety of publicly available sources and are static. The implication is that SBOM vulnerability systems do not monitor software components behavior in real time, and rather rely on the static periodic updates. This gap leaves software applications exposed to 0-day or supply chain attacks that exploit vulnerabilities that are not known or updated into the public vulnerability data sources. Moreover, existing solutions fail to identify the source (e.g., library and/or database) where the software vulnerability came from. Thus, the mean time to remediate is critical for organizations to secure their applications and data. Additionally, once a workload package is deployed, current techniques do not continue to monitor the package to prevent 0-day or supply chain attacks. Accordingly, there is a need for a dynamic and intelligent way of monitoring behavior of cloud-native application workloads deployed in a runtime environment and identifying in real-time malicious behavior and the source of the malicious behavior, such that a system can prevent an attack, while dynamically updating threat intelligence. BRIEF DESCRIPTION OF THE DRAWINGS The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other. FIG. 1 illustrates a system-architecture diagram of an environment in which a system can identify and mitigate attacks in real-time in a runtime environment. FIG. 2 illustrates a component diagram of an example controller described in FIG. 1. FIGS. 3A-3D illustrate example environments corresponding to the system described in FIGS. 1 and 2. FIG. 4 illustrates a flow diagram of an example method for identifying and mitigating attacks in a runtime environment associated with the system described in FIGS. 1-3. FIG. 5. is a computer architecture diagram showing an illustrative computer hardware architecture for implementing a device that can be utilized to implement aspects of the various technologies presented herein. DESCRIPTION OF EXAMPLE EMBODIMENTS Overview The present disclosure relates generally to the field of computer networking, and more particularly to leveraging machine learning and behavior monitoring in cloud-native applications to effectively identify 0-day and supply chain attacks and other potentially malicious workloads in the run time environment. A method to perform the techniques described herein may be implemented by a controller. The method may include generating, based on first usage data, a baseline for a container of a plurality of containers associated with an application. The method may include receiving, from the application, second usage data associated with the container. The method may also include identifying, based on the second usage data, a change from the baseline associated with the container. The method may include determining that the container is exhibiting malicious behavior. The method may also include performing, based on the malicious behavior, an action. Additionally, any techniques described herein, may be performed by a system and/or device having non-transitory computer-readable media storing computer-executable instructions that, when executed by one or more processors, performs the method(s) described above and/or one or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more