METHOD FOR DETECTING VULNERABILITIES IN A VIRTUAL SERVER FOR PRODUCING A VIRTUAL OR CLOUD COMPUTING SYSTEM
Patent abstract:
The invention relates to a method for detecting vulnerabilities of a virtual production server (2) of a virtual or cloud computing system (1), said system comprising one or a plurality of virtual servers. The invention is characterized in that it comprises the following steps: a system for analyzing vulnerabilities (4) of the virtual production servers (2) is provided; the vulnerability analysis system (4) connects to the virtual or cloud computing system (1); the vulnerability analysis system (4) requests the cloning of the production virtual server (2) to obtain a clone (10) or a disk copy of the production virtual server (2); the clone (10) or disk copy is created in the virtual or cloud computing system (1); the vulnerability analysis system (4) connects to the clone (10) or the disk copy; the vulnerability analysis system (4) analyzes the vulnerabilities of the clone (10) or the disk copy; the clone (10) or the disk copy is erased; a vulnerability analysis report of the clone (10) or the disk copy is generated.

Publication number: FR3042623A1
Application number: FR1502184
Filing date: 2015-10-16
Publication date: 2017-04-21
Inventors: Sergio Loureiro; Frederic Donnat
Applicant: Secludit
IPC main class:
Patent description:
METHOD FOR DETECTING VULNERABILITIES IN A VIRTUAL SERVER FOR PRODUCING A VIRTUAL OR CLOUD COMPUTING SYSTEM

FIELD OF THE INVENTION

The present invention relates to a method for detecting vulnerabilities of a virtual production server of a virtual or cloud computing system comprising one or a plurality of virtual servers.

PRIOR ART

The security of computer systems and, in particular, the security of virtual or cloud computing systems is addressed by means of a multitude of tools, among which is the detection of vulnerabilities. Vulnerability detection in a virtual or cloud computing system involves testing the system against known vulnerabilities. In practice, these flaws are discovered regularly by researchers in the field of computer security or by the software vendors themselves. They are listed in public databases such as the Common Vulnerabilities and Exposures (CVE) database maintained by an organization called MITRE™. Typically, vulnerability scans probe networks for open ports on production servers, identify the software installed on those servers, and compare it against the vulnerability database. Alternatively, the same function can be implemented by means of a software agent that is installed on the production server and makes the comparison directly on the server. Such vulnerability searches, however, have several disadvantages. First, the detection of operating systems is generally difficult, since they are hidden behind the network layers of hypervisors. Second, the performance and availability of production servers (and their applications) are affected by vulnerability scans. Indeed, these searches consume significant resources on the servers. As a result, in the prior art, the search for vulnerabilities is not automated, in the sense that scans are launched by human intervention. In addition, vulnerabilities are not searched for frequently, for example every day.
However, new vulnerabilities are identified every day, so that production servers present potential risks in the period between two vulnerability searches. In addition, in-depth vulnerability searches often require administration rights on the production server, for example when an agent is installed on it. However, the owners of the data on production servers do not want to hand the administration keys of those servers to third parties, even for vulnerability research, which is essential for securing their data. Finally, some vulnerability tests are likely to damage the production servers. This is why the auditor of the production server, who conducts the research, avoids performing intrusive tests on the servers, such as tests using SQL (Structured Query Language) or Cross Site Scripting (XSS) with a dump of the entire database, since such a dump can degrade server performance or even cause a shutdown. Thus, in the prior art, vulnerability searches comprise tests that are risk-free for the servers but that are neither exhaustive nor close together in time, and that often lead to the identification of false positives.

SUMMARY OF THE INVENTION

In view of the foregoing, the invention relates to a method for detecting vulnerabilities in a virtual production server of a virtual or cloud computing system which overcomes the aforementioned drawbacks of the prior art, at reduced cost.
The solution proposed by the invention firstly relates to a method for detecting vulnerabilities of a virtual production server of a virtual or cloud computing system, said system comprising one or a plurality of virtual servers, characterized in that it comprises the following steps according to which:
- a vulnerability analysis system of the virtual production server or servers is provided;
- the vulnerability analysis system connects to the virtual or cloud computing system;
- the vulnerability analysis system requests the cloning of the production virtual server to obtain a clone or disk copy of the production virtual server;
- the clone or disk copy is created in the virtual or cloud computing system;
- the vulnerability analysis system connects to the clone or disk copy;
- the vulnerability analysis system analyzes the vulnerabilities of the clone or disk copy;
- the clone or disk copy is erased;
- a vulnerability analysis report of the clone or disk copy is generated;
- from the vulnerability analysis of the clone or disk copy, the vulnerabilities of the production virtual server are deduced;
- the vulnerability analysis report is used to mitigate the vulnerabilities of the production virtual server.
Advantageously:
- the vulnerability analysis system uses cloning functionalities present in the virtual or cloud computing system for the cloning of the production virtual server;
- the cloning functionalities present in the virtual or cloud computing system comprise a hypervisor and a programming interface infrastructure;
- the analysis system comprises a scanner and a database relating to vulnerabilities and/or server test scripts and/or security policies and/or a history of analyses;
- for the connection, the IP address and/or the identifier of the server, and a key allowing the cloning of the server or, at least, a disk copy of its virtual disk(s), are provided to the analysis system, which then generates at least one key for the administration of the clone or the attachment of the disk copy;
- the connection is made with or without authentication, by means of a secure tunnel, or by scripts copied to the clone;
- the clone, or disk copy, is placed in an isolated zone of the cloud computing system;
- the vulnerabilities analyzed include at least one of the following: presence of viruses, presence of malware, hacking of the server, presence of non-integrity data, presence of logs, presence of intrusions, failure to comply with security policies, analysis of the existence of intelligent fraud, defects in the code, presence of changes in server trends;
- sniffer software is placed on the clone;
- the method further comprises a step according to which corrections of the vulnerabilities are made on the clone;
- when a disk copy is made, viruses or malware on this disk copy are not in the execution state;
- the method does not require, for its implementation, the administration keys of the production server.

The second object of the invention is a vulnerability analysis system of a virtual production server of a virtual or cloud computing system for implementing the aforementioned method.
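As an added illustration of the workflow listed above (example code, not the patent's or Secludit's implementation), the following Python script simulates the analysis system's side of the method end to end: it holds only a key carrying the cloning right, asks a cloud API to clone the production server into an isolated zone, connects to the clone with a credential it generated itself, compares the clone's installed-package inventory against a vulnerability database, and erases the clone whether or not the scan succeeds. The cloud API (`SimulatedCloud`), the server name `web-01`, the package inventory, the `CLONE_KEY` value and the `EXAMPLE-VULN-*` identifiers are all constructed for the example; a real deployment would replace `SimulatedCloud` with the provider's own clone, network and delete calls and the token stand-in with a generated key pair.

```python
"""Clone-then-scan workflow of the method, simulated end to end.

Added example, not the patent's or Secludit's code. `SimulatedCloud` is an
in-memory stand-in for a cloud programming interface; the server inventory,
the vulnerability database and every key value below are constructed.
"""
import secrets
from dataclasses import dataclass

# Constructed key that carries only the right to clone (no production admin rights).
CLONE_KEY = "clone-right-only-example-key"

# Constructed vulnerability database: package -> affected version -> issue ids.
VULN_DB = {
    "openssl": {"1.0.1e": ["EXAMPLE-VULN-0001"]},
    "bash": {"4.1": ["EXAMPLE-VULN-0002"]},
}


@dataclass
class VirtualServer:
    server_id: str
    admin_key: str        # production admin key; never given to the analysis system
    packages: dict        # installed package -> version, as read from the disk
    network_zone: str = "production"


class SimulatedCloud:
    """Stand-in for the hypervisor / cloud API offering clone, connect and delete."""

    def __init__(self, clone_key: str):
        self._servers = {}
        self._clone_key = clone_key
        self.deleted = []

    def register(self, server: VirtualServer) -> None:
        self._servers[server.server_id] = server

    def clone(self, server_id: str, key: str, clone_admin_key: str, zone: str) -> VirtualServer:
        """Copy a server's disk into a new instance; requires the cloning right only."""
        if key != self._clone_key:
            raise PermissionError("key does not carry the cloning right")
        src = self._servers[server_id]
        clone = VirtualServer(
            server_id=f"{server_id}-clone-{secrets.token_hex(4)}",
            admin_key=clone_admin_key,          # credential chosen by the caller
            packages=dict(src.packages),        # disk contents are copied, not shared
            network_zone=zone,
        )
        self._servers[clone.server_id] = clone
        return clone

    def connect(self, server_id: str, key: str) -> VirtualServer:
        """Authenticated access to a server; fails unless the caller holds its admin key."""
        server = self._servers[server_id]
        if key != server.admin_key:
            raise PermissionError(f"authentication to {server_id} failed")
        return server

    def delete(self, server_id: str) -> None:
        del self._servers[server_id]
        self.deleted.append(server_id)

    def exists(self, server_id: str) -> bool:
        return server_id in self._servers


def find_vulnerabilities(packages: dict) -> dict:
    """Compare an installed-package inventory against the vulnerability database."""
    return {
        pkg: VULN_DB[pkg][ver]
        for pkg, ver in packages.items()
        if pkg in VULN_DB and ver in VULN_DB[pkg]
    }


def analyse_production_server(cloud: SimulatedCloud, server_id: str, clone_key: str,
                              scanner=find_vulnerabilities) -> dict:
    """Clone -> isolate -> connect with a self-generated key -> scan -> erase -> report."""
    clone_admin_key = secrets.token_hex(16)   # stand-in for the generated key pair
    clone = cloud.clone(server_id, clone_key, clone_admin_key, zone="isolated-analysis")
    try:
        target = cloud.connect(clone.server_id, clone_admin_key)
        findings = scanner(target.packages)
    finally:
        cloud.delete(clone.server_id)         # erased even if an intrusive test crashes
    return {
        "production_server": server_id,
        "analysed_clone": clone.server_id,
        "clone_zone": clone.network_zone,
        "vulnerabilities": findings,          # deduced for the production server
    }


def build_sample_cloud() -> SimulatedCloud:
    """Constructed environment: one production server with a vulnerable OpenSSL."""
    cloud = SimulatedCloud(clone_key=CLONE_KEY)
    cloud.register(VirtualServer(
        server_id="web-01",
        admin_key="production-admin-secret",
        packages={"openssl": "1.0.1e", "nginx": "1.18.0", "bash": "5.0"},
    ))
    return cloud


if __name__ == "__main__":
    print(analyse_production_server(build_sample_cloud(), "web-01", CLONE_KEY))
```

The `try`/`finally` around the scan is the part worth copying into a real orchestrator: the clone holds a full copy of production data, so its erasure must not depend on every intrusive test finishing cleanly. The production admin key never enters the analysis system; only the cloning-right key and the analysis system's own generated credential are used.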
BRIEF DESCRIPTION OF THE FIGURES

The invention will be better understood on reading the nonlimiting description which follows, written with reference to the appended drawings, in which:
- FIG. 1 is a diagram representing the means for implementing the method according to the invention;
- FIG. 2 represents the various steps of the method according to the invention; and
- FIGS. 3A, 3B, 3C and 3D represent different modes of connection of the analysis system to the clone or the disk image, for the implementation of the method according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

The invention relates to a method for detecting vulnerabilities of a virtual production server of a virtual or cloud computing system. A virtual or cloud computing system is a collection of hardware, network connections, and software that provides sophisticated services that can be accessed from anywhere in the world over the Internet. The essential features of a virtual or cloud computing system are global self-service availability, elasticity, openness, pooling and pay-per-use. In particular, the resources are self-service and automatically adapted to demand. The storage capacity and computing power are automatically adapted to the needs of a consumer. The services are shared: it is possible to combine heterogeneous resources (hardware, software, network traffic) to serve multiple consumers, to whom resources are automatically allocated. Pooling improves scalability and elasticity and automatically adapts resources to variations in demand. Payment is per use: the quantity of services consumed in the system is measured and affects billing. A virtual computer system is a computer system which includes a hypervisor and at least one virtual machine for the virtualization of that system. A cloud computing system is shown in Figure 1 under the reference 1. It comprises a plurality of production virtual servers 2.
Each production virtual server 2 is identified in the system by at least one server identifier. Moreover, each production virtual server 2 is associated with one or more virtual memory disks. Each virtual memory disk is materialized by one or more physical memory disks. These physical disks are not shown in the drawings. However, they are part of the physical layer of the system, unlike the virtual instances, which are part of the virtualization layer. The virtualization used in cloud systems therefore consists of creating a software layer that abstracts the hardware layer containing the physical servers. For example, a physical CPU with four cores may, in the simplest case, be turned into four servers with one CPU each; or a virtual server may be allotted 20% of a CPU while the remaining 80% is used by another virtual server. Memory and disk can also be shared between different virtual servers. The cloud computing system 1 comprises a programming interface infrastructure (APIs) 3, which in particular makes it possible to create and manage the virtual production servers 2 in the system 1. According to the invention, a vulnerability analysis system 4 is provided for the virtual production servers 2. Such an analysis system 4 comprises a scanner 5 and databases relating to the vulnerabilities 6, the server test scripts 7, the security policies 8, and the history of the analyses carried out 9. The vulnerability database 6 is built using public databases, a technology watch and data retrieved from hacker websites (threat intelligence). The test scripts 7 are used to test vulnerabilities and exploit them. Such exploitation consists in pushing the tests to the limits of resistance of the server, which cannot be done on servers in production because of the associated risks.
The security policies 8 make it possible to classify the servers and the tests to be carried out according to their criticality, their network zone and connection, and the threats. For example, they define the depth and periodicity of the tests. The history of the analyses carried out is a record of all the tests performed. This history is used to analyze trends in security indicators, such as the number of vulnerabilities. This system 4 has the following rights: to list the virtual servers in the cloud computing system, to list the network topology for a duplication, and to clone or perform a disk copy. For the search for vulnerabilities in a production server 2 in a virtual computer system or cloud 1, the owner of the server 2 must provide the system 4 with the IP address and/or the identifier of this server, and a key allowing the cloning of the server 2 or at least a disk copy of its virtual disk(s). The owner does not have to provide an administration key for this server 2. To provide this key allowing the cloning (or the disk copy), the owner himself creates a key with a cloning (or disk copy) right. This key is entered in the analysis system 4 according to the invention. This system 4 then generates at least one key, but in practice a public/private key pair, for the administration of the clone. This procedure is carried out for each search for vulnerabilities on a server 2, or once and for all for the same server 2. According to the invention, the vulnerability analysis system 4 connects to the cloud computing system 1. Then, once the connection is made, the analysis system 4 uses an API present in the system 1, which clones the server 2 by means of the specific key carrying the right to clone (or to copy the disk). The key is supplied to the cloud computing system, and this system then creates a clone (or disk copy) of the virtual server 2. This clone is referenced 10 in Figure 1.
In practice, cloning is done by using the functions of the hypervisor, the cloud computing system APIs, or the container management system, that is, the cloning features found in virtualization systems such as VMware vSphere™ and Microsoft Hyper-V™, in cloud infrastructures such as Amazon Web Services™ and OpenStack™, and in container systems such as Docker™ and Kubernetes™. The clone 10 is advantageously placed in an isolated network zone of the cloud computing system 1 so as to avoid the side effects that could be caused by the execution of the vulnerability search tests. It should be noted that making the disk copies or clones does not normally have a performance impact on the servers of the system 1. This takes advantage of the redundancy mechanisms, with copies for high availability, that are in place in these solutions. According to the invention, immediate access is given to a redundant copy, and new copies can be provided, without performance impact. In a subsequent step of the method according to the invention, the vulnerability analysis system connects to the clone 10 of the virtual server 2. This connection is made with new authentication data managed by the software, which are different from the data of the production machine. It is performed using the private key previously generated by the analysis system 4 for the administration of the clone 10. In practice, this connection can be made without authentication, by means of a network scanner, for example of the Nmap™ type, or with authentication, according to the Telnet™ or RDP (Remote Desktop) protocols (see Figure 3A). Moreover, the connection can be made by means of a secure tunnel of the SSH or Virtual Private Network (VPN) type (see Figure 3B), or by scripts copied to the clone (see Figure 3C). When a disk image is created, the operation performed is instead the attachment of a disk (see Figure 3D). Then, the vulnerability analysis system 4 analyzes the vulnerabilities of the clone 10.
For this purpose it uses the data contained in the vulnerability database 6, the test scripts contained in the test script database 7, and the security policies contained in the security policy database 8, and it has access to the history of analyses previously conducted, in particular for clones of the server 2. The analysis consists of performing tests and checking files on the clone 10. The tests are multiple. They are performed with conventional scanners such as Nessus™ and OpenVAS™, with software that verifies that the configuration files follow best practices, and with exploitation tools such as Metasploit™. They include log file analysis, checking cryptographic checksums to detect changes, and checking for the presence of malware or viruses. All tests can be performed, since they are carried out on a clone and not on a production machine; this includes intrusive tests, for example with Metasploit™, which may impact the performance and availability of the servers and the applications they host. On the other hand, in the case of APTs (Advanced Persistent Threats), the analyses consist in detecting weak signals that are abnormal when compared to the history. This analysis does not need to be done in real time, and can be done at regular intervals on a clone, with a saving of resources. Instead of running the analyses when the logs arrive, the analysis system lets the logs accumulate in the production server or in a remote server. Optionally, sniffer software, such as the software distributed under the names tcpdump™ or Wireshark™, can be placed in the clone to analyze all incoming and outgoing connections. Running such sniffer software on a production server is risky and, in general, has a significant impact on the performance of that server. By doing this on the clone, the production server is not impacted.
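One of the checks named above, the comparison of cryptographic checksums to detect changes, is straightforward to run against an attached disk copy because nothing on it is executing. The following Python is an added example (not the patent's or Secludit's code) that records a SHA-256 manifest of a known-good tree, then walks the attached copy and reports modified, added and removed files. The disk copy here is a temporary directory constructed by `demo()`, with file paths and contents invented for the example; a real attached disk would be mounted read-only and its mount point passed as `root`, with the baseline manifest taken from a trusted image or an earlier analysis.

```python
"""Offline integrity check of an attached disk copy against a baseline manifest.

Added example, not the patent's or Secludit's code. The "disk copy" is a
temporary directory built by demo(); every path and file content is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_disk_copy(root: Path, baseline: dict) -> dict:
    """Compare the attached copy with the known-good manifest; nothing is executed."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def write_tree(root: Path, files: dict) -> None:
    """Create the constructed files of a fake disk image."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Take a baseline of a constructed image, then alter it the way a drifted copy might differ."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, {
            "bin/ls": b"constructed ls binary",
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        })
        baseline = build_manifest(root)
        # Constructed drift on the disk copy: one edit, one deletion, one new file.
        (root / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (root / "etc/passwd").unlink()
        write_tree(root, {"tmp/.cache/unexpected": b"file absent from the baseline"})
        return verify_disk_copy(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the copy is never booted, a rootkit that hides files from a running system cannot hide them from this walk, which is the practical reason the description prefers disk copies for integrity and malware checks.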
In doing so, a fine-grained analysis of the communications is implemented, and it is possible to detect connections to dangerous IP addresses on black or grey lists, for example command and control (C&C) servers, and to determine the control centers of mass attacks by zombie networks ("botnets"), for example. Possibly, corrections of the identified vulnerabilities are made on the clone 10. In doing so, it is possible to predict the impact of the corrections on the production server and then to decide whether the corrections can be implemented on the production server itself, and in what way. Optionally, after the application of the corrections on the clone 10, it can replace the production server. In the case of a disk image, the server is not in run mode. It is therefore not necessary to obtain additional CPU (central processing unit) resources, and the analysis is therefore more economical (no CPU costs) and more secure since, if the virtual machine is infected or contains viruses or malware, these viruses or malware are not running and possible countermeasures are not triggered. When the tests are completed, the clone 10 or the disk copy is erased. Reports and dashboards are built with the state of the virtual servers' security. These dashboards and tables are built with indicators on the security of the virtual servers and, more generally, of the cloud computing system (network, firewalls, applications, data). The analysis system can generate alerts when it identifies a critical vulnerability or an event that violates a security policy. The reports are generated with the history of tests performed, results and trends. This process can be implemented on demand. It can also be repeated automatically with a configurable periodicity, for example once a day, once a week or once a month. It is then possible to continuously monitor the vulnerabilities at reduced cost.
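The black-list and grey-list check on captured connections is shown below as an added Python example (not the patent's or Secludit's code). It parses constructed one-line connection summaries of the kind a sniffer on the clone would produce, groups them by destination, and flags destinations that fall in listed networks, ordering blacklisted destinations first and, within each list, the destinations with the most connections first. The line format, the `SAMPLE_CAPTURE` records and the `BLACKLIST`/`GREYLIST` networks (drawn from the RFC 5737 documentation ranges) are all constructed; a real deployment would load list data from its threat intelligence feeds and parse its sniffer's actual output format.

```python
"""Check captured connections from a clone against black and grey lists.

Added example, not the patent's or Secludit's code. The capture lines, the
list networks (RFC 5737 documentation ranges) and the line format are
constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed lists; a real system would load these from threat-intelligence feeds.
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
GREYLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed summary format: "<timestamp> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed capture: one clean destination, one repeated blacklisted
# destination (beacon-like), one greylisted destination, one garbage line.
SAMPLE_CAPTURE = """\
2015-10-16T10:00:01 10.0.0.5:44312 -> 192.0.2.10:443
2015-10-16T10:00:07 10.0.0.5:44318 -> 203.0.113.7:8080
2015-10-16T10:01:07 10.0.0.5:44320 -> 203.0.113.7:8080
2015-10-16T10:02:07 10.0.0.5:44325 -> 203.0.113.7:8080
2015-10-16T10:02:30 10.0.0.5:44330 -> 198.51.100.20:25
this line is not a connection record
"""


def classify(ip_text: str) -> str:
    """Return 'black', 'grey' or 'clean' for one destination address."""
    addr = ipaddress.ip_address(ip_text)
    if any(addr in net for net in BLACKLIST):
        return "black"
    if any(addr in net for net in GREYLIST):
        return "grey"
    return "clean"


def review_connections(lines) -> dict:
    """Aggregate connections per destination and flag listed destinations."""
    per_dst = defaultdict(lambda: {"connections": 0, "ports": set()})
    unparsed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            unparsed += 1               # counted, never silently dropped
            continue
        entry = per_dst[match["dst"]]
        entry["connections"] += 1
        entry["ports"].add(int(match["dport"]))

    flagged, clean = [], 0
    for dst, info in per_dst.items():
        verdict = classify(dst)
        if verdict == "clean":
            clean += 1
            continue
        flagged.append({
            "dst": dst,
            "list": verdict,
            "connections": info["connections"],
            "ports": sorted(info["ports"]),
        })
    # Blacklisted first, then greylisted; busiest destinations first within each.
    rank = {"black": 0, "grey": 1}
    flagged.sort(key=lambda f: (rank[f["list"]], -f["connections"]))
    return {"flagged": flagged, "clean_destinations": clean, "unparsed": unparsed}


if __name__ == "__main__":
    for finding in review_connections(SAMPLE_CAPTURE.splitlines())["flagged"]:
        print(finding)
```

Counting unparsed lines rather than discarding them matters in this setting: a capture format change would otherwise make a clone look clean simply because nothing parsed.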
The method according to the invention can advantageously replace systems for detecting viruses, malware, or networks of machines controlled by hackers; systems for verifying the integrity of the data stored on the server; log analysis and SIEM (Security Information and Event Management) systems; intrusion detection systems; security policy enforcement systems; threat analysis and processing systems; code analysis systems; trend detection and analysis systems; and systems for analyzing changes made on servers. It is not necessary, according to the invention, to install an agent on the server to carry out the aforementioned actions.
Claims:
Claims (14)

1. A method for detecting vulnerabilities of a production virtual server (2) of a virtual or cloud computing system (1), said system comprising one or a plurality of virtual servers, characterized by the following steps according to which: a vulnerability analysis system (4) of the virtual production server or servers (2) is provided; the vulnerability analysis system (4) connects to the virtual or cloud computing system (1); the vulnerability analysis system (4) requests the cloning of the production virtual server (2) in order to obtain a clone (10) or a disk copy of the production virtual server (2); the clone (10) or the disk copy is created in the virtual or cloud computing system (1); the vulnerability analysis system (4) connects to the clone (10) or the disk copy; the vulnerability analysis system (4) analyzes the vulnerabilities of the clone (10) or the disk copy; the clone (10) or the disk copy is erased; a vulnerability analysis report of the clone (10) or the disk copy is generated; from the analysis of the vulnerabilities of the clone (10) or the disk copy, the vulnerabilities of the production virtual server (2) are deduced; the vulnerability analysis report is used to mitigate the vulnerabilities of the production virtual server (2).

2. Method according to claim 1, characterized in that the vulnerability analysis system uses cloning functionalities present in the cloud computing system (1) for cloning the production virtual server (2).

3. Method according to claim 2, characterized in that the cloning functionalities present in the virtual or cloud computing system (1) comprise a hypervisor and a programming interface infrastructure.

4. Method according to one of the preceding claims, characterized in that the analysis system (4) comprises a scanner (5) and a database relating to vulnerabilities (6) and/or server test scripts (7) and/or security policies (8) and/or a history of analyses (9).

5. Method according to one of the preceding claims, characterized in that, for the connection, the IP address and/or the identifier of the server (2), and a key for cloning the server (2) or, at least, a disk copy of its virtual disk(s), are provided to the analysis system (4), then the system (4) generates at least one key for the administration of the clone (10) or for the attachment of the disk copy.

6. Method according to one of the preceding claims, characterized in that the connection is made with or without authentication, by means of a secure tunnel, or by scripts copied to the clone (10).

7. Method according to one of the preceding claims, characterized in that the clone (10), or disk copy, is placed in an isolated zone of the cloud computing system (1).

8. Method according to one of the preceding claims, characterized in that the vulnerabilities analyzed include the analysis of at least one of the following: presence of viruses, presence of malicious software, hacking of the server, presence of non-integrity data, presence of logs, presence of intrusions, failure to comply with security policies, analysis of the existence of intelligent fraud, defects in the code, presence of changes in server trends.

9. Method according to one of the preceding claims, characterized in that sniffer software is placed on the clone (10).

10. Method according to one of the preceding claims, characterized in that it further comprises a step according to which corrections of the vulnerabilities are made on the clone (10).

11. Method according to one of the preceding claims, characterized in that the system (1) is a cloud computing system.

12. Method according to one of the preceding claims, characterized in that, when a disk copy is made, viruses or malware on this disk copy are not in a state of execution.

13. Method according to one of the preceding claims, characterized in that it does not require, for its implementation, the administration keys of the production server.

14. Vulnerability analysis system (4) of a virtual production server (2) of a virtual or cloud computing system (1) for implementing the method according to one of the preceding claims.
Patent family:
Publication number | Publication date
FR3042623B1 | 2018-03-16
US10412109B2 | 2019-09-10
US20170111384A1 | 2017-04-20
EP3156931A1 | 2017-04-19
Legal status:
Date | Code | Event | Detail
2016-10-26 | PLFP | Fee payment | Year of fee payment: 2
2017-04-21 | PLSC | Publication of the preliminary search report | Effective date: 20170421
2017-10-31 | PLFP | Fee payment | Year of fee payment: 3
2018-10-03 | PLFP | Fee payment | Year of fee payment: 4
2019-10-23 | PLFP | Fee payment | Year of fee payment: 5
2020-10-23 | PLFP | Fee payment | Year of fee payment: 6
2021-10-13 | PLFP | Fee payment | Year of fee payment: 7
Priority:
Priority application: FR1502184 | 2015-10-16
Application number | Publication number | Priority date | Filing date | Title
FR1502184A | FR3042623B1 | 2015-10-16 | 2015-10-16 | METHOD FOR DETECTING VULNERABILITIES IN A VIRTUAL SERVER FOR PRODUCING A VIRTUAL OR CLOUD COMPUTING SYSTEM
EP16192536.7A | EP3156931A1 | 2015-10-16 | 2016-10-06 | Method for detecting vulnerabilities in a virtual production server of a virtual or cloud-based computer system
US15/291,776 | US10412109B2 | 2015-10-16 | 2016-10-12 | Method for detecting vulnerabilities in a virtual production server of a virtual or cloud computer system