MITIGATING SECURITY THREATS IN DAISY CHAINED SERVERLESS FaaS FUNCTIONS
IPC classification information
Country / document type
United States (US) Patent, published application
International Patent Classification (IPC, 7th edition)
H04L-009/40
H04L-041/22
Application number: 17559164 (2021-12-22)
Publication number: 20230208855 (2023-06-29)
Inventors / address
Sheriff, Akram Ismail
Asati, Rajiv
Nainar, Nagendra Kumar
Shuper, Ariel
Bosch, Hendrikus G.P.
Applicant / address
Sheriff, Akram Ismail
Citation information
Cited by: 0
Patents cited: 0
Abstract
In one embodiment, a method comprises: receiving, by a process, an executed function flow of a daisy chained serverless function-as-a-service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating, by the process, a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing, by the process, a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting, by the process, one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating, by the process, the one or more anomalies in the serverless flow graph.
Claims
1. A method, comprising: receiving, by a process, an executed function flow of a daisy chained serverless function as a service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating, by the process, a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing, by the process, a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting, by the process, one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating, by the process, the one or more anomalies in the serverless flow graph.
2. The method as in claim 1, wherein mitigating comprises: establishing an allow-or-deny decision for future executions.
3. The method as in claim 1, wherein mitigating comprises: delinking one or more specific links in the serverless flow graph for future executions.
4. The method as in claim 1, wherein detecting one or more anomalies comprises: determining a cross correlation between a given function call and a given serverless flow call link.
5. The method as in claim 4, wherein mitigating is triggered based on a threshold of cross correlation.
6. The method as in claim 1, wherein detecting one or more anomalies comprises: determining that either an event source or an event destination is different than previously profiled baseline data.
7. The method as in claim 1, wherein detecting one or more anomalies comprises: identifying trends in traffic as the baseline of expectation; and detecting anomalous trends according to the trace-based analysis of the serverless flow graph.
8. The method as in claim 7, wherein trends in traffic are based on one or more of processing time, processing utilization, memory load, bandwidth, and periodicity.
9. The method as in claim 1, wherein the particular trace identifier and span identifiers are injected as special hypertext transfer protocol headers.
10. The method as in claim 1, wherein the executed function flow is injected with the particular trace identifier in response to a hypertext transfer protocol Post reaching an initial application programming interface gateway for the daisy chained serverless function as a service (FaaS) function.
11. The method as in claim 1, wherein the baseline of expectation is based on correlation of one or more of: trace identifiers, span identifiers, source resource names, destination resource names, and one or more profiled metrics.
12. The method as in claim 1, wherein the serverless flow graph comprises a source event trigger, context, and metadata corresponding to the executed function flow.
13. A tangible, non-transitory, computer-readable medium having computer-executable instructions stored thereon that, when executed by a processor on a computer, cause the computer to perform a method comprising: receiving an executed function flow of a daisy chained serverless function as a service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating the one or more anomalies in the serverless flow graph.
14. The tangible, non-transitory, computer-readable medium as in claim 13, wherein mitigating comprises: establishing an allow-or-deny decision for future executions.
15. The tangible, non-transitory, computer-readable medium as in claim 13, wherein mitigating comprises: delinking one or more specific links in the serverless flow graph for future executions.
16. The tangible, non-transitory, computer-readable medium as in claim 13, wherein detecting one or more anomalies comprises: determining a cross correlation between a given function call and a given serverless flow call link.
17. The tangible, non-transitory, computer-readable medium as in claim 16, wherein mitigating is triggered based on a threshold of cross correlation.
18. The tangible, non-transitory, computer-readable medium as in claim 13, wherein detecting one or more anomalies comprises: determining that either an event source or an event destination is different than previously profiled baseline data.
19. The tangible, non-transitory, computer-readable medium as in claim 13, wherein detecting one or more anomalies comprises: identifying trends in traffic as the baseline of expectation; and detecting anomalous trends according to the trace-based analysis of the serverless flow graph.
20. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process, when executed, configured to: receive an executed function flow of a daisy chained serverless function as a service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generate a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; perform a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detect one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigate the one or more anomalies in the serverless flow graph.
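The claimed method, worked as an added Python example (this is not code from the patent, its inventors or any tracing product): spans that share a trace identifier are linked into a flow graph by correlating each span's parent span identifier with another span's identifier, the graph is compared against a baseline profiled from earlier executions, links whose source/destination pair was never profiled or whose hop duration deviates from the baseline trend are flagged, and the result is turned into an allow-or-deny decision plus a list of links to delink. The span record layout (trace_id, span_id, parent_span_id, resource, duration_ms), the resource names, the three-sigma timing threshold and all span data are assumptions constructed for the example.

```python
"""Added example: trace-based anomaly detection over a daisy chained FaaS flow.

Span records model what an API gateway and each function might emit once a
trace identifier and span identifiers are propagated in HTTP headers. The
record layout (trace_id, span_id, parent_span_id, resource, duration_ms),
the resource names and the thresholds are assumptions of this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed span data. t1 and t2 are profiled (baseline) executions of the
# chain api-gateway -> fn-validate -> fn-enrich -> fn-store. t3 is a later
# execution that is slow at one hop and ends at a destination never profiled.
SPANS = [
    {"trace_id": "t1", "span_id": "a0", "parent_span_id": None, "resource": "api-gateway", "duration_ms": 70},
    {"trace_id": "t1", "span_id": "a1", "parent_span_id": "a0", "resource": "fn-validate", "duration_ms": 12},
    {"trace_id": "t1", "span_id": "a2", "parent_span_id": "a1", "resource": "fn-enrich", "duration_ms": 30},
    {"trace_id": "t1", "span_id": "a3", "parent_span_id": "a2", "resource": "fn-store", "duration_ms": 20},
    {"trace_id": "t2", "span_id": "b0", "parent_span_id": None, "resource": "api-gateway", "duration_ms": 76},
    {"trace_id": "t2", "span_id": "b1", "parent_span_id": "b0", "resource": "fn-validate", "duration_ms": 14},
    {"trace_id": "t2", "span_id": "b2", "parent_span_id": "b1", "resource": "fn-enrich", "duration_ms": 34},
    {"trace_id": "t2", "span_id": "b3", "parent_span_id": "b2", "resource": "fn-store", "duration_ms": 22},
    {"trace_id": "t3", "span_id": "c0", "parent_span_id": None, "resource": "api-gateway", "duration_ms": 330},
    {"trace_id": "t3", "span_id": "c1", "parent_span_id": "c0", "resource": "fn-validate", "duration_ms": 13},
    {"trace_id": "t3", "span_id": "c2", "parent_span_id": "c1", "resource": "fn-enrich", "duration_ms": 300},
    {"trace_id": "t3", "span_id": "c3", "parent_span_id": "c2", "resource": "fn-unprofiled", "duration_ms": 5},
]


def build_flow_graph(spans, trace_id):
    """Link the spans sharing one trace identifier into (source, destination,
    duration_ms) edges by matching each span's parent_span_id to the span_id
    of another span in the same trace."""
    by_id = {s["span_id"]: s for s in spans if s["trace_id"] == trace_id}
    edges = []
    for span in by_id.values():
        parent = by_id.get(span["parent_span_id"])  # root span has no parent
        if parent is not None:
            edges.append((parent["resource"], span["resource"], span["duration_ms"]))
    return edges


def profile_baseline(spans, trace_ids):
    """Baseline of expectation: every link seen in the profiled traces with
    the mean and population standard deviation of its hop duration."""
    samples = defaultdict(list)
    for tid in trace_ids:
        for src, dst, ms in build_flow_graph(spans, tid):
            samples[(src, dst)].append(ms)
    return {link: (mean(v), pstdev(v)) for link, v in samples.items()}


def analyze_trace(spans, trace_id, baseline, k=3.0):
    """Trace-based analysis: flag links whose source/destination pair was never
    profiled, and links whose duration is more than k sigma from baseline."""
    anomalies = []
    for src, dst, ms in build_flow_graph(spans, trace_id):
        stats = baseline.get((src, dst))
        if stats is None:
            anomalies.append({"link": (src, dst), "kind": "unexpected_link"})
            continue
        mu, sigma = stats
        # Floor sigma at 1 ms so a perfectly flat baseline still tolerates jitter.
        if abs(ms - mu) > k * max(sigma, 1.0):
            anomalies.append({"link": (src, dst), "kind": "timing_deviation",
                              "duration_ms": ms, "expected_ms": mu})
    return anomalies


def mitigate(anomalies):
    """Turn anomalies into an allow-or-deny decision for future executions and
    the list of links to delink from the flow graph."""
    delink = sorted({a["link"] for a in anomalies if a["kind"] == "unexpected_link"})
    return ("deny" if delink else "allow"), delink


if __name__ == "__main__":
    baseline = profile_baseline(SPANS, ["t1", "t2"])
    found = analyze_trace(SPANS, "t3", baseline)
    for anomaly in found:
        print(anomaly)
    print(mitigate(found))
```

Run stand-alone, the script profiles t1 and t2, then reports a timing deviation on the fn-validate to fn-enrich hop and an unexpected link from fn-enrich to fn-unprofiled for t3, and returns a deny decision with that link scheduled for delinking. In a real deployment the baseline would be profiled from many traces and stored per source/destination pair, and the timing check would be one of several profiled metrics alongside utilization, memory load and periodicity.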