[특허]Method and system for improving security and reliability in a networked application environment

Method and system for improving security and reliability in a networked application environment 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	H04L-029/06 G06F-021/60 H04L-012/26 G06F-017/30
출원번호	US-0703862 (2015-05-04)
등록번호	US-9953173 (2018-04-24)
발명자 / 주소	Tseitlin, Ariel Rapoport, Roy Chan, Jason
출원인 / 주소	NETFLIX, INC.
대리인 / 주소	Artegis Law Group, LLP
인용정보	피인용 횟수 : 0 인용 특허 : 41

초록 ▼

A security application manages security and reliability of networked applications executing collection of interacting computing elements within a distributed computing architecture. The security application monitors various classes of resources utilized by the collection of nodes within the distributed computing architecture and determine whether utilization of a class of resources is approaching a pre-determined maximum limit. The security application performs a vulnerability scan of a networked application to determine whether the networked application is prone to a risk of intentional or inadvertent breach by an external application. The security application scans a distributed computing architecture for the existence of access control lists (ACLs), and stores ACL configurations and configuration changes in a database. The security application scans a distributed computing architecture for the existence of security certificates, places newly discovered security certificates in a database, and deletes outdated security certificates. Advantageously, security and reliability are improved in a distributed computing architecture.

대표청구항 ▼

1. A computer-implemented method, comprising: discovering, via an administrative server coupled to a distributed computing architecture, a resource associated with a distributed application, wherein the distributed application executes on a plurality of compute nodes, and the resource is discovered and monitored within the distributed computing architecture;determining a classification for the resource based on one or more classification criteria;determining whether the classification corresponds to a record within a database, wherein the record includes a counter of a quantity of the resource deployed in the distributed computing architecture;if the classification corresponds to a record within the database, then: incrementing the counter associated with the record; orif the classification does not correspond to a record within the database, then: initializing another record within the database that corresponds to the classification, andinitializing another counter associated with the another record; andpublishing a notification when the counter indicates that a utilization associated with the classification exceeds a pre-determined limit. 2. The method of claim 1, wherein the resource comprises an instance of a software application executing within the distributed computing architecture. 3. The method of claim 1, further comprising generating a notification when the classification does not correspond to a record within the database. 4. The method of claim 1, further comprising retrieving a first threshold value associated with the record, and generating a notification when the counter exceeds the first threshold value. 5. The method of claim 4, wherein generating the notification comprises publishing a message to a publication/subscription system indicating that the counter exceeds the first threshold value. 6. The method of claim 1, further comprising retrieving a second threshold value associated with the record, and generating a second notification when the counter exceeds the second threshold value. 7. The method of claim 6, wherein at least one of the first threshold value and the second threshold value comprises a percentage of a maximum limit. 8. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of: scanning a distributed application that is executing on a plurality of compute nodes to detect a first security vulnerability, wherein the distributed application is stored within at least one memory element included in a distributed computing architecture;comparing the first security vulnerability against a database that includes a listing of previously-discovered security vulnerabilities; andif the first security vulnerability is not listed within the database, then: initializing a record within the database that corresponds to the first security vulnerability; orif the first security vulnerability is listed within the database, then:updating a record within the database that corresponds to the first security vulnerability to indicate that the first security vulnerability was detected;determining that the first security vulnerability is marked as being resolved; andgenerating a notification that the first security vulnerability was resolved. 9. The non-transitory computer-readable storage medium of claim 8, wherein the database includes an issue tracking system that is configured to track whether one or more security vulnerabilities have been resolved. 10. The non-transitory computer-readable storage medium of claim 8, wherein the operation further comprises generating a notification when the record corresponding to the first security vulnerability is initialized. 11. The non-transitory computer-readable storage medium of claim 8, wherein scanning the networked application further comprises generating a notification that the distributed computing architecture is being scanned for security vulnerabilities. 12. The non-transitory computer-readable storage medium of claim 11, wherein generating the notification comprises publishing a message to a publication/subscription system indicating that the distributed computing architecture is being scanned for security vulnerabilities. 13. The non-transitory computer-readable storage medium of claim 11, wherein generating a notification comprises generating an automatic email indicating that the distributed computing architecture is being scanned for security vulnerabilities. 14. An administration server, comprising: a memory storing a security application; anda processor coupled to the memory, wherein, when executed by the processor, the security application configures the processor to: discover an access control list (ACL) associated with a distributed application executing on a plurality of compute nodes, wherein the ACL is stored within at least one memory element included in a distributed computing architecture;determine whether the ACL corresponds to a first record within a database; andif the ACL corresponds to a first record within the database, then determine that a configuration of the ACL differs from a configuration of the first record; andinitialize a second record within the database that corresponds to the first record and has the configuration of the ACL; orif the ACL does not correspond to a first record within the database, then initialize a second record within the database that corresponds to the ACL and has the configuration of the ACL. 15. The system of claim 14, wherein the ACL comprises a security group that includes one or more source objects, one or more ports, and one or more destination objects. 16. The system of claim 15, wherein the one or more source objects are identifiable via an internet protocol (IP) address. 17. The system of claim 15, wherein the one or more source objects are identifiable based on the one or more source objects included in the security group. 18. The system of claim 15, wherein the processor is further configured to compute an exposure metric for the security group based on at least one of the number of source objects included in the security group, the number of ports included in the security group, and the number of destination objects included in the security group. 19. The system of claim 14, wherein the processor is further configured to analyze the ACL to determine whether the ACL is associated with a permission setting that permits the security group to access all routable addresses on the Internet. 20. The system of claim 14, wherein the processor is further configured to compute the number of instances of a software application that execute within the ACL.

이 특허에 인용된 특허 (41)

Massoudi, Arash, Accounting for usage and usage-based pricing of runtime engine.
상세보기
Pomerantz, Ori, Automatic defaults proxy for web-delivered services.
상세보기
Burrell,Jeffery O.; Hymel,Christopher H.; Ewing,Andy T.; Menkhaus,Susan H.; Brechtel,Carol A., Central inventory record reconciliation.
상세보기
Moloian, Armen; Ritchey, Ronald W., Computing resource inventory system.
상세보기
Le, Jian, Data warehouse system.
상세보기
Gertner, Yael; Herz, Frederick S. M.; Labys, Walter Paul, Distributed agent based model for security monitoring and response.
상세보기
Shiramizu Akira (Tokyo JPX) Nishiuchi Takashi (Tokyo JPX), Heavily loaded resource evaluation system.
상세보기
Andrew Dugan ; Allen M. Holmes ; Terence A. Robb ; Ajay P. Deo ; Sami Syed BE; Wendy T. Wong, Intelligent network.
상세보기
Gilbert, Mark David, Intercept vehicle for airborne nuclear, chemical and biological weapons of mass destruction.
상세보기
Lewis Stephen Gerard, Isochronal updating of data records.
상세보기
Etchegoyen, Craig S., License auditing for distributed applications.
상세보기
Burnley, Christopher; Gerhold, Brian; Zheng, Wei; Day, Pamela; Sherman, Mike, Method and apparatus for managing resources.
상세보기
Kumar, Dileep, Method and apparatus for the detection and prevention of intrusions, computer worms, and denial of service attacks.
상세보기
Kobozev, Alexey; Zavalkovsky, Arthur; Frenkel, Ilan, Method and apparatus for verifying revocation status of a digital certificate.
상세보기
Kobozev,Alexey; Zavalkovsky,Arthur; Frenkel,Ilan, Method and apparatus for verifying revocation status of a digital certificate.
상세보기
Zobel,Robert David; Dodd,Timothy David; Millar,Sharon A.; Nesfeder, Jr.,David Gerald; Singer,Christopher S., Method and system for configuring and scheduling security audits of a computer network.
상세보기
Toudeh-Fallah, Farzam; Mize, Eric Kenneth; Delamatre, Timothy J., Method and system for implementing a network analysis tool for endpoints deployments.
상세보기
Jang,Sung Kyung, Method and system for polling PDU of radio link control layer.
상세보기
Hasha, Richard, Method and system for tracking software components.
상세보기
Kulkarni, Shantanu, Method and system to visually represent the status of a data center.
상세보기
Bass Brian Mitchell ; Siegel Michael Steven ; Strole Norman Clark, Methods, systems and computer program products for suppressing multiple destination traffic in a computer network.
상세보기
Bass, Brian Mitchell; Siegel, Michael Steven; Strole, Norman Clark, Methods, systems and computer program products for suppressing multiple destination traffic in a computer network.
상세보기
Chan, Victor; Hubbard, Mark W.; Lakhani, Aalim; Tan, Daisy; Wang, Fen, Multi-tier inventory visibility.
상세보기
Makris,Stefanos Michail; Gopalakrishnan,Sankarganesh; Ganfsan,Elango; Chan,Eng Guan, Network distributed product manager system.
상세보기
Rhodes, Christina L.; Yalovsky, Mark; Ebeling, Rolf A.; Morgan, John Corey; Woods, Shawn M.; Hurst, Ryan M.; Au, Jonathan M.; Ponomarev, Peter Seraphim; Hendrickson, Jason C.; Alla, Hemchand; Chin, Yau N.; Sechrest, Stuart; Iyigun, Mehmet; Bak, Yevgeniy; Ismail, Ishfaq M.; Fuller, Jeffrey C.; Ratanchandani, Prashant, Process management views.
상세보기
Pannell, Donald, Quality of service half-duplex media access controller.
상세보기
Pannell, Donald, Quality of service half-duplex media access controller.
상세보기
Seidenberg, Benjamin E.; Roth, Gregory B.; Baer, Graeme D., Secure proxying using network intermediaries.
상세보기
Unnikrishnan, Umesh; Jerath, Kshamta; Taylor, William D., Service-based endpoint discovery for client-side load balancing.
상세보기
Prince, Matthew Browning; Holloway, Lee Hahn; Rao, Srikanth N.; Pye, Ian Gerald, Supporting secure sessions in a cloud-based proxy service.
상세보기
Vaughan, Richard A.; Brinker, Jeffrey T.; Matos, Tomas A. D., System and method for managing inventory.
상세보기
Vaughan, Richard A.; Siegal, Seth L., System and method for managing reservation requests for one or more inventory items.
상세보기
Johnson, Eric Wendell; Lamoreaux, Richard J.; Dinsel, Jeremy; Gummadi, Ajay K., System and method for managing the application of access control lists on network devices.
상세보기
Cole, David M.; Hanzlik, Dennis J.; Caso, Erik, System and method for network vulnerability detection and reporting.
상세보기
Elder, Matthew Cruz; Kienzle, Darrell Martin; Manadhata, Pratyusa K.; Persaud, Ryan Kumar, System and method for vulnerability risk analysis.
상세보기
Andres, Steven G.; Cole, David M.; Cummings, Thomas Gregory; Garcia, Roberto Ramon; Kenyon, Brian Michael; Kurtz, George R.; McClure, Stuart Cartier; Moore, Christopher William; O'Dea, Michael J.; Saruwatari, Ken D., System and method of managing network security risks.
상세보기
Kingsford, Bryan; McQueen, Stan; Thrower, Woody, System for penetrating computer or computer network.
상세보기
Schultz, Matthew G.; Eskin, Eleazar; Zadok, Erez; Bhattacharyya, Manasi; Salvatore J., Stolfo, Systems and methods for detection of new malicious executables.
상세보기
Eicken, Thorsten von; Gonzalez, Jose Maria Blanquer; Simon, Raphael George Jacques, Systems and methods for establishing cloud-based instances with independent permissions.
상세보기
Kennedy, Scott Cruickshanks; Ayers, II, Carleton Royse; Godinez, Javier; Banks, Susan Fichera; Spencer, Myoki Elizabeth, Systems and methods for implementing and scoring computer network defense exercises.
상세보기
Williams, Michael W.; Dodd, James M.; Pollard, II, Lloyd L; Gupte, Nitin B, Weighted throttling mechanism with rank based throttling for a memory system.
상세보기

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 공고번호, 공고일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표출원인, 출원인국적, 출원인주소, 발명자, 발명자E, 발명자코드, 발명자주소, 발명자 우편번호, 발명자국적, 대표IPC, IPC코드, 요약, 미국특허분류, 대리인주소, 대리인코드, 대리인(한글), 대리인(영문), 국제공개일자, 국제공개번호, 국제출원일자, 국제출원번호, 우선권, 우선권주장일, 우선권국가, 우선권출원번호, 원출원일자, 원출원번호, 지정국, Citing Patents, Cited Patents
저장형식	Text(ASCII format) Excel format PIAS분석(.xls)
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

Method and system for improving security and reliability in a networked application environment 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

이 특허에 인용된 특허 (41)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트

연합인증

Method and system for improving security and reliability in a networked application environment 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

전체(0) 논문(0) 특허(0) 보고서(0)

전체(0) 논문(0) 특허(0) 보고서(0)

이 특허에 인용된 특허 (41)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트