
Method And System For Detecting Anomalous Configurations In Cloud Environment

Abstract: Recently, misconfigurations in cloud services have led to major security incidents and large-scale data breaches. Due to the dynamic and complex nature of cloud environments, misconfigurations of access policies are easily introduced and often go undetected for long periods of time. It is therefore critical to identify potential misconfigurations before they can be abused. Conventionally, no system is available that is adaptable to multiple cloud vendors and that is proactive and preventive in discovering access policy misconfigurations. The present disclosure provides a method and system to address the critical problem of identifying access misconfigurations and anomalous bindings within Identity Access Management (IAM) policies in cloud environments. These misconfigurations can lead to unauthorized access, security breaches, and compliance violations, which pose substantial risks to businesses operating in the cloud. [To be published with FIG. 3]


Patent Information

Filing Date: 20 December 2023
Publication Number: 26/2025
Publication Type: INA
Invention Field: COMPUTER SCIENCE

Applicants

Tata Consultancy Services Limited
Nirmal Building, 9th floor, Nariman point, Mumbai 400021, Maharashtra, India

Inventors

1. PRAKASH, Vakkalagadda Satya Sai
Tata Consultancy Services Limited, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, HYB, Hyderabad 500034, Telangana, India
2. GOPU, Srinivas Reddy
Tata Consultancy Services Limited, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, HYB, Hyderabad 500034, Telangana, India
3. REDDY, Rajidi Satish Chandra
Tata Consultancy Services Limited, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, HYB, Hyderabad 500034, Telangana, India

Specification

FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of invention:
METHOD AND SYSTEM FOR DETECTING ANOMALOUS CONFIGURATIONS IN CLOUD ENVIRONMENT
Applicant
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India
Preamble to the description:
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[001]
The disclosure herein generally relates to the field of cloud data privacy and, more particularly, to a method and system for detecting anomalous configurations in cloud environment.
BACKGROUND
[002]
Cloud policies are the guidelines under which companies operate in the cloud. The policies are made to ensure the integrity and privacy of company-owned information and to support operational concerns such as cost optimization, performance management and network security. Recently, misconfigurations of cloud services have led to major security incidents and large-scale data breaches. Cloud misconfiguration refers to any glitch, gap or error that could expose a cloud environment to risk during cloud adoption. Due to the dynamic and complex nature of cloud environments, misconfigurations of access policies are easily introduced and often go undetected for a long period of time. Therefore, it is critical to identify any potential misconfigurations before they can be abused.
[003]
Conventional cloud security technologies face several challenges in effectively identifying access policy misconfigurations and unnecessary or anomalous privilege assignments. One major problem is the lack of efficient and automated anomaly detection methods for Identity Access Management (IAM) policies and configurations. Many current solutions rely on manual auditing, which is time consuming and error prone. Some tools provide basic checks for policy compliance, but they often lack the ability to analyze policies contextually. Rule-based systems also exist, in which anomalies are defined as rules and the policies are searched for matches; such systems can only find the anomalies for which a rule has already been written. The challenges also include the inability to proactively detect anomalies in access policies by comparison among peers, difficulty in identifying unauthorized privileges, and limited remediation capabilities. Current solutions are often reactive and learn from events that have already happened in order to find anomalies. Hence, no system is available that is adaptable to multiple cloud vendors and that is proactive and preventive in discovering access policy misconfigurations.
SUMMARY
[004]
Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method for detecting anomalous configurations in a cloud environment is provided. The method includes receiving, by one or more hardware processors, data pertaining to a target cloud resource associated with a cloud environment, wherein the data comprises a plurality of cloud resources, a plurality of cloud users and a plurality of relationships associated with the plurality of cloud resources and the plurality of cloud users, represented as an entity relationship graph. Further, the method includes identifying, by the one or more hardware processors, a plurality of target policies from among a plurality of policies associated with the cloud environment, namely those whose target value equals the target cloud resource. Furthermore, the method includes identifying, by the one or more hardware processors, a plurality of potential peer resources from among the plurality of cloud resources based on a comparison between a plurality of attributes associated with the target cloud resource and a plurality of attributes corresponding to each of the plurality of cloud resources. Furthermore, the method includes identifying, by the one or more hardware processors, a plurality of peer resources from among the plurality of potential peer resources based on a quantile score, wherein the potential peer resources with a quantile score above a predefined threshold are identified as the peer resources. Furthermore, the method includes obtaining, by the one or more hardware processors, a plurality of combined policies by merging the plurality of policies associated with each of the plurality of peer resources and the target cloud resource. Furthermore, the method includes generating, by the one or more hardware processors, a plurality of components for the target cloud resource by segmenting the plurality of combined policies, wherein each of the plurality of components comprises a plurality of objects and each nested object in a JavaScript Object Notation (JSON) formatted policy is identified as a component. Furthermore, the method includes obtaining, by the one or more hardware processors, a plurality of target policy components from among the plurality of components generated for the target resource based on a type-value mapping between the key-value pairs of the objects in each of the plurality of components. Furthermore, the method includes obtaining, by the one or more hardware processors, a plurality of peer policy components from among the plurality of components based on the type-value mapping between the key-value pairs of the objects in the plurality of components. Furthermore, the method includes identifying, by the one or more hardware processors, a plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and an anomaly context score. Furthermore, the method includes identifying, by the one or more hardware processors, a plurality of users associated with the identified plurality of anomalous components, wherein each of the plurality of users is associated with a plurality of user attributes. Furthermore, the method includes identifying, by the one or more hardware processors, a plurality of peer users associated with each of the plurality of users based on the plurality of user attributes. Furthermore, the method includes extracting, by the one or more hardware processors, a plurality of access privileges associated with each of the plurality of users and a corresponding plurality of peer users, wherein each of the plurality of access privileges comprises a plurality of permission values and a plurality of resource values. Finally, the method includes identifying, by the one or more hardware processors, a plurality of abnormal configurations from among the plurality of access privileges associated with each of the plurality of users based on a comparison between the access privileges associated with the plurality of peer users and the access privileges associated with the plurality of users.
[005]
In another aspect, a system for detecting anomalous configurations in a cloud environment is provided. The system includes at least one memory storing programmed instructions, one or more Input/Output (I/O) interfaces, and one or more hardware processors operatively coupled to the at least one memory, wherein the one or more hardware processors are configured by the programmed instructions to receive data pertaining to a target cloud resource associated with a cloud environment, wherein the data comprises a plurality of cloud resources, a plurality of cloud users and a plurality of relationships associated with the plurality of cloud resources and the plurality of cloud users, represented as an entity relationship graph. Further, the one or more hardware processors are configured by the programmed instructions to identify a plurality of target policies from among a plurality of policies associated with the cloud environment, namely those whose target value equals the target cloud resource. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify a plurality of potential peer resources from among the plurality of cloud resources based on a comparison between a plurality of attributes associated with the target cloud resource and a plurality of attributes corresponding to each of the plurality of cloud resources. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify a plurality of peer resources from among the plurality of potential peer resources based on a quantile score, wherein the potential peer resources with a quantile score above a predefined threshold are identified as the peer resources. Furthermore, the one or more hardware processors are configured by the programmed instructions to obtain a plurality of combined policies by merging the plurality of policies associated with each of the plurality of peer resources and the target cloud resource. Furthermore, the one or more hardware processors are configured by the programmed instructions to generate a plurality of components for the target cloud resource by segmenting the plurality of combined policies, wherein each of the plurality of components comprises a plurality of objects and each nested object in a JavaScript Object Notation (JSON) formatted policy is identified as a component. Furthermore, the one or more hardware processors are configured by the programmed instructions to obtain a plurality of target policy components from among the plurality of components generated for the target resource based on a type-value mapping between the key-value pairs of the objects in each of the plurality of components. Furthermore, the one or more hardware processors are configured by the programmed instructions to obtain a plurality of peer policy components from among the plurality of components based on the type-value mapping between the key-value pairs of the objects in the plurality of components. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify a plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and an anomaly context score. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify a plurality of users associated with the identified plurality of anomalous components, wherein each of the plurality of users is associated with a plurality of user attributes. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify a plurality of peer users associated with each of the plurality of users based on the plurality of user attributes. Furthermore, the one or more hardware processors are configured by the programmed instructions to extract a plurality of access privileges associated with each of the plurality of users and a corresponding plurality of peer users, wherein each of the plurality of access privileges comprises a plurality of permission values and a plurality of resource values. Finally, the one or more hardware processors are configured by the programmed instructions to identify a plurality of abnormal configurations from among the plurality of access privileges associated with each of the plurality of users based on a comparison between the access privileges associated with the plurality of peer users and the access privileges associated with the plurality of users.
[006]
In yet another aspect, a computer program product including a non-transitory computer-readable medium having embodied therein a computer program for detecting anomalous configurations in a cloud environment is provided. The computer readable program, when executed on a computing device, causes the computing device to receive data pertaining to a target cloud resource associated with a cloud environment, wherein the data comprises a plurality of cloud resources, a plurality of cloud users and a plurality of relationships associated with the plurality of cloud resources and the plurality of cloud users, represented as an entity relationship graph. Further, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of target policies from among a plurality of policies associated with the cloud environment, namely those whose target value equals the target cloud resource. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of potential peer resources from among the plurality of cloud resources based on a comparison between a plurality of attributes associated with the target cloud resource and a plurality of attributes corresponding to each of the plurality of cloud resources. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of peer resources from among the plurality of potential peer resources based on a quantile score, wherein the potential peer resources with a quantile score above a predefined threshold are identified as the peer resources. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to obtain a plurality of combined policies by merging the plurality of policies associated with each of the plurality of peer resources and the target cloud resource. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to generate a plurality of components for the target cloud resource by segmenting the plurality of combined policies, wherein each of the plurality of components comprises a plurality of objects and each nested object in a JavaScript Object Notation (JSON) formatted policy is identified as a component. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to obtain a plurality of target policy components from among the plurality of components generated for the target resource based on a type-value mapping between the key-value pairs of the objects in each of the plurality of components. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to obtain a plurality of peer policy components from among the plurality of components based on the type-value mapping between the key-value pairs of the objects in the plurality of components. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and an anomaly context score. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of users associated with the identified plurality of anomalous components, wherein each of the plurality of users is associated with a plurality of user attributes. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of peer users associated with each of the plurality of users based on the plurality of user attributes. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to extract a plurality of access privileges associated with each of the plurality of users and a corresponding plurality of peer users, wherein each of the plurality of access privileges comprises a plurality of permission values and a plurality of resource values. Finally, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of abnormal configurations from among the plurality of access privileges associated with each of the plurality of users based on a comparison between the access privileges associated with the plurality of peer users and the access privileges associated with the plurality of users.
[007]
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[008]
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[009]
FIG. 1 is a functional block diagram of a system for detecting anomalous configurations in cloud environment, in accordance with some embodiments of the present disclosure.
[0010]
FIG. 2 (FIG. 2A and FIG. 2B) illustrates a flow diagram for a processor implemented method for detecting anomalous configurations in cloud environment, in accordance with some embodiments of the present disclosure.
[0011]
FIG. 3 illustrates a cloud environment for the processor implemented method for detecting anomalous configurations in cloud environment, in accordance with some embodiments of the present disclosure.
[0012]
FIG. 4 illustrates an example plurality of policies for the processor implemented method for detecting anomalous configurations in cloud environment, in accordance with some embodiments of the present disclosure.
[0013]
FIG. 5 illustrates an example plurality of components associated with policies for the processor implemented method for detecting anomalous configurations in cloud environment, in accordance with some embodiments of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
[0014]
Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the spirit and scope of the disclosed embodiments.
[0015]
Recently, misconfigurations in cloud services have led to major security incidents and large-scale data breaches. Cloud misconfiguration refers to any glitch, gap or error that could expose a cloud environment to risk during cloud adoption. Due to the dynamic and complex nature of cloud environments, misconfigurations of access policies are easily introduced and often go undetected for a long period of time. Therefore, it is critical to identify any potential misconfigurations before they can be abused.
[0016]
One conventional method identifies policy misconfiguration in a datacenter based on flow data received for a plurality of data compute nodes (DCNs) in the datacenter. The method uses (i) the received flow data for a particular DCN and (ii) a set of recent policy configuration changes to determine the policy configuration changes that contributed to an anomalous amount of dropped data traffic relating to the particular DCN, and generates an alert for presentation to a user indicating the anomalous amount of data traffic and the contributing policy configuration changes. Another conventional method generates a graph based on access policies and uses an anomaly detection model to discover anomalous misconfigurations based on the number of connections for each resource in the graph; it focuses on determining relationships between resources in order to determine the impact of a misconfigured or compromised resource, or of an incident. Yet another method generates a graph based on the relationships discovered for the impacted resources to analyze the impact of an incident. However, none of these is a system that is adaptable to multiple cloud vendors and that is proactive and preventive in discovering access policy misconfigurations.
[0017]
To overcome the challenges of the conventional approaches, embodiments herein provide a method and system to address the critical problem of identifying access misconfigurations and anomalous bindings within Identity Access Management (IAM) policies in cloud environments. Specifically, the present disclosure focuses on the problem of access policy misconfiguration and anomalous bindings within IAM policies. These misconfigurations can lead to unauthorized access, security breaches, and compliance violations, which pose substantial risks to businesses operating in the cloud.
[0018]
Further, the present disclosure is designed to tackle the issue of policy misconfigurations and anomalous bindings within cloud IAM policies. It includes three main components, namely (i) policy structure analysis, which dissects the policies related to the target resource and its peer resources, segments them into components of type-value mappings and analyzes these mappings to discover structural anomalies; (ii) peer privilege analysis, which identifies unusual or abnormal privilege assignments based on the privileges allocated to peer users; and (iii) self-learning based anomalous configuration discovery, which employs self-learning mechanisms to proactively detect and prevent future anomalous configurations.
[0019]
The policy structure analysis based anomalous configuration detection module detects anomalous configurations for two types of entities, users/principals and resources. First, all the policies related to the entity under analysis are discovered. Then, each policy is segregated into a set of components, with each component defined as a set of type-value mappings. All the segregated components and mappings are then combined into one superset of mappings. Finally, the mappings of the different policy sets related to different resources of peer types are compared to discover anomalous configurations.
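The following is an added example, not code from the patent or its applicant, of the policy structure analysis described above. It takes constructed, AWS-style bucket policies (the patent does not show its policy format in this section, so the JSON shape, the rewriting of the owning resource's ARN to a placeholder, and the anomaly context score are all assumptions), treats every nested JSON object as a component, reduces each component to its type-value pairs, and scores the target's components by how many peer resources share their least common pair.

```python
# Added example (not the patent's own code): policy structure analysis as described in
# [0019]. Policy format, ARN normalisation and the anomaly context score are assumptions.
from collections import defaultdict

# Constructed sample: parsed JSON bucket policies in an AWS-style shape.
ROLE = {"AWS": "arn:aws:iam::111122223333:role/app"}


def bucket_policy(bucket, statements):
    """Build one policy document whose statements all point at `bucket`."""
    return {"Version": "2012-10-17",
            "Statement": [dict(s, Resource=f"arn:aws:s3:::{bucket}/*") for s in statements]}


POLICY_SETS = {
    "prod-bucket1": [bucket_policy("prod-bucket1", [{"Effect": "Allow", "Principal": ROLE, "Action": ["s3:GetObject"]}])],
    "prod-bucket2": [bucket_policy("prod-bucket2", [{"Effect": "Allow", "Principal": ROLE, "Action": ["s3:GetObject"]}])],
    "prod-bucket4": [bucket_policy("prod-bucket4", [{"Effect": "Allow", "Principal": ROLE, "Action": ["s3:GetObject", "s3:PutObject"]}])],
    "prod-bucket3": [bucket_policy("prod-bucket3", [
        {"Effect": "Allow", "Principal": ROLE, "Action": ["s3:GetObject"]},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ])],
}


def _items(obj, owner):
    """Type-value mapping of one JSON object: (key, value) for scalar values and for each
    element of a scalar list. The owning bucket's ARN is rewritten to <self> so that
    structurally identical statements on different buckets compare equal."""
    out = set()
    for key, value in obj.items():
        values = value if isinstance(value, list) else [value]
        for v in values:
            if isinstance(v, (dict, list)):
                continue  # nested objects become their own components
            if isinstance(v, str):
                v = v.replace(f"arn:aws:s3:::{owner}", "<self>")
            out.add((key, v))
    return frozenset(out)


def components(policy, owner):
    """Every nested JSON object in a policy is one component (as in [0019])."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            items = _items(node, owner)
            if items:
                found.append(items)
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(policy)
    return found


def item_support(policy_sets, peers):
    """Which peer resources carry each type-value item anywhere in their policies."""
    support = defaultdict(set)
    for peer in peers:
        for policy in policy_sets[peer]:
            for comp in components(policy, peer):
                for item in comp:
                    support[item].add(peer)
    return support


def anomalous_components(policy_sets, target, peers, threshold=0.5):
    """Assumed anomaly context score: the fraction of peers sharing a component's least
    common type-value item. Components scoring below `threshold` are reported."""
    support = item_support(policy_sets, peers)
    flagged = []
    for policy in policy_sets[target]:
        for comp in components(policy, target):
            score = min(len(support[item]) / len(peers) for item in comp)
            if score < threshold:
                flagged.append((score, sorted(comp)))
    return flagged


if __name__ == "__main__":
    for score, comp in anomalous_components(POLICY_SETS, "prod-bucket3", ["prod-bucket1", "prod-bucket2", "prod-bucket4"]):
        print(f"score={score:.2f} component={comp}")
```

Run against the sample, the statement granting `"Principal": "*"` on prod-bucket3 is flagged with score 0 because no peer bucket grants anonymous access, and so is its `Condition` object, which no peer carries at all. The second hit illustrates a caveat of purely structural comparison: a unique condition may be a legitimate hardening rather than a misconfiguration, so the score ranks components for review instead of deciding on its own.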
[0020]
Peer privilege analysis: In this module, all the access permissions assigned to a user are analyzed for potential misconfigurations by comparing them with those of peer principals/users. A large spike in the access assigned to a user may be considered anomalous access, and the corresponding configuration is termed an anomalous configuration.
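The following is an added example, not the patent's own code, of the peer privilege analysis just outlined. The user attributes, the representation of each access privilege as a (permission value, resource value) pair, the rule that peers are users with identical attributes, and the two flagging rules (a privilege held by fewer than half of the peers, and a privilege count at least twice the peers' mean) are assumptions; the patent only states that a user's access is compared with that of peers and that a large spike is anomalous.

```python
# Added example (not the patent's own code): peer privilege analysis as outlined in
# [0020]. Attributes, privilege shape and both flagging rules are assumptions.
from statistics import mean

# Constructed sample data. Each user carries attributes (used to find peers) and a set
# of access privileges, each a (permission value, resource value) pair.
USERS = {
    "alice": {"team": "payments", "role": "developer"},
    "bob":   {"team": "payments", "role": "developer"},
    "carol": {"team": "payments", "role": "developer"},
    "dave":  {"team": "payments", "role": "sre"},
    "erin":  {"team": "billing",  "role": "developer"},
}

PRIVILEGES = {
    "alice": {("read", "Prod Bucket3"), ("read", "Prod Bucket1")},
    "bob":   {("read", "Prod Bucket3"), ("read", "Prod Bucket1"), ("write", "Prod Bucket3"),
              ("delete", "Prod Bucket3"), ("admin", "Prod VM1")},
    "carol": {("read", "Prod Bucket3"), ("read", "Prod Bucket1")},
    "dave":  {("read", "Prod Bucket3"), ("start", "Prod VM1"), ("admin", "Prod VM1")},
    "erin":  {("read", "Billing Bucket")},
}


def peer_users(users, name):
    """Peers are the other users whose attributes all match (assumed rule)."""
    attrs = users[name]
    return sorted(u for u, a in users.items() if u != name and a == attrs)


def abnormal_privileges(users, privileges, name, min_peer_fraction=0.5, spike_ratio=2.0):
    """Compare one user's privileges with those of the peers.

    Two signals are reported: individual privileges held by fewer than `min_peer_fraction`
    of the peers, and a count spike, i.e. the user holding at least `spike_ratio` times
    the mean number of privileges of the peers.
    """
    peers = peer_users(users, name)
    if not peers:
        # No comparison baseline: report nothing rather than guessing.
        return {"peers": [], "unshared": [], "spike": False}
    unshared = []
    for priv in sorted(privileges[name]):
        holders = sum(1 for p in peers if priv in privileges[p])
        if holders / len(peers) < min_peer_fraction:
            unshared.append(priv)
    peer_mean = mean(len(privileges[p]) for p in peers)
    spike = len(privileges[name]) >= spike_ratio * peer_mean
    return {"peers": peers, "unshared": unshared, "spike": spike}


if __name__ == "__main__":
    for user in USERS:
        print(user, abnormal_privileges(USERS, PRIVILEGES, user))
```

For bob, whose peers alice and carol each hold two read privileges, the write and delete rights on Prod Bucket3 and the admin right on Prod VM1 are reported as unshared, and his five privileges against a peer mean of two trip the spike rule. Users without any peer (dave, erin) produce no finding, which is the safer default: with no baseline the module cannot distinguish an anomaly from a legitimately unique role.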
[0021]
The self-learning based anomalous configuration discovery module stores the anomalous bindings and assignments that are discovered, along with the type, security level and other properties of the entities involved; a self-learning anomaly detection system may then be trained on this data so that it can detect such configurations in further processing. The present disclosure is applicable to any cloud environment or on-premises environment to discover abnormal or anomalous configurations in access policies. This is a proactive approach, as opposed to the currently available reactive approaches where anomalies are discovered only after the fact or event.
[0022]
Referring now to the drawings, and more particularly to FIG. 1 through FIG. 5, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments, and these embodiments are described in the context of the following exemplary system and/or method.
[0023]
FIG. 1 is a functional block diagram of a system 100 for detecting anomalous configurations in cloud environment, in accordance with some embodiments of the present disclosure. The system 100 includes or is otherwise in communication with hardware processors 102, at least one memory such as a memory 104, and an Input/Output (I/O) interface 112. The hardware processors 102, memory 104, and the I/O interface 112 may be coupled by a system bus such as a system bus 108 or a similar mechanism. In an embodiment, the hardware processors 102 can be one or more hardware processors.
[0024]
The I/O interface 112 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a printer and the like. Further, the I/O interface 112 may enable the system 100 to communicate with other devices, such as web servers and external databases.
[0025]
The I/O interface 112 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For this purpose, the I/O interface 112 may include one or more ports for connecting several computing systems or devices to one another or to another server.
[0026]
The one or more hardware processors 102 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, node machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 102 are configured to fetch and execute computer-readable instructions stored in memory 104.
[0027]
The memory 104 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, memory 104 includes a plurality of modules 106. Memory 104 also includes a data repository (or repository) 110 for storing data processed, received, and generated by the plurality of modules 106.
[0028]
The plurality of modules 106 includes programs or coded instructions that supplement applications or functions performed by the system 100 for detecting anomalous configurations in cloud environment. The plurality of modules 106, amongst other things, can include routines, programs, objects, components, and data structures, which perform particular tasks or implement particular abstract data types. The plurality of modules 106 may also be used as signal processor(s), node machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 106 can be used by hardware, by computer-readable instructions executed by the one or more hardware processors 102, or by a combination thereof. The plurality of modules 106 can include various sub-modules (not shown).
[0029]
The data repository (or repository) 110 may include a plurality of abstracted pieces of code for refinement and data that is processed, received, or generated as a result of the execution of the plurality of modules in the module(s) 106.
[0030]
Although the data repository 110 is shown internal to the system 100, it will be noted that, in alternate embodiments, the data repository 110 can also be implemented external to the system 100, where the data repository 110 may be stored within a database (repository 110) communicatively coupled to the system 100. The data contained within such an external database may be periodically updated. For example, new data may be added into the database (not shown in FIG. 1) and/or existing data may be modified and/or non-useful data may be deleted from the database. In one example, the data may be stored in an external system, such as a Lightweight Directory Access Protocol (LDAP) directory or a Relational Database Management System (RDBMS). The working of the components of the system 100 is explained with reference to the method steps depicted in FIG. 2.
[0031]
FIG. 2 is an exemplary flow diagram illustrating a method 200 for detecting anomalous configurations in cloud environment implemented by the system of FIG. 1 according to some embodiments of the present disclosure. In an embodiment, the system 100 includes one or more data storage devices or the memory 104 operatively coupled to the one or more hardware processor(s) 102 and is configured to store instructions for execution of the steps of the method 200 by the one or more hardware processors 102. The steps of the method 200 of the present disclosure will now be explained with reference to the components or blocks of the system 100 as depicted in FIG. 1 and the steps of the flow diagram as depicted in FIG. 2. The method 200 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The method 200 may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communication network. The order in which the method 200 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method 200, or an alternative method. Furthermore, the method 200 can be implemented in any suitable hardware, software, firmware, or combination thereof.
[0032]
At step 202 of method 200, the one or more hardware processors 102 are configured by the programmed instructions to receive data pertaining to a target cloud resource associated with a cloud environment. The data is represented as an entity relationship graph comprising a plurality of cloud resources, a plurality of cloud users and a plurality of relationships associated with the plurality of cloud resources and the plurality of cloud users. Consider a cloud scenario as shown in FIG. 3, including the plurality of users, the plurality of cloud resources and the associated plurality of policies. For example, the target cloud resource is “Prod Bucket3”.
[0033]
At step 204 of the method 200, the one or more hardware processors 102 are configured by the programmed instructions to identify a plurality of target policies associated with the cloud environment from among a plurality of policies with a target value equal to the target cloud resource.
[0034]
At step 206 of the method 200, the one or more hardware processors 102 are configured by the programmed instructions to identify a plurality of potential peer resources from among the plurality of cloud resources based on a comparison between a plurality of attributes associated with the target cloud resource and a plurality of attributes corresponding to each of the plurality of cloud resources. For example, the plurality of attributes includes a resource type, a resource parent, scope of the resource, confidentiality level of the resource and the like.
[0035]
At step 208 of the method 200, the one or more hardware processors 102 are configured by the programmed instructions to identify a plurality of peer resources from among the plurality of potential peer resources based on a quantile score, wherein the plurality of potential peer resources with the quantile score above a predefined threshold are identified as the plurality of peer resources.
[0036]
For example, the resources having at least 75% of their attributes (a proportion that can be modified by the administrator) similar to those of the target resource are considered equivalent/peer resources for the target resource.
[0037]
At step 210 of the method 200, the one or more hardware processors 102 are configured by the programmed instructions to obtain a plurality of combined policies by merging the plurality of policies associated with each of the plurality of peer resources and the target cloud resource. For example, if multiple policies are received for a resource, the plurality of policies associated with each of the plurality of peer resources are merged to form a single policy.
[0038]
Each policy is made of a set of rules. Each rule is at most a combination of users, a role, and conditions. Each rule is a component in the policy. Policies are dissected into such components. Here, one component in each policy of the peers and two components in the target policy are shown for illustration purposes, as shown in FIG. 4.
[0039]
At step 212 of the method 200, the one or more hardware processors 102 are configured by the programmed instructions to generate a plurality of components for the target cloud resource by segmenting the plurality of combined policies, wherein each of the plurality of components comprises a plurality of objects, wherein each nested object in a JavaScript Object Notation (JSON) formatted policy is identified as a component. FIG. 5 illustrates example components.
[0040]
At step 214 of the method 200, one or more hardware processors 102 are configured by the programmed instructions to obtain a plurality of target policy components from among the plurality of components generated for the target resource based on a type-value mapping between key-value pairs of the objects in each of the plurality of components.
[0041]
At step 216 of the method 200, one or more hardware processors 102 are configured by the programmed instructions to obtain a plurality of peer policy components (shown in FIG. 5) from among the plurality of components based on the type-value mapping between the key-value pairs of the objects in the plurality of components.
[0042]
At step 218 of the method 200, one or more hardware processors 102 are configured by the programmed instructions to identify a plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and an anomaly context score.
[0043]
The steps of identifying the plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and the anomaly context score are described as follows: Initially, a plurality of potential anomalous components is identified based on a comparison between the plurality of target policy components and the plurality of peer policy components. Further, an anomaly context score is computed for each of the plurality of potential anomalous components by analyzing a contextual relevance of each of the plurality of anomalous components and the target cloud resource. Finally, a plurality of anomalous components is identified from among the plurality of potential anomalous components based on a corresponding anomaly context score. The plurality of potential anomalous components with anomaly context scores greater than a predefined context threshold is identified as the plurality of anomalous components.
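As an added example of steps 206 through 218 (not code from the patent), the following Python selects peer resources by attribute similarity, merges and segments JSON policies into type-value components, and lists the target components that no peer shares. The resource names, policies and the 75% threshold are constructed for illustration, and the fraction of matching attributes stands in for the quantile score.

```python
from typing import Dict, List, Set, Tuple

# Constructed entity-graph attributes for a few resources: resource type,
# parent, scope and confidentiality level (the page's example attributes).
RESOURCES: Dict[str, Dict[str, str]] = {
    "Prod Bucket3": {"type": "bucket", "parent": "prod", "scope": "project", "confidentiality": "confidential"},
    "Prod Bucket1": {"type": "bucket", "parent": "prod", "scope": "project", "confidentiality": "confidential"},
    "Prod Bucket2": {"type": "bucket", "parent": "prod", "scope": "project", "confidentiality": "internal"},
    "Dev Bucket1": {"type": "bucket", "parent": "dev", "scope": "project", "confidentiality": "public"},
    "Prod DB1": {"type": "database", "parent": "prod", "scope": "region", "confidentiality": "confidential"},
}

# Constructed policy documents keyed by the resource they target (step 204's
# "target value"). A resource may receive several documents; each binding is a
# nested JSON object and therefore becomes one component (step 212).
POLICIES: Dict[str, List[dict]] = {
    "Prod Bucket3": [
        {"bindings": [{"role": "roles/storage.objectViewer", "members": ["group:prod-readers"]}]},
        {"bindings": [{"role": "roles/storage.admin", "members": ["user:E"]}]},
    ],
    "Prod Bucket1": [
        {"bindings": [{"role": "roles/storage.objectViewer", "members": ["group:prod-readers"]}]},
    ],
    "Prod Bucket2": [
        {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["group:prod-readers"]},
            {"role": "roles/storage.admin", "members": ["serviceAccount:backup"]},
        ]},
    ],
    "Dev Bucket1": [
        {"bindings": [{"role": "roles/storage.admin", "members": ["user:E"]}]},
    ],
    "Prod DB1": [],
}

PEER_THRESHOLD = 0.75  # share of matching attributes; administrator-tunable


def attribute_similarity(target: Dict[str, str], candidate: Dict[str, str]) -> float:
    """Fraction of the target's attributes the candidate holds with the same value
    (used here as the score of steps 206-208; a simplification of the quantile score)."""
    return sum(1 for k, v in target.items() if candidate.get(k) == v) / len(target)


def find_peer_resources(target: str, resources: Dict[str, Dict[str, str]],
                        threshold: float = PEER_THRESHOLD) -> List[str]:
    """Candidates scoring at or above the threshold are the target's peer resources."""
    t = resources[target]
    return sorted(name for name, attrs in resources.items()
                  if name != target and attribute_similarity(t, attrs) >= threshold)


def merge_policies(docs: List[dict]) -> List[dict]:
    """Step 210: the bindings of every document received for one resource form a single policy."""
    return [binding for doc in docs for binding in doc.get("bindings", [])]


# A component as a type-value mapping: a sorted tuple of (key, value) pairs,
# with list-valued keys expanded so that member order does not matter.
Component = Tuple[Tuple[str, str], ...]


def segment(policy: List[dict]) -> Set[Component]:
    """Steps 212-216: each nested object is one component, normalised for comparison."""
    components: Set[Component] = set()
    for obj in policy:
        pairs = []
        for key, value in obj.items():
            values = value if isinstance(value, list) else [value]
            pairs.extend((key, str(v)) for v in values)
        components.add(tuple(sorted(pairs)))
    return components


def potential_anomalous_components(target: str, resources, policies,
                                   threshold: float = PEER_THRESHOLD) -> List[Component]:
    """Step 218, first pass: target components that appear in no peer's merged policy.
    These are only candidates; the anomaly context score decides whether they stand."""
    peers = find_peer_resources(target, resources, threshold)
    peer_components = set().union(*(segment(merge_policies(policies[p])) for p in peers))
    return sorted(segment(merge_policies(policies[target])) - peer_components)


if __name__ == "__main__":
    for comp in potential_anomalous_components("Prod Bucket3", RESOURCES, POLICIES):
        print("potential anomaly on Prod Bucket3:", dict(comp))
```

Note that Dev Bucket1 carries the same admin binding for user E but is not a peer of Prod Bucket3 (only half its attributes match), so the binding is still flagged; peer selection is what makes the comparison meaningful.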
17
[0044]
For example, the steps of computing the anomaly context score for each of the plurality of anomalous components by analyzing the contextual relevance of each of the plurality of anomalous components and the target cloud resource are described as follows: Initially, a component permission type associated with each of the plurality of anomalous components is identified. The component permission type includes a read permission, a write permission and an admin permission. Each component’s permission type is associated with a corresponding permission weight as shown in Table 1. Further, a user permission type associated with each of the plurality of users associated with each of the plurality of anomalous components is identified. The user permission type includes a regular permission, an admin permission, a service account and a system account, wherein each user permission type is associated with a corresponding user permission weight.
[0045]
After identifying the user permission type, a secrecy level of the target resource is identified from among a plurality of secrecy levels and a security level of the plurality of users from among a plurality of security levels, wherein each of the plurality of secrecy levels is associated with a corresponding secrecy weight and each of the plurality of security levels is associated with a corresponding security weight. For example, the secrecy levels comprise “confidential”, “internal”, “public”, “private”. Similarly, example security levels comprise “Basic”, “Low”, “Medium”, “High”.
[0046]
Furthermore, a scope value of permission associated with the plurality of anomalous components is identified, wherein the scope value of a permission defines a number of activities performed with the permission, wherein the scope value is proportional to the number of activities performed with the permission and, wherein a weight is assigned to each permission based on the scope value. For example, if a user has the permission "storage.admin.get" over a bucket A, and the permission has X activities, then the scope value of the permission "storage.admin.get" is X.
[0047]
After identifying the scope value of the permission, a plurality of anomalous permissions associated with the plurality of anomalous components are identified based on a frequency value associated with each permission type using an anomaly detection model, wherein a frequency based weight is assigned to each permission, and wherein a role based weight is assigned to each of the plurality of users based on role hierarchy. Finally, the anomaly context score is computed based on the secrecy level of the target resource, the security level of the plurality of users, the scope value of permission and the plurality of anomalous permissions.
[0048]
Table 1 illustrates example values for the context anomaly score attributes of a component. For example, the combined weightage, i.e., the sum of the scores of each parameter, is 4.5/6. Here, 6 is the total number of context anomaly score attributes and 4.5 is the sum of the values associated with those attributes. Assuming the threshold weightage is at 2, the anomaly context score of this component is 4.5 and it is marked as an anomaly. The anomalous component, the properties of the component (its type-value components and the above parameter details) and the anomaly context score are sent to the anomaly detection model so that the model uses this information for learning the anomalous configurations.
Table 1
Permission type: Admin (high: 1)
Type of user: Regular (low: 0.25)
Confidentiality level of resource, security level of user: Assuming low & low, so an average of 0.5
Scope of the permission over the resource: Complete access (high: 1)
Frequency of the permission in the flagged component across the equivalent/peer resources’ policies: Never found (high: 1)
User role in the organizational/enterprise hierarchy: Developer (high: 0.75)
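An added example (not the patent's own code) of the Table 1 computation: the six attribute weights are summed, the frequency weight is derived from the peer resources' policies, and the total is compared with the threshold of 2. Only the values printed in Table 1 come from the page; the weights for the other permission, user, level, scope and role categories, and the mapping of the page's named secrecy and security levels onto low/medium/high tiers, are assumptions.

```python
from typing import Dict, List, Set

# Weights for the six context anomaly score attributes. The values on the rows
# Table 1 lists are taken from the table; every other value is an assumption
# made for this example.
PERMISSION_TYPE_WEIGHT = {"read": 0.25, "write": 0.5, "admin": 1.0}
USER_TYPE_WEIGHT = {"regular": 0.25, "admin": 0.5, "service_account": 0.75, "system_account": 1.0}
LEVEL_WEIGHT = {"low": 0.5, "medium": 0.75, "high": 1.0}  # shared by the secrecy and security tiers
SCOPE_WEIGHT = {"single_activity": 0.25, "partial": 0.5, "complete": 1.0}
ROLE_WEIGHT = {"intern": 0.25, "analyst": 0.5, "developer": 0.75, "lead": 1.0}

CONTEXT_THRESHOLD = 2.0  # the page's example threshold weightage


def frequency_weight(permission: str, peer_permissions: List[Set[str]]) -> float:
    """Frequency attribute: how rarely the permission occurs across the peer
    resources' policies. A permission found in no peer policy gets Table 1's
    'never found' weight of 1; one found in every peer policy gets 0."""
    if not peer_permissions:
        return 1.0
    found = sum(1 for perms in peer_permissions if permission in perms)
    return 1.0 - found / len(peer_permissions)


def context_score(component: Dict[str, str], peer_permissions: List[Set[str]]) -> Dict:
    """Sum the six attribute weights of a potential anomalous component and
    compare the total with the threshold. The returned record carries the
    component, its per-attribute values and the score, which is the information
    the page says is handed to the anomaly detection model."""
    attributes = {
        "permission_type": PERMISSION_TYPE_WEIGHT[component["permission_type"]],
        "user_type": USER_TYPE_WEIGHT[component["user_type"]],
        # Table 1 averages the resource's confidentiality tier and the user's security tier.
        "confidentiality_security": (LEVEL_WEIGHT[component["resource_secrecy"]]
                                     + LEVEL_WEIGHT[component["user_security"]]) / 2,
        "scope": SCOPE_WEIGHT[component["scope"]],
        "frequency": frequency_weight(component["permission"], peer_permissions),
        "user_role": ROLE_WEIGHT[component["user_role"]],
    }
    score = sum(attributes.values())
    return {
        "component": component,
        "attributes": attributes,
        "score": score,
        "max_score": float(len(attributes)),
        "anomalous": score > CONTEXT_THRESHOLD,
    }


# Constructed inputs reproducing the Table 1 row values: an admin permission held
# by a regular developer with complete access, never granted on any peer resource.
FLAGGED_COMPONENT = {
    "permission": "storage.admin", "permission_type": "admin",
    "user": "user:E", "user_type": "regular", "user_role": "developer",
    "resource_secrecy": "low", "user_security": "low", "scope": "complete",
}
# Permissions granted in the two peer resources' policies (constructed).
PEER_PERMISSIONS = [{"storage.objectViewer"}, {"storage.objectViewer", "storage.objectCreator"}]

if __name__ == "__main__":
    result = context_score(FLAGGED_COMPONENT, PEER_PERMISSIONS)
    print(f"score {result['score']}/{result['max_score']:.0f}, anomalous={result['anomalous']}")
```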
[0049]
At step 220 of the method 200, one or more hardware processors 102 are configured by the programmed instructions to identify a plurality of users associated with the identified plurality of anomalous components, wherein each of the plurality of users are associated with a plurality of user attributes.
[0050]
At step 222 of the method 200, one or more hardware processors 102 are configured by the programmed instructions to identify a plurality of peer users associated with each of the plurality of users based on the plurality of user attributes. For example, consider the target user, user E of FIG. 5 (obtained from the anomalous component discovered above). The users that match the metadata and properties available for user E in the entity graph are discovered. Some of these properties can be user type, parent entity, user security level, and user role in the organizational hierarchy. The users that have values similar to those of the target user are called “peer users”.
[0051]
At step 224 of the method 200, one or more hardware processors 102 are configured by the programmed instructions to extract a plurality of access privileges associated with each of the plurality of users and a corresponding plurality of peer users, wherein each of the plurality of access privileges comprises a plurality of permission values and a plurality of resource values. One can utilize the APIs provided by the cloud provider for this process or can follow the following process: discover the components where the user appears in a policy; then, the permissions given over a resource for this user are obtained from the component.
[0052]
At step 226 of the method 200, one or more hardware processors 102 are configured by the programmed instructions to identify a plurality of abnormal configurations from among the plurality of access privileges associated with each of the plurality of users based on a comparison between the access privileges associated with the plurality of peer users and the access privileges associated with the plurality of users.
[0053]
For example, the privileges whose permission frequency is lowest or almost zero among the peers are identified. Further, it is checked whether the scope and type of the resource are different from the resources mapped to the peer users. Also, it is checked whether the scope of the permission is different from that of the peers. Any unique privilege assignments thus found are considered anomalous privilege assignments. For example, a private document is allowed for the user E with permissions Document Owner and Document Admin. Even though this document is not found among the peer users, its scope is limited to the user, and it cannot be deemed an anomalous privilege assignment.
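An added example (not the patent's code) of steps 222 through 226 and the private-document caveat above: peer users are matched on their attributes, each privilege of the target user is compared with the peers' privileges, and resources scoped to the user alone are skipped. The users, resources, privileges and the rarity threshold are constructed.

```python
from typing import Dict, List, Set, Tuple

Privilege = Tuple[str, str]  # (resource value, permission value)

# Constructed entity-graph data: user attributes used for peer matching,
# resource type and scope, and each user's extracted access privileges.
USERS: Dict[str, Dict[str, str]] = {
    "E": {"type": "human", "parent": "eng-org", "security": "low", "role": "developer"},
    "F": {"type": "human", "parent": "eng-org", "security": "low", "role": "developer"},
    "G": {"type": "human", "parent": "eng-org", "security": "low", "role": "developer"},
    "H": {"type": "human", "parent": "finance", "security": "medium", "role": "lead"},
}
RESOURCE_META: Dict[str, Dict[str, str]] = {
    "Prod Bucket1": {"type": "bucket", "scope": "project"},
    "Prod Bucket2": {"type": "bucket", "scope": "project"},
    "Prod Bucket3": {"type": "bucket", "scope": "project"},
    "Org Root": {"type": "organization", "scope": "organization"},
    "Doc E": {"type": "document", "scope": "user"},  # private document owned by E
}
PRIVILEGES: Dict[str, Set[Privilege]] = {
    "E": {("Prod Bucket3", "storage.admin"), ("Prod Bucket1", "storage.objectViewer"),
          ("Org Root", "storage.objectViewer"),
          ("Doc E", "Document Owner"), ("Doc E", "Document Admin")},
    "F": {("Prod Bucket1", "storage.objectViewer"), ("Prod Bucket2", "storage.objectViewer")},
    "G": {("Prod Bucket1", "storage.objectViewer")},
    "H": {("Prod Bucket3", "storage.admin")},  # not a peer of E: different parent, level and role
}

RARE_FREQUENCY = 0.1  # "lowest or almost zero" share of peers holding a permission (assumed)


def find_peer_users(target: str, users: Dict[str, Dict[str, str]]) -> List[str]:
    """Step 222: users whose attributes match the target's are its peer users."""
    return sorted(u for u, attrs in users.items() if u != target and attrs == users[target])


def abnormal_privileges(target: str, users, resource_meta, privileges) -> List[Dict[str, str]]:
    """Step 226: compare the target's privileges with those of its peers.
    A privilege is reported when its permission is rare among the peers or when
    the resource's type or scope never occurs among the peers' resources.
    Resources scoped to the user alone are skipped, as the page's example says."""
    peers = find_peer_users(target, users)
    if not peers:
        return []  # no peer group, so no basis for comparison
    peer_permissions = [{perm for _, perm in privileges[p]} for p in peers]
    peer_types = {resource_meta[r]["type"] for p in peers for r, _ in privileges[p]}
    peer_scopes = {resource_meta[r]["scope"] for p in peers for r, _ in privileges[p]}
    findings = []
    for resource, permission in sorted(privileges[target]):
        meta = resource_meta[resource]
        if meta["scope"] == "user":
            continue
        reasons = []
        share = sum(1 for perms in peer_permissions if permission in perms) / len(peers)
        if share <= RARE_FREQUENCY:
            reasons.append(f"permission held by {share:.0%} of peers")
        if meta["type"] not in peer_types:
            reasons.append(f"resource type {meta['type']} unseen among peers")
        if meta["scope"] not in peer_scopes:
            reasons.append(f"resource scope {meta['scope']} unseen among peers")
        if reasons:
            findings.append({"user": target, "resource": resource,
                             "permission": permission, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in abnormal_privileges("E", USERS, RESOURCE_META, PRIVILEGES):
        print(finding)
```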
[0054]
The identified anomalous configurations and anomalous assignments are updated in the anomaly detection model, which is a self-learning model. The detection model then correlates this information with the user metadata, roles, groups, and other data found for these entities in the entity graph. This information is then used by the self-learning model to train itself to discover future anomalous misconfigurations.
[0055]
The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[0056]
The embodiments of the present disclosure herein address the unresolved problem of detecting anomalous configurations in a cloud environment. The present disclosure works on a zero-knowledge principle where it is not trained on all the access policies, thereby ensuring the security and privacy of the data and policies. The initial training is performed using known rules, best practices, and other publicly available information or organizational security practices. Further, the present disclosure provides fine-grained policy segmentation; the granular division of policies into type-value mappings allows for a more detailed and precise analysis. Further, contextual privilege analysis and peer privilege analysis introduce a contextual approach to privilege assessment over basic privilege checking methods. The self-learning mechanism helps to improve future detection. The present disclosure creatively combines multiple distinct techniques such as segmentation of policies, contextual peer privilege analysis and self-learning mechanisms.
[0057]
It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g., any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g., hardware means like e.g., an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means, and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g., using a plurality of CPUs, GPUs and edge computing devices.
[0058]
The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise. Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e. non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[0059]
It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.

WE CLAIM:
1. A processor-implemented method (200), the method comprising:
receiving (202), by one or more hardware processors, a data pertaining to a target cloud resource associated with a cloud environment, wherein the data comprises a plurality of cloud resources, a plurality of cloud users and a plurality of relationships associated with the plurality of cloud resources and a plurality of cloud users represented as an entity relationship graph;
identifying (204), by the one or more hardware processors, a plurality of target policies from among a plurality of policies associated with the cloud environment with the target value equal to the target cloud resource;
identifying (206), by the one or more hardware processors, a plurality of potential peer resources from among the plurality of cloud resources based on a comparison between a plurality of attributes associated with the target cloud resource and a plurality of attributes corresponding to each of the plurality of cloud resources;
identifying (208), by the one or more hardware processors, a plurality of peer resources from among the plurality of potential peer resources based on a quantile score, wherein the plurality of potential peer resources with the quantile score above a predefined threshold are identified as the plurality of peer resources;
obtaining (210), by the one or more hardware processors, a plurality of combined policies by merging the plurality of policies associated with each of the plurality of peer resources and the target cloud resource;
generating (212), by the one or more hardware processors, a plurality of components for the target cloud resource by segmenting the plurality of combined policies, wherein each of the plurality of components comprises a plurality of objects, wherein each nested object in Java Script Object Notation (JSON) formatted policy is identified as a component;

obtaining (214), by the one or more hardware processors, a plurality of target policy components from among the plurality of components generated for the target resource based on a type-value mapping between a key-value pairs of the objects in each of the plurality of components;
obtaining (216), by the one or more hardware processors, a plurality of peer policy components from among the plurality of components based on the type-value mapping between the key-value pairs of the objects in the plurality of components;
identifying (218), by the one or more hardware processors, a plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and an anomaly context score;
identifying (220), by the one or more hardware processors, a plurality of users associated with the identified plurality of anomalous components, wherein each of the plurality of users are associated with a plurality of user attributes;
identifying (222), by the one or more hardware processors, a plurality of peer users associated with each of the plurality of users based on the plurality of user attributes;
extracting (224), by the one or more hardware processors, a plurality of access privileges associated with each of the plurality of users and a corresponding plurality of peer users, wherein each of the plurality of access privilege comprises a plurality of permission values and a plurality of resource values; and
identifying (226), by the one or more hardware processors, a plurality of abnormal configuration from among the plurality of access privileges associated with each of the plurality of users based on a comparison between the access privileges associated with the plurality of peer users and the access privileges associated with the plurality of users.

2. The method (200) as claimed in claim 1, wherein the steps of identifying the plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and the anomaly context score comprises:
identifying a plurality of potential anomalous components based on a comparison between the plurality of target policy components and the plurality of peer policy components;
computing an anomaly context score for each of the plurality of potential anomalous components by analyzing a contextual relevance of each of the plurality of anomalous components and the target cloud source; and
identifying a plurality of anomalous components from among the plurality of potential anomalous components based on a corresponding anomaly context score, wherein a plurality of potential anomalous components with the anomaly context scores greater than a predefined context threshold are identified as plurality of anomalous components.

3. The method (200) as claimed in claim 2, wherein steps of computing the anomaly context score for each of the plurality of anomalous components by analyzing the contextual relevance of each of the plurality of anomalous components and the target cloud source comprises:
identifying a component permission type associated with each of the plurality of anomalous components, wherein the component permission type comprises a read permission, a write permission, and an admin permission and, wherein each component permission type is associated with a corresponding component permission weight;
identifying a user permission type associated with each of the plurality of users associated with each of the plurality of anomalous components, wherein the user permission type comprises a regular permission, an admin permission, a service account, and a system account, wherein each user permission types is associated with a corresponding user permission weight;
identifying a secrecy level of the target resource from among a plurality of secrecy levels and a security level of the plurality of users from among a plurality of security levels, wherein each of the plurality of secrecy levels are associated with a corresponding secrecy weight and each of the plurality security levels are associated with a corresponding security weight;
identifying a scope value of permission associated with the plurality of anomalous components, wherein the scope value of a permission defines a number of activities performed with a permission, wherein the scope value is proportional to the number of activities performed with the permission and, wherein a weight is assigned to each permission based on the scope value;
identifying a plurality of anomalous permissions associated with the plurality of anomalous components based on a frequency value associated with each permission type using an anomaly detection model, wherein a frequency based weight is assigned to each permission, wherein a role based weight is assigned to each of the plurality of users based on role hierarchy; and
computing the anomaly context score based on the secrecy level of the target resource, the security level of the plurality of users, the scope value of permission, the plurality of anomalous permissions.
4. The method (200) as claimed in claim 1, wherein the identified plurality of abnormal configurations is updated in the anomaly detection model.
5. A system (100) comprising:
at least one memory (104) storing programmed instructions; one or more Input /Output (I/O) interfaces (112); and one or more hardware processors (102) operatively coupled to the at least one memory (104), wherein the one or more hardware processors (102) are configured by the programmed instructions to:
receive a data pertaining to a target cloud resource associated with a cloud environment, wherein the data comprises a plurality of cloud resources, a plurality of cloud users and a plurality of relationships associated with the plurality of cloud resources and a plurality of cloud users represented as an entity relationship graph;

identify a plurality of target policies from among a plurality of policies associated with the cloud environment with the target value equal to the target cloud resource;
identify a plurality of potential peer resources from among the plurality of cloud resources based on a comparison between a plurality of attributes associated with the target cloud resource and a plurality of attributes corresponding to each of the plurality of cloud resources;
identify a plurality of peer resources from among the plurality of potential peer resources based on a quantile score, wherein the plurality of potential peer resources with the quantile score above a predefined threshold are identified as the plurality of peer resources;
obtain a plurality of combined policies by merging the plurality of policies associated with each of the plurality of peer resources and the target cloud resource;
generate a plurality of components for the target cloud resource by segmenting the plurality of combined policies, wherein each of the plurality of components comprises a plurality of objects, wherein each nested object in Java Script Object Notation (JSON) formatted policy is identified as a component;
obtain a plurality of target policy components from among the plurality of components generated for the target resource based on a type-value mapping between the key-value pairs of the objects in each of the plurality of components;
obtain a plurality of peer policy components from among the plurality of components based on the type-value mapping between the key-value pairs of the objects in the plurality of components;
identify a plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and an anomaly context score;

identify a plurality of users associated with the identified plurality of anomalous components, wherein each of the plurality of users are associated with a plurality of user attributes;
identify a plurality of peer users associated with each of the plurality of users based on the plurality of user attributes;
extract a plurality of access privileges associated with each of the plurality of users and a corresponding plurality of peer users, wherein each of the plurality of access privilege comprises a plurality of permission values and a plurality of resource values; and
identify a plurality of abnormal configuration from among the plurality of access privileges associated with each of the plurality of users based on a comparison between the access privileges associated with the plurality of peer users and the access privileges associated with the plurality of users.

6. The system of claim 5, wherein the steps of identifying the plurality of anomalous components based on the plurality of target policy components, the plurality of peer policy components and the anomaly context score comprises:
identifying a plurality of potential anomalous components based on a comparison between the plurality of target policy components and the plurality of peer policy components;
computing an anomaly context score for each of the plurality of potential anomalous components by analyzing a contextual relevance of each of the plurality of anomalous components and the target cloud source; and
identifying a plurality of anomalous components from among the plurality of potential anomalous components based on a corresponding anomaly context score, wherein a plurality of potential anomalous components with the anomaly context scores greater than a predefined context threshold are identified as plurality of anomalous components.

7. The system of claim 6, wherein steps of computing the anomaly context score for each of the plurality of anomalous components by analyzing the contextual relevance of each of the plurality of anomalous components and the target cloud source comprises:
identifying a component permission type associated with each of the plurality of anomalous components, wherein the component permission type comprises a read permission, a write permission, and an admin permission and, wherein each component permission type is associated with a corresponding component permission weight;
identifying a user permission type associated with each of the plurality of users associated with each of the plurality of anomalous components, wherein the user permission type comprises a regular permission, an admin permission, a service account, and a system account, wherein each user permission types is associated with a corresponding user permission weight;
identifying a secrecy level of the target resource from among a plurality of secrecy levels and a security level of the plurality of users from among a plurality of security levels, wherein each of the plurality of secrecy levels are associated with a corresponding secrecy weight and each of the plurality security levels are associated with a corresponding security weight;
identifying a scope value of permission associated with the plurality of anomalous components, wherein the scope value of a permission defines a number of activities performed with a permission, wherein the scope value is proportional to the number of activities performed with the permission and, wherein a weight is assigned to each permission based on the scope value;
identifying a plurality of anomalous permissions associated with the plurality of anomalous components based on a frequency value associated with each permission type using an anomaly detection model, wherein a frequency based weight is assigned to each permission, wherein a role based weight is assigned to each of the plurality of users based on role hierarchy; and
computing the anomaly context score based on the secrecy level of the target resource, the security level of the plurality of users, the scope value of permission, the plurality of anomalous permissions.

8. The system of claim 5, wherein the identified plurality of abnormal configurations is updated in the anomaly detection model.

Documents

Application Documents

# Name Date
1 202321087212-STATEMENT OF UNDERTAKING (FORM 3) [20-12-2023(online)].pdf 2023-12-20
2 202321087212-REQUEST FOR EXAMINATION (FORM-18) [20-12-2023(online)].pdf 2023-12-20
3 202321087212-FORM 18 [20-12-2023(online)].pdf 2023-12-20
4 202321087212-FORM 1 [20-12-2023(online)].pdf 2023-12-20
5 202321087212-FIGURE OF ABSTRACT [20-12-2023(online)].pdf 2023-12-20
6 202321087212-DRAWINGS [20-12-2023(online)].pdf 2023-12-20
7 202321087212-DECLARATION OF INVENTORSHIP (FORM 5) [20-12-2023(online)].pdf 2023-12-20
8 202321087212-COMPLETE SPECIFICATION [20-12-2023(online)].pdf 2023-12-20
9 202321087212-FORM-26 [22-01-2024(online)].pdf 2024-01-22
10 Abstract1.jpg 2024-03-05
11 202321087212-Proof of Right [05-04-2024(online)].pdf 2024-04-05
12 202321087212-FORM-26 [14-11-2025(online)].pdf 2025-11-14