DESC:FORM 2

THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003

COMPLETE SPECIFICATION
(See Section 10 and Rule 13)

Title of invention:
SYSTEM AND METHOD FOR DYNAMIC IDENTIFICATION OF ROGUE APPLICATION USING TIME STAMPING TECHNIQUES

Applicant

Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India

The following specification particularly describes the invention and the manner in which it is to be performed.

CROSS-REFERENCE TO RELATED APPLICATIONS AND PRIORITY
The present application claims priority from Indian patent application number 201821003000, filed on January 25, 2018 the complete disclosure of which, in its entirety is herein incorporated by reference.

TECHNICAL FIELD
The disclosure herein generally relates to the field of system security and, more particularly, but not specifically, to provide security to system against one or more rogue applications.

BACKGROUND
Attack or threat from malicious application against a system is critical problem that needs to be addressed. Malware attacks due to such malicious applications are capable of stealing or changing data or information stored in the system, effectively resulting in unauthorized access of information. These malware applications interfere with smooth operation of the system and lead to significant degradation of the system performance and also may lead to complete collapse or crashing of the system.

Existing methods employ security systems such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to identify and stop the malware applications. The IDS and IPS solutions can block external source of an intrusion (malware application) originating from outside the system. The existing security systems (IDS and IPS) can successfully block the external source of intrusion, however cannot anticipate or expect that the source of a threat may be within the system that is being protected. A rogue application is a form of internal security threat which is difficult to detect and prevent. The rogue application is capable of crashing an entire system and the containers executing on it. The rogue application triggers creation of more containers and overloads the system by excessive consumption of the system’s resource, which results in crashing the system, by rapidly consuming all the system resources.

The traditional security system’s threat scanning technology has few limitations when attempting to identify rogue application. One of limitation is that the system security cannot differentiate between the genuine application and rogue applications which may result in killing of genuine application or retaining of the rogue application. Further, another limitation of few of exiting security systems is that they also lack real time or dynamic identification of the rogue applications.

Thus, solutions or platforms that ensures a disruption free transition of customer information, account particulars and transaction history only after consensus is built, so as to accommodate current and future transactions, without the need of informing any of the counterparties.

SUMMARY
Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method and a system for providing dynamic identification of rogue container application using time stamping techniques is disclosed.

Moreover, the system, alternatively referred as a rogue application detection system, continuously monitors resources or infrastructure to collect the usage information or data of various activities such as Central Processing Unit (CPU) usage, Random access memory (RAM) usage, and so on. It should be noted that the collected information is time stamped and the time stamped information is analyzed to identify the existence of a predefined pattern. Presence of the predefined pattern may be indicative of presence of rouge application, while randomness or no pattern may be indicative of presence of a genuine application. Any rogue application, if identified will be removed. However, if the application is identified as a genuine application it is further monitored for longer duration. The monitoring for longer duration enables detection of presence of any long term predefined pattern, which can then be identified as rouge application else can be confirmed to be the genuine application requiring additional system resources. Further for the application once confirmed as genuine application, control for the application is passed on to the auto-scaling module of the system to spawn another instance of the application or container to ensure the performance of the system does not degrade.

In another embodiment, the processor-implemented method to provide a dynamic identification of rogue container application using time stamping techniques. The method comprising one or more steps as follows. Initially, monitoring one or more resources of a platform to collect information of usage of one or more activities of the one or more resources of the platform. It should be appreciated that the collected information is time stamped. A time series data is generated from the collected information of usage of the one or more activities of the one or more resources of the platform and the generated time series data is analyzed to identify a rogue application. The analysis of the generated time series data comprising collecting an existence of a predefined pattern, wherein the existence of the predefined pattern is an indicative of a rogue application in the one or more resources, collecting an absence of the predefined pattern, wherein the absence of the predefined pattern is the indicative of a genuine application in the one or more resources, and further monitoring the genuine application for a predefined longer duration, wherein the predefined longer duration monitoring enables to identify the existence of a predefined pattern, wherein the existence of the predefined pattern is indicative of the rogue application.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:

FIG. 1 illustrates an overview of a rogue application detection system for dynamic identification of rogue application using time stamping techniques, according to some embodiments of the present disclosure; and

FIG.2 is a flow diagram illustrating a method for dynamic identification of rogue application using time stamping techniques, in accordance with some embodiments of the present disclosure;

It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems and devices embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.

DETAILED DESCRIPTION OF EMBODIMENTS
Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the spirit and scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope and spirit being indicated by the following claims.

The embodiments herein provide a method and a system for providing dynamic identification of rogue application using a time stamping techniques. The system provides a continuous or seamless monitoring platform for identifying a rogue application dynamically by utilizing time stamping techniques.

It is to be noted that the system dynamically identifies one or more rogue applications using time stamping techniques. The system continuously monitors resources or infrastructure, to collect the usage information or data of various activities such as CPU usage, RAM usage, and so on. The collected information is time stamped, and it is analyzed to identify the existence of any predefined pattern. Presence of the predefined rogue pattern may be indicative of presence of a rouge application, while predefined randomness or no pattern may be indicative of presence of a genuine application. Whenever the rogue application is identified, the rogue application is removed from said resources or infrastructure. However, if the application is identified as a predefined genuine application it is further monitored for a predefined longer duration. The monitoring for the predefined longer duration enables detection of presence of any predefined long term pattern, which can then be identified as the predefined rouge application else can be confirmed to be the predefined genuine application which would require additional resources. Furthermore, during the monitoring phase, in case of identification of the predefined rogue pattern the application is removed, while in case of absence of any predefined rogue pattern, the control is passed on to the auto-scaling arrangement to spawn another instance of the application or container to ensure the performance of the resources does not degrade.

Referring now to the drawings, and more particularly to FIG. 1 through FIG. 2, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.

Referring FIG. 1, a system (100) for providing a dynamic identification of a rogue container application using a time stamping. The system is configured for dynamic identification of the predefined rogue application using a time stamping technique and by considering a Linux container as a use case, according to some embodiments of the disclosure. It would be appreciated that the predefined rogue application is an application which consumes the infrastructural resources in a specific pattern. The specific pattern could be a constant periodic interval. For instance, the rogue application consumes or requests for infrastructural resources such as RAM, storage etc. in an attempt to consume most of the available resources, hampering the performance of other applications.

The rouge application requests for one or more infrastructural resources that could be identified with the frequency at which these requests are made. For instance there exists a specific pattern in the request for resources. That pattern may be plotted in a time series graph. To be more specific, the rouge application might request for an amount of RAM for every one hour, despite the absence of load on the application. The subsequent requests made could then be identified based on the time stamps at which these requests are made.

In the preferred embodiment, the system (100) comprises at least one memory (102) with a plurality of instructions and one or more hardware processors (104) which are communicatively coupled with the at least one memory (102) to execute modules therein. The system comprises a monitoring module (106), a generation module (108), an analyzing module (110) and an identification module (112).

It is to be noted that the system (100) is explained with reference to a Linux container. The Linux container comprises a server infrastructure, a predefined rogue application detection model, and a run time model such as Docker, LXC, and Rocket, wherein the Docker orchestrator includes Kubernetes, and Docker Swarm.

In one aspect, the Kubernetes for the orchestrator, also includes an auto-scaling application. The server infrastructure includes hardware components operating model and the Docker. Further, the hardware components comprises a CPU, a RAM, a disk, and a net interface. The service infrastructure is continuously monitored at real time by the rogue application detection model.

In the preferred embodiment of the disclosure, the monitoring module (106) of the system (100) is configured to continuously monitor the infrastructure or resources to collect the usage information or data of one or more activities. The one or more activities include a CPU usage, and a RAM usage.

In the preferred embodiment of the disclosure, the generation module (108) of the system (100) is configured to generate a time series data using the collected usage information of the infrastructure or resources. Alternatively, it would be appreciated that the collected usage information is time stamped, which leads to the generation of a time series data.

In the preferred embodiment of the disclosure, the analyzing module (110) of the system (100) is configured to analyze the generated time series data. Wherein, the analysis is to identify the presence of a predefined rogue pattern. It is to be noted that the identified rogue pattern is categorized into a predefined genuine container application and a predefined rogue container application.

It would be appreciated that a pattern to predefined genuine container application does not follow the pattern to a rogue container application. For instance, the requests for additional infrastructural resources need not be at constant intervals or the requests could be tagged against the increase in application load. Whereas, the infrastructural consumption pattern to the predefined rogue container application may follow a pattern for additional resources might be at a regular interval.

In the preferred embodiment of the disclosure, the container identification module (112) of the system (100) is configured to tag a container application based on the identified rogue pattern. Where the identified rogue pattern matches a pattern of the container application, then the container is tagged as a rogue container application. Further, if the identified rogue pattern does not matches a pattern of the container application, then the system continues to monitor the container application to ensure that it is not a deceiving rogue application.

In one example, wherein the identification of a rogue pattern the Kubernetes platform sends out a signal to remove the application/container. Further then, during the monitoring process if the rogue application detection system does not identify any rogue pattern, the control is passed on to an auto-scaling system such as Horizontal pod auto scaling application inside Kubernetes with instructions to spawn another instance of the application or container (in case of a Linux container infrastructure) to ensure the performance of the system does not degrade.

It would be appreciated that the system is configured to remove the tagged rogue container application by a Kubernetes platform.

FIG. 2 is a flow diagram illustrating a method (200) for dynamic identification of rogue application using time stamping techniques, in accordance with some embodiments of the present disclosure.

In the preferred embodiment of the disclosure, initially at step (202), monitoring one or more resources of a platform to collect an information of usage of one or more activities of the one or more resources of the platform, wherein the collected information is time stamped.

In one embodiment, monitoring resources or infrastructure to collect the usage information or data of various activities such as Central Processing Unit (CPU) usage, Random access memory (RAM) usage, and so on. It should be noted that the collected information is time stamped and the time stamped information is analyzed to identify the existence of a predefined pattern. Presence of the predefined pattern may be indicative of presence of rouge application, while randomness or no pattern may be indicative of presence of a genuine application. Any rogue application, if identified will be removed. However, if the application is identified as a genuine application it is further monitored for longer duration. The monitoring for longer duration enables detection of presence of any long term predefined pattern, which can then be identified as rouge application else can be confirmed to be the genuine application requiring additional system resources. Further for the application once confirmed as genuine application, control for the application is passed on to the auto-scaling module of the system to spawn another instance of the application or container to ensure the performance of the system does not degrade.

In the preferred embodiment of the disclosure, at the step (204), a time series data is generated from the collected information of usage of the one or more activities of the one or more resources of the platform. For instance there exists a specific pattern in the request for resources. That pattern may be plotted in a time series graph. To be more specific, the rouge application might request for an amount of RAM for every one hour, despite the absence of load on the application. The subsequent requests made could then be identified based on the time stamps at which these requests are made.

In the preferred embodiment of the disclosure, at the step (206), the generated time series data is analyzed to identify a rogue application. The analyzing comprising one or more steps as collecting an existence of a predefined pattern, wherein the existence of the predefined pattern is an indicative of a rogue application in the one or more resources. Further, it collects an absence of the predefined pattern and the absence of the predefined pattern is the indicative of a genuine application in the one or more resources.

Furthermore, the analysis includes continual monitoring of the container application to ensure it’s not a deceiving rogue application/container and keep a watch for any rogue application/container. It is to be noted that the continuous monitoring the genuine application for a predefined longer duration, enables to identify the existence of a predefined pattern. Once the existence of the predefined pattern is identified, that is indicative of the rogue application.

In one example, considering a use case for rogue pattern identification as fork bomb rogue application, wherein fork bomb attack follows a polynomial expression with respect to its system/infrastructure resource (RAM usage, CPU usage and so on )consumption as shown below;
F_CPU or F_RAM= ?_(n=0)^8¦?K_n t^n ?

Where
F is a fraction of resource usage of the system/infrastructure
n is an integer,
K is a constant and
t is time.

In another example, a memory leak attack, wherein the application continuously generates unallocated memory in the system, thus depleting the latter’s memory. The memory leak attack may be represented by a linear relationship as shown below.
F_RAM= Kt
Hence a generic equation for variation of CPU and RAM resources in a generic attack may be represented as a function of time, as a pattern shown below;
F_CPU or F_RAM=f(t)

Where
f(t) is a function of time.
Thus every generic attack may be represented as a function of time.

In the preferred embodiment of the disclosure, at the final step (208), tagging the identified application as a rogue application and passing on the control an auto-scaling arrangement such as horizontal pod auto scaling application with instructions to spawn another instance of the application or container to ensure the performance of the system does not degrade.

In another aspect, the method (200) includes identification of a rogue pattern, wherein the identified rogue container/application is tagged as rogue application and a kill signal is generated by a Kubernetes system. Upon generation of the kill signal, the identified rogue container is killed.

The illustrated steps of method (200) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development may change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation.

Hence the system and method provides a continuous/dynamic monitoring platform for accurate and highly efficient technique to identify rogue applications. The system uses time stamping techniques, wherein time series data collected by continuously monitoring the infrastructure is analyzed to identify rogue application pattern.

The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.

It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.

The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.

The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.

Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.

It is intended that the disclosure and examples be considered as exemplary only, with a true scope and spirit of disclosed embodiments being indicated by the following claims.
,CLAIMS:
1. A system for providing a dynamic identification of a rogue container application using a time stamping, the system comprising:
at least one memory storing a plurality of instructions;
one or more hardware processors communicatively coupled with the at least one memory, wherein the one or more hardware processors are configured to execute one or more modules;
a monitoring module configured to monitor one or more resources of a platform to collect a plurality of information of usage of the one or more activities of the monitored one or more resources of the platform;
a generating module configured to generate a time series data from the collected information of usage;
an analyzing module configured to analyze the time series data to identify a rogue pattern; and
a container identification module configured to tag a container application based on the identified rogue pattern, wherein the identified rogue pattern matches a pattern of the container application, then the container is tagged as a rogue container application.

2. The system claimed in claim 1, wherein the one or more resources include random access memory (RAM), central processing unit (CPU) cores, and block storage.

3. The system claimed in claim 1, wherein the rogue container application which consumes one or more infrastructural resources in a predefined pattern.

4. The system claimed in claim 1, wherein the predefined pattern includes a constant periodic interval.
5. The system claimed in claim 1, wherein the generation of a time series data from the collected information of usage is a frequency at which the rogue application is requesting for one or more infrastructural resources.

6. The system claimed in claim 1, wherein the tagging a rouge container is based on the identified frequency at which the rogue application is requesting for one or more infrastructural resources.

7. A processor-implemented method for providing a dynamic identification of a rogue container application using a time stamping, the processors-implemented method comprising one or more steps of:
monitoring, via a hardware processor, one or more resources of a system to collect an information of usage of one or more activities of the one or more resources of the system, wherein the collected information is time stamped;
generating, via a hardware processor, a time series data from the collected information of usage of the one or more activities of the one or more resources of the system;
analyzing, via a hardware processor, the generated time series data to identify a rogue pattern; and

tagging a container application based on the identified rogue pattern, wherein the identified rogue pattern matches a pattern of the container application, then the container is tagged as a rogue container application.

8. The method claimed in claim 7, wherein the analysis of the generated time series data comprising one or more steps of:
collecting an existence of a predefined pattern, wherein the existence of the predefined pattern is an indicative of a rogue application in the one or more resources;
collecting an absence of the predefined pattern, wherein the absence of the predefined pattern is the indicative of a genuine application in the one or more resources; and
further monitoring the genuine application for a predefined longer duration, wherein the predefined longer duration monitoring enables to identify the existence of a predefined pattern, wherein the existence of the predefined pattern is indicative of the rogue application.

9. The method claimed in claim 7, wherein the rogue container application is an application which consumes one or more infrastructural resources in a predefined pattern.

10. The method claimed in claim 7, wherein the predefined pattern includes a constant periodic interval.

11. The method claimed in claim 7, wherein the generation of a time series data from the collected information of usage is a frequency at which the rogue application is requesting for one or more infrastructural resources.

12. The method claimed in claim 7, wherein the tagging a rouge container is based on the identified frequency at which the rogue application is requesting for one or more infrastructural resources.