Sensitive data usage detection using static analysis

US10248532B1 · US · B1

Patent metadata

Publication number: US-10248532-B1
Application number: US-201514855139-A
Country: US
Kind code: B1
Filing date: Sep 15, 2015
Priority date: Sep 15, 2015
Publication date: Apr 2, 2019
Grant date: Apr 2, 2019

Abstract

Official abstract text for this publication.

Methods, systems, and computer-readable media for implementing sensitive data usage detection using static analysis are disclosed. A specification of one or more operations exposed by a service in a service-oriented system is obtained from a repository. The names of the one or more operations are determined in the specification. The names of one or more parameters of the one or more operations are determined in the specification. The names of the one or more operations and the names of the one or more parameters are checked against a dictionary of sensitive terms. One or more sensitive operations are determined among the one or more operations. One or more consumers of the one or more sensitive operations are determined.
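
The pipeline the abstract describes, sketched as an added example (not code from the patent or its assignee). The service-model layout, the dictionary terms and every service, package and operation name are constructed assumptions; matching is done on whole identifier tokens, and nested parameter structures are walked as in claim 13.

```python
import re

# Constructed dictionary of sensitive terms, stored as lowercase token tuples.
SENSITIVE_TERMS = {("ssn",), ("password",), ("pin",), ("credit", "card")}

def tokens(name):
    """Split camelCase / snake_case identifiers into lowercase word tokens."""
    return [t.lower() for t in re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+", name)]

def matched_terms(name):
    """Dictionary terms that appear as contiguous whole tokens in an identifier."""
    toks = tokens(name)
    return {" ".join(term) for term in SENSITIVE_TERMS
            for i in range(len(toks) - len(term) + 1)
            if tuple(toks[i:i + len(term)]) == term}

def param_names(params):
    """Yield parameter names, descending into complex (nested) structures."""
    for name, inner in params.items():
        yield name
        if isinstance(inner, dict):
            yield from param_names(inner)

def sensitive_operations(model):
    """Map each sensitive operation name to the dictionary terms it matched."""
    found = {}
    for op, params in model["operations"].items():
        hits = set().union(matched_terms(op), *(matched_terms(p) for p in param_names(params)))
        if hits:
            found[op] = hits
    return found

def sensitive_call_edges(model, dependencies, sources):
    """Edges (consumer, service, operation) for sensitive operations called by consumers."""
    ops, edges = sensitive_operations(model), set()
    for consumer, packages in dependencies.items():
        if model["client_package"] in packages:  # dependency declared in the metadata repository
            for op in ops:
                if re.search(r"\b%s\s*\(" % re.escape(op), sources.get(consumer, "")):
                    edges.add((consumer, model["service"], op))
    return edges

# Constructed sample inputs: service model, metadata repository, consumer source code.
MODEL = {"service": "PaymentService", "client_package": "PaymentServiceClient", "operations": {
    "GetShippingOptions": {"orderId": None},  # substring "pin" in "Shipping" must not match
    "UpdatePaymentMethod": {"customerId": None, "card": {"creditCardNumber": None}},
    "ResetPIN": {"accountId": None}}}
DEPENDENCIES = {"CheckoutSite": ["PaymentServiceClient"], "Blog": ["SearchClient"]}
SOURCES = {"CheckoutSite": "c.UpdatePaymentMethod(cid, card); c.GetShippingOptions(oid)", "Blog": "c.ResetPIN(acct)"}
```

The returned edge set is the raw material for a directed graph of sensitive data flow; name matching alone will miss sensitive fields with innocuous names, so the dictionary needs curation.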

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: a plurality of computing devices configured to implement a sensitive data detection system and a service-oriented system, wherein the service-oriented system comprises a plurality of services including a particular service, and wherein the sensitive data detection system is configured to: retrieve a service model specifying one or more operations exposed by the particular service, wherein the service model is retrieved based at least in part on a name of the particular service; extract names of the one or more operations from the service model; extract names of one or more parameters of the one or more operations from the service model; identify one or more sensitive operations among the one or more operations, wherein the names of the one or more operations and the names of the one or more parameters are checked against a dictionary of sensitive terms; identify one or more consumers of the particular service using a metadata repository, wherein the metadata repository specifies a dependency of the one or more consumers on one or more client-side packages of the particular service; identify one or more of the sensitive operations called by the consumers in source code for the one or more consumers, wherein the source code for the one or more consumers is retrieved from a source code repository; and responsive to identification of a particular called sensitive operation, implement one or more security measures to enhance security of data to be processed by the particular called sensitive operation, wherein the one or more security measures include at least one of: generation of a directed graph representing flow of sensitive data through one or more of the services, wherein the data to be processed by the particular sensitive operation comprises the sensitive data, modification of source code of the service, or migration of the service from a current deployment environment to another deployment environment that is more secure than the current deployment environment.

2. The system as recited in claim 1, wherein the sensitive data detection system is configured to: validate a relationship of the service model to the particular service based at least in part on source code for the particular service, wherein the source code for the particular service is retrieved from the source code repository, and wherein, in validating the relationship, the static analysis system is configured to match the names of the one or more operations in the service model to names of the one or more operations in the source code.

3. The system as recited in claim 1, wherein the sensitive data detection system is configured to: generate a map of service interactions in the service-oriented system, wherein service interactions associated with the one or more sensitive operations are emphasized in the map.

4. The system as recited in claim 1, wherein the sensitive data detection system is configured to: perform an action to secure sensitive data used by the one or more sensitive operations.

5. A computer-implemented method, comprising: performing, by a data detection system implemented on one or more computing devices: obtaining a specification of one or more operations exposed by a service in a service-oriented system; determining names of the one or more operations in the specification; determining names of one or more parameters of individual ones of the one or more operations in the specification; determining one or more sensitive operations among the one or more operations, wherein the names of the one or more operations and the names of the one or more parameters are checked against a dictionary of sensitive terms; determining one or more consumers of the one or more sensitive operations; and responsive to determining one or more sensitive operations, implementing one or more security measures to enhance security of data to be processed by one of the one or more sensitive operations, wherein the one or more security measures include at least one of: generating a directed graph representing flow of sensitive data through one or more of the services, wherein the data to be processed by one of the one or more sensitive operations comprises the sensitive data, modifying source code of the service in order to increase security of the service, or migrating the service from a current deployment environment to another deployment environment that is more secure than the current deployment environment.

6. The method as recited in claim 5, further comprising: validating a relationship of the specification to the service based at least in part on source code for the service, wherein validating the relationship comprises matching the names of the one or more operations in the specification to names of the one or more operations in the source code.

7. The method as recited in claim 6, wherein the source code for the service is obtained from a source code repository, and wherein the source code repository stores source code for a plurality of services of the service-oriented system.

8. The method as recited in claim 5, wherein the specification is obtained from a source code repository based at least in part on a name of the service, and wherein a name of the specification comprises the name of the service.

9. The method as recited in claim 5, wherein determining the one or more consumers of the one or more sensitive operations comprises: identifying one or more consumers of the service using a metadata repository, wherein the metadata repository specifies a dependency of the one or more consumers on one or more client-side packages of the service; and identifying one or more of the sensitive operations called by the consumers in source code for the one or more consumers, wherein the source code for the one or more consumers is obtained from a source code repository.

10. The method as recited in claim 5, further comprising: generating a map of service interactions in the service-oriented system, wherein service interactions associated with the one or more sensitive operations are emphasized in the map.

11. The method as recited in claim 5, further comprising: performing an action to secure sensitive data used by the one or more sensitive operations.

12. The method as recited in claim 5, further comprising: prioritizing a security review for the particular service based at least in part on the one or more sensitive operations.

13. The method as recited in claim 5, wherein the one or more parameters comprise one or more complex data structures, and wherein names of one or more internal parameters of the one or more complex data structures are checked against the dictionary of sensitive terms.

14. A non-transitory computer-readable storage medium storing program instructions computer-executable to perform: obtaining a service model specifying one or more operations exposed by a service in a service-oriented system, wherein the service model is obtained from a source code repository storing service models for a plurality of services in the service-oriented system; extracting names of the one or more operations from the service model; extracting names of one or more parameters of the one or more operations from the service model; identifying one or more sensitive operations among the one or more operations, wherein the names of the one or more operations and the names of the one or more parameters are checked against a dictionary of sensitive terms; identifying one or more consumers of the one or more sensitive operations; and implementing one or more security measures to en

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10248532B1 cover?
Methods, systems, and computer-readable media for implementing sensitive data usage detection using static analysis are disclosed. A specification of one or more operations exposed by a service in a service-oriented system is obtained from a repository. The names of the one or more operations are determined in the specification. The names of one or more parameters of the one or more operations …
Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification G06F11/3452. Mapped technology areas include Physics.
When was this patent published?
Publication date Apr 2, 2019 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).