Cloud native virtual machine runtime protection

US12223337B2 · US · B2

Patent metadata

Publication number: US-12223337-B2
Application number: US-202318464799-A
Country: US
Kind code: B2
Filing date: Sep 11, 2023
Priority date: Jul 19, 2018
Publication date: Feb 11, 2025
Grant date: Feb 11, 2025

Abstract

Official abstract text for this publication.

A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the services that is not among the discrete behaviors defined in capabilities for the service.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method comprising: training a machine learning model to detect normal behavior of one or more services running on a cloud native virtual machine (VM), wherein the machine learning model is trained to detect normal behavior on training data comprising a plurality of discrete behaviors of the one or more services and indications of whether each of the plurality of discrete behaviors corresponds to normal or abnormal behavior; defining capabilities that indicate at least one of allowed behaviors and denied behaviors for each of the one or more services based, at least in part, on behaviors for the one or more services that the trained machine learning model has detected as normal or abnormal; generating a normal behavior model according to the defined capabilities and the trained machine learning model; and detecting a behavior at the cloud native VM that deviates from the normal behavior model, wherein detecting a behavior that deviates from the normal behavior model comprises at least one of, detecting the behavior as an abnormal behavior with the trained machine learning model, detecting the behavior as not corresponding to an allowed behavior for a defined capability, and detecting the behavior as corresponding to a denied behavior for a defined capability.

2. The method of claim 1, wherein defining the capabilities comprises defining the capabilities according to hierarchical relationships, wherein the hierarchical relationships define associations between the cloud native VM, the one or more services running on the cloud native VM, the defined capabilities of the one or more services, and behaviors allowed and denied by the defined capabilities.

3. The method of claim 1, wherein the defined capabilities comprise one or more behavioral rules that define at least one of allowed and denied behaviors for the one or more services.

4. The method of claim 1, wherein the plurality of discrete behaviors includes at least one of running a process, using an input argument for a process, and accessing a file path.

5. The method of claim 1, wherein creating the normal behavior model further comprises, correlating behaviors among the plurality of discrete behaviors for the one or more services with respect to at least one of a parameter used for a process executed as part of the plurality of discrete behaviors, a socket used as part of the plurality of discrete behaviors, and a type of file created as part of the plurality of discrete behaviors; and indicating correlated discrete behaviors in capabilities for corresponding ones of the one or more services.

6. The method of claim 1, further comprising uploading the normal behavior model to a cloud service, wherein the normal behavior model is accessible to installations accessing the cloud service when uploaded to the cloud service.

7. The method of claim 6, further comprising enhancing defined capabilities of the normal behavior model with behavioral rules indicating allowed and denied behaviors at runtime execution of the normal behavior model by the installations accessing the cloud service.

8. A non-transitory machine-readable medium having program code stored thereon, the program code comprising instructions to: train a machine learning model to detect normal behavior of one or more services running on a cloud native virtual machine (VM), wherein the machine learning model is trained to detect normal behavior on training data comprising a plurality of discrete behaviors of the one or more services and indications of whether each of the plurality of discrete behaviors corresponds to normal or abnormal behavior; generate a normal behavior model according to defined capabilities for the one or more services and the trained machine learning model, wherein the defined capabilities indicate at least one of allowed behaviors and denied behaviors for each of the one or more services, further wherein defined capabilities are defined based, at least in part, behaviors for the one or more services that the machine learning model has detected as normal or abnormal; and detect a behavior that deviates from the normal behavior model, wherein the program code to detect a behavior that deviates from the normal behavior model comprises instructions to at least one of, detect the behavior as an abnormal behavior with the trained machine learning model, detect the behavior as not corresponding to an allowed behavior for a defined capability, and detect the behavior as corresponding to a denied behavior for a defined capability.

9. The non-transitory machine-readable medium of claim 8, wherein the program code to define the capabilities comprises instructions to define the capabilities according to hierarchical relationships, wherein the hierarchical relationships define associations between the cloud native VM, the one or more services running on the cloud native VM, the defined capabilities of the one or more services, and behaviors allowed and denied by the defined capabilities.

10. The non-transitory machine-readable medium of claim 8, wherein the defined capabilities comprise one or more behavioral rules that define at least one of allowed and denied behaviors for the one or more services.

11. The non-transitory machine-readable medium of claim 8, wherein the plurality of discrete behaviors includes at least one of running a process, using an input argument for a process, and accessing a file path.

12. The non-transitory machine-readable medium of claim 8, wherein the program code to create the normal behavior model further comprises instructions to: correlate behaviors among the plurality of discrete behaviors for the one or more services with respect to at least one of a parameter used for a process executed as part of the plurality of discrete behaviors, a socket used as part of the plurality of discrete behaviors, and a type of file created as part of the plurality of discrete behaviors; and indicate correlated discrete behaviors in capabilities for corresponding ones of the one or more services.

13. The non-transitory machine-readable medium of claim 8, wherein the program code further comprises instructions to upload the normal behavior model to a cloud service, wherein the normal behavior model is accessible to installations accessing the cloud service when uploaded to the cloud service.

14. The non-transitory machine-readable medium of claim 13, wherein the program code further comprises instructions to enhance defined capabilities of the normal behavior model with behavioral rules indicating allowed and denied behaviors at runtime execution of the normal behavior model by the installations accessing the cloud service.

15. An apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, train a machine learning model to detect normal behavior of one or more services running on a cloud native virtual machine (VM), wherein the machine learning model is trained to detect normal behavior on training data comprising a plurality of discrete behaviors of the one or more services and indications of whether each of the plurality of discrete behaviors corresponds to normal or abnormal behavior; generate a normal behavior model according to defined capabilities for the one or more services and the trained machine learning model, wherein the defined capabilities indicate at least one of allowed behaviors and denied behaviors for each of the one or more services, further wherein defined capabilities are defined based, at least in part, b
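As an added example (not code from the patent or from Palo Alto Networks), the following Python sketch builds the hierarchy of claim 2 (VM services, their capabilities, and the behaviors each capability allows or denies) and evaluates an observed behavior along the detection paths of claim 1. The service names, library entries and training labels are constructed values, and a labelled training set stands in for the trained model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Behavior:
    kind: str    # "process", "argument" or "file": the discrete behavior types of claim 4
    value: str   # process name, input argument or file path

@dataclass
class Capability:
    name: str
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)

# Constructed library of service-to-capability mappings (hypothetical values, not from the patent).
LIBRARY = {
    "web": [Capability("serve_http",
                       allowed={Behavior("process", "nginx"), Behavior("file", "/var/www/index.html")},
                       denied={Behavior("process", "/bin/sh")})],
    "db":  [Capability("store_data",
                       allowed={Behavior("process", "postgres"), Behavior("file", "/var/lib/pg/base")})],
}

def build_model(vm_services, training):
    """Normal behavior model: service -> capabilities -> allowed/denied behaviors.
    `training` yields (service, Behavior, is_normal) tuples; behaviors labelled
    normal extend the library's allowed set, abnormal ones extend the denied set."""
    model = {svc: [Capability(c.name, set(c.allowed), set(c.denied)) for c in LIBRARY[svc]]
             for svc in vm_services}
    for svc, beh, is_normal in training:
        learned = model[svc][0]   # training refines the service's first capability here
        (learned.allowed if is_normal else learned.denied).add(beh)
    return model

def detect(model, service, behavior):
    """Return None when the behavior is normal, otherwise the reason it deviates."""
    caps = model.get(service)
    if caps is None:
        return "unknown service on this VM"
    for cap in caps:                       # denied behavior for a defined capability
        if behavior in cap.denied:
            return f"denied behavior for capability {cap.name}"
    if any(behavior in cap.allowed for cap in caps):
        return None
    return "behavior not among allowed behaviors of any capability"
```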

Assignees

Palo Alto Networks Inc

Inventors

Classifications

  • Generating training patterns; Bootstrap methods, e.g. bagging or boosting · CPC title

  • by adding security routines or objects to programs · CPC title

  • at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability · CPC title

  • Configuring for program initiating, e.g. using registry, configuration files · CPC title

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification G06F9/455. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 11, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).