Serverless Application Center for Multi-Cloud Deployment of Serverless Applications
US-2021099459-A1 · Apr 1, 2021 · US
US12225013B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12225013-B2 |
| Application number | US-202318353238-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 17, 2023 |
| Priority date | Feb 20, 2019 |
| Publication date | Feb 11, 2025 |
| Grant date | Feb 11, 2025 |
Abstract
A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.
Claims
The invention claimed is:

1. A method comprising: determining components of a serverless application; learning intended behavior of the serverless application, wherein learning intended behavior of the serverless application comprises determining a set of one or more usage flows among the components of the serverless application; and creating a set of one or more security policies to restrict behavior of the serverless application to the intended behavior, wherein creating the set of one or more security policies is based, at least in part, on the set of one or more usage flows.
2. The method of claim 1, wherein determining the set of one or more usage flows comprises at least one of observing runtime application behavior of the serverless application with instrumentation and analyzing application log files.
3. The method of claim 1, wherein learning the intended behavior of the serverless application is while running the serverless application during an initial or calibration phase.
4. The method of claim 1, wherein the set of security policies comprise at least one runtime protection policy and at least one identity and access management policy.
5. The method of claim 4, wherein enforcing the runtime protection policy comprises verifying that order-sequence identifiers added to data and/or events of the serverless application conform to one of the set of usage flows.
6. The method of claim 1, wherein the components of the serverless application comprise a serverless function and a resource.
7. The method of claim 6, wherein the components further comprise at least one of a cloud service, a security permission, and a configuration file.
8. The method of claim 1, wherein creating the set of one or more security policies comprises creating at least one security policy for each component that is a serverless function and each component that is a resource, based on the set of usage flows.
9. The method of claim 1, wherein a usage flow indicates at least one invocation of at least one serverless function and/or at least one access of at least one resource.
10. A non-transitory, machine-readable medium having program code stored thereon, the program code comprising instructions to: determine components of a serverless application; learn intended behavior of the serverless application, wherein the instructions to learn intended behavior of the serverless application comprise instructions to determine a set of one or more usage flows among the components of the serverless application; and create a set of one or more security policies to restrict behavior of the serverless application to the intended behavior, wherein creation of the set of one or more security policies is based, at least in part, on the set of one or more usage flows.
11. The non-transitory, machine-readable medium of claim 10, wherein the instructions to determine the set of one or more usage flows comprise at least one of instructions to observe runtime application behavior of the serverless application and instructions to analyze application log files.
12. The non-transitory, machine-readable medium of claim 10, wherein the instructions to learn the intended behavior of the serverless application comprise instructions to run the serverless application in an initial or calibration phase.
13. The non-transitory, machine-readable medium of claim 10, wherein the set of security policies comprise at least one runtime protection policy and at least one identity and access management policy.
14. The non-transitory, machine-readable medium of claim 13 further comprising instructions to verify that order-sequence identifiers added to data and/or events of the serverless application conform to one of the set of usage flows for enforcement of the runtime protection policy.
15. The non-transitory, machine-readable medium of claim 10, wherein the components of the serverless application comprise a serverless function and a resource and wherein a usage flow indicates at least one invocation of at least one serverless function and/or at least one access of at least one resource.
16. The non-transitory, machine-readable medium of claim 10, wherein the instructions to create the set of one or more security policies comprise instructions to create at least one security policy for each component that is a serverless function and each component that is a resource, based on the set of usage flows.
17. An apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, determine components of a serverless application; learn intended behavior of the serverless application, wherein the instructions to learn intended behavior of the serverless application comprise instructions to determine a set of one or more usage flows among the components of the serverless application; and create a set of one or more security policies to restrict behavior of the serverless application to the intended behavior, wherein creation of the set of one or more security policies is based, at least in part, on the set of one or more usage flows.
18. The apparatus of claim 17, wherein the machine-readable medium further has stored thereon instructions executable by the processor to cause the apparatus to: associate cryptographic keys with a first of the components that accesses data generated by a second of the components, wherein the instructions to create the security policies comprise instructions executable by the processor to cause the apparatus to include the cryptographic keys in the security policies of the first and second components for the second component to digitally sign data generated by the second component and the first component to validate the cryptographic signature and corresponding data.
19. The apparatus of claim 17, wherein the instructions to determine the set of one or more usage flows comprise at least one of instructions to observe runtime application behavior of the serverless application and instructions to analyze application log files.
20. The apparatus of claim 17, wherein the instructions to create the set of one or more security policies comprise instructions executable by the processor to cause the apparatus to create at least one security policy for each component that is a serverless function and each component that is a resource, based on the set of usage flows.
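The abstract and claims 1, 5, 8, 9 and 18 describe three mechanisms: per-component policies that deny every caller not required by an intended usage flow, a runtime check that order-sequence identifiers attached to data or events conform to one of those flows, and a producing component signing the data a consuming component validates. The Python below is an added illustration written for this page, not code from the patent or its assignee. The component names, the two usage flows, the encoding of an order-sequence identifier as a (flow name, step index) pair, the per-request flow tracking, and the use of HMAC-SHA256 with a shared per-pair key in place of the patent's unspecified cryptographic keys are all assumptions made here.

```python
import hashlib
import hmac

# Constructed sample inventory: functions are "fn:", resources are "res:".
COMPONENTS = ["fn:api-gateway-handler", "fn:order-validator", "fn:payment-worker",
              "res:orders-table", "res:payments-queue"]

# Constructed intended usage flows: ordered lists of (caller, callee) steps.
USAGE_FLOWS = {
    "place-order": [("fn:api-gateway-handler", "fn:order-validator"),
                    ("fn:order-validator", "res:orders-table"),
                    ("fn:order-validator", "res:payments-queue"),
                    ("res:payments-queue", "fn:payment-worker")],
    "read-order": [("fn:api-gateway-handler", "res:orders-table")],
}


def build_policies(components, flows):
    """Per-component allow set of callers. Every component starts empty (deny
    all); a caller is added only where an intended flow contains that step."""
    policies = {c: set() for c in components}
    for steps in flows.values():
        for caller, callee in steps:
            if caller not in policies or callee not in policies:
                raise ValueError(f"flow step {caller}->{callee} names an unknown component")
            policies[callee].add(caller)
    return policies


def is_allowed(policies, caller, callee):
    return caller in policies.get(callee, set())  # unknown callee: deny


def sign_data(key, flow, step, payload):
    """Producer binds its data to the order-sequence identifier (flow, step).
    HMAC over a per-pair shared key is an assumption made for this example."""
    return hmac.new(key, f"{flow}:{step}:".encode() + payload, hashlib.sha256).hexdigest()


def verify_data(key, flow, step, payload, tag):
    return hmac.compare_digest(sign_data(key, flow, step, payload), tag)


class FlowTracker:
    """Runtime protection: an event tagged (flow, step) is accepted for a request
    only if it is exactly the next expected step of that flow, so skipped,
    replayed or re-ordered steps are refused."""

    def __init__(self, flows):
        self.flows = flows
        self.progress = {}  # request_id -> (flow, next expected step index)

    def check(self, request_id, flow, step, caller, callee):
        if flow not in self.flows or step >= len(self.flows[flow]):
            return False
        if (flow, step) != self.progress.get(request_id, (flow, 0)):
            return False
        if self.flows[flow][step] != (caller, callee):
            return False
        self.progress[request_id] = (flow, step + 1)
        return True


def process_event(policies, tracker, keys, ev):
    """Apply the access policy, the flow-order check and the signature check, in that order."""
    caller, callee = ev["caller"], ev["callee"]
    if not is_allowed(policies, caller, callee):
        return "denied: caller not authorized for callee"
    if not tracker.check(ev["request_id"], ev["flow"], ev["step"], caller, callee):
        return "denied: order-sequence identifier out of flow"
    key = keys.get((caller, callee), b"")
    if not verify_data(key, ev["flow"], ev["step"], ev["payload"], ev["tag"]):
        return "denied: signature invalid"
    return "allowed"


def run_demo():
    """Walk one constructed place-order request plus two deviations; returns
    the decision list so the behaviour can be checked without printing."""
    policies = build_policies(COMPONENTS, USAGE_FLOWS)
    keys = {pair: f"key-{pair[0]}-{pair[1]}".encode()
            for steps in USAGE_FLOWS.values() for pair in steps}  # constructed keys
    tracker = FlowTracker(USAGE_FLOWS)
    payload, decisions = b'{"order": 42}', []

    def event(rid, flow, step, caller, callee, signed=True):
        tag = sign_data(keys.get((caller, callee), b""), flow, step, payload) if signed else ""
        return dict(request_id=rid, flow=flow, step=step, caller=caller,
                    callee=callee, payload=payload, tag=tag)

    for step, (caller, callee) in enumerate(USAGE_FLOWS["place-order"]):
        decisions.append(process_event(policies, tracker, keys,
                                       event("req-1", "place-order", step, caller, callee)))
    # Deviation 1: the gateway tries to reach the payments queue directly; no flow allows it.
    decisions.append(process_event(policies, tracker, keys,
                                   event("req-2", "place-order", 2, "fn:api-gateway-handler",
                                         "res:payments-queue", signed=False)))
    # Deviation 2: step 1 replayed after req-1 has already advanced past it.
    decisions.append(process_event(policies, tracker, keys,
                                   event("req-1", "place-order", 1, "fn:order-validator",
                                         "res:orders-table")))
    return decisions
```

The order of the three checks matters for what an observer learns: the access policy is evaluated first, so a caller that no flow authorizes is refused before any per-request state is touched or any key is consulted. In a real deployment the allow sets from `build_policies` would be emitted as the provider's IAM resource policies, and the tracker state would live in a shared store rather than in-process memory.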
CPC classification titles:

- Machine learning
- involving digital signatures
- Inference or reasoning models
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)