Cloud computing environments often implement security systems to protect against intrusion and/or infection. For example, a cloud computing environment may include multiple physical hosts that facilitate the execution of Virtual Machines (VMs). In this example, the cloud computing environment may implement a Host-based Intrusion Detection System (HIDS) and/or a Host-based Intrusion Prevention System (HIPS) that protects the physical or virtual hosts from intrusion and/or infection. The protection of the HIDS and/or the HIPS may be controlled by certain policies defined by an administrator of the cloud computing environment.
Unfortunately, the process of investigating the security needs of the cloud computing environment and then defining the HIDS and/or HIPS policies for the cloud computing environment may be cumbersome and/or time-intensive. As a result, the administrator, with only limited time and staff available, may be unable to properly address those security needs and/or other cloud computing tasks. For example, a VM may launch on a physical host within the cloud computing environment and then shut down again within a fairly short amount of time. In this example, the administrator may be unable to determine the security needs of the VM and then define an HIDS and/or HIPS policy for the VM within that short amount of time.
As another example, the administrator may be handling other cloud computing tasks when a VM launches on a physical host within the cloud computing environment. In this example, the administrator may be unable to determine the security needs of the VM and then define an IDS and/or IPS policy for the VM, since he or she was occupied with the other cloud computing tasks when the VM launched. As a result, the security of the cloud computing environment may have certain deficiencies, potentially leaving the cloud computing environment vulnerable to security threats.
As a further example, an infected VM may have access to its peer VM instances within the same auto-scaling or subnet group but have no access to other peer VM instances outside of that auto-scaling or subnet group. In this example, the administrator may be unaware of the overall communication topology and/or overall access pattern of a new VM instance within that auto-scaling or subnet group. As a result, the administrator may be unable to determine the security needs of the new VM instance and/or which access privileges to grant to the new VM instance. Accordingly, the security of the new VM instance and/or the auto-scaling or subnet group may have certain deficiencies, potentially leaving them vulnerable to security threats.
The instant disclosure, therefore, identifies and addresses a need for additional and improved systems and methods for detecting security anomalies in a public cloud environment using network activity monitoring, application profiling, and self-building host mapping.
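To make the self-building host mapping idea concrete, the following added example (not code from the disclosure) learns, from constructed flow records, which peer groups and ports each auto-scaling or subnet group normally talks to, and then flags a newly launched VM whose observed flows fall outside that learned map. Group names, VM names and flow records are all constructed for illustration; application profiling is left out to keep the example focused.

```python
from collections import defaultdict

# Constructed flow records observed before the new VM launched: (src_vm, dst_vm, dst_port).
BASELINE_FLOWS = [
    ("web-1", "app-1", 8080), ("web-2", "app-1", 8080),
    ("app-1", "db-1", 5432), ("app-2", "db-1", 5432),
]

# Constructed membership: VM name -> auto-scaling/subnet group (assumed, not from the disclosure).
VM_GROUP = {"web-1": "web", "web-2": "web", "app-1": "app", "app-2": "app", "db-1": "db"}


def build_host_map(flows, vm_group):
    """Self-building host map: for each source group, the set of (destination group, port)
    pairs actually observed on the wire. No administrator-authored policy is needed."""
    host_map = defaultdict(set)
    for src, dst, port in flows:
        host_map[vm_group.get(src, "unknown")].add((vm_group.get(dst, "unknown"), port))
    return host_map


def classify_new_vm(new_vm, group, observed_flows, host_map, vm_group):
    """Compare a newly launched VM's outbound flows with the learned map of its group.
    Returns the flows that the group has never exhibited, including lateral traffic to
    peers inside the same group (the infected-peer case) and traffic to other groups."""
    learned = host_map.get(group, set())
    anomalies = []
    for src, dst, port in observed_flows:
        if src != new_vm:
            continue
        dst_group = vm_group.get(dst, "unknown")
        if (dst_group, port) not in learned:
            anomalies.append((dst, port, dst_group))
    return anomalies


if __name__ == "__main__":
    host_map = build_host_map(BASELINE_FLOWS, VM_GROUP)
    # A new web-tier instance appears; its group membership is known from the cloud API.
    vm_group = dict(VM_GROUP, **{"web-3": "web"})
    # Constructed flows from the new instance: one expected, two that the web group never showed.
    observed = [("web-3", "app-2", 8080), ("web-3", "db-1", 5432), ("web-3", "web-1", 22)]
    for dst, port, dst_group in classify_new_vm("web-3", "web", observed, host_map, vm_group):
        print(f"anomaly: web-3 -> {dst}:{port} (group {dst_group}) not in learned map for 'web'")
```

Because the map is rebuilt from observed traffic, it covers VMs that launch and terminate faster than an administrator could author a policy for them.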