US 12,265,616 B2
Detect anomalous container deployment at a container orchestration service
Amit Magen Medina, Netanya (IL); Dotan Patrich, Kfar Saba (IL); Josef Weizman, Haifa (IL); and Idan Hen, Tel Aviv (IL)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Nov. 29, 2021, as Appl. No. 17/536,995.
Prior Publication US 2023/0169168 A1, Jun. 1, 2023
Int. Cl. G06F 21/56 (2013.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01)
CPC G06F 21/56 (2013.01) [G06N 7/01 (2023.01); G06N 20/00 (2019.01); G06F 2221/034 (2013.01)] 15 Claims
 
1. A computing system comprising:
one or more processors; and
one or more computer-readable hardware storage devices having stored thereon computer-executable instructions that are structured such that, when executed by the one or more processors, the computer-executable instructions cause a computing system to perform at least:
detect a request for a deployment of a container at a container orchestration service;
collect one or more datasets associated with the deployment of the container;
extract a plurality of features based on the one or more datasets;
generate a probability score based on the plurality of features, using one or more machine-learning models trained on datasets associated with historical deployments of containers that have been performed via the container orchestration service, the probability score indicating a probability that the deployment of the container is anomalous compared to the historical deployments of containers;
determine the deployment of the container is anomalous when the probability score is greater than a threshold;
generate a first probability score based on the plurality of features, using a first machine learning model trained on a first set of historical data;
generate a second probability score based on the plurality of features, using a second machine learning model trained on a second set of historical data;
wherein the first set of historical data and the second set of historical data are in different hierarchies, and the first set of historical data is a subset of the second set of historical data;
wherein the first set of historical data is associated with historical deployments of containers within a cluster and the second set of historical data is associated with historical deployments of containers within a subscription or a tenant that includes the cluster;
generate an overall score based on the first probability score and the second probability score,
wherein generating the overall score includes:
assigning a first weight to the first probability score;
assigning a second weight to the second probability score; and
generating a weighted overall probability score based on the first probability score, the first weight, the second probability score, and the second weight; and
in response to determining that the overall score is greater than a predetermined threshold, performing at least one of (1) generate a security alert, (2) reject the request for the deployment of the container, or (3) terminate the container that has been deployed.
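The two-level scoring the claim describes (a cluster-level model trained on a subset of the subscription/tenant-level history, the two probability scores combined by weights and compared against a threshold before an action is taken), as an added illustration that is not the patent's implementation; the feature names, the toy rarity model, the weights, the threshold and the sample histories are all constructed assumptions:

```python
# Added example, not the patent's implementation: cluster-level and tenant-level
# models (cluster history is a subset of tenant history), weighted into one
# score and thresholded. Features, model, weights, threshold and data are assumed.
from collections import Counter

FEATURES = ("image_registry", "privileged", "host_network", "namespace")

class RarityModel:
    """Toy model: P(anomalous) = mean over features of one minus the
    Laplace-smoothed frequency of the observed value in the training history."""
    def __init__(self, history):
        self.n = len(history)
        self.counts = {f: Counter(d[f] for d in history) for f in FEATURES}

    def score(self, deployment):
        rarity = [1.0 - (self.counts[f][deployment[f]] + 1) / (self.n + 2)
                  for f in FEATURES]
        return sum(rarity) / len(rarity)

def deployment(registry, privileged, host_network, namespace, cluster="prod-eu"):
    """Feature vector extracted from one deployment request (constructed)."""
    return dict(zip(FEATURES + ("cluster",),
                    (registry, privileged, host_network, namespace, cluster)))

# Constructed tenant history; the cluster history is its subset for "prod-eu".
TENANT_HISTORY = [
    deployment("contoso.azurecr.io", False, False, "web"),
    deployment("contoso.azurecr.io", False, False, "web"),
    deployment("contoso.azurecr.io", False, False, "api"),
    deployment("contoso.azurecr.io", False, False, "web"),
    deployment("contoso.azurecr.io", False, False, "batch", "prod-us"),
    deployment("mcr.microsoft.com", False, False, "monitoring", "prod-us"),
    deployment("mcr.microsoft.com", True, True, "monitoring", "prod-us"),
    deployment("contoso.azurecr.io", False, False, "web", "prod-us"),
]
CLUSTER_HISTORY = [d for d in TENANT_HISTORY if d["cluster"] == "prod-eu"]
CLUSTER_MODEL, TENANT_MODEL = RarityModel(CLUSTER_HISTORY), RarityModel(TENANT_HISTORY)

def overall_score(request, w_cluster=0.6, w_tenant=0.4):
    """Weighted overall score from the cluster-level and tenant-level scores."""
    p_cluster, p_tenant = CLUSTER_MODEL.score(request), TENANT_MODEL.score(request)
    return w_cluster * p_cluster + w_tenant * p_tenant, p_cluster, p_tenant

def decide(request, threshold=0.5):
    """Above the threshold: reject the request (and raise an alert)."""
    overall, _, _ = overall_score(request)
    return "reject" if overall > threshold else "allow"
```

A privileged, host-network pod from a registry never seen in the tenant scores about 0.84 and is rejected, while a pattern that is new to the cluster but already present elsewhere in the tenant gets a lower tenant-level score than cluster-level score, which is the point of the second hierarchy.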