CPC G06F 9/5016 (2013.01) [G06F 12/0292 (2013.01); G06F 12/145 (2013.01); G06F 21/577 (2013.01); G06F 21/6272 (2013.01); G06F 21/78 (2013.01)]
16 Claims

1. A system, the system comprising:
one or more processors; and
one or more computer-readable non-transitory storage media, the one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising:
monitoring a request for use of memory, the request for use of memory requested by a container manager application on behalf of a given container during runtime of the given container, the given container corresponding to one of a plurality of containers managed by the container manager application;
determining that the request for use of memory has caused an exception, the exception indicating that the request for use of memory requests an invalid operation on a memory table or that the request for use of memory requests a previously not seen memory table; and
in response to determining that the request for use of memory has caused the exception, determining an action to perform, the action depending on both first trustworthiness information associated with the given container and second trustworthiness information associated with the given container, the first trustworthiness information obtained from a Third Party Reputation Service (TPRS) and the second trustworthiness information obtained based on monitoring runtime behavior of the given container;
wherein the first trustworthiness information comprises a first score, the second trustworthiness information comprises a second score, and determining the action to perform comprises:
adding the first score and the second score to yield a composite score;
comparing the composite score to a trustworthiness threshold; and
stopping one or more processes associated with the given container in response to determining that the composite score fails to satisfy the trustworthiness threshold.