US 12,353,547 B2
Allow list of container images based on deployment configuration at a container orchestration service
Idan Hen, Tel-Aviv (IL); Eran Goldstein, Herzliya (IL); and Dotan Patrich, Kfar Saba (IL)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by MICROSOFT TECHNOLOGY LICENSING, LLC, Redmond, WA (US)
Filed on Jun. 16, 2022, as Appl. No. 17/807,234.
Claims priority of provisional application 63/365,360, filed on May 26, 2022.
Prior Publication US 2023/0409710 A1, Dec. 21, 2023
Int. Cl. G06F 21/56 (2013.01); G06F 8/61 (2018.01); G06F 21/55 (2013.01)
CPC G06F 21/562 (2013.01) [G06F 8/63 (2013.01); G06F 21/554 (2013.01); G06F 2221/033 (2013.01)]
15 Claims
8. A method implemented at a computing system for detecting anomalies in deployment configurations of container images at a container network, the method comprising:
collecting one or more datasets associated with one or more deployment configurations of a container image via a container orchestration service;
extracting a plurality of features based on the one or more datasets for an identification (ID) of the container image;
generating a probability score based on the plurality of features, using one or more machine-learning models trained on datasets associated with one or more historical deployment configurations of the container image that have been performed via the container orchestration service, the probability score indicating a probability of whether the one or more deployment configurations of the container image are anomalous or not anomalous when compared to a predetermined threshold that is indicative of whether the one or more deployment configurations of the container image are anomalous or not anomalous when compared to the one or more historical deployment configurations of the container image, wherein generating the probability score comprises:
generating a first probability score based on the plurality of features, using a first machine learning model trained on a first set of historical data associated with an ID of a specific version of the container image;
generating a second probability score based on the plurality of features, using a second machine learning model trained on a second set of historical data associated with an ID of all versions of the container image; and
generating an overall consistency score based on the first probability score and the second probability score; and
in response to determining that the overall consistency score is greater than the predetermined threshold, performing at least one of (1) add the container image to an allow list that includes container images and their respective IDs that have one or more deployment configurations that are not anomalous or (2) generate a security alert.
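The two-model scoring flow of claim 8, as an added Python sketch that is not taken from the patent or from any Microsoft implementation. Assumptions: a smoothed frequency model stands in for the unspecified machine-learning models, the overall consistency score is the mean of the available scores, the 0.7 threshold is illustrative, and a score above the threshold is read as "consistent with history" (allow list) while anything else raises an alert. The image name, digests and history records are constructed.

```python
from collections import Counter, defaultdict

FEATURES = ("namespace", "privileged", "host_network", "service_account")

class FrequencyModel:
    """Value counts per key and feature, add-one smoothed (assumed model type)."""
    def __init__(self, key_field):
        self.key_field = key_field  # "digest" = one version, "image" = all versions
        self.counts = defaultdict(lambda: defaultdict(Counter))

    def fit(self, records):
        for r in records:
            for f in FEATURES:
                self.counts[r[self.key_field]][f][r[f]] += 1
        return self

    def score(self, record):
        """Mean probability of the observed feature values; None if key has no history."""
        per_feature = self.counts.get(record[self.key_field])
        if per_feature is None:
            return None
        probs = []
        for f in FEATURES:
            seen = per_feature[f]
            total = sum(seen.values())
            # one extra slot in the denominator reserves mass for unseen values
            probs.append((seen[record[f]] + 1) / (total + len(seen) + 1))
        return sum(probs) / len(probs)

def evaluate(record, version_model, image_model, allow_list, threshold=0.7):
    """Return (overall consistency score, action); threshold value is illustrative."""
    scores = [version_model.score(record), image_model.score(record)]
    scores = [s for s in scores if s is not None]
    overall = sum(scores) / len(scores) if scores else 0.0
    if overall > threshold:
        allow_list[record["digest"]] = record["image"]
        return overall, "allow"
    return overall, "alert"

def rec(digest, namespace, privileged, host_network, service_account):
    return {"image": "registry.example/payments-api", "digest": digest,
            "namespace": namespace, "privileged": privileged,
            "host_network": host_network, "service_account": service_account}

# Constructed history: 16 past deployments of two versions of one image.
HISTORY = ([rec("sha256:aaa", "payments", False, False, "payments-sa")] * 8
           + [rec("sha256:bbb", "payments", False, False, "payments-sa")] * 6
           + [rec("sha256:bbb", "staging", False, False, "payments-sa")] * 2)
VERSION_MODEL = FrequencyModel("digest").fit(HISTORY)
IMAGE_MODEL = FrequencyModel("image").fit(HISTORY)
```

In this sketch a version with no history of its own is scored by the all-versions model alone, so a new digest deployed with the image's usual configuration still reaches the allow list, while a privileged, host-network deployment of a known digest does not.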