Patents by Inventor Hirokuni Kitahara
Hirokuni Kitahara has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11960578
  Abstract: A method is provided for determining command-to-process correspondence. The method includes identifying, by the hardware processor, initial processes resulting from executions of container immutability change events for each of multiple initially mutable containers in a cluster, based on an execution time, a process identifier and a process group identifier for each of the container immutability change events. The method also includes designating, by the hardware processor, a particular external command, from among external container commands stored in a database, as having a correspondence to an initial process, responsive to the initial process matching at least one respective process resulting from executing the particular external command.
  Type: Grant
  Filed: November 3, 2022
  Date of Patent: April 16, 2024
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
- Publication number: 20240095075
  Abstract: A computer-implemented method for determining container information associated with detected container mutation events is disclosed. The computer-implemented method includes: determining that a system call event to a host operating system includes a call to join a namespace and execute a parent process inside the namespace; determining that the namespace is associated with an existing container; responsive to determining that the namespace is associated with an existing container, determining that the system call event further includes a call to execute a child process inside the namespace; and responsive to determining that the system call event further includes a call to execute a child process inside the namespace: designating the child process as a mutation event to the existing container, and determining container information associated with the mutation event to the existing container. A corresponding computer system and computer program product are also disclosed.
  Type: Application
  Filed: September 21, 2022
  Publication date: March 21, 2024
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Kugamoorthy Gajananan, Ruriko Kudo
- Patent number: 11914755
  Abstract: Methods and systems for verifying a resource definition include simulating an original resource definition to identify at least one change that is made to the original resource definition by a management service. A signature of a received resource definition is generated, omitting portions of the received resource definition that correspond to the at least one identified change. The signature of the received resource definition is compared to a signature of the original resource definition to find a match and to verify the received resource definition. The received resource definition is implemented, responsive to finding the match.
  Type: Grant
  Filed: February 4, 2021
  Date of Patent: February 27, 2024
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Hirokuni Kitahara, Ruriko Kudo, Kugamoorthy Gajananan, Yuji Watanabe
- Patent number: 11809534
  Abstract: A system for controlling access to cluster resources is provided. The system includes one or more processors; and memory operatively coupled to the one or more processors, wherein the one or more processors and the memory form a cluster of computer resources that includes an admission controller configured to receive requests and determine if the request is authorized, a request history database that stores the request information received by the admission controller from a plurality of users, a role design advisor that is configured to adjust permissions for the plurality of users based on a pattern of usage identified from the request history database, and an alert system that communicates an alert to an administrator that a request outside the pattern of requests for the user has been received by the admission controller, wherein the admission controller, request history database, and role design advisor control access to the cluster resources.
  Type: Grant
  Filed: April 22, 2021
  Date of Patent: November 7, 2023
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Yuji Watanabe, Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan
- Patent number: 11704413
  Abstract: A computer-implemented method for assessing latent security risks in Kubernetes clusters is provided including selecting a service account from a plurality of service accounts defined in namespaces of a cluster, binding a role to the selected service account based on predetermined role-binding data, and determining if the role meets at least one of a first, second, and third conditions based on predetermined role data defining permitted operations for roles, the first condition being that the role can receive secret tokens for pods within a namespace of the namespaces, the second condition being that the role can perform execution operation to other pods, and the third condition being that the role can create DaemonSet, Deployment, StatefulSet, and additional pods on the namespace.
  Type: Grant
  Filed: April 22, 2021
  Date of Patent: July 18, 2023
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Yuji Watanabe, Ruriko Kudo, Kugamoorthy Gajananan, Hirokuni Kitahara
- Publication number: 20230054683
  Abstract: A method is provided for determining command-to-process correspondence. The method includes identifying, by the hardware processor, initial processes resulting from executions of container immutability change events for each of multiple initially mutable containers in a cluster, based on an execution time, a process identifier and a process group identifier for each of the container immutability change events. The method also includes designating, by the hardware processor, a particular external command, from among external container commands stored in a database, as having a correspondence to an initial process, responsive to the initial process matching at least one respective process resulting from executing the particular external command.
  Type: Application
  Filed: November 3, 2022
  Publication date: February 23, 2023
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
- Patent number: 11580199
  Abstract: A method is provided for determining command-to-process correspondence. The method includes identifying, by the hardware processor, initial processes resulting from executions of container immutability change events for each of multiple containers in a cluster, based on an execution time, a process identifier and a process group identifier for each of the container immutability change events. The method further includes checking, by the hardware processor, if an initial process from among the identified initial processes matches an entry in a database that stores external container commands and at least one respective process resulting from executing each of the external container commands.
  Type: Grant
  Filed: September 20, 2019
  Date of Patent: February 14, 2023
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
- Patent number: 11526599
  Abstract: One or more computer processors collect logs containing one or more admission requests associated with a new application installation in an empty namespace, wherein the empty namespace is a sandbox representative of a production environment. The one or more computer processors classify the one or more admission requests according to a set of conditions indicating respective levels of trust. The one or more computer processors create a set of candidates for signing containing admission requests that are classified unsigned. The one or more computer processors generate a security policy for each candidate for signing in the set of candidates for signing.
  Type: Grant
  Filed: April 19, 2021
  Date of Patent: December 13, 2022
  Assignee: International Business Machines Corporation
  Inventors: Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan, Yuji Watanabe
- Publication number: 20220342997
  Abstract: A computer-implemented method for assessing latent security risks in Kubernetes clusters is provided including selecting a service account from a plurality of service accounts defined in namespaces of a cluster, binding a role to the selected service account based on predetermined role-binding data, and determining if the role meets at least one of a first, second, and third conditions based on predetermined role data defining permitted operations for roles, the first condition being that the role can receive secret tokens for pods within a namespace of the namespaces, the second condition being that the role can perform execution operation to other pods, and the third condition being that the role can create DaemonSet, Deployment, StatefulSet, and additional pods on the namespace.
  Type: Application
  Filed: April 22, 2021
  Publication date: October 27, 2022
  Inventors: Yuji Watanabe, Ruriko Kudo, Kugamoorthy Gajananan, Hirokuni Kitahara
- Publication number: 20220342965
  Abstract: A system for controlling access to cluster resources is provided. The system includes one or more processors; and memory operatively coupled to the one or more processors, wherein the one or more processors and the memory form a cluster of computer resources that includes an admission controller configured to receive requests and determine if the request is authorized, a request history database that stores the request information received by the admission controller from a plurality of users, a role design advisor that is configured to adjust permissions for the plurality of users based on a pattern of usage identified from the request history database, and an alert system that communicates an alert to an administrator that a request outside the pattern of requests for the user has been received by the admission controller, wherein the admission controller, request history database, and role design advisor control access to the cluster resources.
  Type: Application
  Filed: April 22, 2021
  Publication date: October 27, 2022
  Inventors: Yuji Watanabe, Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan
- Publication number: 20220335119
  Abstract: One or more computer processors collect logs containing one or more admission requests associated with a new application installation in an empty namespace, wherein the empty namespace is a sandbox representative of a production environment. The one or more computer processors classify the one or more admission requests according to a set of conditions indicating respective levels of trust. The one or more computer processors create a set of candidates for signing containing admission requests that are classified unsigned. The one or more computer processors generate a security policy for each candidate for signing in the set of candidates for signing.
  Type: Application
  Filed: April 19, 2021
  Publication date: October 20, 2022
  Inventors: Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan, Yuji Watanabe
- Patent number: 11477236
  Abstract: A computer-implemented method is provided for identifying words likely to be used in new combo-squatted domains of a target domain. The method includes selecting the target domain. The method further includes storing, in a memory device, a sequence of previously detected combo-squatted domains from period [t-W, t-1]. The sequence includes a set of words W. The method also includes obtaining trends associated with the target domain at time t. The method additionally includes obtaining, by a hardware processor responsive to the trends, a trend distribution associated with the target domain at time t. The method further includes ranking, by a likelihood, a set of words E that have been extracted from the trend distribution and are expected to be used in the future in the new combo-squatting domains, responsive to the set of words W.
  Type: Grant
  Filed: May 27, 2020
  Date of Patent: October 18, 2022
  Assignee: International Business Machines Corporation
  Inventors: Pablo Salvador Loyola Heufemann, Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
- Publication number: 20220245285
  Abstract: Methods and systems for verifying a resource definition include simulating an original resource definition to identify at least one change that is made to the original resource definition by a management service. A signature of a received resource definition is generated, omitting portions of the received resource definition that correspond to the at least one identified change. The signature of the received resource definition is compared to a signature of the original resource definition to find a match and to verify the received resource definition. The received resource definition is implemented, responsive to finding the match.
  Type: Application
  Filed: February 4, 2021
  Publication date: August 4, 2022
  Inventors: Hirokuni Kitahara, Ruriko Kudo, Kugamoorthy Gajananan, Yuji Watanabe
- Patent number: 11403401
  Abstract: A method for checking an integrity of an object to be deployed to a cluster is provided. The method detects a resource creation request. The method, responsive to the request being an initial resource creation request for the object, verifies the integrity of the object based on properties in the request to create a release secret in the cluster for a positive integrity verification result for the object. The release secret represents a specific deployment configuration of the object on the cluster. The method, responsive to the request being other than the initial resource request, checks if the request corresponds to the specific deployment configuration of the object by checking against the release secret in the cluster. The method, responsive to the request corresponding to a deployment of the object and the release secret being present in the cluster, creates a resource requested by the request in the cluster.
  Type: Grant
  Filed: June 19, 2020
  Date of Patent: August 2, 2022
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Ruriko Kudo
- Publication number: 20210397712
  Abstract: A method for checking an integrity of an object to be deployed to a cluster is provided. The method detects a resource creation request. The method, responsive to the request being an initial resource creation request for the object, verifies the integrity of the object based on properties in the request to create a release secret in the cluster for a positive integrity verification result for the object. The release secret represents a specific deployment configuration of the object on the cluster. The method, responsive to the request being other than the initial resource request, checks if the request corresponds to the specific deployment configuration of the object by checking against the release secret in the cluster. The method, responsive to the request corresponding to a deployment of the object and the release secret being present in the cluster, creates a resource requested by the request in the cluster.
  Type: Application
  Filed: June 19, 2020
  Publication date: December 23, 2021
  Inventors: Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Ruriko Kudo
- Publication number: 20210377306
  Abstract: A computer-implemented method is provided for identifying words likely to be used in new combo-squatted domains of a target domain. The method includes selecting the target domain. The method further includes storing, in a memory device, a sequence of previously detected combo-squatted domains from period [t-W, t-1]. The sequence includes a set of words W. The method also includes obtaining trends associated with the target domain at time t. The method additionally includes obtaining, by a hardware processor responsive to the trends, a trend distribution associated with the target domain at time t. The method further includes ranking, by a likelihood, a set of words E that have been extracted from the trend distribution and are expected to be used in the future in the new combo-squatting domains, responsive to the set of words W.
  Type: Application
  Filed: May 27, 2020
  Publication date: December 2, 2021
  Inventors: Pablo Salvador Loyola Heufemann, Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
- Patent number: 11178175
  Abstract: A computer-implemented method for linking combo-squatting domains is provided. The method includes grouping domain names into nameserver groups based on a nameserver for each of the domains. Each of the domain names contain valued words. The method also includes splitting words in each domain name and generating a wordlist for each of the nameserver groups. The method further includes finding feature words among the nameserver groups, and extracting malicious domain names which contain the feature words in each of the nameserver groups. The method further includes outputting, for each of the nameserver groups, the malicious domain names and corresponding registrant identifying data based on the feature words.
  Type: Grant
  Filed: August 16, 2019
  Date of Patent: November 16, 2021
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama, Alisa Arno
- Patent number: 11163635
  Abstract: Methods and systems for detecting mutation events include collecting change event pattern counts from one or more processing nodes. Unintended change events are identified based on the collected change event pattern counts. A corrective action is performed for the unintended change events.
  Type: Grant
  Filed: September 23, 2019
  Date of Patent: November 2, 2021
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Pablo Salvador Loyola Heufemann, Kugamoorthy Gajananan
- Patent number: 11144418
  Abstract: A computer-implemented method includes generating one or more process trees based on one or more processes associated with one or more change events within a cluster computing system, performing mutation event detection by comparing a root of each of the one or more process trees with one or more external commands, and generating a mutation event report based on the comparison.
  Type: Grant
  Filed: September 23, 2019
  Date of Patent: October 12, 2021
  Assignee: International Business Machines Corporation
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
- Publication number: 20210089420
  Abstract: A computer-implemented method includes generating one or more process trees based on one or more processes associated with one or more change events within a cluster computing system, performing mutation event detection by comparing a root of each of the one or more process trees with one or more external commands, and generating a mutation event report based on the comparison.
  Type: Application
  Filed: September 23, 2019
  Publication date: March 25, 2021
  Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama