KR20230062207A - Method for automatic blocking through monitoring and abnormality detection of dynamically changing resources in cloud and container environments and apparatus thereof - Google Patents

Abstract

A method for operating a device that performs resource management, comprising: obtaining information about changes in resources in a cloud or container infrastructure environment; identifying the resource based on tagging and predefined rules; If the resource is not identified, performing a notification to a manager; classifying the resource as an abnormal asset when there is no additional response from the manager; and stopping or deleting the resource classified as the abnormal asset, wherein the step of identifying the resource based on the tagging and a predefined rule: whether a tag value assigned to the resource exists determining; Further comprising determining whether the resource is a non-predefined resource based on the predefined rule, and if the resource is not identified, the tag value does not exist for the resource and the resource is previously A method including the case of an undefined resource is provided.

Description

Automatic blocking method through monitoring and anomaly detection for dynamically changing resources in cloud and container environments, and device supporting the same

The present invention relates to an automatic blocking method through monitoring and anomaly detection for dynamically changing resources in a cloud and container environment.

In the case of a public cloud, there is an application programming interface (API) for creating/changing/deleting resources. The cloud service provider also provides a function of inquiring usage of CPU (central processing unit)/MEM (memory)/DISK to measure usage of each resource.

In addition, some clouds provide an API interface to connect to a remote server for development convenience.

When resources are dynamically changed in a cloud or container environment, a method for efficiently monitoring and anomaly detection is needed.

US Patent Application Publication No. US2014/302682, 2014.06.12 US Patent Application Publication No. US2016/143424, 2018.09.26

In a cloud environment or container environment, various resources are created by a user, by system redundancy, or by an automated expansion function such as an auto-scaling function. Various resources are created through system programming by people, predefined rules, or API keys.

In this situation, resources unknown to the user (administrator) can be created in various ways due to hacker's malicious attack and infiltration or key exposure due to misuse of API Key, and backdoor accounts are also created due to the keys exposed in this way. It can be.

Accordingly, an object to be solved by the present invention is to propose a method for anomaly detection for numerous resources that are dynamically created or deleted in a cloud environment.

In addition, an object to be solved by the present invention is to propose a method of detecting and automatically deleting unintended resources from the system when they are created.

The problems to be solved by the present invention are not limited to the problems mentioned above, and other problems not mentioned will be clearly understood by those skilled in the art from the description below.

According to an embodiment of the present invention for solving the above problems, a method for operating a device for resource management is provided.

The method may include acquiring information about changes in resources in a cloud or container infrastructure environment; identifying the resource based on tagging and predefined rules; If the resource is not identified, performing a notification to a manager; classifying the resource as an abnormal asset when there is no additional response from the manager; and stopping or deleting the resource classified as the abnormal asset.

Identifying the resource based on the tagging and a predefined rule may include: determining whether a tag value assigned to the resource exists; The method further includes determining whether the resource is a non-predefined resource based on the predefined rule.

The case where the resource is not identified includes a case where the tag value does not exist for the resource and the resource is a resource not defined in advance.

Determining whether the resource is a non-predefined resource based on the predefined rule may include: classifying a manager into a specific department and a specific person based on the predefined rule; mapping a specific resource type, resource itself, and an allocation manager for a specific region to the specific department and specific person; and determining whether the change to the resource is a change made by an allocation manager that is not mapped to the specific department or specific person.

The tagging type may be one of a type directly marked on cloud assets and a type separately managed by an internal inspection system.

The method may further include collecting and monitoring at least one of cost, type, property, or region of the asset of the infrastructure based on the obtained information.

The step of collecting and monitoring the cost of the asset of the infrastructure based on the obtained information is: Based on the acquired information, through an artificial intelligence learning engine, querying whether the amount of change in billing is based on an appropriate threshold step; predicting monthly usage based on daily usage with respect to assets of the infrastructure; and when the predicted monthly usage exceeds the previous month's usage, notifying a manager.

The step of collecting and monitoring at least one of the type, attribute, or region of the asset of the infrastructure based on the acquired information: Based on the acquired information, the information about the asset of the infrastructure through an artificial intelligence learning engine. learning the type, property, or region repeatedly a predetermined number of times; extracting data from the learning repeated a predetermined number of times; and determining whether the type, property, or region of the resource is the type, property, or region used by a manager based on the data, wherein the type, property, or region of the resource is not used. When it is determined to be a region, a step of notifying an administrator may be further included.

Acquiring the information on the resource may include: acquiring a notification of a change in the resource through the interface, when the device includes an interface providing a notification function for a change history; and if the device does not include the interface providing a notification function for a change history, periodically collecting and obtaining information on the resource through an information collection interface.

The interface providing a notification function for the change history provides a Webhook or Watcher function, and the information collection interface may be any one of an API, a LOG collector, a simple systems manager (SSM) interface, and a secure shell (SSH) interface. there is.

The method includes creating a replicated resource by replicating the resource by auto-scaling; It may include tracking and tagging the duplicated resource.

The duplicated resource may inherit a tag value from an upper inheritor.

According to an embodiment according to the present invention, an apparatus for collecting and processing information can be provided.

The device includes an input/output module; a memory configured to store data; and one or more processors connected to the memory.

The one or more processors: obtain information about changes in resources in a cloud or container infrastructure environment; identify the resource based on tagging and predefined rules; If the resource is not identified, performing a notification to a manager; if there is no further response from the manager, classify the resource as an abnormal asset; and to stop or delete the resource classified as the abnormal asset.

Where the processor is configured to identify the resource based on the tagging and predefined rules: determine whether there is an assigned tag value for the resource; The method may further include determining whether the resource is a non-predefined resource based on the predefined rule.

According to one embodiment according to the present invention, a non-transitory processor-readable medium storing one or more instructions that cause one or more processors to perform operations. can provide.

The operation may include: acquiring information about changes in resources in a cloud or container infrastructure environment; identify the resource based on tagging and predefined rules; If the resource is not identified, performing a notification to a manager; if there is no further response from the manager, classify the resource as an abnormal asset; and stopping or deleting the resource classified as the abnormal asset.

Other specific details of the invention are included in the detailed description and drawings.

According to the present invention, by providing a method for detecting an unwanted resource among dynamically changing resources in a cloud or container environment, that is, detecting anomaly, it is possible to more easily identify anomaly detection for a resource that is difficult to identify. there is.

In addition, according to the present invention, if a resource dynamically changed in a cloud or container environment is an unwanted resource, it is possible to prevent potential threats in the cloud/container environment in advance by automatically deleting the resource.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included as part of the detailed description to aid in the understanding of the present invention, provide various embodiments and, together with the detailed description, describe technical features of the various embodiments.
1 shows an example of a cloud and container infrastructure environment.
2 shows an asset management system in a cloud infrastructure environment according to the present invention.
3 is a conceptual diagram of a module providing resource identification and anomaly detection functions in a cloud environment according to the present invention.
4 is a diagram illustrating a resource processing method according to dynamically changing resource identification and manager correspondence in a cloud environment according to the present invention.
5 is a diagram illustrating a method of identifying a resource based on a dictionary rule according to the present invention.
6 illustrates a block configuration diagram of a device according to an embodiment of the present invention.

Advantages and features of the present invention, and methods of achieving them, will become clear with reference to the detailed description of the following embodiments taken in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, only these embodiments are intended to complete the disclosure of the present invention, and are common in the art to which the present invention belongs. It is provided to fully inform the person skilled in the art of the scope of the invention, and the invention is only defined by the scope of the claims.

Terminology used herein is for describing the embodiments and is not intended to limit the present invention. In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase. As used herein, "comprises" and/or "comprising" does not exclude the presence or addition of one or more other elements other than the recited elements. Like reference numerals throughout the specification refer to like elements, and “and/or” includes each and every combination of one or more of the recited elements. Although "first", "second", etc. are used to describe various components, these components are not limited by these terms, of course. These terms are only used to distinguish one component from another. Accordingly, it goes without saying that the first element mentioned below may also be the second element within the technical spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings commonly understood by those skilled in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly specifically defined.

The spatially relative terms "below", "beneath", "lower", "above", "upper", etc. It can be used to easily describe a component's correlation with other components. Spatially relative terms should be understood as including different orientations of elements in use or operation in addition to the orientations shown in the drawings. For example, if you flip a component that is shown in a drawing, a component described as "below" or "beneath" another component will be placed "above" the other component. can Thus, the exemplary term “below” may include directions of both below and above. Components may also be oriented in other orientations, and thus spatially relative terms may be interpreted according to orientation.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The detailed description set forth below in conjunction with the accompanying drawings is intended to describe exemplary embodiments of various embodiments, and is not intended to represent a single embodiment.

Definitions of terms used in the present invention are as follows.

Infrastructure: The infrastructure used in the present invention means an information technology (IT) infrastructure. IT infrastructure is a component necessary to operate and manage an enterprise IT environment. The IT infrastructure can be deployed on cloud computing systems or inside an organization's own facilities. These components include hardware, software, networking components, operating systems, and data storage, all of which are used to deliver IT services and solutions.

IT infrastructure products are available as downloadable software applications that run on existing IT resources, such as software-defined storage, or as online solutions provided by service providers, such as Infrastructure-as-a-Service (IaaS). do.

Cloud: A cloud is an IT environment that abstracts, pools, and shares scalable resources across a network. The cloud supports cloud computing, the act of running workloads within a cloud environment.

A cloud consists of a front-end platform, a back-end platform, and a delivery network that connects these platforms. A front-end platform can be an end-user device (such as a PC, tablet, or mobile phone) or a computer network. A backend platform is a software application accessed through a physical infrastructure or delivery network (typically the Internet, but sometimes an intranet).

Clouds can be classified into four types as follows.

(1) Private cloud: A private cloud is, generally defined, a cloud environment dedicated to end users, usually within the user's firewall and sometimes on-premise.

(2) Public cloud: A public cloud is a cloud environment that can be created from resources not owned by end users and redistributed to other tenants. Specifically, public clouds are pools of virtual resources developed on hardware owned and managed by third-party vendors, which are automatically provisioned and allocated among multiple clients through a self-service interface.

(3) Hybrid cloud: A hybrid cloud is a cloud that includes a private cloud and a public cloud, and provides technology to share data and applications between the private cloud and the public cloud. In other words, hybrid clouds can allow data and applications to move between private and public clouds, providing some degree of workload portability, orchestration and management capabilities.

(4) Multicloud: A multicloud is an IT system that includes two or more clouds (public or private) regardless of network connectivity.

Container: A container is a software execution unit in which application code is packaged together with its libraries and dependencies so that it can run anywhere, whether on the desktop, in traditional IT, or in the cloud.

To do this, containers leverage the capabilities of the OS (namespaces and cgroups primitives, in the case of the Linux kernel) to isolate processes and control the amount of CPU, memory, and disk that processes can access. Utilize some form of virtualization.

API (application programming interface): An API is an interface that allows you to control functions provided by an operating system or programming language so that applications can use them. The API mainly provides interfaces for file control, window control, image processing, text control, and the like. APIs allow products or services to communicate with each other without knowing how they are implemented, and can save time and money by simplifying application development.

APIs provide access to resources, allow you to maintain security and control, and determine how and to whom access is granted. API security means good management of APIs. Connecting to APIs and creating applications that use the data or functionality exposed by APIs can be done through a decentralized integration platform that connects any environment, including legacy systems and the Internet of Things (IoT).

There are several authentication methods for APIs, and each method has a different security level and implementation difficulty. Therefore, it is necessary to understand the pros and cons of each method and select an appropriate API authentication method suitable for the service level. Authentication methods for the following two APIs are disclosed, and there are various authentication methods in addition to the following two methods.

(1) API key method: This is the most basic method, and an API key is a kind of string that only a specific user can know.

(2) API token method: The method of issuing an API token is a method of authenticating a user with an ID, password, etc., and then issuing an API token with a valid period for the user to use for API calls to authenticate the user with the API token. am.

1 shows an example of a cloud and container infrastructure environment.

1 shows various cloud and container infrastructure environments commonly used in the industry. Depending on the cloud provider (e.g. AWS, GCP, Azure), the specifications differ for each interface, and the container infrastructure environment also varies depending on the manufacturer and version.

Figure 1(a) illustrates for a public cloud and/or private cloud environment.

1(a) illustrates a cloud environment by taking examples of cloud service providers (CSP-A, CSP-B, and CSP-C). CSP stands for cloud service provider, which means a company that provides public cloud infrastructure and platform services.

Referring to FIG. 1(b), clusters A and B exist in a container environment.

A container refers to a modular and isolated computing space or computing environment, that is, a space in which an environment for running an application is isolated. The container that runs your application uses the necessary libraries, dependencies and files, so your application can go into production seamlessly. The illustrated cluster is a set of node machines for running containers.

1(c) is a conceptual diagram for a hybrid cloud container environment, in detail, in which a container environment is built in various multi-cloud environments to provide services by converging assets.

A hybrid cloud is a cloud computing model that combines one or more public and private cloud environments through a network connection, allowing data and applications to be shared between the different cloud environments. Each cloud in FIG. 1(c) includes one or more clusters.

2 shows an asset management system in a cloud infrastructure environment according to the present invention.

Referring to FIG. 2 , information on resources (resources) in a cloud or container infrastructure environment is detected through an information collection interface 201 and collected by an information collection unit 202 . The asset management unit 203 identifies assets and monitors the collected assets. When an unidentified resource is created based on the collected information, the anomaly detection unit 204 serves to inform an administrator or delete the corresponding resource.

Although FIG. 2 does not show the cloud environment and the container environment, information on dynamically changing resources in the cloud environment or container environment shown in FIG. 1 is used. In addition, the cloud/container environment or type is not limited to FIG. 1 and the present invention is applicable to various embodiments of public cloud, private cloud, and hybrid cloud. Hereinafter, FIG. 2 will be described in detail.

Information can be collected through various information collection interfaces 201 from various cloud and container infrastructure environments. The information collection interface includes an API interface and a LOG collector tailored to the cloud environment, and may include a simple systems manager (SSM) interface provided only by a specific provider or a secure shell (SSH) interface that can be used universally.

The information collection unit 202 receives notification of changes in resources through a Webhook or Watcher interface when a notification function (notification hook) for change history exists. Specifically, if a notification hook (webhook or watcher) is provided in the cloud/container system interface, system changes are monitored by hooking to the corresponding interface.

When the corresponding interface does not exist, the information collection unit 202 periodically collects resources through the information collection interface. In an exemplary embodiment, the information collection unit may periodically monitor system (or system resource) changes through a polling method through an API. Polling is a method in which one device (or program) periodically checks the status of another device (or program) for the purpose of collision avoidance or synchronization processing, and performs data processing such as transmission and reception when certain conditions are satisfied. .

The asset management unit 203 identifies assets by users (managers).

In an exemplary embodiment, the asset management unit refers to the type of specific resource and the allocation manager for the resource itself as “a specific department” and “a specific person”, and identifies the asset by a preliminary rule of the anomaly detection unit 204 and tags it (Tagging)

Basically, all resources in the infrastructure environment are assigned a special tag value specified by the management entity, and resources that are not assigned this value are classified as abnormal resources and included in the monitoring target.

In addition, the asset management unit 203 may monitor the cost of the collected infrastructure assets.

Based on the collected information, the anomaly detection unit 204 inquires whether the amount of change in billing is based on an appropriate threshold through an artificial intelligence learning engine. The anomaly detection unit predicts monthly usage based on daily usage, predicts the size of asset cost compared to the previous one, and notifies the manager if the size of the asset cost is large compared to the previous one.

In an exemplary embodiment, based on the collected information, the anomaly detection unit 204 may machine learn additional information such as the type, attribute, region, and the like of an infrastructure asset through an artificial intelligence learning engine. Through machine learning, the type, property, and region of the infrastructure asset used by the administrator are repeated and learned a predetermined number of times to create related data. Using the learned and created data, the anomaly detection unit may notify a manager when it is determined that a resource related to a resource change of a resource type, unused property, or region is generated.

When an unintended (unknown) resource is newly created, the anomaly detection unit 204 informs the user of an alarm. If the user does not respond to this alert after a certain period of time according to a predefined rule, the anomaly detection unit 204 automatically deletes the resource to block potential threat resources and changes in the cloud environment in advance. do.

The anomaly detection unit 204 specifies the management department and manager for the resource through a dictionary rule, manages users who can manage access within the infrastructure based on this tagging information, and prevents unwanted users (or departments) from accessing specific resources. When a change is made to the system, it is detected and the threat is notified to the administrator.

Therefore, by using manual techniques (based on user rules) and automatic techniques (based on anomalies by learning) to detect abnormalities in resources in the cloud and/or container environment that are difficult to identify through the above process, administrators (users) can If an unwanted (unintended) resource is detected, it can be automatically deleted.

3 is a conceptual diagram of a module providing resource identification and anomaly detection functions in a cloud environment according to the present invention.

Changes in resources are detected through the API 301 of the cloud. Although only API is shown in FIG. 3 , changes in resources may be detected through an SSM interface, an SSH interface, or a LOG collector in exemplary embodiments to which the present invention is applicable.

The API module (connection API for development) 302 collects various information from resources. In addition, the API module can access the detected resources periodically (regularly) to inquire resource information (Active Scan).

The tagging technique according to the present invention for identifying resources is 1) an asset identification technique by tagging cloud information, 2) an anomaly detection technique that determines whether an asset is abnormal according to the presence or absence of a tag, and 3) an automatic resource expansion technique. It includes a tagging technique.

In an exemplary embodiment, the API module 302 identifies and marks assets through a tagging technique for resources managed by the developer/operations team.

Tagging is divided into two types: one that is directly marked on cloud assets (TAG assignment) and one that is separately managed in the internal inspection system (TAG management). TAG allocation is performed by the API module 302 and TAG management is performed by the Asset and Tag Management module 303 .

In an exemplary embodiment, when an unidentified resource is created (a resource with no tag at all), the asset and tag management module notifies the organization (department/person in charge). If the administrator does not take further action (approve/reject) after a certain amount of time, the anomaly detection engine in the API module classifies this resource as an anomalous asset and sends an automatic shutdown or delete command to automatically remove (restrict) the corresponding change. ) (Action).

In an exemplary embodiment, based on an anomaly detection rule (preliminary rule), when a change to an undefined resource and region (data center providing a cloud) occurs in a department not authorized in advance, assets and The tag management module 303 identifies this and sends a notification to the manager. If the administrator does not take further action (approve or reject) within the specified time, the anomaly detection engine of the API module 302 classifies this resource as an anomalous asset and sends an automatic shutdown or delete command to automatically remove ( limit) (Action).

Assets can be automatically tagged according to resource expansion.

In an exemplary embodiment, when a resource is duplicated and created through auto-scaling, etc., this is also tracked, a tag value is inherited from an upper inheritor, or an asset is monitored based on the parent and child relationship of instance resources.

4 is a diagram illustrating a resource processing method according to dynamically changing resource identification and manager correspondence in a cloud environment according to the present invention.

A change in a resource is detected by the cloud API and information about the resource is acquired (S401).

A resource type is identified based on tagging and dictionary rules (S403).

In an exemplary embodiment, a special tag value specified by a management entity is assigned to a resource within the infrastructure, and a manager is notified of a resource to which a tag value is not assigned.

In an exemplary embodiment, if a change to a resource and region not previously defined in a department not authorized in advance occurs (ie, an unintended resource is created) based on a prior rule, it is identified and an administrator send a notification to

As reviewed in step S403, the manager is notified (alarmed) about the unidentified resource, and the resource may or may not be classified as an abnormal asset based on the manager's additional response (approval or rejection) (S405). .

If there is a notification function (Webhook or Watcher) for the change history, the administrator receives notification of the change through the corresponding interface.

If there is no notification function for change history, the administrator can receive notification of changes through the information collection interface. The information collection interface may be any one of an API, a LOG collector, a simple systems manager (SSM) interface, and a secure shell (SSH) interface.

If there is no additional response from the manager, the resource is classified as an abnormal asset (S407).

In detail, if the manager does not approve or reject the unidentified resource even after a specific time elapses after the manager is notified of the unidentified resource, the anomaly detection engine classifies the unidentified resource as an abnormal asset.

Resources classified as abnormal assets may be automatically stopped or deleted (S409).

Specifically, changes to resources classified as abnormal assets are automatically removed (limited) by an automatic shutdown or delete command.

When the manager makes an additional response, the resource is processed according to the manager's response. If the manager's response is approval, the alarm is canceled and the corresponding resource may be stored in a DB (database) (S411). If the administrator's response is rejection, the rejected resource may be deleted.

5 is a diagram illustrating a method of identifying a resource based on a dictionary rule according to the present invention.

The asset management unit classifies managers (users) into specific departments and specific people based on prior rules (S501).

The asset management unit maps a specific resource, a specific department and a specific person classified for the specific resource (S503).

This is to define an asset-specific manager for a specific resource and a specific region. Management departments and administrators for resources are specified through dictionary rules, which can be managed with tagging information.

When a change occurs in the resource, the anomaly detection unit checks whether the asset management unit is a specific department and a specific person mapped to the changed resource (S505).

In the case of departments and administrators who do not correspond to the changed resources, that is, when changes to resources and regions that are not defined in advance occur in departments that have not been authorized in advance. That is, assets can be identified and tagged by users based on prior rules.

The information collection unit notifies (alarms) the manager when it is not a specific department and a specific person mapped to the changed resource (S507).

You can notify the manager through the notification hook of the information collection unit or notify the manager through API polling.

Through the above process, administrators (users) capable of managing access within the infrastructure can be managed, and when an unwanted user (or department) changes to a specific resource, it is detected and the threat is notified to the administrator.

6 illustrates a block configuration diagram of a device according to an embodiment of the present invention.

Referring to FIG. 6 , a device 600 includes a processor 610 , a memory 620 , an input/output module 630 , a display module 640 and a user interface module 650 .

The device 600 is shown for convenience of explanation, and some modules may be omitted. In addition, the device 600 may further include necessary modules. Also, some modules in the device 600 may be divided into more subdivided modules.

Processor 610 is configured to perform an operation according to an embodiment of the present invention illustrated with reference to the drawings. Specifically, detailed operations of the processor 610 may refer to the contents described in FIGS. 1 to 5, and the processor 610 includes an information collection unit 611, an asset management unit 612, and an anomaly detection unit 613. include

The memory 620 is connected to the processor 610 and stores an operating system, applications, program codes, data, and the like.

The input/output module 630 is connected to the processor 610 and is composed of a peripheral interface for communicating data with input/output devices such as a keyboard and a printer, or an input/output communication interface for communicating data from a remote location through a communication line.

More specifically, according to the present invention, the information collection interface may be included in the input/output module. The information collection interface may periodically collect and obtain information about resources in a cloud or container environment. Administrators can be notified of changes through the information collection interface. The information collection interface may include an application programming interface (API), a LOG collector, a simple systems manager (SSM) interface, and a secure shell (SSH) interface.

The display module 640 is connected to the processor 610 and displays various information. The display module 640 is not limited thereto, but well-known elements such as liquid crystal displays (LCDs), light emitting diodes (LEDs), and organic light emitting diodes (OLEDs) may be used.

The UI module 650 is connected to the processor 610 and may be composed of a combination of well-known user interfaces such as a keypad and a touch screen. Through the UI module, the user (manager) can identify the asset by tagging the asset in the asset management unit included in the processor.

The processor 610 of the present invention may functionally include an information collection unit 611 , an asset management unit 612 , and an anomaly detection unit 613 . Since each functional detailed operation of the processor 610 has been described above, detailed operations of each functional configuration will be omitted.

The processor 610 may obtain information about changes in resources in a cloud or container infrastructure environment.

In detail, when the processor 610 includes an interface providing a notification function for a change history, notification of a change in a resource may be obtained through the corresponding interface.

In addition, when the processor 610 does not include the interface providing a notification function for the change history, monitoring is possible by periodically collecting and obtaining information on resources through an information collection interface.

The processor 610 may collect and monitor costs for infrastructure assets based on the acquired information. In detail, the processor 610 inquires whether the amount of change in billing is based on an appropriate threshold value through an artificial intelligence learning engine based on the acquired information, and calculates the monthly usage based on the daily usage in relation to the assets of the infrastructure. is predicted, and if the predicted monthly usage exceeds the previous month's usage, a notification may be performed to the manager.

In addition, the processor 610 may collect at least one of the type, property, or region of the asset of the infrastructure based on the acquired information and perform monitoring. In detail, based on the acquired information, the processor 610 repeatedly learns the type, attribute, or region of an asset of the infrastructure through an artificial intelligence learning engine a predetermined number of times, and extracts data from the learning repeated a predetermined number of times. do. Based on the data learned and extracted in this way, the processor 610 determines whether the type, attribute or region of the resource is the type, attribute or region used by the manager. As a result of the determination, if the type, property or region of the resource is a type, property or region not used by the manager, the manager is notified.

An interface that provides a notification function for change history to an administrator may provide a Webhook or Watcher function.

An information collection interface for collecting information may be determined to be any one of an application programming interface (API), a LOG collector, a simple systems manager (SSM) interface, and a secure shell (SSH) interface.

Also, the processor 610 may identify resources based on tagging and predefined rules. In detail, the processor 610 may identify a resource by determining whether there is a tag value assigned to the resource and determining whether the resource is a non-predefined resource based on a predefined rule. .

Here, the type of tagging may be any one of a type directly marked on a cloud asset and a type separately managed by an internal inspection system.

If the resource is not identified, the processor 610 may perform a notification to the manager. In detail, the processor 610 may determine that the resource is not identified when there is no tag value for the resource and the resource is an undefined resource.

Also, when the processor 610 determines that a change to a resource is a change made by an allocation manager that is not mapped to a specific department or person, the processor 610 determines that the corresponding resource is a resource that has not been defined in advance. To this end, the processor 610 designates and classifies administrators into specific departments and specific people based on predefined rules, and maps allocation managers for the type of specific resource, resource itself, and specific region to the specific department and specific person. can be done

When the resource is not identified, the processor 610 notifies the manager.

The processor 610 classifies the resource as an abnormal asset when there is no additional response from the manager even when the manager is notified that the resource is not identified.

Then, the processor 610 suspends or deletes the resource classified as an abnormal asset.

The processor 610 may create a duplicated resource by duplicating the resource by auto-scaling, and may track and tag the duplicated resource. Cloned resources inherit tag values from their parent heirs.

The embodiments described above are those in which elements and features of the present invention are combined in a predetermined form. Each component or feature should be considered optional unless explicitly stated otherwise. Each component or feature may be implemented in a form not combined with other components or features. It is also possible to configure an embodiment of the present invention by combining some components and/or features. The order of operations described in the embodiments of the present invention may be changed. Some components or features of one embodiment may be included in another embodiment, or may be replaced with corresponding components or features of another embodiment. It is obvious that claims that do not have an explicit citation relationship in the claims can be combined to form an embodiment or can be included as new claims by amendment after filing.

Steps of a method or algorithm described in connection with the embodiments disclosed herein may be directly implemented as hardware executed by a processor, a software module, or a combination of the two. A software module may reside in a storage medium (ie, memory and/or storage) such as RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM.

An exemplary storage medium is coupled to the processor, and the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integral with the processor. The processor and storage medium may reside within an application specific integrated circuit (ASIC). An ASIC may reside within a user terminal. Alternatively, the processor and storage medium may reside as separate components within a user terminal.

Specifically, the present invention provides a non-transitory processor-readable method that stores one or more instructions that, when executed by at least one processor, cause the at least one or more processors to perform operations. It may be implemented as a medium (processor-readable medium), and the operations may obtain information about changes in resources in a cloud or container infrastructure environment based on a user input through an application loaded on the device, and tagging ( tagging) and predefined rules to identify the resource, if the resource is not identified, a notification is performed to a manager, and if there is no additional response from the manager, the resource is classified as an abnormal asset and stopping or deleting the resource classified as the abnormal asset.

Although the embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art to which the present invention pertains can be implemented in other specific forms without changing the technical spirit or essential features of the present invention. you will be able to understand Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive.

201: information collection interface
202: information collection department
203: asset management department
204: anomaly detection unit
301: Cloud API
302: API module
303: Asset and tag management module
600: device
601: processor
611: information collection department
612: asset management department
613: anomaly detection unit
620: memory
630: I/O module
640: display module
650: UI module

Claims (11)

A method in which a device for performing resource management operates,
Acquiring information about changes in resources in a cloud or container infrastructure environment;
identifying the resource based on tagging and predefined rules;
If the resource is not identified, performing a notification to a manager;
classifying the resource as an abnormal asset when there is no additional response from the manager; and
Including the step of stopping or deleting the resource classified as the abnormal asset,
Identifying the resource based on the tagging and predefined rules comprises:
determining whether there is a tag value assigned to the resource;
Further comprising determining whether the resource is a non-predefined resource based on the predefined rule,
The case where the resource is not identified includes a case where the tag value does not exist for the resource and the resource is a resource not previously defined. According to claim 1,
Determining whether the resource is a non-predefined resource based on the predefined rule:
classifying a manager into a specific department and a specific person based on the predefined rule;
mapping a specific resource type, resource itself, and an allocation manager for a specific region to the specific department and specific person; and
And determining whether the change to the resource is a change made by an allocation manager that is not mapped to the specific department or specific person. According to claim 1,
The tagging type is further characterized in that any one of a type directly marked on a cloud asset and a type separately managed by an internal inspection system. According to claim 1,
Further comprising collecting and monitoring at least one of cost, type, attribute, and region for the asset of the infrastructure based on the obtained information. According to claim 4,
Collecting and monitoring costs for assets of the infrastructure based on the obtained information includes:
Based on the obtained information, through an artificial intelligence learning engine, inquiring whether the amount of change in billing is based on an appropriate threshold value;
Estimating monthly usage based on daily usage in relation to the assets of the infrastructure;
Further comprising notifying a manager when the predicted monthly usage exceeds the previous month's usage. According to claim 4,
The step of collecting and monitoring at least one of the type, property, or region of the asset of the infrastructure based on the acquired information:
Based on the acquired information, learning the type, property, or region of the asset of the infrastructure by repeating a predetermined number of times through an artificial intelligence learning engine;
extracting data from the learning repeated a predetermined number of times; and
Determining whether the type, property or region of the resource is the type, property or region used by a manager based on the data;
When the type, property or region of the resource is determined to be an unused type, property or region, further comprising the step of notifying a manager. According to claim 1,
The step of obtaining information about the resource is:
obtaining a notification of a change in the resource through the interface, when the device includes an interface providing a notification function for a change history; and
The method further comprises periodically collecting and obtaining information on the resource through an information collection interface when the device does not include the interface providing a notification function for a change history. According to claim 7,
The interface providing a notification function for the change history provides a Webhook or Watcher function,
Characterized in that the information collection interface is any one of an application programming interface (API), a LOG collector, a simple systems manager (SSM) interface, and a secure shell (SSH) interface. According to claim 1,
Creating a replicated resource by replicating the resource by auto-scaling;
Including tracking and tagging the replicated resource,
Further characterized in that the cloned resource inherits a tag value from an upper inheritor. In a device that performs information collection and processing
I/O module;
a memory configured to store data; and
one or more processors coupled with the memory;
The one or more processors:
obtain information about changes in resources within the cloud or container infrastructure environment;
identify the resource based on tagging and predefined rules;
If the resource is not identified, performing a notification to a manager;
if there is no further response from the manager, classify the resource as an abnormal asset; and
It is configured to stop or delete the resource classified as the abnormal asset,
Where the processor is configured to identify the resource based on the tagging and predefined rules:
determine whether there is an assigned tag value for the resource;
Further comprising determining whether the resource is a non-predefined resource based on the predefined rule,
The case where the resource is not identified includes a case where the tag value does not exist for the resource and the resource is an undefined resource. A non-transitory processor-readable medium storing one or more instructions that cause one or more processors to perform operations, the operations comprising:
obtain information about changes in resources within the cloud or container infrastructure environment;
identify the resource based on tagging and predefined rules;
If the resource is not identified, performing a notification to a manager;
if there is no further response from the manager, classify the resource as an abnormal asset; and
Including stopping or deleting the resource classified as the abnormal asset,
Identifying the resource based on the tagging and predefined rules:
determine whether there is an assigned tag value for the resource;
Further comprising determining whether the resource is a non-predefined resource based on the predefined rule,
When the resource is not identified, the tag value does not exist for the resource and the resource is a non-predefined resource. Non-transitory processor-readable medium.

Images