Preventing application-level denial-of-service in a multi-tenant system

摘要

Denial-of-service attacks are prevented or mitigated in a cloud compute environment, such as a multi-tenant, collaborative SaaS system. This is achieved by providing a mechanism by which characterization of “legitimate” behavior is defined for accessor classes, preferably along with actions to be taken in the event an accessor exceeds those limits. A set of accessor “usage profiles” are generated. Typically, a profile comprises information, such as a “request time window,” one or more “constraints,” and one or more “actions.” A request time window defines a time period over which request usage is accumulated and over which constraints are applied. A constraint may be of various types (e.g., number of transactions, defined resource usage limits, etc.) to be applied for the usage monitoring An action defines how the system will respond if a particular constraint is triggered. By applying the constraints to accessor requests, over-utilization of compute resources is enabled.

主权项

1. A method of preventing application-level denial-of-service with respect to compute resources in a multi-tenant shared infrastructure, wherein a set of tenant applications available in the multi-tenant shared infrastructure are accessible by one or more accessors, the method comprising:
providing a set of usage profiles, at least one usage profile defining a time period, and at least one usage constraint; upon receipt from an accessor of a request to access a given application in the multi-tenant shared infrastructure, selecting a given usage profile from the set of usage profiles; applying the at least usage constraint in the selected usage profile with respect to the defined time period to determine whether the request to access the given application should proceed; if permitting the request to access triggers the at least one usage constraint in the selected usage profile with respect to the defined time period, providing the given application a notification.