-
Publication (announcement) number: US11689545B2
Publication (announcement) date: 2023-06-27
Application number: US17151142
Filing date: 2021-01-16
Applicant: VMware, Inc.
Inventor: Zhen Mo , Ereli Eran , Barak Raz , Vijay Ganti
IPC: H04L9/40
CPC classification number: H04L63/1416 , H04L63/0263 , H04L63/1441 , H04L63/20
Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.
-
Publication (announcement) number: US11645339B2
Publication (announcement) date: 2023-05-09
Application number: US16502768
Filing date: 2019-07-03
Applicant: VMware, Inc.
Inventor: Barak Raz , Vamsi Akkineni
IPC: G06F16/906 , G06F9/455
CPC classification number: G06F16/906 , G06F9/45558
Abstract: Certain aspects of the present disclosure relate to methods and systems for evaluating a first command line interface (CLI) input of a process. The method comprises examining the first CLI input and selecting a first clustering model corresponding to the process, wherein the first clustering model is created based on a first clustering configuration and a first feature type combination. The method further comprises creating a first feature combination for the first CLI input based on the first feature type combination, evaluating the first CLI input using the first clustering model and the first feature combination, wherein the evaluating further comprises determining a similarity score corresponding to a similarity between the first feature combination and the one or more clusters, and determining whether or not the first CLI input corresponds to normal behavior based on the similarity score.
-
Publication (announcement) number: US11729207B2
Publication (announcement) date: 2023-08-15
Application number: US16900240
Filing date: 2020-06-12
Applicant: VMware, Inc.
Inventor: Zhen Mo , Vijay Ganti , Debessay Fesehaye Kassa , Barak Raz , Honglei Li
IPC: H04L9/40
CPC classification number: H04L63/1441 , H04L63/0236 , H04L63/1416 , H04L63/1425 , H04L63/20
Abstract: The disclosure provides an approach for detecting and preventing attacks in a network. Embodiments include determining a plurality of network behaviors of a process by monitoring the process. Embodiments include generating a plurality of intended states for the process based on subsets of the plurality of network behaviors. Embodiments include determining a plurality of intended state clusters by applying a clustering technique to the plurality of intended states. Embodiments include determining a state of the process. Embodiments include identifying a given cluster of the plurality of intended state clusters that corresponds to the state of the process. Embodiments include selecting a novelty detection technique based on a size of the given cluster. Embodiments include using the novelty detection technique to determine, based on the given cluster and the state of the process, whether to generate a security alert for the process.