-
Publication No.: US20150339475A1
Publication date: 2015-11-26
Application No.: US14286010
Filing date: 2014-05-23
Applicant: VMware, Inc.
Inventor: Azeem Feroz, Binyuan Chen, Prasad Sharad Dabak
CPC classification number: G06F21/53, G06F21/566
Abstract: Methods and systems for protecting a virtual machine network are disclosed. In an embodiment, a method involves storing an application whitelist including application-to-user associations in memory such that the application whitelist is immutable by a guest virtual machine, receiving a request to execute an application including an application identifier and a user identifier, comparing the application identifier and the user identifier of the request with the application whitelist, and generating an execution decision indicating whether the requested application can execute on the guest virtual machine.
-
Publication No.: US10454895B2
Publication date: 2019-10-22
Application No.: US15262861
Filing date: 2016-09-12
Applicant: VMware, Inc.
Inventor: Azeem Feroz, Binyuan Chen, Amit Chopra
Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy. The agent blocks the network socket event from reaching the transport layer when the denial is received from the security server. In one embodiment, the method is implemented using a machine readable medium embodying software instructions executable by a computer.
-
Publication No.: US10726119B2
Publication date: 2020-07-28
Application No.: US14564062
Filing date: 2014-12-08
Applicant: VMware, Inc.
Inventor: Azeem Feroz, Binyuan Chen
Abstract: In a virtualized computer system, gray applications that are selected to be executed in a first virtual computing instance are executed and monitored in a second virtual computing instance that is a clone of the first virtual computing instance, and classified according to their monitored behavior. This process is conducted in real-time, in response to a notification that a gray application has been selected for execution in the first virtual computing instance. The execution of the gray application in the first virtual computing instance is delayed until the first virtual computing instance receives a notification from an application admission control manager that the gray application is safe to be executed in the first virtual computing instance. Although the execution of the gray application in the first virtual computing instance is delayed, all other processes running in the first virtual computing instance continue their execution, so a user accessing the first virtual computing instance will not experience any downtime.
-
Publication No.: US20160380972A1
Publication date: 2016-12-29
Application No.: US15262861
Filing date: 2016-09-12
Applicant: VMware, Inc.
Inventor: Azeem Feroz, Binyuan Chen, Amit Chopra
IPC: H04L29/06
CPC classification number: H04L63/0263, G06F21/44, G06F21/554, H04L63/0218, H04L63/10, H04L63/1416, H04L63/1441, H04L63/166, H04L63/168, H04L63/20
Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy. The agent blocks the network socket event from reaching the transport layer when the denial is received from the security server. In one embodiment, the method is implemented using a machine readable medium embodying software instructions executable by a computer.
-
Publication No.: US09760712B2
Publication date: 2017-09-12
Application No.: US14286010
Filing date: 2014-05-23
Applicant: VMware, Inc.
Inventor: Azeem Feroz, Binyuan Chen, Prasad Sharad Dabak
CPC classification number: G06F21/53, G06F21/566
Abstract: Methods and systems for protecting a virtual machine network are disclosed. In an embodiment, a method involves storing an application whitelist including application-to-user associations in memory such that the application whitelist is immutable by a guest virtual machine, receiving a request to execute an application including an application identifier and a user identifier, comparing the application identifier and the user identifier of the request with the application whitelist, and generating an execution decision indicating whether the requested application can execute on the guest virtual machine.