-
Publication Number: US20210029050A1
Publication Date: 2021-01-28
Application Number: US16520220
Application Date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Ly Loi, Rick Lund, Sushruth Gopal
IPC: H04L12/891, H04L12/851, H04L12/26
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance, a set of agents for collecting context data relating to the flows from machines executing on the host, a set of additional modules that provide additional context data, an anomaly detection engine that analyzes flow data and context data and provides additional context data, and a context exporter for processing and publishing context data to the analysis appliance.
-
Publication Number: US12034700B2
Publication Date: 2024-07-09
Application Number: US16841962
Application Date: 2020-04-07
Applicant: VMware, Inc.
Inventor: Sushruth Gopal, Jayant Jain, Davide Celotto, Josh Swerdlow
CPC classification number: H04L63/0263, G06F9/45558, H04L63/0236, G06F2009/45587, G06F2009/45595
Abstract: A method comprises: in response to detecting a new expression in a policy rule, updating a global version number to a new value; identifying a particular IP address that corresponds to an FQDN matching on the new expression; storing an entry comprising the particular IP address, the new expression, and an entry version number in a first data structure, the entry version number being assigned the new value; in response to detecting a new connection to a destination IP address: finding a matching entry in the first data structure corresponding to the destination IP address; determining whether the global version number matches the entry version number for the matching entry; and in response to determining that the global version number does not match the entry version number for the matching entry, sending update information to a slowpath process that associates an updated configuration information for the matching entry.
-
Publication Number: US11539718B2
Publication Date: 2022-12-27
Application Number: US16739572
Application Date: 2020-01-10
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L29/06, H04L9/40, G06F16/901, G06F9/54, G06F9/455
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different from the layer 2, 3 and 4 header values of the data message. The identified set of contextual attributes is provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication Number: US11436075B2
Publication Date: 2022-09-06
Application Number: US16520233
Application Date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Rick Lund, Alok S. Tiagi, Sushruth Gopal
IPC: G06F11/07, H04L9/40, H04L69/22, H04L43/08, H04L41/046
Abstract: Some embodiments provide a novel method for collecting and analyzing attributes of data flows associated with machines executing on a plurality of host computers to detect anomalous behavior. In some embodiments, an anomalous behavior is detected for at least one particular flow associated with at least one machine executing on the host computer. In some embodiments, anomaly detection is based on the context data from the guest introspection agent and deep packet inspection. An identifier of the detected anomalous behavior is stored, in some embodiments. The stored attributes are provided, in some embodiments, to a server for further analysis.
-
Publication Number: US11848946B2
Publication Date: 2023-12-19
Application Number: US18088620
Application Date: 2022-12-26
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L29/06, H04L9/40, G06F16/901, G06F9/54, G06F9/455
CPC classification number: H04L63/1416, G06F9/45558, G06F9/545, G06F16/9027, G06F2009/45587, G06F2009/45595
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different from the layer 2, 3 and 4 header values of the data message. The identified set of contextual attributes is provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication Number: US20210026720A1
Publication Date: 2021-01-28
Application Number: US16520233
Application Date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Rick Lund, Alok S. Tiagi, Sushruth Gopal
Abstract: Some embodiments provide a novel method for collecting and analyzing attributes of data flows associated with machines executing on a plurality of host computers to detect anomalous behavior. In some embodiments, an anomalous behavior is detected for at least one particular flow associated with at least one machine executing on the host computer. In some embodiments, anomaly detection is based on the context data from the guest introspection agent and deep packet inspection. An identifier of the detected anomalous behavior is stored, in some embodiments. The stored attributes are provided, in some embodiments, to a server for further analysis.
-
Publication Number: US20230131464A1
Publication Date: 2023-04-27
Application Number: US18088620
Application Date: 2022-12-26
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L9/40, G06F16/901, G06F9/54, G06F9/455
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different from the layer 2, 3 and 4 header values of the data message. The identified set of contextual attributes is provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication Number: US20220400070A1
Publication Date: 2022-12-15
Application Number: US17347706
Application Date: 2021-06-15
Applicant: VMware, Inc.
Inventor: Jayant Jain, Rick Lund, Russell Lu, Sushruth Gopal, Subrahmanyam Manuguri
IPC: H04L12/26
Abstract: The method of some embodiments samples data flows. The method samples a first set of flows during a first time interval using a first logical port window for the first time interval. The first logical port window identifies a first set of non-contiguous layer 4 (L4) values in an L4 port range that are candidate values for sampling the flows during the first time interval. The method also samples a second set of flows during a second time interval using a second logical port window for the second time interval. The second logical port window identifies a second set of non-contiguous L4 values in an L4 port range that are candidate values for sampling the flows during the second time interval.
-
Publication Number: US20210218758A1
Publication Date: 2021-07-15
Application Number: US16739572
Application Date: 2020-01-10
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L29/06, G06F16/901, G06F9/455, G06F9/54
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different from the layer 2, 3 and 4 header values of the data message. The identified set of contextual attributes is provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication Number: US11188570B2
Publication Date: 2021-11-30
Application Number: US16520224
Application Date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Ly Loi, Rick Lund, Sushruth Gopal
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. The host computer, in some embodiments, first eliminates duplicative flow group records and then aggregates the flow data according to a set of received keys that specify attributes that define the aggregation. For example, a simple key that specifies a set of machine identifiers (e.g., a VM ID) as attribute values will, for each machine identifier, aggregate all flows with that machine identifier into a single aggregated flow group record. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance.