-
Publication No.: US11765174B2
Publication Date: 2023-09-19
Application No.: US16213545
Filing Date: 2018-12-07
Applicant: VMware, Inc.
Inventor: Arijit Chanda , Venkat Rajagopalan , Rajiv Mordani , Arnold Poon , Rajiv Krishnamurthy , Farzad Ghannadian , Sirisha Myneni
CPC classification number: H04L63/102 , H04L63/205 , G06F9/45533
Abstract: Techniques for providing application-independent access control in a cloud-services computing environment are provided. In one embodiment, a method for providing application-independent access control is provided. The method includes obtaining a user identity for accessing the cloud-services computing environment and receiving a user request to perform a task using an application. The method further includes collecting process-related data for performing the task using the application and obtaining one or more network routing addresses. The method further includes determining, based on the user identity, the process-related data, and the one or more network routing addresses, whether the task is to be performed. If the task is to be performed, the task is caused to be performed using the application; if the task is not to be performed, the user request is denied.
-
Publication No.: US20230015632A1
Publication Date: 2023-01-19
Application No.: US17374617
Filing Date: 2021-07-13
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Nafisa Mandliwala , Subrahmanyam Manuguri
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes a set of host computers that each execute multiple machines. The method receives, from the set of host computers, multiple contextual attributes that define one or more compute environments. Through a user interface, the method presents the multiple contextual attributes and a set of controls for use in generating intent-based API commands. The method receives, through the user interface, an intent-based API command that defines intent for a set of one or more intrusion detection rules to be enforced in the datacenter, the intent defined in terms of one or more of the multiple contextual attributes. The method processes the intent-based API command in order to distribute intrusion detection system configuration data to configure, for each host computer in the set of host computers, an intrusion detection system operating on the host computer.
-
Publication No.: US11463300B2
Publication Date: 2022-10-04
Application No.: US16927542
Filing Date: 2020-07-13
Applicant: VMware, Inc.
Inventor: Nafisa Mandliwala , Sirisha Myneni , Robin Manhas , Baibhav Singh
IPC: H04L41/0681 , H04L41/0695 , H04L41/0631 , H04L9/40
Abstract: The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.
-
Publication No.: US11258718B2
Publication Date: 2022-02-22
Application No.: US16686922
Filing Date: 2019-11-18
Applicant: VMware, Inc.
Inventor: Suresh Muppala , Nafisa Mandliwala , Sirisha Myneni , Venkatakrishnan Rajagopalan
IPC: H04L12/851 , G06F9/455 , H04L12/861 , H04L12/863 , H04L47/2441 , H04L49/90 , H04L47/62
Abstract: The disclosure provides an approach for rate limiting packets in a network. Embodiments include receiving, by a rate limiting engine running on a host machine, a network event related to a virtual computing instance running on the host machine, the network event comprising flow information about a network flow. Embodiments include receiving, by the rate limiting engine, context information corresponding to the network flow, wherein the context information comprises one or more of a user characteristic or an application characteristic. Embodiments include determining, by the rate limiting engine, a priority for the network flow by applying a rate limiting policy to the flow information and the context information. Embodiments include providing, by the rate limiting engine, the priority for the network flow to a multiplexer for use in rate limiting the network flow.
-
Publication No.: US20220035645A1
Publication Date: 2022-02-03
Application No.: US16942196
Filing Date: 2020-07-29
Applicant: VMware, Inc.
Inventor: Suresh Babu Muppala , Venkatakrishnan Rajagopalan , Sirisha Myneni
Abstract: Described herein are systems, methods, and software to manage communication rates between applications in a tiered application computing environment. In one implementation, a load service monitors load information associated with applications that each execute using one or more virtual nodes. The load service further determines that the load information associated with an application of the applications satisfies one or more load criteria and identifies at least one application that communicates requests to the application. Once identified, the load service communicates a notification to the at least one application to update a communication request configuration to the application.
-
Publication No.: US20200065080A1
Publication Date: 2020-02-27
Application No.: US16112396
Filing Date: 2018-08-24
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Arijit Chanda , Laxmikant Vithal Gunda , Arnold Poon , Farzad Ghannadian , Kausum Kumar
Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests enables administrators to manage fine-grained micro-segmentation rules based on endpoint and network attributes.
-
Publication No.: US20200014663A1
Publication Date: 2020-01-09
Application No.: US16028347
Filing Date: 2018-07-05
Applicant: VMware, Inc.
Inventor: Tori Chen , Sirisha Myneni , Arijit Chanda , Arnold Poon , Farzad Ghannadian , Venkat Rajagopalan
Abstract: Some embodiments of the invention provide a novel architecture for providing context-aware middlebox services at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments use a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to context-aware middlebox service engines providing the context-aware middlebox services. In some embodiments, a context header insertion processor uses contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE and sent to the context-aware middlebox service engine.
-
Publication No.: US20230018434A1
Publication Date: 2023-01-19
Application No.: US17374630
Filing Date: 2021-07-13
Applicant: VMware, Inc.
Inventor: Nafisa Mandliwala , Sirisha Myneni , Subrahmanyam Manuguri
IPC: H04L29/06
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads. The method provides the identified set of intrusion detection signatures to an intrusion detection system operating on the particular host computer for enforcement.
-
Publication No.: US20230013808A1
Publication Date: 2023-01-19
Application No.: US17374608
Filing Date: 2021-07-13
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Nafisa Mandliwala , Rajitha Arcot , Subrahmanyam Manuguri
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives an intent-based application programming interface (API) command that defines intent for a set of one or more context-based intrusion detection rules for detecting and preventing intrusions on the at least one host computer. The method uses multiple contextual attributes to convert the defined intent into a set of one or more intrusion detection scripts for enforcement on the at least one host computer. The method provides the set of one or more intrusion detection scripts to an intrusion detection system operating on the at least one host computer for enforcement.
-
Publication No.: US11522835B2
Publication Date: 2022-12-06
Application No.: US16027086
Filing Date: 2018-07-03
Applicant: VMware, Inc.
Inventor: Arijit Chanda , Sirisha Myneni , Arnold Poon , Kausum Kumar , Dhivya Srinivasan
IPC: H04L29/06 , H04L9/40 , H04L41/5041 , H04L65/1033 , G06F9/455
Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device, obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event, storing the login event information as one or more context attributes in an attribute table, and applying a firewall rule to a data message that corresponds to the one or more context attributes.