-
Publication number: US20200241903A1
Publication date: 2020-07-30
Application number: US16258016
Application date: 2019-01-25
Applicant: VMware, Inc.
Inventor: Bin Wang, Aditi Vutukuri, Lan Luo, Margaret Petrus
Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to improve containerized application visibility. An example apparatus includes a container application manager to build an inventory of the containerized application, the containerized application including a virtual machine, the virtual machine hosting one or more containers, and a network topology builder to invoke a virtual machine agent of the virtual machine to obtain network traffic events from the one or more containers to generate network topology information associated with the containerized application based on the inventory, generate a network topology for the containerized application based on the network topology information, build the visualization based on the network topology, the visualization including the inventory and the network topology information, and launch a user interface to display the visualization to execute one or more computing tasks.
-
Publication number: US11785032B2
Publication date: 2023-10-10
Application number: US17220550
Application date: 2021-04-01
Applicant: VMware, Inc.
Inventor: Santhanakrishnan Kaliya Perumal, Tejas Sanjeev Panse, Aditi Vutukuri, Rajiv Mordani, Margaret Petrus
CPC classification number: H04L63/1425, H04L63/20
Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives data indicating port usage for a particular time period for each of multiple destination data compute nodes (DCNs) executing on the host computers. For each DCN of a set of the destination DCNs, the method identifies whether the port usage for the particular time period deviates from a historical baseline port usage for the DCN. When the port usage for a particular DCN deviates from the historical baseline for the particular DCN, the method identifies the particular DCN as a target of a security threat.
-
Publication number: US20230131894A1
Publication date: 2023-04-27
Application number: US17507548
Application date: 2021-10-21
Applicant: VMware, Inc.
Inventor: Tejas Sanjeev Panse, Aditi Vutukuri, Arnold Koon-Chee Poon, Rajiv Mordani, Margaret Petrus
IPC: H04L29/12
Abstract: Some embodiments provide a method for identifying security threats to a datacenter. The method receives flow attribute sets for multiple flows from multiple host computers in the datacenter on which data compute nodes (DCNs) execute. Each flow attribute set indicates at least a source DCN for the flow. The method identifies flow attribute sets that correspond to DCNs responding to name resolution requests. For each DCN of a set of DCNs executing on the host computers, the method determines whether the DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the DCN based on the identified flow attribute sets. When a particular DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the particular DCN, the method identifies the particular DCN as a security threat to the datacenter.
-
Publication number: US20230011397A1
Publication date: 2023-01-12
Application number: US17372264
Application date: 2021-07-09
Applicant: VMware, Inc.
Inventor: Tejas Sanjeev Panse, Aditi Vutukuri, Arnold Koon-Chee Poon, Rajiv Mordani, Margaret Petrus
IPC: H04L29/06
Abstract: Some embodiments provide a system for detecting threats to a datacenter. The system includes a set of processing units and a set of non-transitory machine-readable media storing an analysis appliance. The analysis appliance includes multiple event detectors that analyze information received from host computers in the datacenter to identify anomalous events occurring in the datacenter. The analysis appliance includes a graph generation module that generates a graph of connections between data compute nodes (DCNs) in the datacenter based on the information received from the host computers. The analysis appliance includes a lateral movement threat detection module that (i) uses the graph of connections to identify a set of connections between a set of the DCNs based on a particular anomalous event and (ii) uses the set of connections and the identified anomalous events to determine whether the set of connections is indicative of a lateral movement attack on the datacenter.
-
Publication number: US20220417096A1
Publication date: 2022-12-29
Application number: US17355829
Application date: 2021-06-23
Applicant: VMware, Inc.
Inventor: Aditi Vutukuri, Tejas Sanjeev Panse, Margaret Petrus, Arnold Koon-Chee Poon, Rajiv Mordani
Abstract: Some embodiments provide a method for identifying policy misconfiguration in a datacenter. Based on flow data received for a plurality of data compute nodes (DCNs) in the datacenter, the method determines that an anomalous amount of data traffic relating to a particular DCN has been dropped. The method uses (i) the received flow data for the particular DCN and (ii) a set of recent policy configuration changes to determine policy configuration changes that contributed to the anomalous amount of dropped data traffic relating to the particular DCN. The method generates an alert for presentation to a user indicating the anomalous amount of data traffic and the contributing policy configuration changes.
-
Publication number: US11431678B2
Publication date: 2022-08-30
Application number: US16351083
Application date: 2019-03-12
Applicant: VMware, Inc.
Inventor: Arnold Poon, Sirisha Myneni, Rajiv Mordani, Aditi Vutukuri
IPC: H04L9/40, H04L61/103, G06F9/455, H04L69/22
Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.
-
Publication number: US20220174041A1
Publication date: 2022-06-02
Application number: US17674936
Application date: 2022-02-18
Applicant: VMware, Inc.
Inventor: Rishi Kanth Alapati, Parasuramji Rajendran, Weiming Xu, Shireesh Kumar Singh, Aditi Vutukuri, Anuprem Chalvadi, Chidambareswaran Raman, Margaret Angeline Petrus
IPC: H04L9/40, H04L41/0806, H04L41/00, H04L61/5007
Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.
-
Publication number: US11258757B2
Publication date: 2022-02-22
Application number: US16746075
Application date: 2020-01-17
Applicant: VMware, Inc.
Inventor: Rishi Kanth Alapati, Parasuramji Rajendran, Weiming Xu, Shireesh Kumar Singh, Aditi Vutukuri, Anuprem Chalvadi, Chidambareswaran Raman, Margaret Angeline Petrus
IPC: H04L29/06, H04L12/24, H04L29/12, H04L41/0806, H04L41/00, H04L61/5007
Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.
-
Publication number: US20210400014A1
Publication date: 2021-12-23
Application number: US17466165
Application date: 2021-09-03
Applicant: VMware, Inc.
Inventor: Parasuramji Rajendran, Rishi Kanth Alapati, Shireesh Kumar Singh, Aditi Vutukuri, Chidambareswaran Raman, Margaret Angeline Petrus, Anuprem Chalvadi, Pallavi Moghe, Weiming Xu
IPC: H04L29/12, G06F9/455, H04L12/741, H04L12/715, H04L12/751
Abstract: Described herein are systems and methods to manage Internet Protocol (IP) address discovery in a software defined networking (SDN) environment. In one example, a manager may generate an IP address discovery configuration and pass the IP address discovery configuration to a controller. Once received, the controller may obtain a discovered list from a hypervisor of one or more IP addresses associated with one or more logical ports and update a realized list for the one or more logical ports based on the discovered list and the IP address discovery configuration.
-
Publication number: US10911335B1
Publication date: 2021-02-02
Application number: US16520235
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Rajiv Mordani, Santhana Krishna Kallya Perumal, Aditi Vutukuri
Abstract: Some embodiments provide a novel method for analyzing the incoming flow data to detect anomalous behavior. The analysis, in some embodiments, is performed after a deduplication/aggregation operation. In some embodiments, the analysis identifies flows for further investigation by an administrator. The analysis, in some embodiments, is also performed based on other received data sets (e.g., context data and configuration data), stored flow data, or both.