-
Publication (announcement) number: US11233770B2
Publication (announcement) date: 2022-01-25
Application number: US16460823
Application date: 2019-07-02
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Rajiv Mordani , Kausum Kumar
IPC: H04L29/06
Abstract: Behavior-based security in a datacenter includes monitoring user actions made by users in the datacenter. Behavior-based risk scores are computed for users based on their monitored actions. One or more firewall rules are generated for users based on their behavior-based risk scores. The firewall rules regulate the actions of the users.
-
Publication (announcement) number: US11184327B2
Publication (announcement) date: 2021-11-23
Application number: US16028347
Application date: 2018-07-05
Applicant: VMware, Inc.
Inventor: Tori Chen , Sirisha Myneni , Arijit Chanda , Arnold Poon , Farzad Ghannadian , Venkat Rajagopalan
Abstract: Some embodiments of the invention provide a novel architecture for providing context-aware middlebox services at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments use a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to context-aware middlebox service engines providing the context-aware middlebox services. In some embodiments, a context header insertion processor uses contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE and sent to the context-aware middlebox service engine.
-
Publication (announcement) number: US11086700B2
Publication (announcement) date: 2021-08-10
Application number: US16112408
Application date: 2018-08-24
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Arijit Chanda , Laxmikant Vithal Gunda , Arnold Poon , Farzad Ghannadian , Kausum Kumar
Abstract: A simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. These manifests are application specific. Also, in some cases, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.
-
Publication (announcement) number: US20200065166A1
Publication (announcement) date: 2020-02-27
Application number: US16112408
Application date: 2018-08-24
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Arijit Chanda , Laxmikant Vithal Gunda , Arnold Poon , Farzad Ghannadian , Kausum Kumar
Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.
-
Publication (announcement) number: US20200014662A1
Publication (announcement) date: 2020-01-09
Application number: US16027086
Application date: 2018-07-03
Applicant: VMware, Inc.
Inventor: Arijit Chanda , Sirisha Myneni , Arnold Poon , Kausum Kumar , Dhivya Srinivasan
Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device, obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event, storing the login event information as one or more context attributes in an attribute table, and applying a firewall rule to a data message that corresponds to the one or more context attributes.
-
Publication (announcement) number: US11848946B2
Publication (announcement) date: 2023-12-19
Application number: US18088620
Application date: 2022-12-26
Applicant: VMware, Inc.
Inventor: Jayant Jain , Jingmin Zhou , Sushruth Gopal , Anirban Sengupta , Sirisha Myneni
IPC: H04L29/06 , H04L9/40 , G06F16/901 , G06F9/54 , G06F9/455
CPC classification number: H04L63/1416 , G06F9/45558 , G06F9/545 , G06F16/9027 , G06F2009/45587 , G06F2009/45595
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication (announcement) number: US11811791B2
Publication (announcement) date: 2023-11-07
Application number: US16738305
Application date: 2020-01-09
Applicant: VMware, Inc.
Inventor: Makarand Bhonsle , Sirisha Myneni , Anirban Sengupta , Subrahmanyam Manuguri
CPC classification number: H04L63/1416 , G06F17/18 , G06F21/564 , G06N3/045 , G06N3/047
Abstract: Described herein are embodiments for transferring knowledge of intrusion signatures derived from a number of software-defined data centers (SDDCs), each of which has an intrusion detection system (IDS) with a convolutional neural network (CNN) to a centralized neural network. The centralized neural network is implemented as a generative adversarial neural network (GANN) having a multi-feed discriminator and a generator, which is trained from the discriminator. Knowledge in the GANN is then transferred back to the CNNs in each of the SDDCs. In this manner, each CNN obtains the learning of the CNNs in nearby IDSs of a region so that a distributed attack on each of the CNNs, such as a denial of service attack, can be defended by each of the CNNs.
-
Publication (announcement) number: US11720387B2
Publication (announcement) date: 2023-08-08
Application number: US16942196
Application date: 2020-07-29
Applicant: VMware, Inc.
Inventor: Suresh Babu Muppala , Venkatakrishnan Rajagopalan , Sirisha Myneni
CPC classification number: G06F9/45558 , G06F9/485 , G06F9/505 , G06F9/5077 , G06F11/301 , G06F2009/4557 , G06F2009/45583
Abstract: Described herein are systems, methods, and software to manage communication rates between applications in a tiered application computing environment. In one implementation, a load service monitors load information associated with applications that each execute using one or more virtual nodes. The load service further determines that the load information associated with an application of the applications satisfies one or more load criteria and identifies at least one application that communicates requests to the application. Once identified, the load service communicates a notification to the at least one application to update a communication request configuration to the application.
-
Publication (announcement) number: US11641305B2
Publication (announcement) date: 2023-05-02
Application number: US16714805
Application date: 2019-12-16
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Kausum Kumar , Nafisa Mandliwala , Venkatakrishnan Rajagopalan
IPC: H04L41/0631 , H04L41/0654 , H04L41/0604 , H04L12/46 , H04L45/02 , H04L69/22 , H04L45/64
Abstract: Example methods and systems are provided for network diagnosis. One example method may comprise: detecting an egress packet and determining whether each of multiple network issues is detected for the egress packet or a datapath between a first virtualized computing instance and a second virtualized computing instance. The method may also comprise: generating network diagnosis code information specifying whether each of the multiple network issues is detected or not detected; generating an encapsulated packet by encapsulating the egress packet with an outer header that specifies the network diagnosis code information; and sending the encapsulated packet towards the second virtualized computing instance to cause a second computer system to perform one or more remediation actions based on the network diagnosis code information.
-
Publication (announcement) number: US20230014040A1
Publication (announcement) date: 2023-01-19
Application number: US17374633
Application date: 2021-07-13
Applicant: VMware, Inc.
Inventor: Nafisa Mandliwala , Sirisha Myneni , Subrahmanyam Manuguri
IPC: H04L29/06
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method receives a filtered set of intrusion detection signatures to be enforced on the at least one host computer. The method uses a set of contextual attributes associated with a particular data message to generate an intrusion detection signature for the particular data message, the generated intrusion detection signature including a bit pattern, each bit associated with a contextual attribute in the set. The method compares the generated intrusion detection signature with the received set of intrusion detection signatures to identify a matching intrusion detection signature in the received filtered set.
-