-
Publication number: US20150096007A1
Publication date: 2015-04-02
Application number: US14043714
Filing date: 2013-10-01
Applicant: VMware, Inc.
Inventor: Anirban Sengupta, Subrahmanyam Manuguri, Mitchell T. Christensen, Azeem Feroz, Todd Sabin
CPC classification number: H04L63/0218, G06F9/45558, G06F2009/45595, H04L67/327
Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
-
Publication number: US11848946B2
Publication date: 2023-12-19
Application number: US18088620
Filing date: 2022-12-26
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L29/06, H04L9/40, G06F16/901, G06F9/54, G06F9/455
CPC classification number: H04L63/1416, G06F9/45558, G06F9/545, G06F16/9027, G06F2009/45587, G06F2009/45595
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication number: US11811791B2
Publication date: 2023-11-07
Application number: US16738305
Filing date: 2020-01-09
Applicant: VMware, Inc.
Inventor: Makarand Bhonsle, Sirisha Myneni, Anirban Sengupta, Subrahmanyam Manuguri
CPC classification number: H04L63/1416, G06F17/18, G06F21/564, G06N3/045, G06N3/047
Abstract: Described herein are embodiments for transferring knowledge of intrusion signatures derived from a number of software-defined data centers (SDDCs), each of which has an intrusion detection system (IDS) with a convolutional neural network (CNN) to a centralized neural network. The centralized neural network is implemented as a generative adversarial neural network (GANN) having a multi-feed discriminator and a generator, which is trained from the discriminator. Knowledge in the GANN is then transferred back to the CNNs in each of the SDDCs. In this manner, each CNN obtains the learning of the CNNs in nearby IDSs of a region so that a distributed attack on each of the CNNs, such as a denial of service attack, can be defended by each of the CNNs.
-
Publication number: US20230281096A1
Publication date: 2023-09-07
Application number: US18196367
Filing date: 2023-05-11
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, Subrahmanyam Manuguri, Jayant Jain, Anirban Sengupta
IPC: G06F11/30, G06F40/205, G06V10/94
CPC classification number: G06F11/3072, G06F40/205, G06V10/955
Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. The plurality of rules each include a set of patterns, and a rule and a pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern where the identifier identifies a rule and a pattern combination. Then, the method identifies the rule and the pattern combination based on the identifier. The set of patterns for the rule is found in the information based on determining that the rule and the pattern combinations for the rule have been found in the information.
-
Publication number: US11734043B2
Publication date: 2023-08-22
Application number: US17122192
Filing date: 2020-12-15
Applicant: VMware, Inc.
Inventor: Jayant Jain, Anirban Sengupta, Rick Lund
CPC classification number: G06F9/45558, G06F9/44505, G06F9/45545, G06F2009/45562, G06F2009/45579, G06F2009/45595
Abstract: Some embodiments provide a method for performing services on a host computer that executes several machines in a datacenter. The method configures a first set of one or more service containers for a first machine executing on the host computer, and a second set of one or more service containers for a second machine executing on the host computer. Each configured service container performs a service operation (e.g., a middlebox service operation, such as firewall, load balancing, encryption, etc.) on data messages associated with a particular machine (e.g., on ingress and/or egress data messages to and/or from the particular machine). For each particular machine, the method also configures a module along the particular machine's datapath to identify a subset of service operations to perform on a set of data messages associated with the particular machine, and to direct the set of data messages to a set of service containers configured for the particular machine to perform the identified set of service operations on the set of data messages. In some embodiments, the first and second machines are part of one logical network or one virtual private cloud that is deployed over a common physical network in the datacenter.
-
Publication number: US11611613B2
Publication date: 2023-03-21
Application number: US16938733
Filing date: 2020-07-24
Applicant: VMware, Inc.
Inventor: Jayant Jain, Anand Parthasarathy, Mani Kancherla, Anirban Sengupta
IPC: H04L67/1023, H04L47/20, H04L12/66, H04L12/46, H04L101/622
Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.
-
Publication number: US11588682B2
Publication date: 2023-02-21
Application number: US16742663
Filing date: 2020-01-14
Applicant: VMware, Inc.
Inventor: Jayant Jain, Mike Parsa, Xinhua Hong, Subrahmanyam Manuguri, Anirban Sengupta
IPC: H04L41/0806, H04L12/66, H04L12/46, H04L49/25, H04L61/50, H04L101/622
Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, each interface associated with a different bridge calls a service engine based on identifiers included in data messages received at the interface. Each data message flow is associated with a particular identifier that is associated with a particular service engine instance that provides the stateful service. In some embodiments, the interface that receives a data message identifies a service engine to provide the stateful service and provides the data message to the identified service engine. After processing the data message, the service engine provides the data message to the egress interface associated with the ingress interface.
-
Publication number: US20220239635A1
Publication date: 2022-07-28
Application number: US17723191
Filing date: 2022-04-18
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, David Lorenzo, Subrahmanyam Manuguri, Anirban Sengupta
IPC: H04L9/40, G06F9/455, G06F16/901
Abstract: In some embodiments, a method receives a packet at an instance of a distributed firewall associated with one of a plurality of workloads running on a hypervisor. Each of the plurality of workloads has an associated instance of the distributed firewall. An index table is accessed for the workload where the index table includes a set of references to a set of rules in a rules table. Each workload in the plurality of workloads is associated with an index table that references rules that are applicable to each respective workload. The method then accesses at least one rule in a set of rules associated with the set of references from the rules table and compares one or more attributes for the packet to information stored for the at least one rule in the set of rules to determine a rule in the set of rules to apply to the packet.
-
Publication number: US20220191304A1
Publication date: 2022-06-16
Application number: US17122153
Filing date: 2020-12-15
Applicant: VMware, Inc.
Inventor: Jayant Jain, Anirban Sengupta, Rick Lund
Abstract: Some embodiments provide a method for performing services on a host computer that executes several machines in a datacenter. The method configures a first set of one or more service containers for a first machine executing on the host computer, and a second set of one or more service containers for a second machine executing on the host computer. Each configured service container performs a service operation on data messages associated with a particular machine. For each particular machine, the method also configures a module along the particular machine's datapath to identify a subset of service operations to perform on a set of data messages associated with the particular machine, and to direct the set of data messages to a set of service containers configured for the particular machine to perform the identified set of service operations on the set of data messages.
-
Publication number: US20220038310A1
Publication date: 2022-02-03
Application number: US16941473
Filing date: 2020-07-28
Applicant: VMware, Inc.
Inventor: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.