4. System and method for monitoring application security in a network environment
    Granted patent (in force)

    Publication number: US08949931B2

    Publication date: 2015-02-03

    Application number: US13462110

    Filing date: 2012-05-02

    IPC classification: G06F17/00 H04L29/06

    Abstract: A method includes determining an application role in a distributed application in a network environment, generating a role profile for the application role from an interaction pattern, mapping the role profile to a virtual machine (VM), and detecting a security breach of the VM. Determining the application role includes obtaining network traces from the distributed application, and analyzing the network traces to extract the application role. In one embodiment, detection of the security breach includes generating an access control policy for the VM from the role profile, and determining an anomaly in traffic based thereon. In another embodiment, detection of the security breach includes inserting the role profile in a port profile of the VM, generating a small state machine from the role profile, running the small state machine on a port associated with the VM, and inspecting, by the small state machine, application-level traffic at the port.


5. SYSTEM AND METHOD FOR MONITORING APPLICATION SECURITY IN A NETWORK ENVIRONMENT
    Patent application (in force)

    Publication number: US20130298184A1

    Publication date: 2013-11-07

    Application number: US13462110

    Filing date: 2012-05-02

    IPC classification: G06F21/00

    Abstract: A method includes determining an application role in a distributed application in a network environment, generating a role profile for the application role from an interaction pattern, mapping the role profile to a virtual machine (VM), and detecting a security breach of the VM. Determining the application role includes obtaining network traces from the distributed application, and analyzing the network traces to extract the application role. In one embodiment, detection of the security breach includes generating an access control policy for the VM from the role profile, and determining an anomaly in traffic based thereon. In another embodiment, detection of the security breach includes inserting the role profile in a port profile of the VM, generating a small state machine from the role profile, running the small state machine on a port associated with the VM, and inspecting, by the small state machine, application-level traffic at the port.


6. Service enabled network
    Granted patent (in force)

    Publication number: US09531716B1

    Publication date: 2016-12-27

    Application number: US12537383

    Filing date: 2009-08-07

    Abstract: In one embodiment, a service enabled network (SEN) controller receives, from a control plane of a network service device, service instructions for corresponding network services. The SEN controller may then distribute the service instructions for the network services to appropriate network access devices within the computer network, such that each of the network access devices may correspondingly implement the network services at their respective data planes, thus providing a distributed implementation of the network service within the computer network.


7. SECURE PREFIX AUTHORIZATION WITH UNTRUSTED MAPPING SERVICES
    Patent application (in force)

    Publication number: US20130145152A1

    Publication date: 2013-06-06

    Application number: US13311976

    Filing date: 2011-12-06

    IPC classification: H04L9/00 H04L9/32 G06F15/16

    Abstract: In one embodiment, a first router associated with a first network node sends a first map lookup that includes a particular device identifier associated with a second network node to a mapping service that maintains a plurality of mappings that associate device identifiers with device locations. The first router receives, from a second router associated with the second network node, a map response that includes a particular device location that corresponds to the particular device identifier for the second network node. The first router establishes a secure session with the second router, and determines, based on the secure session, whether the second router is authorized to reply for the particular device identifier associated with the second network node.


8. Secure prefix authorization with untrusted mapping services
    Granted patent (in force)

    Publication number: US08635448B2

    Publication date: 2014-01-21

    Application number: US13311976

    Filing date: 2011-12-06

    IPC classification: H04L9/00

    Abstract: In one embodiment, a first router associated with a first network node sends a first map lookup that includes a particular device identifier associated with a second network node to a mapping service that maintains a plurality of mappings that associate device identifiers with device locations. The first router receives, from a second router associated with the second network node, a map response that includes a particular device location that corresponds to the particular device identifier for the second network node. The first router establishes a secure session with the second router, and determines, based on the secure session, whether the second router is authorized to reply for the particular device identifier associated with the second network node.
