-
Publication number: US20200186409A1
Publication date: 2020-06-11
Application number: US16212170
Application date: 2018-12-06
Applicant: VMware, Inc.
Inventor: Zhen MO , Dexiang WANG , Bin ZAN , Vijay GANTI , Amit CHOPRA , Ruimin SUN
Abstract: A method for managing alarms in a virtual machine environment includes receiving alarm data related to a process and storing the alarm data in a database, where the alarm data comprises one or more features. The method further includes retrieving intended state information for the process and comparing the one or more features of the alarm data to the intended state information to determine whether the alarm is an outlier. The method also includes computing a normal score for the alarm if the alarm is not an outlier, and computing an abnormal score for the alarm if the alarm is an outlier. The method also includes sending a notification for the alarm together with the computed score.
-
Publication number: US20240069948A1
Publication date: 2024-02-29
Application number: US17896718
Application date: 2022-08-26
Applicant: VMware, Inc.
Inventor: Alexander Julian THOMAS , Amit CHOPRA , Anjali MANGAL , Xiaosheng WU , Ereli ERAN
IPC: G06F9/455
CPC classification number: G06F9/45558 , G06F2009/4557 , G06F2009/45583 , G06F2009/45595
Abstract: Mapping of applications by the most common file path in which they are installed or found to be running. Embodiments of the disclosure may determine the most commonly occurring hash values appearing in events generated by a virtualized network. These most commonly occurring hash values may correspond to the hash values of the executables associated with the greatest number of detected events. A database of the events may then be queried to determine the most commonly occurring file path for each of these hash values. A table of such most commonly occurring file paths and their associated hash values may then be compiled and stored. Use of the most commonly occurring file path in lieu of an alert's actual file path may prevent undesired or malicious processes from going undetected simply by adopting a new file path that has yet to be recognized as being associated with undesired behavior.
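The abstract describes the lookup in words only. The following is an added illustration written for this page, not code from the patent or from VMware: events are constructed (hash, path) pairs with placeholder hash strings, and the table, the substitution and the detection rule are this example's own design. It shows why substituting the most common path defeats the trivial evasion of renaming a known-bad binary.

```python
from collections import Counter, defaultdict

# Constructed sample events: (hash of the executable image, file path reported in the event).
# The "h-..." strings stand in for real digests; the paths are illustrative.
EVENTS = [
    ("h-chrome", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("h-chrome", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("h-chrome", r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"),
    ("h-mimikatz", r"C:\Users\bob\Downloads\mimikatz.exe"),
    ("h-mimikatz", r"C:\Users\bob\Downloads\mimikatz.exe"),
    ("h-mimikatz", r"C:\Windows\Temp\svchost.exe"),   # same binary, renamed to dodge a path rule
    ("h-notepad", r"C:\Windows\System32\notepad.exe"),
]

# Hypothetical path-keyed rule, as a legacy detection might have it.
BLOCKED_PATHS = {r"C:\Users\bob\Downloads\mimikatz.exe"}


def build_common_path_table(events, top_n):
    """Map each of the top_n hashes (by event count) to its most common file path."""
    events_per_hash = Counter(h for h, _ in events)
    paths_per_hash = defaultdict(Counter)
    for h, path in events:
        paths_per_hash[h][path] += 1
    return {
        h: paths_per_hash[h].most_common(1)[0][0]
        for h, _ in events_per_hash.most_common(top_n)
    }


def canonical_path(alert_hash, alert_path, table):
    """Use the most common path for this hash; fall back to the alert's own path if unknown."""
    return table.get(alert_hash, alert_path)


def is_flagged(alert_hash, alert_path, table):
    """Evaluate the path rule against the canonical path rather than the reported one."""
    return canonical_path(alert_hash, alert_path, table) in BLOCKED_PATHS


TABLE = build_common_path_table(EVENTS, top_n=2)

if __name__ == "__main__":
    for h, p in TABLE.items():
        print(f"{h}: {p}")
    # The renamed copy is still caught because the lookup is keyed by hash, not by path.
    print(is_flagged("h-mimikatz", r"C:\Windows\Temp\svchost.exe", TABLE))
```

The caveat a practitioner would add: the table is only as good as the hash. A packed or recompiled sample gets a new hash and a fresh table entry, so this normalisation stops cheap renaming, not rebuilding.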
-
Publication number: US20240163307A1
Publication date: 2024-05-16
Application number: US17987483
Application date: 2022-11-15
Applicant: VMware, Inc.
Inventor: Aditya CHOUDHARY , Jonathan James OLIVER , Ritika SINGHAL , Shugao XIA , Raghav BATTA , Amit CHOPRA
IPC: H04L9/40
CPC classification number: H04L63/1441 , H04L63/104 , H04L63/1433
Abstract: A method of evaluating alerts generated by security agents installed in endpoints includes: receiving a locality-sensitive hash (LSH) value associated with an alert generated by a security agent installed in one of the endpoints; performing a search for centroids that are within a threshold distance from the received LSH value, wherein the centroids are each an LSH value that is representative of one of a plurality of groups of alerts; and assigning a security risk indicator to the alert associated with the received LSH value based on results of the search and transmitting the security risk indicator to a security analytics platform of the endpoints.
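To make the centroid search concrete, here is an added example, not code from the patent or from VMware. It assumes a 64-bit simhash over character 3-grams as the locality-sensitive hash (the patent does not name its LSH), takes the bitwise majority of a group's hashes as that group's centroid, and uses Hamming distance with a threshold of 20 bits as "within a threshold distance". The alert groups, their risk labels and the sample command lines are constructed for the example.

```python
import hashlib

BITS = 64


def shingles(text, n=3):
    """Character n-grams of the whitespace-normalised alert text: the LSH feature set."""
    t = " ".join(text.lower().split())
    return {t[i:i + n] for i in range(len(t) - n + 1)}


def simhash(features):
    """64-bit simhash: similar feature sets yield values at small Hamming distance."""
    votes = [0] * BITS
    for feat in features:
        h = int.from_bytes(hashlib.sha256(feat.encode()).digest()[:8], "big")
        for i in range(BITS):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(BITS) if votes[i] > 0)


def hamming(a, b):
    return bin(a ^ b).count("1")


def centroid(hashes):
    """Bitwise majority vote over a group's hashes: one LSH value representing the group."""
    return sum(
        1 << i for i in range(BITS)
        if sum((h >> i) & 1 for h in hashes) * 2 > len(hashes)
    )


# Constructed alert groups: (risk indicator, sample alert command lines seen in that group).
GROUPS = {
    "credential-dumping": ("high", [
        "procdump.exe -ma lsass.exe lsass.dmp",
        "procdump64.exe -ma lsass.exe out.dmp",
        "rundll32.exe comsvcs.dll MiniDump 624 lsass.dmp full",
    ]),
    "browser-update": ("low", [
        "GoogleUpdate.exe /c chrome.exe update",
        "GoogleUpdate.exe /ua /installsource scheduler chrome.exe",
        "MicrosoftEdgeUpdate.exe /c msedge.exe update",
    ]),
}

# One centroid per group, computed once and kept beside its risk indicator.
CENTROIDS = {
    name: (risk, centroid([simhash(shingles(s)) for s in samples]))
    for name, (risk, samples) in GROUPS.items()
}


def assign_risk(lsh_value, threshold=20):
    """Search for the nearest centroid; return the indicator the analytics platform would receive."""
    distance, name, risk = min(
        (hamming(lsh_value, c), name, risk) for name, (risk, c) in CENTROIDS.items()
    )
    if distance > threshold:
        return {"group": None, "risk": "unknown", "distance": distance}
    return {"group": name, "risk": risk, "distance": distance}


if __name__ == "__main__":
    # A new alert that resembles the credential-dumping group but is not one of its samples.
    alert = "procdump.exe -ma lsass.exe mem.dmp"
    print(assign_risk(simhash(shingles(alert))))
```

The endpoint only has to ship 8 bytes per alert, and the centroid table is small enough to search linearly; with many groups one would index the centroids (for example by splitting the 64 bits into bands) rather than scan them. The threshold trades recall against the chance that an unrelated alert inherits a group's risk label, so it should be tuned on labelled alerts rather than picked by hand as here.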
-
Publication number: US20160099968A1
Publication date: 2016-04-07
Application number: US14965870
Application date: 2015-12-10
Applicant: VMware, Inc.
Inventor: Amit CHOPRA , Uday MASUREKAR
IPC: H04L29/06
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
-
Publication number: US20240020381A1
Publication date: 2024-01-18
Application number: US17867478
Application date: 2022-07-18
Applicant: VMware, Inc.
Inventor: Alexander Julian THOMAS , Taruj GOYAL , Xiaosheng WU , Deepak Chowdary METTEM , Anjali MANGAL , Amit CHOPRA
CPC classification number: G06F21/552 , G06F21/53 , G06F2221/031
Abstract: An example method of classifying alerts generated by endpoints in a virtualized computing system includes: receiving, at an alert processing engine executing in the virtualized computing system, a stream of the alerts generated by security agents executing in the endpoints; extracting fields from the alerts at the alert processing engine; computing, at the alert processing engine, features from the alerts based on the fields; computing, at the alert processing engine, a plurality of model scores for each alert using the features as parametric input to a plurality of models; aggregating, by the alert processing engine, the plurality of model scores into a final score for each alert; and annotating each of the alerts with a respective final score.
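The pipeline in the abstract (fields, features, several models, aggregation, annotation) is shown below as an added example written for this page; it is not the patent's or VMware's code. The alert schema, the baseline of parent/child process counts, the three toy models and their weights are all assumptions made for the illustration; a real deployment would plug trained models into the same slots.

```python
import re

# Constructed baseline: how often each (parent, child) process pair was observed fleet-wide.
BASELINE_PAIRS = {
    ("explorer.exe", "chrome.exe"): 980,
    ("services.exe", "svchost.exe"): 700,
    ("winword.exe", "powershell.exe"): 2,
}
BASELINE_TOTAL = sum(BASELINE_PAIRS.values())
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def extract_fields(alert):
    """Pull the raw fields the models need out of one alert record."""
    return {
        "parent": alert.get("parent", "").lower(),
        "process": alert.get("process", "").lower(),
        "cmdline": alert.get("cmdline", ""),
        "path": alert.get("path", "").lower(),
    }


def compute_features(fields):
    """Derive model inputs from the fields."""
    cmd = fields["cmdline"].lower()
    return {
        "pair_freq": BASELINE_PAIRS.get((fields["parent"], fields["process"]), 0) / BASELINE_TOTAL,
        "encoded_cmd": bool(re.search(r"-e(nc|ncodedcommand)?\s", cmd)),
        "download_cradle": "downloadstring" in cmd or "invoke-webrequest" in cmd,
        "office_parent": fields["parent"] in OFFICE_APPS,
        "user_writable_path": fields["path"].startswith(USER_WRITABLE),
    }


# Three stand-in models, each mapping the feature vector to a score in [0, 1].
def model_rarity(x):
    return 1.0 - x["pair_freq"]


def model_cmdline(x):
    return 1.0 if x["encoded_cmd"] or x["download_cradle"] else 0.0


def model_context(x):
    return 0.5 * x["office_parent"] + 0.5 * x["user_writable_path"]


MODELS = [("rarity", model_rarity, 0.4), ("cmdline", model_cmdline, 0.4), ("context", model_context, 0.2)]


def score_alert(alert):
    """Run every model on one alert, aggregate by weighted mean, and annotate the alert."""
    x = compute_features(extract_fields(alert))
    scores = {name: fn(x) for name, fn, _ in MODELS}
    final = sum(scores[name] * w for name, _, w in MODELS) / sum(w for _, _, w in MODELS)
    return {**alert, "model_scores": scores, "final_score": round(final, 3)}


def annotate_stream(alerts):
    return [score_alert(a) for a in alerts]


# Constructed alerts standing in for the stream from endpoint agents.
SAMPLE_ALERTS = [
    {"parent": "explorer.exe", "process": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"parent": "winword.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for a in annotate_stream(SAMPLE_ALERTS):
        print(a["process"], a["model_scores"], a["final_score"])
```

Keeping the per-model scores next to the final score is deliberate: an analyst triaging a 0.9 wants to see that it came from an encoded command line under an Office parent, and a tuning loop needs the same breakdown to reweight or retrain one model without touching the others.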
-
Publication number: US20200019698A1
Publication date: 2020-01-16
Application number: US16032349
Application date: 2018-07-11
Applicant: VMware, Inc.
Inventor: Zhen MO , Dexiang WANG , Bin ZAN , Vijay GANTI , Amit CHOPRA
Abstract: A virtual computing instance (VCI) is protected against security threats by a security manager monitoring a behavior of the VCI over an observation period. The method further includes storing, by the security manager, a digital profile in a first database, wherein the digital profile comprises information indicative of the behavior. The method further includes accessing, by a detection system, the digital profile from the first database, and accessing, by the detection system, an intended state associated with the VCI, wherein the intended state comprises information indicative of a behavior of a second VCI. The method further includes comparing at least part of the digital profile to at least part of the intended state. The method further includes determining, by the detection system, that the VCI contains a security threat when information indicative of a behavior in the digital profile is an outlier.
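Both this abstract and the alarm-scoring abstract above (US20200186409A1) turn on the same step: compare observed features against an intended state and decide whether the observation is an outlier, then attach a normal or abnormal score. The example below is added for this page and is not code from either patent or from VMware. The intended state is constructed as if derived from a reference web-server VCI, the four feature checks are the example's own, and so is the scoring scheme: abnormal score is the fraction of checks that deviated, normal score is the unused headroom in the one numeric envelope.

```python
# Intended state, constructed as if learned from a reference VCI of the same role.
INTENDED_STATE = {
    "listening_ports": {22, 80, 443},
    "exec_prefixes": ("/usr/bin/", "/usr/sbin/", "/opt/app/"),
    "outbound_conn_per_min": (0, 200),
    "children": {"nginx": {"nginx"}, "php-fpm": {"php-fpm"}},
}
CHECKS = 4  # number of feature comparisons below


def find_deviations(profile, intended):
    """Compare each feature of the observed digital profile to the intended state.

    Returns human-readable deviations; an empty list means the profile is not an outlier.
    """
    dev = []
    extra_ports = profile["listening_ports"] - intended["listening_ports"]
    if extra_ports:
        dev.append(f"unexpected listening ports {sorted(extra_ports)}")

    bad_exec = [p for p in profile["executed"] if not p.startswith(intended["exec_prefixes"])]
    if bad_exec:
        dev.append(f"executables outside intended locations {bad_exec}")

    lo, hi = intended["outbound_conn_per_min"]
    rate = profile["outbound_conn_per_min"]
    if not lo <= rate <= hi:
        dev.append(f"outbound connection rate {rate}/min outside [{lo}, {hi}]")

    unexpected = {
        parent: sorted(children - intended["children"].get(parent, set()))
        for parent, children in profile["spawned"].items()
    }
    unexpected = {p: c for p, c in unexpected.items() if c}
    if unexpected:
        dev.append(f"unexpected child processes {unexpected}")
    return dev


def evaluate(profile, intended=INTENDED_STATE):
    """Outlier decision plus an abnormal score (outlier) or a normal score (not an outlier)."""
    dev = find_deviations(profile, intended)
    if dev:
        return {"outlier": True, "abnormal_score": round(len(dev) / CHECKS, 3), "reasons": dev}
    lo, hi = intended["outbound_conn_per_min"]
    headroom = 1 - (profile["outbound_conn_per_min"] - lo) / (hi - lo)
    return {"outlier": False, "normal_score": round(headroom, 3), "reasons": []}


# Constructed digital profiles collected over an observation period.
HEALTHY = {
    "listening_ports": {22, 80, 443},
    "executed": ["/usr/sbin/nginx", "/usr/sbin/php-fpm", "/opt/app/bin/worker"],
    "outbound_conn_per_min": 120,
    "spawned": {"nginx": {"nginx"}, "php-fpm": {"php-fpm"}},
}
COMPROMISED = {
    "listening_ports": {22, 80, 443, 4444},
    "executed": ["/usr/sbin/nginx", "/usr/sbin/php-fpm", "/tmp/.x/miner"],
    "outbound_conn_per_min": 120,
    "spawned": {"nginx": {"nginx"}, "php-fpm": {"php-fpm", "sh"}},
}

if __name__ == "__main__":
    for name, prof in (("healthy", HEALTHY), ("compromised", COMPROMISED)):
        print(name, evaluate(prof))
```

Note that the intended state comes from a different VCI than the one under observation, so drift in the reference (a legitimately added service on the golden image) shows up as an outlier on every instance until the intended state is regenerated; the reasons list exists so that such cases can be told apart from a real bind shell on port 4444.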
-
Publication number: US20140226820A1
Publication date: 2014-08-14
Application number: US13765618
Application date: 2013-02-12
Applicant: VMWARE, INC.
Inventor: Amit CHOPRA , Uday MASUREKAR
IPC: H04L9/08
CPC classification number: H04L63/162 , H04L63/0272 , H04L63/0457 , H04L63/0485 , H04L63/061 , H04L63/065 , H04L63/0876 , H04L63/123
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
-