-
Publication (Announcement) No.: US20240069948A1
Publication (Announcement) Date: 2024-02-29
Application No.: US17896718
Application Date: 2022-08-26
Applicant: VMware, Inc.
Inventor: Alexander Julian THOMAS, Amit CHOPRA, Anjali MANGAL, Xiaosheng WU, Ereli ERAN
IPC: G06F9/455
CPC classification number: G06F9/45558, G06F2009/4557, G06F2009/45583, G06F2009/45595
Abstract: Mapping of applications by the most common file path in which they are installed or found to be running. Embodiments of the disclosure may determine the most commonly occurring hash values appearing in events generated by a virtualized network. These most commonly occurring hash values may correspond to the hash values of file paths associated with the greatest number of detected events. The database may then be queried to determine the most commonly occurring file path for each of these hash values. A table of such most commonly occurring file paths and their associated hash values may then be compiled and stored. Use of the most commonly occurring file path in lieu of an alert's actual file path may prevent undesired or malicious processes from going undetected by simply adopting a new file path that has yet to be recognized as being associated with undesired behavior.
-
Publication (Announcement) No.: US20240020381A1
Publication (Announcement) Date: 2024-01-18
Application No.: US17867478
Application Date: 2022-07-18
Applicant: VMware, Inc.
Inventor: Alexander Julian THOMAS, Taruj GOYAL, Xiaosheng WU, Deepak Chowdary METTEM, Anjali MANGAL, Amit CHOPRA
CPC classification number: G06F21/552, G06F21/53, G06F2221/031
Abstract: An example method of classifying alerts generated by endpoints in a virtualized computing system includes: receiving, at an alert processing engine executing in the virtualized computing system, a stream of the alerts generated by security agents executing in the endpoints; extracting fields from the alerts at the alert processing engine; computing, at the alert processing engine, features from the alerts based on the fields; computing, at the alert processing engine, a plurality of model scores for each alert using the features as parametric input to a plurality of models; aggregating, by the alert processing engine, the plurality of model scores into a final score for each alert; and annotating each of the alerts with a respective final score.
-
Publication (Announcement) No.: US20240241945A1
Publication (Announcement) Date: 2024-07-18
Application No.: US18154758
Application Date: 2023-01-13
Applicant: VMware, Inc.
Inventor: Lalit Prithviraj JAIN, Raghav BATTA, Jonathan James OLIVER, Anjali MANGAL
IPC: G06F21/55
CPC classification number: G06F21/552, G06F2221/034
Abstract: A method of correlating alerts that are generated by a plurality of endpoints includes the steps of: collecting alert data of alerts generated by the endpoints; for each endpoint, computing alert sequences based on the collected alert data; training a sequence-based model with the computed alert sequences, to generate a vector representation for each of the alerts; for each alert in a set of alerts generated during a first time period, acquiring a vector representation corresponding thereto, which has been generated by the sequence-based model; and applying a clustering algorithm to the vector representations of the alerts in the set of alerts to generate a plurality of clusters of correlated alerts.