公开(公告)号：US20220014425A1

公开(公告)日：2022-01-13

申请号：US16927542

申请日：2020-07-13

Applicant: VMware, Inc.

Inventor： Nafisa MANDLIWALA ,  Sirisha MYNENI ,  Robin MANHAS ,  Baibhav SINGH

IPC: H04L12/24 ,  H04L29/06

Abstract: The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.

公开(公告)号：US20220021686A1

公开(公告)日：2022-01-20

申请号：US16929074

申请日：2020-07-14

Applicant: VMware, Inc.

Inventor： Baibhav SINGH ,  Jayant JAIN

IPC: H04L29/06 ,  G06F21/53 ,  G06F9/455 ,  H04L29/12

Abstract: Example methods and systems for a computer system to perform security threat detection are described. In one example, a computer system may intercept an egress packet from a virtualized computing instance to pause forwarding of the egress packet towards a destination and obtain process information associated a process from which the egress packet originates. The computer system may initiate security analysis based on the process information. In response to determination that the process is a potential security threat based on the security analysis, the egress packet may be dropped, and a remediation action performed. Otherwise, the egress packet may be forwarded towards the destination.

公开(公告)号：US20220201022A1

公开(公告)日：2022-06-23

申请号：US17126045

申请日：2020-12-18

Applicant: VMware, Inc.

Inventor： Baibhav SINGH ,  Jayant JAIN

IPC: H04L29/06 ,  G06F9/455

Abstract: Example methods and systems for correlation-based security threat analysis are described. In one example, a computer system may obtain event information that is generated by monitoring a virtualized computing instance supported by a host; and network alert information that is generated by monitoring network traffic associated with the virtualized computing instance. The network alert information may specify security threat signature(s) detected based on the network traffic. The computer system may map the network alert information to threat information that specifies indicator(s) of compromise associated with the signature(s) and perform a correlation analysis based on the event information, network alert information and threat information. Based on the correlation analysis, it is determined whether there is a potential security threat associated with the virtualized computing instance.