HIERARCHICAL NOVELTY DETECTION USING INTENDED STATES FOR NETWORK SECURITY

    Publication (Announcement) No.: US20210392160A1

    Publication (Announcement) Date: 2021-12-16

    Application No.: US16900240

    Application Date: 2020-06-12

    Applicant: VMware, Inc.

    Abstract: The disclosure provides an approach for detecting and preventing attacks in a network. Embodiments include determining a plurality of network behaviors of a process by monitoring the process. Embodiments include generating a plurality of intended states for the process based on subsets of the plurality of network behaviors. Embodiments include determining a plurality of intended state clusters by applying a clustering technique to the plurality of intended states. Embodiments include determining a state of the process. Embodiments include identifying a given cluster of the plurality of intended state clusters that corresponds to the state of the process. Embodiments include selecting a novelty detection technique based on a size of the given cluster. Embodiments include using the novelty detection technique to determine, based on the given cluster and the state of the process, whether to generate a security alert for the process.

    PERFORMING CYBERSECURITY OPERATIONS BASED ON IMPACT SCORES OF COMPUTING EVENTS OVER A ROLLING TIME INTERVAL

    Publication (Announcement) No.: US20230300155A1

    Publication (Announcement) Date: 2023-09-21

    Application No.: US18322558

    Application Date: 2023-05-23

    Applicant: VMware, Inc.

    CPC classification number: H04L63/1416 H04L63/20 H04L63/0263 H04L63/1441

    Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.

    CREATING A CLUSTERING MODEL FOR EVALUATING A COMMAND LINE INTERFACE (CLI) OF A PROCESS

    Publication (Announcement) No.: US20210004408A1

    Publication (Announcement) Date: 2021-01-07

    Application No.: US16502768

    Application Date: 2019-07-03

    Applicant: VMware, Inc.

    Abstract: Certain aspects of the present disclosure relate to methods and systems for evaluating a first command line interface (CLI) input of a process. The method comprises examining the first CLI input and selecting a first clustering model corresponding to the process, wherein the first clustering model is created based on a first clustering configuration and a first feature type combination. The method further comprises creating a first feature combination for the first CLI input based on the first feature type combination, evaluating the first CLI input using the first clustering model and the first feature combination, wherein the evaluating further comprises determining a similarity score corresponding to a similarity between the first feature combination and the one or more clusters, and determining whether or not the first CLI input corresponds to normal behavior based on the similarity score.

    PERFORMING CYBERSECURITY OPERATIONS BASED ON IMPACT SCORES OF COMPUTING EVENTS OVER A ROLLING TIME INTERVAL

    Publication (Announcement) No.: US20220232032A1

    Publication (Announcement) Date: 2022-07-21

    Application No.: US17151142

    Application Date: 2021-01-16

    Applicant: VMware, Inc.

    Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.

    ENTITY TO VECTOR REPRESENTATION FROM GRAPHS IN A COMPUTING SYSTEM

    Publication (Announcement) No.: US20220027409A1

    Publication (Announcement) Date: 2022-01-27

    Application No.: US16937417

    Application Date: 2020-07-23

    Applicant: VMware, Inc.

    Abstract: An example method of representing a selected entity in a plurality of entities in a computing system includes: obtaining a graph representation of the plurality of entities, the graph representation having nodes and edges representing a hierarchy of the plurality of entities; extracting a set of paths from the graph representation, each path in the set of paths including a series of edge-connected nodes in the graph representation; processing the set of paths to generate a vector representation of the selected entity, the vector representation having a plurality of elements representing a context of the selected entity within the graph representation; and providing the vector representation as input to an application executing in the computing system.