-
Publication No.: US20230131464A1
Publication Date: 2023-04-27
Application No.: US18088620
Application Date: 2022-12-26
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L9/40, G06F16/901, G06F9/54, G06F9/455
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication No.: US20210218758A1
Publication Date: 2021-07-15
Application No.: US16739572
Application Date: 2020-01-10
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L29/06, G06F16/901, G06F9/455, G06F9/54
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication No.: US11663105B2
Publication Date: 2023-05-30
Application No.: US16569015
Application Date: 2019-09-12
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, Subrahmanyam Manuguri, Jayant Jain, Anirban Sengupta
IPC: G06F9/44, G06F11/30, G06F40/205, G06V10/94
CPC classification number: G06F11/3072, G06F40/205, G06V10/955
Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. The plurality of rules each include a set of patterns, and a rule and a pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern where the identifier identifies a rule and a pattern combination. Then, the method identifies the rule and the pattern combination based on the identifier. The set of patterns for the rule is found in the information based on determining that the rule and the pattern combinations for the rule have been found in the information.
-
Publication No.: US20210081461A1
Publication Date: 2021-03-18
Application No.: US16569015
Application Date: 2019-09-12
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, Subrahmanyam Manuguri, Jayant Jain, Anirban Sengupta
IPC: G06F16/903, G06N5/02, G06F17/27, G06K9/00
Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. The plurality of rules each include a set of patterns, and a rule and a pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern where the identifier identifies a rule and a pattern combination. Then, the method identifies the rule and the pattern combination based on the identifier. The set of patterns for the rule is found in the information based on determining that the rule and the pattern combinations for the rule have been found in the information.
-
Publication No.: US20200296078A1
Publication Date: 2020-09-17
Application No.: US16352577
Application Date: 2019-03-13
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, David Lorenzo, Subrahmanyam Manuguri, Anirban Sengupta
IPC: H04L29/06, G06F9/455, G06F16/901
Abstract: In some embodiments, a method receives a packet at an instance of a distributed firewall associated with one of a plurality of workloads running on a hypervisor. Each of the plurality of workloads has an associated instance of the distributed firewall. An index table is accessed for the workload where the index table includes a set of references to a set of rules in a rules table. Each workload in the plurality of workloads is associated with an index table that references rules that are applicable to each respective workload. The method then accesses at least one rule in a set of rules associated with the set of references from the rules table and compares one or more attributes for the packet to information stored for the at least one rule in the set of rules to determine a rule in the set of rules to apply to the packet.
-
Publication No.: US11539718B2
Publication Date: 2022-12-27
Application No.: US16739572
Application Date: 2020-01-10
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L29/06, H04L9/40, G06F16/901, G06F9/54, G06F9/455
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication No.: US11310202B2
Publication Date: 2022-04-19
Application No.: US16352577
Application Date: 2019-03-13
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, David Lorenzo, Subrahmanyam Manuguri, Anirban Sengupta
IPC: H04L29/06, G06F9/455, G06F16/901
Abstract: In some embodiments, a method receives a packet at an instance of a distributed firewall associated with one of a plurality of workloads running on a hypervisor. Each of the plurality of workloads has an associated instance of the distributed firewall. An index table is accessed for the workload where the index table includes a set of references to a set of rules in a rules table. Each workload in the plurality of workloads is associated with an index table that references rules that are applicable to each respective workload. The method then accesses at least one rule in a set of rules associated with the set of references from the rules table and compares one or more attributes for the packet to information stored for the at least one rule in the set of rules to determine a rule in the set of rules to apply to the packet.
-
Publication No.: US11036405B2
Publication Date: 2021-06-15
Application No.: US16124208
Application Date: 2018-09-07
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, Subrahmanyam Manuguri, Anirban Sengupta
Abstract: Example methods and systems are provided for a computer system to transfer runtime information between a first kernel module and a second kernel module. In one example, the method may comprise assigning ownership of a memory pool to the first kernel module; and the first kernel module accessing the memory pool to store runtime information associated with one or more operations performed by the first kernel module. The method may also comprise releasing ownership of the memory pool from the first kernel module while maintaining the runtime information in the memory pool; and assigning ownership of the memory pool to the second kernel module. The second kernel module may then access the memory pool to obtain the runtime information stored by the first kernel module.
-
Publication No.: US11848946B2
Publication Date: 2023-12-19
Application No.: US18088620
Application Date: 2022-12-26
Applicant: VMware, Inc.
Inventor: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
IPC: H04L29/06, H04L9/40, G06F16/901, G06F9/54, G06F9/455
CPC classification number: H04L63/1416, G06F9/45558, G06F9/545, G06F16/9027, G06F2009/45587, G06F2009/45595
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication No.: US20230281096A1
Publication Date: 2023-09-07
Application No.: US18196367
Application Date: 2023-05-11
Applicant: VMware, Inc.
Inventor: Jingmin Zhou, Subrahmanyam Manuguri, Jayant Jain, Anirban Sengupta
IPC: G06F11/30, G06F40/205, G06V10/94
CPC classification number: G06F11/3072, G06F40/205, G06V10/955
Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. The plurality of rules each include a set of patterns, and a rule and a pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern where the identifier identifies a rule and a pattern combination. Then, the method identifies the rule and the pattern combination based on the identifier. The set of patterns for the rule is found in the information based on determining that the rule and the pattern combinations for the rule have been found in the information.