-
Publication No.: US11436075B2
Publication date: 2022-09-06
Application No.: US16520233
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Rick Lund, Alok S. Tiagi, Sushruth Gopal
IPC: G06F11/07, H04L9/40, H04L69/22, H04L43/08, H04L41/046
Abstract: Some embodiments provide a novel method for collecting and analyzing attributes of data flows associated with machines executing on a plurality of host computers to detect anomalous behavior. In some embodiments, an anomalous behavior is detected for at least one particular flow associated with at least one machine executing on the host computer. In some embodiments, anomaly detection is based on the context data from the guest introspection agent and deep packet inspection. An identifier of the detected anomalous behavior is stored, in some embodiments. The stored attributes are provided, in some embodiments, to a server for further analysis.
-
Publication No.: US20220400070A1
Publication date: 2022-12-15
Application No.: US17347706
Application date: 2021-06-15
Applicant: VMware, Inc.
Inventor: Jayant Jain, Rick Lund, Russell Lu, Sushruth Gopal, Subrahmanyam Manuguri
IPC: H04L12/26
Abstract: The method of some embodiments samples data flows. The method samples a first set of flows during a first time interval using a first logical port window for the first time interval. The first logical port window identifies a first set of non-contiguous layer 4 (L4) values in an L4 port range that are candidate values for sampling the flows during the first time interval. The method also samples a second set of flows during a second time interval using a second logical port window for the second time interval. The second logical port window identifies a second set of non-contiguous L4 values in an L4 port range that are candidate values for sampling the flows during the second time interval.
-
Publication No.: US20210026830A1
Publication date: 2021-01-28
Application No.: US16520232
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Ly Loi, Rick Lund, Arnold Poon
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. The analysis appliance, in some embodiments, receives definitions of keys and provides them to the host computers. In some embodiments, existing keys are modified based on the analysis. Additionally, or alternatively, new keys are provided based on the analysis. In some embodiments, the analysis appliance receives the flow group records (e.g., sets of attributes) based on the keys and the configuration data from each host computer.
-
Publication No.: US20210029050A1
Publication date: 2021-01-28
Application No.: US16520220
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Ly Loi, Rick Lund, Sushruth Gopal
IPC: H04L12/891, H04L12/851, H04L12/26
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance, a set of agents for collecting context data relating to the flows from machines executing on the host, a set of additional modules that provide additional context data, an anomaly detection engine that analyzes flow data and context data and provides additional context data, and a context exporter for processing and publishing context data to the analysis appliance.
-
Publication No.: US11188570B2
Publication date: 2021-11-30
Application No.: US16520224
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Ly Loi, Rick Lund, Sushruth Gopal
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. The host computer, in some embodiments, first eliminates duplicative flow group records and then aggregates the flow data according to a set of received keys that specify attributes that define the aggregation. For example, a simple key that specifies a set of machine identifiers (e.g., a VM ID) as attribute values will, for each machine identifier, aggregate all flows with that machine identifier into a single aggregated flow group record. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance.
-
Publication No.: US20210026870A1
Publication date: 2021-01-28
Application No.: US16520224
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Ly Loi, Rick Lund, Sushruth Gopal
IPC: G06F16/28, G06N20/00, G06N5/04, G06F16/2455
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. The host computer, in some embodiments, first eliminates duplicative flow group records and then aggregates the flow data according to a set of received keys that specify attributes that define the aggregation. For example, a simple key that specifies a set of machine identifiers (e.g., a VM ID) as attribute values will, for each machine identifier, aggregate all flows with that machine identifier into a single aggregated flow group record. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance.
-
Publication No.: US11288256B2
Publication date: 2022-03-29
Application No.: US16520232
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Ly Loi, Rick Lund, Arnold Poon
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. The analysis appliance, in some embodiments, receives definitions of keys and provides them to the host computers. In some embodiments, existing keys are modified based on the analysis. Additionally, or alternatively, new keys are provided based on the analysis. In some embodiments, the analysis appliance receives the flow group records (e.g., sets of attributes) based on the keys and the configuration data from each host computer.
-
Publication No.: US11265316B2
Publication date: 2022-03-01
Application No.: US16998371
Application date: 2020-08-20
Applicant: VMware, Inc.
Inventor: Ming Wen, Edilmo Palencia, Russell Lu, Laxmikant Vithal Gunda, Margaret Petrus
IPC: H04L29/06
Abstract: The disclosure provides an approach for establishing authentication between components in a network. Embodiments include deploying a node of a monitoring appliance in response to a request and providing a token for accessing a network manager to the node of the monitoring appliance. Embodiments include generating, by the node of the monitoring appliance, a certificate of the node of the monitoring appliance and providing the certificate of the node of the monitoring appliance to the network manager with the token for accessing the network manager. Embodiments include adding, by the network manager, based on the token for accessing the network manager, the certificate of the node of the monitoring appliance to a first trust store and providing, by the network manager, a network manager certificate to the node of the monitoring appliance. Embodiments include adding, by the node of the monitoring appliance, the network manager certificate to a second trust store.
-
Publication No.: US20210026720A1
Publication date: 2021-01-28
Application No.: US16520233
Application date: 2019-07-23
Applicant: VMware, Inc.
Inventor: Jayant Jain, Russell Lu, Rick Lund, Alok S. Tiagi, Sushruth Gopal
Abstract: Some embodiments provide a novel method for collecting and analyzing attributes of data flows associated with machines executing on a plurality of host computers to detect anomalous behavior. In some embodiments, an anomalous behavior is detected for at least one particular flow associated with at least one machine executing on the host computer. In some embodiments, anomaly detection is based on the context data from the guest introspection agent and deep packet inspection. An identifier of the detected anomalous behavior is stored, in some embodiments. The stored attributes are provided, in some embodiments, to a server for further analysis.