-
Publication number: US20220014425A1
Publication date: 2022-01-13
Application number: US16927542
Application date: 2020-07-13
Applicant: VMware, Inc.
Inventor: Nafisa MANDLIWALA , Sirisha MYNENI , Robin MANHAS , Baibhav SINGH
Abstract: The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.
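Added example, not code from the patent or from VMware: one way to close the feedback loop the abstract describes, with a naive Bayes estimator standing in for "a model" (the patent does not say which model it trains). The feature set (signature id, process name, user), the labelled records and the suppression threshold are all constructed assumptions; the verdict that trains the model plays the role of the management plane's indication.

```python
import math
from collections import Counter, defaultdict

# Context collected from the VCI after an alert; the names are assumptions for this example.
FEATURES = ("signature", "process", "user")


class FalsePositiveModel:
    """Naive Bayes over categorical alert/context features with Laplace smoothing.

    train() consumes the management plane's verdict (is_fp) for one alert;
    p_false_positive() scores a new alert before it is surfaced.
    """

    def __init__(self):
        self.class_counts = Counter()               # label -> number of examples
        self.feature_counts = defaultdict(Counter)  # (label, feature) -> Counter of values
        self.values = defaultdict(set)              # feature -> distinct values seen

    def train(self, alert, is_fp):
        label = "fp" if is_fp else "tp"
        self.class_counts[label] += 1
        for f in FEATURES:
            self.feature_counts[(label, f)][alert[f]] += 1
            self.values[f].add(alert[f])

    def _log_score(self, label, alert):
        total = sum(self.class_counts.values())
        score = math.log(self.class_counts[label] / total)
        for f in FEATURES:
            counts = self.feature_counts[(label, f)]
            # +1 smoothing so a value never seen for this label does not zero the product
            score += math.log((counts[alert[f]] + 1) /
                              (self.class_counts[label] + len(self.values[f])))
        return score

    def p_false_positive(self, alert):
        if not self.class_counts["fp"] or not self.class_counts["tp"]:
            raise ValueError("need labelled examples of both classes before scoring")
        fp, tp = self._log_score("fp", alert), self._log_score("tp", alert)
        return 1.0 / (1.0 + math.exp(tp - fp))


# Constructed feedback: (alert + context, management plane said "false positive?")
LABELLED = [
    ({"signature": "sid-2001", "process": "backup-agent", "user": "svc-backup"}, True),
    ({"signature": "sid-2001", "process": "backup-agent", "user": "svc-backup"}, True),
    ({"signature": "sid-2001", "process": "backup-agent", "user": "svc-backup"}, True),
    ({"signature": "sid-2001", "process": "powershell.exe", "user": "jsmith"}, False),
    ({"signature": "sid-3002", "process": "curl", "user": "jsmith"}, False),
    ({"signature": "sid-3002", "process": "nessus", "user": "svc-scanner"}, True),
]


def build_model():
    model = FalsePositiveModel()
    for alert, is_fp in LABELLED:
        model.train(alert, is_fp)
    return model


def triage(model, alert, threshold=0.9):
    """'suppress' only when the model is confident the alert is a false positive."""
    return "suppress" if model.p_false_positive(alert) >= threshold else "escalate"


if __name__ == "__main__":
    m = build_model()
    for alert, _ in LABELLED[2:4]:
        print(alert, round(m.p_false_positive(alert), 3), triage(m, alert))
```

Keep the threshold high: the cost of suppressing a true positive is asymmetric, and the same signature firing for a different process or user should still escalate, which is what the per-feature likelihoods give you.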
-
Publication number: US20210184914A1
Publication date: 2021-06-17
Application number: US16714805
Application date: 2019-12-16
Applicant: VMware, Inc.
Inventor: Sirisha MYNENI , Kausum KUMAR , Nafisa MANDLIWALA , Venkatakrishnan RAJAGOPALAN
IPC: H04L12/24 , H04L12/46 , H04L12/751 , H04L29/06
Abstract: Example methods and systems are provided for network diagnosis. One example method may comprise: detecting an egress packet and determining whether each of multiple network issues is detected for the egress packet or a datapath between a first virtualized computing instance and a second virtualized computing instance. The method may also comprise: generating network diagnosis code information specifying whether each of the multiple network issues is detected or not detected; generating an encapsulated packet by encapsulating the egress packet with an outer header that specifies the network diagnosis code information; and sending the encapsulated packet towards the second virtualized computing instance to cause a second computer system to perform one or more remediation actions based on the network diagnosis code information.
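Added example, not code from the patent or from VMware: the sender-side checks, the encapsulation with a diagnosis code in the outer header, and the receiver-side decode and remediation dispatch. The outer header layout (8 bytes: version, reserved, inner length, 32-bit code), the four issue bits and the remediation table are constructed for this example; the patent does not specify them.

```python
import struct
from enum import IntFlag


class Diag(IntFlag):
    """One bit per network issue; a set bit means the issue was detected on egress."""
    MTU_EXCEEDED = 1 << 0
    TX_QUEUE_CONGESTED = 1 << 1
    CHECKSUM_OFFLOAD_MISMATCH = 1 << 2
    DEST_VTEP_UNREACHABLE = 1 << 3


KNOWN_BITS = sum(int(d) for d in Diag)

# Hypothetical outer header: version (B), reserved (B), inner length (H), diagnosis code (I)
OUTER_FMT = ">BBHI"
OUTER_LEN = struct.calcsize(OUTER_FMT)
VERSION = 1


def diagnose(egress_pkt, datapath):
    """Evaluate each issue against the packet or the datapath state; set its bit if detected."""
    code = 0
    if len(egress_pkt) > datapath["mtu"]:
        code |= Diag.MTU_EXCEEDED
    if datapath["tx_queue_depth"] >= datapath["tx_queue_limit"]:
        code |= Diag.TX_QUEUE_CONGESTED
    if not datapath["checksum_offload_ok"]:
        code |= Diag.CHECKSUM_OFFLOAD_MISMATCH
    if not datapath["dest_vtep_reachable"]:
        code |= Diag.DEST_VTEP_UNREACHABLE
    return Diag(code)


def encapsulate(egress_pkt, code):
    if len(egress_pkt) > 0xFFFF:
        raise ValueError("inner packet too large for the 16-bit length field")
    return struct.pack(OUTER_FMT, VERSION, 0, len(egress_pkt), int(code)) + egress_pkt


def decapsulate(frame):
    """Receiver side: the outer header arrived over the network, so validate it before acting."""
    if len(frame) < OUTER_LEN:
        raise ValueError("frame shorter than the outer header")
    version, _, inner_len, code = struct.unpack(OUTER_FMT, frame[:OUTER_LEN])
    if version != VERSION:
        raise ValueError(f"unsupported outer header version {version}")
    inner = frame[OUTER_LEN:]
    if len(inner) != inner_len:
        raise ValueError("inner length field does not match the frame")
    if code & ~KNOWN_BITS:
        raise ValueError("unknown diagnosis bits set")
    return inner, Diag(code)


def accepts(frame):
    """True if the receiver would accept the frame as well-formed."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


# Constructed remediation table for the receiving computer system.
REMEDIATION = {
    Diag.MTU_EXCEEDED: "lower the path MTU advertised to the source VCI",
    Diag.TX_QUEUE_CONGESTED: "apply backpressure to the source flow",
    Diag.CHECKSUM_OFFLOAD_MISMATCH: "disable checksum offload for the source vNIC",
    Diag.DEST_VTEP_UNREACHABLE: "re-resolve the destination tunnel endpoint",
}


def remediation_actions(code):
    return [action for flag, action in REMEDIATION.items() if flag in code]


# Constructed sample: a 1600-byte packet on a 1500-byte MTU path with a full tx queue.
SAMPLE_PKT = b"\x45" + b"\x00" * 1599
DATAPATH = {"mtu": 1500, "tx_queue_depth": 512, "tx_queue_limit": 512,
            "checksum_offload_ok": True, "dest_vtep_reachable": True}


def run_demo(pkt=SAMPLE_PKT, datapath=DATAPATH):
    """Sender diagnoses and encapsulates; receiver decapsulates and picks actions."""
    code = diagnose(pkt, datapath)
    inner, received = decapsulate(encapsulate(pkt, code))
    if inner != pkt:
        raise RuntimeError("inner packet corrupted in transit")
    return received, remediation_actions(received)


if __name__ == "__main__":
    print(run_demo())
```

The receiver treats the diagnosis code as untrusted input: it checks version, length and unknown bits before mapping bits to actions, since anything that can inject encapsulated frames could otherwise trigger remediation on demand.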
-
Publication number: US20230081299A1
Publication date: 2023-03-16
Application number: US18057334
Application date: 2022-11-21
Applicant: VMware, Inc.
Inventor: Sirisha MYNENI , Nafisa MANDLIWALA , Subrahmanyam MANUGURI , Anirban SENGUPTA
Abstract: The disclosure herein describes correlating file events with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options is output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.
-
Publication number: US20210152480A1
Publication date: 2021-05-20
Application number: US16686922
Application date: 2019-11-18
Applicant: VMware, Inc.
Inventor: Suresh MUPPALA , Nafisa MANDLIWALA , Sirisha MYNENI , Venkatakrishnan RAJAGOPALAN
IPC: H04L12/851 , G06F9/455 , H04L12/863 , H04L12/861
Abstract: The disclosure provides an approach for rate limiting packets in a network. Embodiments include receiving, by a rate limiting engine running on a host machine, a network event related to a virtual computing instance running on the host machine, the network event comprising flow information about a network flow. Embodiments include receiving, by the rate limiting engine, context information corresponding to the network flow, wherein the context information comprises one or more of a user characteristic or an application characteristic. Embodiments include determining, by the rate limiting engine, a priority for the network flow by applying a rate limiting policy to the flow information and the context information. Embodiments include providing, by the rate limiting engine, the priority for the network flow to a multiplexer for use in rate limiting the network flow.
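Added example, not code from the patent or from VMware: a rate limiting engine that derives a priority from flow information plus user and application context through an ordered policy, then hands it to a multiplexer implemented as one token bucket per priority class. The rule set, the three priority classes, their rates and the flow/context fields are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowInfo:          # from the network event
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class FlowContext:       # user and application characteristics for the flow
    user: str
    group: str
    app: str


# Rate limiting policy: ordered (predicate, priority) rules, first match wins.
# These rules and the class names are constructed for the example.
POLICY = [
    (lambda f, c: c.app == "backup-agent", "low"),
    (lambda f, c: c.group == "finance" and f.dst_port == 443, "high"),
    (lambda f, c: f.proto == "udp" and f.dst_port == 53, "high"),
]
DEFAULT_PRIORITY = "medium"


def classify(flow, ctx):
    """Apply the policy to flow information and context; return the flow's priority."""
    for predicate, priority in POLICY:
        if predicate(flow, ctx):
            return priority
    return DEFAULT_PRIORITY


class Multiplexer:
    """One token bucket per priority class. Rates are bytes/second; burst is one second of rate.
    The clock is passed in explicitly so behaviour is deterministic."""

    def __init__(self, rates):
        self.rate = dict(rates)
        self.tokens = dict(rates)               # start full
        self.last = {p: 0.0 for p in rates}

    def admit(self, priority, nbytes, now):
        refill = (now - self.last[priority]) * self.rate[priority]
        self.tokens[priority] = min(self.rate[priority], self.tokens[priority] + refill)
        self.last[priority] = now
        if nbytes <= self.tokens[priority]:
            self.tokens[priority] -= nbytes
            return True
        return False                            # over budget for this class: drop or queue


class RateLimitingEngine:
    """Runs on the host: classifies each network event and passes the priority to the mux."""

    def __init__(self, mux):
        self.mux = mux

    def on_event(self, flow, ctx, nbytes, now):
        priority = classify(flow, ctx)
        return priority, self.mux.admit(priority, nbytes, now)


if __name__ == "__main__":
    engine = RateLimitingEngine(Multiplexer({"low": 1_000, "medium": 10_000, "high": 100_000}))
    backup = FlowInfo("10.0.0.5", "10.0.1.9", 445, "tcp")
    svc = FlowContext("svc-backup", "infra", "backup-agent")
    for t in (0.0, 0.0, 1.0):
        print(t, engine.on_event(backup, svc, 800, t))
```

Because the priority comes from context rather than from the 5-tuple alone, the same destination port gets different treatment for a backup agent and for an interactive user; the context source therefore has to be one the guest cannot spoof, or the policy becomes a privilege the guest can grant itself.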
-
Publication number: US20230388320A1
Publication date: 2023-11-30
Application number: US17752990
Application date: 2022-05-25
Applicant: VMware, Inc.
Inventor: Russell LU , Sirisha MYNENI , Nafisa MANDLIWALA , Mani KANCHERLA
CPC classification number: H04L63/1416 , H04L63/1425 , G06F9/45558 , G06F2009/45587
Abstract: Example methods and systems for intrusion detection with adaptive pattern selection are described. In one example, a computer system may perform pattern selection by selecting a subset from a set of multiple patterns based on metric information. In response to receiving a packet belonging to a flow between a source endpoint and a destination endpoint, a first matching operation may be performed to determine whether the packet is matchable to a particular pattern from the set of multiple patterns or the subset. In response to determination that the packet is matchable to the particular pattern, a second matching operation may be performed to determine whether the packet is matchable to a particular signature. The metric information associated with the particular pattern may be updated based on the first matching operation and/or the second matching operation. This way, the subset may be updated based at least on the updated metric information.
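Added example, not code from the patent or from VMware: the two-stage matching with a metric-driven subset of patterns. Each signature carries a cheap literal "pattern" (first matching operation) and a full regex (second matching operation); the subset is re-ranked from per-pattern hit and confirmation counts, and the full set is swept on every Nth packet so patterns outside the subset can still earn their way in. The four signatures, the ranking rule and the sweep interval are constructed assumptions, not the patent's.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    pattern: bytes        # cheap literal, checked in the first matching operation
    full: re.Pattern      # full signature, checked only after its pattern hits


@dataclass
class Metrics:
    hits: int = 0         # first-stage pattern matches
    confirmed: int = 0    # of those, how many a full signature then confirmed


class AdaptiveMatcher:
    def __init__(self, signatures, subset_size):
        self.by_pattern = {}
        for s in signatures:
            self.by_pattern.setdefault(s.pattern, []).append(s)
        self.patterns = list(self.by_pattern)
        self.metrics = {p: Metrics() for p in self.patterns}
        self.subset_size = subset_size
        self.subset = self.select_subset()

    def select_subset(self):
        # Assumed ranking: patterns whose hits led to confirmed signatures first, then raw
        # hit count. sorted() is stable, so ties keep signature order.
        ranked = sorted(self.patterns,
                        key=lambda p: (self.metrics[p].confirmed, self.metrics[p].hits),
                        reverse=True)
        self.subset = ranked[:self.subset_size]
        return self.subset

    def inspect(self, payload, full_set=False):
        """Return the sids confirmed for this payload and update the pattern metrics."""
        alerts = []
        for pat in (self.patterns if full_set else self.subset):
            if pat not in payload:                 # first matching operation
                continue
            m = self.metrics[pat]
            m.hits += 1
            for sig in self.by_pattern[pat]:
                if sig.full.search(payload):       # second matching operation
                    m.confirmed += 1
                    alerts.append(sig.sid)
        return alerts


# Constructed signatures (sids and rules are illustrative only).
SIGNATURES = [
    Signature(1001, b"/etc/passwd", re.compile(rb"GET\s+\S*/etc/passwd")),
    Signature(1002, b"UNION", re.compile(rb"UNION\s+(ALL\s+)?SELECT")),
    Signature(1003, b"cmd.exe", re.compile(rb"cmd\.exe\s*/c")),
    Signature(1004, b"<script", re.compile(rb"<script[^>]*>")),
]

# Constructed flow payloads, in arrival order.
PACKETS = [
    b"GET /index.php?page=../../etc/passwd HTTP/1.1",
    b"GET /search?q=UNION%20SELECT HTTP/1.1",        # pattern hits, full signature does not
    b"POST /upload cmd.exe /c whoami",               # pattern not in subset yet: missed
    b"GET /?x=<script>alert(1)</script> HTTP/1.1",
    b"POST /upload cmd.exe /c dir",                  # caught by the full-set sweep
    b"POST /upload cmd.exe /c net user",             # caught by the re-ranked subset
]


def run_demo(sweep_every=4, reselect_after=5):
    """Returns (alerts per packet, final subset) for the constructed traffic."""
    ids = AdaptiveMatcher(SIGNATURES, subset_size=2)
    seen = []
    for i, payload in enumerate(PACKETS):
        if i == reselect_after:
            ids.select_subset()
        seen.append(ids.inspect(payload, full_set=(i % sweep_every == 0)))
    return seen, ids.subset


if __name__ == "__main__":
    print(run_demo())
```

The third packet is the cost of the scheme: a signature whose pattern is not in the current subset is only found on a full sweep, so the sweep interval and the subset size bound how long a new attack pattern stays invisible.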
-
Publication number: US20220210167A1
Publication date: 2022-06-30
Application number: US17137385
Application date: 2020-12-30
Applicant: VMware, Inc.
Inventor: Venkatakrishnan RAJAGOPALAN , Sirisha MYNENI , Srinivas RAMASWAMY , Nafisa MANDLIWALA , Robin MANHAS
Abstract: Example methods and systems for context-aware intrusion detection are described. In one example, in response to determination that there is a matching intrusion detection signature based on packet flow information associated with a packet, a computer system may generate an intrusion detection alert that identifies the matching intrusion detection signature and the packet flow information. Further, the computer system may map the intrusion detection alert to contextual information, and generate a context-aware intrusion detection alert to trigger a context-aware remediation action based on at least the contextual information. The intrusion detection alert may be enhanced with context information associated with at least one of the following: the virtualized computing instance, a client device associated with the virtualized computing instance, and a user operating the client device.
-
Publication number: US20210218757A1
Publication date: 2021-07-15
Application number: US16738305
Application date: 2020-01-09
Applicant: VMware, Inc.
Inventor: Makarand BHONSLE , Sirisha MYNENI , Anirban SENGUPTA , Subrahmanyam MANUGURI
Abstract: Described herein are embodiments for transferring knowledge of intrusion signatures derived from a number of software-defined data centers (SDDCs), each of which has an intrusion detection system (IDS) with a convolutional neural network (CNN) to a centralized neural network. The centralized neural network is implemented as a generative adversarial neural network (GANN) having a multi-feed discriminator and a generator, which is trained from the discriminator. Knowledge in the GANN is then transferred back to the CNNs in each of the SDDCs. In this manner, each CNN obtains the learning of the CNNs in nearby IDSs of a region so that a distributed attack on each of the CNNs, such as a denial of service attack, can be defended by each of the CNNs.
-
Publication number: US20220360563A1
Publication date: 2022-11-10
Application number: US17872846
Application date: 2022-07-25
Applicant: VMware, Inc.
Inventor: Arnold POON , Sirisha MYNENI , Rajiv MORDANI , Aditi VUTUKURI
IPC: H04L9/40 , H04L61/103 , G06F9/455
Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.
-
Publication number: US20210182388A1
Publication date: 2021-06-17
Application number: US16718174
Application date: 2019-12-17
Applicant: VMware, Inc.
Inventor: Sirisha MYNENI , Nafisa MANDLIWALA , Subrahmanyam MANUGURI , Anirban SENGUPTA
Abstract: The disclosure herein describes correlating file events with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options is output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.
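Added example, not code from the patent or from VMware, covering the file-event correlation described in this abstract and in the identically worded US20230081299A1 above: a monitoring feed of thin-agent file events, an analysis step that correlates them to an alert by VCI, time window and file name, a recommendation step that offers ranked corrective actions, and an automatic response for configured attack types. The event and alert fields, the attack types, the action table, the 60-second window and the auto-response set are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class FileEvent:               # as reported by the thin agent in the guest
    ts: datetime
    vm: str
    process: str
    path: str
    op: str                    # create / write / rename / delete


@dataclass(frozen=True)
class IDSAlert:
    ts: datetime
    vm: str
    attack_type: str
    signature: str
    file_name: Optional[str]   # None when the signature carries no file metadata


# Corrective actions per attack type; the first entry is the recommended one.
# Attack types, actions and the auto-response set are constructed policy.
CORRECTIVE_ACTIONS = {
    "web_shell_upload": ["quarantine file", "kill owning process", "block source IP"],
    "ransomware": ["snapshot and isolate VM", "kill owning process", "restore files from backup"],
}
AUTO_RESPOND = {"ransomware"}


def correlate(alert, events, window=timedelta(seconds=60)):
    """File events on the same VCI, inside the window, that the alert's metadata explains."""
    matched = []
    for e in events:
        if e.vm != alert.vm or abs(e.ts - alert.ts) > window:
            continue
        basename = e.path.replace("\\", "/").rsplit("/", 1)[-1]
        if alert.file_name is None or basename == alert.file_name:
            matched.append(e)
    return matched


def recommend(alert, matched):
    options = CORRECTIVE_ACTIONS.get(alert.attack_type, ["escalate to analyst"])
    return {
        "alert": alert.signature,
        "files": sorted({e.path for e in matched}),
        "processes": sorted({e.process for e in matched}),
        "options": options,
        "recommended": options[0],
        "automatic": alert.attack_type in AUTO_RESPOND,
    }


def respond(alert, events, user_choice=None):
    """Action taken: the recommended one automatically for configured attack types,
    otherwise the user's selection, which must be one of the offered options."""
    rec = recommend(alert, correlate(alert, events))
    if rec["automatic"]:
        return rec["recommended"]
    if user_choice not in rec["options"]:
        raise ValueError("no action taken: user must pick one of the offered options")
    return user_choice


# Constructed thin-agent feed and alerts.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    FileEvent(T0 + timedelta(seconds=5), "web-01", "httpd", "/var/www/uploads/shell.php", "create"),
    FileEvent(T0 + timedelta(seconds=6), "web-01", "httpd", "/var/www/uploads/shell.php", "write"),
    FileEvent(T0 + timedelta(seconds=7), "web-01", "httpd", "/var/www/html/index.html", "write"),
    FileEvent(T0 + timedelta(minutes=10), "web-01", "logrotate", "/var/www/uploads/shell.php", "delete"),
    FileEvent(T0 + timedelta(seconds=3), "fs-01", "svchost.exe", "C:\\shares\\q3.xlsx.locked", "rename"),
]
WEBSHELL = IDSAlert(T0, "web-01", "web_shell_upload", "constructed-sig-webshell-upload", "shell.php")
RANSOM = IDSAlert(T0, "fs-01", "ransomware", "constructed-sig-ransomware-beacon", None)


if __name__ == "__main__":
    print(recommend(WEBSHELL, correlate(WEBSHELL, EVENTS)))
    print(respond(RANSOM, EVENTS))
```

The 10-minute-old delete of the same file is deliberately outside the window: without the time bound, unrelated events on a busy file would be attributed to the intrusion and the wrong process would be killed.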
-
Publication number: US20200296077A1
Publication date: 2020-09-17
Application number: US16351083
Application date: 2019-03-12
Applicant: VMware, Inc.
Inventor: Arnold POON , Sirisha MYNENI , Rajiv MORDANI , Aditi VUTUKURI
Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.