-
Publication No.: US20230131464A1
Publication Date: 2023-04-27
Application No.: US18088620
Filing Date: 2022-12-26
Applicant: VMware, Inc.
Inventor: Jayant Jain , Jingmin Zhou , Sushruth Gopal , Anirban Sengupta , Sirisha Myneni
IPC: H04L9/40 , G06F16/901 , G06F9/54 , G06F9/455
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication No.: US11544375B2
Publication Date: 2023-01-03
Application No.: US16718174
Filing Date: 2019-12-17
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Nafisa Mandliwala , Subrahmanyam Manuguri , Anirban Sengupta
Abstract: File events are correlated with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options are output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.
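The correlation and recommendation flow described in the abstract above, as an added example (illustrative Python, not VMware's code). The thin-agent file events, the IDS alerts, the remediation catalogue and the 30-second correlation window are all constructed for the example; the actual product's event schema and option set are not on this page.

```python
from datetime import datetime, timedelta

# Constructed thin-agent file events from two VMs (not real telemetry).
FILE_EVENTS = [
    {"ts": "2023-03-01T10:00:01", "vm": "web-01", "pid": 4242, "process": "java",
     "op": "create", "path": "/tmp/x.sh"},
    {"ts": "2023-03-01T10:00:02", "vm": "web-01", "pid": 4242, "process": "java",
     "op": "write", "path": "/tmp/x.sh"},
    {"ts": "2023-03-01T10:00:04", "vm": "web-01", "pid": 4300, "process": "bash",
     "op": "exec", "path": "/tmp/x.sh"},
    {"ts": "2023-03-01T10:30:00", "vm": "web-01", "pid": 5100, "process": "crypt",
     "op": "rename", "path": "/srv/data/report.docx.locked"},
    {"ts": "2023-03-01T10:00:03", "vm": "db-01", "pid": 77, "process": "postgres",
     "op": "write", "path": "/var/lib/pg/x.sh"},
]

# Constructed IDS alerts; "attack_type" and "file_name" are the metadata used to correlate.
ALERTS = [
    {"id": "a-1", "ts": "2023-03-01T10:00:00", "vm": "web-01",
     "attack_type": "web-shell-upload", "file_name": "x.sh"},
    {"id": "a-2", "ts": "2023-03-01T10:29:50", "vm": "web-01",
     "attack_type": "ransomware", "file_name": "report.docx.locked"},
]

# Remediation catalogue (assumed); the first option per attack type is the recommended one.
OPTIONS = {
    "web-shell-upload": ["quarantine_file", "terminate_process", "isolate_vm"],
    "ransomware": ["isolate_vm", "snapshot_vm"],
}
AUTO_RESPOND = {"ransomware"}   # attack types the operator has pre-approved for auto-response


def correlate(alert, events, window=timedelta(seconds=30)):
    """File events on the alert's VM, within the window after the alert, touching the named file."""
    t0 = datetime.fromisoformat(alert["ts"])
    hits = []
    for e in events:
        dt = datetime.fromisoformat(e["ts"]) - t0
        same_file = e["path"].rsplit("/", 1)[-1] == alert["file_name"]
        if e["vm"] == alert["vm"] and timedelta(0) <= dt <= window and same_file:
            hits.append(e)
    return hits


def recommend(alert, events):
    """Build the option set shown to the user for one alert."""
    hits = correlate(alert, events)
    opts = OPTIONS.get(alert["attack_type"], ["investigate"])
    return {
        "alert": alert["id"],
        "events": [(e["ts"], e["process"], e["op"], e["path"]) for e in hits],
        "affected_pids": sorted({e["pid"] for e in hits}),
        "options": opts,
        "recommended": opts[0],
        "auto": alert["attack_type"] in AUTO_RESPOND,
    }


def respond(result, choice=None):
    """Auto-apply the recommendation for pre-approved types; otherwise require an operator choice."""
    if result["auto"]:
        return result["recommended"]
    if choice not in result["options"]:
        raise ValueError("operator must pick one of " + ", ".join(result["options"]))
    return choice


if __name__ == "__main__":
    for alert in ALERTS:
        print(recommend(alert, FILE_EVENTS))
```

The correlation key here is VM plus file name plus a time window; a production system would also tie the events to the flow's process (the `pid` the thin agent reports) so that an unrelated write to a same-named file on another path is not pulled in.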
-
Publication No.: US11431678B2
Publication Date: 2022-08-30
Application No.: US16351083
Filing Date: 2019-03-12
Applicant: VMware, Inc.
Inventor: Arnold Poon , Sirisha Myneni , Rajiv Mordani , Aditi Vutukuri
IPC: H04L9/40 , H04L61/103 , G06F9/455 , H04L69/22
Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.
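The register/lookup exchange between hypervisors and the central controller described above, as an added example (illustrative Python, not VMware's code). The messages are JSON passed through a function call rather than the ARP-carried packets of the abstract, and the controller table layout, the process-level rule shape and the host/IP values are all assumptions made for the example.

```python
import json


class Controller:
    """Central controller: table of which process is behind which (ip, port) on which host."""

    def __init__(self):
        self.table = {}   # (ip, port) -> {"host": ..., "context": {...}}

    def handle(self, packet: bytes) -> bytes:
        msg = json.loads(packet)
        if msg["type"] == "register":
            key = (msg["ip"], msg["context"]["port"])
            self.table[key] = {"host": msg["host"], "context": msg["context"]}
            return json.dumps({"type": "ack"}).encode()
        if msg["type"] == "lookup":
            entry = self.table.get((msg["ip"], msg["port"]))
            return json.dumps({"type": "response", "found": entry is not None,
                               **(entry or {})}).encode()
        return json.dumps({"type": "error"}).encode()


class Hypervisor:
    """Host-side agent: announces local processes, resolves remote ones, enforces rules."""

    def __init__(self, name: str, controller: Controller):
        self.name, self.controller = name, controller
        self.remote_cache = {}   # (ip, port) -> controller response

    def on_process_start(self, ip: str, ctx: dict) -> bool:
        """First packet of the abstract: request plus local context, sent to the controller."""
        pkt = json.dumps({"type": "register", "host": self.name,
                          "ip": ip, "context": ctx}).encode()
        return json.loads(self.controller.handle(pkt))["type"] == "ack"

    def remote_context(self, ip: str, port: int) -> dict:
        """Second packet: the controller's response carrying the remote process's context."""
        key = (ip, port)
        if key not in self.remote_cache:
            pkt = json.dumps({"type": "lookup", "ip": ip, "port": port}).encode()
            self.remote_cache[key] = json.loads(self.controller.handle(pkt))
        return self.remote_cache[key]

    def decide(self, local_ctx: dict, dst_ip: str, dst_port: int, rules: list) -> str:
        """Evaluate process-to-process rules using local and resolved remote context."""
        remote = self.remote_context(dst_ip, dst_port)
        remote_proc = remote.get("context", {}).get("process")
        for rule in rules:
            if rule["src_process"] == local_ctx["process"] and rule["dst_process"] == remote_proc:
                return rule["action"]
        return "drop"   # default deny when the remote process is unknown or unmatched


# Constructed process-level rule: only httpd may talk to postgres.
PROCESS_RULES = [{"src_process": "httpd", "dst_process": "postgres", "action": "allow"}]


def demo():
    ctl = Controller()
    esx1, esx2 = Hypervisor("esx-1", ctl), Hypervisor("esx-2", ctl)
    esx2.on_process_start("10.0.2.5", {"process": "postgres", "user": "postgres", "port": 5432})
    esx2.on_process_start("10.0.2.5", {"process": "sshd", "user": "root", "port": 22})
    web = {"process": "httpd", "user": "www-data"}
    return (esx1.decide(web, "10.0.2.5", 5432, PROCESS_RULES),            # allow
            esx1.decide(web, "10.0.2.5", 22, PROCESS_RULES),              # drop: sshd, not postgres
            esx1.decide({"process": "nc"}, "10.0.2.5", 5432, PROCESS_RULES),  # drop: wrong source
            esx1.decide(web, "10.0.2.9", 5432, PROCESS_RULES))            # drop: never registered


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the default: a flow whose peer process the controller cannot vouch for is dropped, so the enhanced rule never falls back to a bare 5-tuple match.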
-
Publication No.: US20210218758A1
Publication Date: 2021-07-15
Application No.: US16739572
Filing Date: 2020-01-10
Applicant: VMware, Inc.
Inventor: Jayant Jain , Jingmin Zhou , Sushruth Gopal , Anirban Sengupta , Sirisha Myneni
IPC: H04L29/06 , G06F16/901 , G06F9/455 , G06F9/54
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
-
Publication No.: US20230021269A1
Publication Date: 2023-01-19
Application No.: US17374623
Filing Date: 2021-07-13
Applicant: VMware, Inc.
Inventor: Nafisa Mandliwala , Sirisha Myneni , Subrahmanyam Manuguri
IPC: G06F21/56
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives a filtered set of intrusion detection signatures for enforcement on the at least one host computer, the filtered set of intrusion detection signatures identified based on the multiple contextual attributes. The method uses the filtered set of intrusion detection signatures to detect at least one potential intrusion associated with a particular data message processed on the at least one host computer.
-
Publication No.: US20230014706A1
Publication Date: 2023-01-19
Application No.: US17374611
Filing Date: 2021-07-13
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Nafisa Mandliwala , Robin Manhas , Srinivas Ramaswamy
IPC: H04L29/06
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives, from the set of servers, a set of one or more intrusion detection scripts to be enforced on the at least one host computer, the set of one or more intrusion detection scripts defined based on the multiple forwarded contextual attributes. The method uses the multiple contextual attributes to identify and resolve at least one intrusion detection script in the set of one or more intrusion detection scripts.
-
Publication No.: US11539718B2
Publication Date: 2022-12-27
Application No.: US16739572
Filing Date: 2020-01-10
Applicant: VMware, Inc.
Inventor: Jayant Jain , Jingmin Zhou , Sushruth Gopal , Anirban Sengupta , Sirisha Myneni
IPC: H04L29/06 , H04L9/40 , G06F16/901 , G06F9/54 , G06F9/455
Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.
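The contextual rule-subsetting step shared by US20230131464A1, US20210218758A1 and US11539718B2 (host-side selection) and, in the same form, the server-side filtering by forwarded context of US20230021269A1 and US20230014706A1, as an added example (illustrative Python, not VMware's code). Each rule carries contextual predicates (application, OS, user group) next to its L4 predicate and payload pattern; the engine narrows the rule set with the flow's context first and runs only that subset against the payload. The rule set, sids and patterns are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    sid: int
    description: str
    pattern: str                      # regex run against the payload
    dst_port: Optional[int] = None    # L4 predicate; None means any port
    context: dict = field(default_factory=dict)   # attribute -> set of allowed values

    def applies_to(self, ctx: dict, dst_port: int) -> bool:
        """The L4 predicate and every contextual predicate must hold."""
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return all(ctx.get(k) in allowed for k, allowed in self.context.items())


# Constructed sample rule set; sids, patterns and predicates are illustrative only.
RULES = [
    Rule(1001, "OGNL expression in HTTP request", r"%\{[^}]*\}", 80,
         {"app": {"tomcat", "httpd"}, "os": {"linux"}}),
    Rule(1002, "Named-pipe access over SMB", r"\\PIPE\\", 445,
         {"os": {"windows"}}),
    Rule(1003, "Shell command chained into HTTP parameter",
         r"[;|]\s*(cat|wget|curl)\b", 80,
         {"app": {"tomcat", "httpd", "nginx"}}),
    Rule(1004, "JNDI lookup string in request", r"\$\{jndi:", None,
         {"app": {"tomcat", "jboss"}}),
    Rule(1005, "DROP TABLE issued by a non-DBA service account",
         r"\bDROP\s+TABLE\b", 5432,
         {"user_group": {"web", "app"}}),
]


def select_rules(rules, ctx, dst_port):
    """Narrow the full rule set to those whose context and L4 predicates hold."""
    return [r for r in rules if r.applies_to(ctx, dst_port)]


def inspect(payload, rules):
    """Run only the selected subset; return the first matching rule or None."""
    for r in rules:
        if re.search(r.pattern, payload):
            return r
    return None


def detect(payload, ctx, dst_port, rules=RULES):
    """Return (sids actually evaluated, sid that matched or None)."""
    subset = select_rules(rules, ctx, dst_port)
    hit = inspect(payload, subset)
    return [r.sid for r in subset], (hit.sid if hit else None)


if __name__ == "__main__":
    ctx = {"app": "tomcat", "os": "linux", "user_group": "web"}
    print(detect("GET /a.action?id=%{(#x='id')} HTTP/1.1", ctx, 80))
```

The `user_group` rule shows why context changes the verdict and not just the cost: the same `DROP TABLE` statement is an intrusion when a web service account sends it and routine when a DBA does, which no L2-L4 field can express. The context attributes themselves come from guest introspection, so a compromised guest that can forge them can steer itself out of the subset; the host should treat them as claims from the VM, not facts.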
-
Publication No.: US10999220B2
Publication Date: 2021-05-04
Application No.: US16028342
Filing Date: 2018-07-05
Applicant: VMware, Inc.
Inventor: Tori Chen , Sirisha Myneni , Arijit Chanda , Arnold Poon , Farzad Ghannadian , Venkat Rajagopalan
IPC: H04L29/06 , G06F9/445 , H04L12/931 , H04L12/741 , H04L12/24 , H04L12/721 , G06F9/455 , H04L12/803 , H04L12/46
Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to middlebox service engines executing at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments execute a context header insertion processor that receives contextual attributes relating to network events and/or process events on the machines collected using a guest-introspection (GI) agent on each machine. In some embodiments, the context header insertion processor uses these contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE.
-
Publication No.: US20210006542A1
Publication Date: 2021-01-07
Application No.: US16460823
Filing Date: 2019-07-02
Applicant: VMware, Inc.
Inventor: Sirisha Myneni , Rajiv Mordani , Kausum Kumar
IPC: H04L29/06
Abstract: Behavior-based security in a datacenter includes monitoring user actions made by users in the datacenter. Behavior-based risk scores are computed for users based on their monitored actions. One or more firewall rules are generated for users based on their behavior-based risk scores. The firewall rules regulate the actions of the users.
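The score-then-generate pipeline of the abstract above, as an added example (illustrative Python, not VMware's code). The audit log, the behaviour weights, the two thresholds and the shape of the generated rules are all assumptions for the example; the product's scoring model is not described on this page.

```python
# Constructed audit log of user actions in the datacenter (not real data).
ACTIONS = [
    {"user": "alice", "action": "login", "result": "ok"},
    {"user": "alice", "action": "read", "resource": "wiki"},
    {"user": "bob", "action": "login", "result": "fail"},
    {"user": "bob", "action": "login", "result": "fail"},
    {"user": "bob", "action": "login", "result": "fail"},
    {"user": "bob", "action": "login", "result": "ok"},
    {"user": "bob", "action": "port_scan", "target": "10.0.2.0/24"},
    {"user": "bob", "action": "read", "resource": "hr-share"},
    {"user": "carol", "action": "login", "result": "ok", "hour": 3},
    {"user": "carol", "action": "ssh", "target": "db-01"},
]

# Weight per observed behaviour; the numbers are illustrative, not a calibrated model.
WEIGHTS = {
    ("login", "fail"): 10,
    "port_scan": 40,
    "off_hours": 15,
    "ssh": 5,
}


def risk_scores(actions):
    """Sum behaviour weights per user; every user seen in the log gets a score."""
    scores = {}
    for a in actions:
        u = a["user"]
        s = scores.get(u, 0)
        if a["action"] == "login" and a.get("result") == "fail":
            s += WEIGHTS[("login", "fail")]
        elif a["action"] in WEIGHTS:
            s += WEIGHTS[a["action"]]
        if "hour" in a and not (7 <= a["hour"] < 20):
            s += WEIGHTS["off_hours"]
        scores[u] = s
    return scores


def firewall_rules(scores, low=20, high=60):
    """Map scores to per-user rules (constructed rule shape): higher risk, tighter rules."""
    rules = []
    for user, score in sorted(scores.items()):
        if score >= high:
            rules.append({"user": user, "dst": "any", "action": "deny", "log": True})
        elif score >= low:
            rules.append({"user": user, "dst": "prod-db", "action": "deny", "log": True})
            rules.append({"user": user, "dst": "any", "action": "allow", "log": True})
        else:
            rules.append({"user": user, "dst": "any", "action": "allow", "log": False})
    return rules


if __name__ == "__main__":
    for rule in firewall_rules(risk_scores(ACTIONS)):
        print(rule)
```

Rules derived from behaviour should age out: a score that only ever accumulates turns a single bad night into a permanent lockout, so a real implementation decays the score or recomputes it over a sliding window before regenerating rules.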
-
Publication No.: US20200014638A1
Publication Date: 2020-01-09
Application No.: US16028342
Filing Date: 2018-07-05
Applicant: VMware, Inc.
Inventor: Tori Chen , Sirisha Myneni , Arijit Chanda , Arnold Poon , Farzad Ghannadian , Venkat Rajagopalan
IPC: H04L12/931 , H04L12/741 , H04L12/24 , H04L12/721 , H04L12/46 , G06F9/455 , H04L12/803
Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to middlebox service engines executing at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments execute a context header insertion processor that receives contextual attributes relating to network events and/or process events on the machines collected using a guest-introspection (GI) agent on each machine. In some embodiments, the context header insertion processor uses these contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE.
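The context header of US10999220B2 and US20200014638A1, as an added example (illustrative Python, not VMware's code): the host-side insertion processor prepends a header carrying the guest-introspection attributes to the data message, and the edge-side middlebox strips it and decides on the attributes rather than on the 5-tuple. The magic value, the TLV layout, the attribute type codes and the edge policy are all assumptions for the example; NSX's actual encapsulation format is not on this page.

```python
import struct

# Attribute type codes for the context header TLVs (assumed; not NSX's wire format).
ATTR_TYPES = {"app": 1, "user": 2, "os": 3, "pid": 4}
TYPE_NAMES = {v: k for k, v in ATTR_TYPES.items()}
MAGIC = b"CTX1"


def encapsulate(payload: bytes, ctx: dict) -> bytes:
    """Host side: MAGIC | body_len (u16) | (type u8, len u8, value)* | original payload."""
    body = b""
    for key, value in ctx.items():
        v = str(value).encode()
        if len(v) > 255:
            raise ValueError(f"{key} too long for a one-byte length")
        body += struct.pack("!BB", ATTR_TYPES[key], len(v)) + v
    return MAGIC + struct.pack("!H", len(body)) + body + payload


def decapsulate(frame: bytes):
    """Edge side: split a frame into (context dict, payload); reject malformed headers."""
    if len(frame) < 6 or frame[:4] != MAGIC:
        raise ValueError("no context header")
    (body_len,) = struct.unpack("!H", frame[4:6])
    body, payload = frame[6:6 + body_len], frame[6 + body_len:]
    if len(body) != body_len:
        raise ValueError("truncated context header")
    ctx, i = {}, 0
    while i < body_len:
        if i + 2 > body_len:
            raise ValueError("truncated TLV")
        t, length = struct.unpack("!BB", body[i:i + 2])
        v = body[i + 2:i + 2 + length]
        if len(v) != length:
            raise ValueError("TLV length exceeds header")
        ctx[TYPE_NAMES.get(t, f"unknown_{t}")] = v.decode()
        i += 2 + length
    return ctx, payload


# Constructed edge rules keyed on context attributes; first match wins, default drop.
EDGE_POLICY = [
    ({"app": "chrome.exe"}, "allow"),
    ({"user": "svc-backup", "app": "rsync"}, "allow"),
    ({}, "drop"),
]


def edge_decision(frame: bytes):
    """Middlebox at the edge: decapsulate, then match the context against EDGE_POLICY."""
    ctx, payload = decapsulate(frame)
    for match, action in EDGE_POLICY:
        if all(ctx.get(k) == v for k, v in match.items()):
            return action, ctx, payload
    return "drop", ctx, payload


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\n", {"app": "chrome.exe", "user": "alice", "pid": 1234})
    print(edge_decision(frame))
```

Because the header travels with the packet, the edge must only honour it on the overlay ports it expects context on and must strip it before the packet leaves for an external network; a context header that reaches an untrusted peer leaks process and user names, and one accepted from an untrusted peer lets that peer pick its own policy match.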
-