EFFICIENTLY PERFORMING INTRUSION DETECTION

    Publication (Announcement) No.: US20230131464A1

    Publication (Announcement) Date: 2023-04-27

    Application No.: US18088620

    Application Date: 2022-12-26

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.

    Corrective action on malware intrusion detection using file introspection

    Publication (Announcement) No.: US11544375B2

    Publication (Announcement) Date: 2023-01-03

    Application No.: US16718174

    Application Date: 2019-12-17

    Applicant: VMware, Inc.

    Abstract: File events are correlated with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options are output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.

    Methods for enabling enhanced firewall rules via ARP-based annotations

    Publication (Announcement) No.: US11431678B2

    Publication (Announcement) Date: 2022-08-30

    Application No.: US16351083

    Application Date: 2019-03-12

    Applicant: VMware, Inc.

    Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.

    EFFICIENTLY PERFORMING INTRUSION DETECTION

    Publication (Announcement) No.: US20210218758A1

    Publication (Announcement) Date: 2021-07-15

    Application No.: US16739572

    Application Date: 2020-01-10

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.

    METHOD AND SYSTEM FOR IMPLEMENTING INTRUSION DETECTION SIGNATURES CURATED FOR WORKLOADS BASED ON CONTEXTUAL ATTRIBUTES IN AN SDDC

    Publication (Announcement) No.: US20230021269A1

    Publication (Announcement) Date: 2023-01-19

    Application No.: US17374623

    Application Date: 2021-07-13

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives a filtered set of intrusion detection signatures for enforcement on the at least one host computer, the filtered set of intrusion detection signatures identified based on the multiple contextual attributes. The method uses the filtered set of intrusion detection signatures to detect at least one potential intrusion associated with a particular data message processed on the at least one host computer.

    METHOD AND SYSTEM FOR ENFORCING USER-DEFINED CONTEXT-BASED INTRUSION DETECTION RULES IN AN SDDC

    Publication (Announcement) No.: US20230014706A1

    Publication (Announcement) Date: 2023-01-19

    Application No.: US17374611

    Application Date: 2021-07-13

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives, from the set of servers, a set of one or more intrusion detection scripts to be enforced on the at least one host computer, the set of one or more intrusion detection scripts defined based on the multiple forwarded contextual attributes. The method uses the multiple contextual attributes to identify and resolve at least one intrusion detection script in the set of one or more intrusion detection scripts.

    Efficiently performing intrusion detection

    Publication (Announcement) No.: US11539718B2

    Publication (Announcement) Date: 2022-12-27

    Application No.: US16739572

    Application Date: 2020-01-10

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity. For instance, in some embodiments, the IDS engine identifies one rule in the identified subset of IDS rules as matching the received data message, and then processes this rule to determine whether the data message is associated with an intrusion.

    Context aware middlebox services at datacenter edge

    Publication (Announcement) No.: US10999220B2

    Publication (Announcement) Date: 2021-05-04

    Application No.: US16028342

    Application Date: 2018-07-05

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to middlebox service engines executing at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments execute a context header insertion processor that receives contextual attributes relating to network events and/or process events on the machines collected using a guest-introspection (GI) agent on each machine. In some embodiments, the context header insertion processor uses these contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE.

    CONTEXT AWARE MIDDLEBOX SERVICES AT DATACENTER EDGE

    Publication (Announcement) No.: US20200014638A1

    Publication (Announcement) Date: 2020-01-09

    Application No.: US16028342

    Application Date: 2018-07-05

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to middlebox service engines executing at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments execute a context header insertion processor that receives contextual attributes relating to network events and/or process events on the machines collected using a guest-introspection (GI) agent on each machine. In some embodiments, the context header insertion processor uses these contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE.