-
Publication number: US20230239204A1
Publication date: 2023-07-27
Application number: US17677039
Filing date: 2022-02-22
Applicant: VMware, Inc.
Inventor: Karen Hayrapetyan, Sunitha Krishna, Nikash Walia, Margaret Petrus
IPC: H04L41/0813, H04L41/12, H04L9/40
CPC classification number: H04L41/0813, H04L41/12, H04L63/104
Abstract: Systems and methods are described for recommending security groups using graph-based learning models. A server can create a network graph that illustrates network flows between devices in a network and security groups that the devices belong to. The network graph can include nodes that represent the devices and security groups. The server can apply a graph-based learning model to learn embeddings of the nodes and create vectors using the embeddings. Using vectors of two nodes, the server can calculate a vector that represents an edge between the two nodes. The server can apply a binary classifier to determine whether the edge should exist. A “true” classification between two nodes can indicate that they should be able to communicate, and vice versa. A “true” classification between a device node and a security group node can indicate that the device should be assigned to the security group, and vice versa.
-
Publication number: US11349876B2
Publication date: 2022-05-31
Application number: US16554414
Filing date: 2019-08-28
Applicant: VMware, Inc.
Inventor: Sunitha Krishna, Kausum Kumar, Rajiv Mordani, Radha Popuri, Kavya Kambi Ravi, Ankur Saran, Farzad Ghannadian
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rules to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.
-
Publication number: US20210029166A1
Publication date: 2021-01-28
Application number: US16554414
Filing date: 2019-08-28
Applicant: VMware, Inc.
Inventor: Sunitha Krishna, Kausum Kumar, Rajiv Mordani, Radha Popuri, Kavya Kambi Ravi, Ankur Saran, Farzad Ghannadian
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rules to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.
-
Publication number: US20230179572A1
Publication date: 2023-06-08
Application number: US17543294
Filing date: 2021-12-06
Applicant: VMware, Inc.
Inventor: Kavya Kambi Ravi, Radha Popuri, Sunitha Krishna, Margaret Petrus
IPC: H04L9/40
CPC classification number: H04L63/0263, H04L63/20
Abstract: Some embodiments provide a method for modifying a set of firewall rules for implementation in a network. The method receives (i) a set of existing firewall rules and (ii) a set of flows observed in the network that do not match the firewall rules in the set. The method identifies an optimized set of modifications to the set of existing firewall rules to generate a set of modified firewall rules such that (i) the set of flows match firewall rules in the set of modified firewall rules and (ii) any flows that matched firewall rules in the set of existing firewall rules also match firewall rules in the set of modified firewall rules.
-
Publication number: US20230179571A1
Publication date: 2023-06-08
Application number: US17543254
Filing date: 2021-12-06
Applicant: VMware, Inc.
Inventor: Kavya Kambi Ravi, Radha Popuri, Sunitha Krishna, Margaret Petrus, Yiwei Zhang
IPC: G06F21/62
CPC classification number: H04L63/0263, H04L63/20
Abstract: Some embodiments provide a method for modifying a firewall rule of a security policy implemented in a network. The method identifies a set of compute machines to be added to a match condition for the firewall rule. The match condition is expressed using one or more groups of compute machines. The method selects a set of groups for the identified set of compute machines from a plurality of existing groups of compute machines based on a user-specified threshold indicating tolerance for inclusion of compute machines that are not in the identified set of compute machines in the selected groups. The method uses the selected set of groups for the match condition of the firewall rule.
-
Publication number: US11659026B2
Publication date: 2023-05-23
Application number: US16855305
Filing date: 2020-04-22
Applicant: VMware, Inc.
Inventor: Alok Tiagi, Farzad Ghannadian, Karen Hayrapetyan, Laxmikant Vithal Gunda, Sunitha Krishna, Ashot Aslanyan, Anirban Sengupta
CPC classification number: H04L47/781, G06K9/6257, H04L41/22, H04L47/125, H04L63/20, H04L67/01
Abstract: The disclosure provides an approach for workload labeling and identification of known or custom applications. Embodiments include determining a plurality of sets of features comprising a respective set of features for each respective workload of a first subset of a plurality of workloads. Embodiments include identifying a group of workloads based on similarities among the plurality of sets of features. Embodiments include receiving label data from a user comprising a label for the group of workloads. Embodiments include associating the label with each workload of the group of workloads to produce a training data set. Embodiments include using the training data set to train a model to output labels for input workloads. Embodiments include determining a label for a given workload of the plurality of workloads by inputting features of the given workload to the model.
-
Publication number: US11765179B2
Publication date: 2023-09-19
Application number: US17677039
Filing date: 2022-02-22
Applicant: VMware, Inc.
Inventor: Karen Hayrapetyan, Sunitha Krishna, Nikash Walia, Margaret Petrus
IPC: G06F15/177, H04L41/0813, H04L9/40, H04L41/12
CPC classification number: H04L41/0813, H04L41/12, H04L63/104
Abstract: Systems and methods are described for recommending security groups using graph-based learning models. A server can create a network graph that illustrates network flows between devices in a network and security groups that the devices belong to. The network graph can include nodes that represent the devices and security groups. The server can apply a graph-based learning model to learn embeddings of the nodes and create vectors using the embeddings. Using vectors of two nodes, the server can calculate a vector that represents an edge between the two nodes. The server can apply a binary classifier to determine whether the edge should exist. A “true” classification between two nodes can indicate that they should be able to communicate, and vice versa. A “true” classification between a device node and a security group node can indicate that the device should be assigned to the security group, and vice versa.
-
Publication number: US20210026677A1
Publication date: 2021-01-28
Application number: US16554370
Filing date: 2019-08-28
Applicant: VMware, Inc.
Inventor: Sunitha Krishna, Kausum Kumar, Rajiv Mordani, Ashish Shendure, Ashish Patel, Farzad Ghannadian
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rules to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.
-
Publication number: US20240004689A1
Publication date: 2024-01-04
Application number: US18211402
Filing date: 2023-06-19
Applicant: VMware, Inc.
Inventor: Sunitha Krishna, Kausum Kumar, Rajiv Mordani, Ashish Shendure, Ashish Patel, Farzad Ghannadian
IPC: G06F9/455, H04L43/026, H04L9/40
CPC classification number: G06F9/45558, H04L43/026, H04L63/0263, G06F2009/4557, G06F2009/45595, G06F2009/45591
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rules to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.
-
Publication number: US20230239306A1
Publication date: 2023-07-27
Application number: US17582943
Filing date: 2022-01-24
Applicant: VMware, Inc.
Inventor: Karen Hayrapetyan, Sunitha Krishna, Nikash Walia, Margaret Petrus
CPC classification number: H04L63/104, G06N20/00, G06F16/2365
Abstract: Systems and methods are described for recommending security groups using graph-based learning models. A server can create a network graph that illustrates network flows between devices in a network and security groups that the devices belong to. The network graph can include nodes that represent the devices and security groups. The server can apply a graph-based learning model to learn embeddings of the nodes and create vectors using the embeddings. Using vectors of two nodes, the server can calculate a vector that represents an edge between the two nodes. The server can apply a binary classifier to determine whether the edge should exist. A “true” classification between two nodes can indicate that they should be able to communicate, and vice versa. A “true” classification between a device node and a security group node can indicate that the device should be assigned to the security group, and vice versa.