公开(公告)号：US20210019577A1

公开(公告)日：2021-01-21

申请号：US16514059

申请日：2019-07-17

Applicant: VMware, Inc.

Inventor： Bin ZAN ,  Zhen MO ,  Vijay GANTI ,  Vamsi Krishna AKKINENI

IPC: G06K9/62 ,  G06F9/455 ,  G06N20/00 ,  G06F17/16

Abstract: A feature selection methodology is disclosed. In a computer-implemented method, components of a computing environment are automatically monitored, and have a feature selection analysis performed thereon. Provided the feature selection analysis determines that features of the components are well defined, a classification of the features is performed. Provided the feature selection analysis determines that features of the components are not well defined, a similarity analysis of the features is performed. Results of the feature selection methodology are generated.

公开(公告)号：US20220179983A1

公开(公告)日：2022-06-09

申请号：US17112266

申请日：2020-12-04

Applicant: VMware, Inc.

Inventor： Debessay Fesehaye KASSA ,  Zhen MO ,  Patrick Charles UPATHAM

IPC: G06F21/62 ,  G06F16/901

Abstract: A method of generating relevant security rules for a user includes the steps of: building a first tree data structure from paths within a pool of security rules; collecting process paths for the user; and compiling the relevant security rules for the user by traversing the first tree data structure according to the process paths of the user.

公开(公告)号：US20200019698A1

公开(公告)日：2020-01-16

申请号：US16032349

申请日：2018-07-11

Applicant: VMware, Inc.

Inventor： Zhen MO ,  Dexiang WANG ,  Bin ZAN ,  Vijay GANTI ,  Amit CHOPRA

IPC: G06F21/55 ,  G06F21/57 ,  G06F9/455

Abstract: A virtual computing instance (VCI) is protected against security threats by a security manager, monitoring a behavior of a VCI over an observation period. The method further includes, storing by the security manager a digital profile in a first database, wherein the digital profile comprises information indicative of the behavior. The method further includes, accessing by a detection system, the digital profile from the first database, and accessing by the detection system, an intended state associated with VCI, wherein the intended state comprises information indicative of a behavior from a second VCI. The method further includes, comparing at least part of the digital profile to the at least part of the intended state. The method further includes, determining by the detection system, that the VCI contains a security threat when information indicative of a behavior in the digital profile is an outlier.

公开(公告)号：US20230300155A1

公开(公告)日：2023-09-21

申请号：US18322558

申请日：2023-05-23

Applicant: VMware, Inc.

Inventor： Zhen MO ,  Ereli ERAN ,  Barak RAZ ,  Vijay GANTI

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/20 ,  H04L63/0263 ,  H04L63/1441

Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.

公开(公告)号：US20200218800A1

公开(公告)日：2020-07-09

申请号：US16242396

申请日：2019-01-08

Applicant: VMware, Inc.

Inventor： Ruimin SUN ,  Vijay GANTI ,  Zhen MO ,  Bin ZAN ,  Vamsi AKKINENI

IPC: G06F21/55 ,  G06F21/53 ,  G06F21/56 ,  G06K9/62 ,  G06N20/00

Abstract: Certain aspects herein provide a system and method for performing behavior analysis for a computing device by a computing system. In certain aspects, a method includes detecting an event occurring at the computing device at a first time, determining, based on the detecting, an event category of the event, and collecting first one or more behaviors associated with the determined event category occurring on the computing device based. The method also includes comparing the first one or more behaviors with a dataset indicating one or more expected behaviors of the computing device associated with the event. Upon determining that at least one of the first one or more behaviors corresponds to an unexpected behavior based on the comparing, the method further comprises taking one or more remedial actions.

公开(公告)号：US20200174867A1

公开(公告)日：2020-06-04

申请号：US16205138

申请日：2018-11-29

Applicant: VMware, Inc.

Inventor： Zhen MO ,  Bin ZAN ,  Vijay GANTI ,  Vamsi AKKINENI ,  HengJun TIAN

IPC: G06F11/07 ,  G06F21/56

Abstract: A computer-implemented method for determining whether data is anomalous includes generating a holo-entropy adaptive boosting model using, at least in part, a set of normal data. The holo-entropy adaptive boosting model includes a plurality of holo-entropy models and associated model weights for combining outputs of the plurality of holo-entropy models. The method further includes receiving additional data, and determining at least one of whether the additional data is normal or abnormal relative to the set of normal data or a score indicative of how abnormal the additional data is using, at least in part, the generated holo-entropy adaptive boosting model.

公开(公告)号：US20220232032A1

公开(公告)日：2022-07-21

申请号：US17151142

申请日：2021-01-16

Applicant: VMware, Inc.

Inventor： Zhen MO ,  Ereli ERAN ,  Barak RAZ ,  Vijay GANTI

IPC: H04L29/06 ,  G06N7/00

Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.

公开(公告)号：US20220027409A1

公开(公告)日：2022-01-27

申请号：US16937417

申请日：2020-07-23

Applicant: VMware, Inc.

Inventor： Srilakshmi LINGAMNENI ,  Barak RAZ ,  Bin ZAN ,  Zhen MO ,  Vijay GANTI

IPC: G06F16/901 ,  G06F16/28 ,  H04L12/24 ,  H04L29/12 ,  G06K9/62

Abstract: An example method of representing a selected entity in a plurality of entities in a computing system includes: obtaining a graph representation of the plurality of entities, the graph representation having nodes and edges representing a hierarchy of the plurality of entities; extracting a set of paths from the graph representation, each path in the set of paths including a series of edge-connected nodes in the graph representation; processing the set of paths to generate a vector representation of the selected entity, the vector representation having a plurality of elements representing a context of the selected entity within the graph representation; and providing the vector representation as input to an application executing in the computing system.

公开(公告)号：US20200186409A1

公开(公告)日：2020-06-11

申请号：US16212170

申请日：2018-12-06

Applicant: VMware, Inc.

Inventor： Zhen MO ,  Dexiang WANG ,  Bin ZAN ,  Vijay GANTI ,  Amit CHOPRA ,  Ruimin SUN

IPC: H04L12/24 ,  G06F9/455

Abstract: A method for managing alarms in a virtual machine environment includes receiving alarm data related to a process and storing the alarm data in a database, where the alarm data comprises one or more features. The method further includes retrieving intended state information for the process and comparing the one more features of the alarm data to the intended state information to determine whether the alarm is an outlier. The method also includes computing a normal score for the alarm if the alarm is not an outlier, and computing an abnormal score for the alarm if the alarm is an outlier. The method also includes sending a notification for the alarm and the computed score.

公开(公告)号：US20210392160A1

公开(公告)日：2021-12-16

申请号：US16900240

申请日：2020-06-12

Applicant: VMware, Inc.

Inventor： Zhen MO ,  Vijay GANTI ,  Debessay Fesehaye KASSA ,  Barak RAZ ,  Honglei LI

IPC: H04L29/06

Abstract: The disclosure provides an approach for detecting and preventing attacks in a network. Embodiments include determining a plurality of network behaviors of a process by monitoring the process. Embodiments include generating a plurality of intended states for the process based on subsets of the plurality of network behaviors. Embodiments include determining a plurality of intended state clusters by applying a clustering technique to the plurality of intended states. Embodiments include determining a state of the process. Embodiments include identifying a given cluster of the plurality of intended state clusters that corresponds to the state of the process. Embodiments include selecting a novelty detection technique based on a size of the given cluster. Embodiments include using the novelty detection technique to determine, based on the given cluster and the state of the process, whether to generate a security alert for the process.