专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明申请

US20200225978A1 INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING 审中-公开
公开(公告)号：US20200225978A1
公开(公告)日：2020-07-16
申请号：US16833532
申请日：2020-03-28
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： G06F9/455 , G06F16/9535 , H04L29/06 , G06F16/958
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.

2. 发明授权

US10606626B2 Introspection method and apparatus for network access filtering 有权
公开(公告)号：US10606626B2
公开(公告)日：2020-03-31
申请号：US14814408
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： H04L12/927 , G06F9/455 , G06F16/9535 , H04L29/06 , G06F16/958
摘要： A method for performing network access filtering and/or categorization through guest introspection on a device data compute node (DCN) that executes on a host is provided. The method, through a guest introspector installed on the DCN, intercepts a data message that the DCN is preparing to send. The method identifies a category of the network resource. The method uses the category of the network resource to examine a set of network access policies that are stored on the host in order to determine whether the network access should be allowed. The method identifies a network access policy that requires the rejection of the network access when the access to the network resource causes an aggregate bandwidth for accessing the identified category of network resource to exceed a bandwidth threshold. The method rejects the network access based on the identified network access policy.

3. 发明授权

US10511636B2 Framework for coordination between endpoint security and network security services 有权
公开(公告)号：US10511636B2
公开(公告)日：2019-12-17
申请号：US16112732
申请日：2018-08-26
申请人： Nicira, Inc.
发明人： Sachin Mohan Vaidya , Azeem Feroz , Anirban Sengupta , James Christopher Wiese
IPC分类号： H04L29/06 , G06F21/56 , G06F21/55 , G06F21/53
摘要： Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the Obtained tags and the one or more criteria.

4. 发明申请

US20160191413A1 INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING 审中-公开
标题翻译：网络访问过滤的引入方法和设备
公开(公告)号：US20160191413A1
公开(公告)日：2016-06-30
申请号：US14814408
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： H04L12/927
CPC分类号： G06F9/45558 , G06F16/9535 , G06F16/972 , G06F2009/45587 , G06F2009/45595 , H04L63/0236 , H04L63/0281 , H04L63/0876 , H04L63/20
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.
摘要翻译：本发明的一些实施例提供了一种用于通过设备上的访客内省（GI）执行网络访问过滤和/或分类的方法。在一些实施例中，该GI方法在设备上直接拦截设备准备发送的数据消息，并且使用服务设备来确定是否可以发送数据消息。一些实施例中的设备是在多虚拟机主机计算设备上与作为服务设备的服务VM（SVM）一起执行的来宾虚拟机（VM），所述服务VM（SVM）确定是否可以基于一组过滤规则。在一些实施例中，该方法使用一个或多个内省（例如，网络内部审查员和/或文件内部审查者）来捕获来自客户虚拟机（GVM）关于GVM准备发送的数据消息的内省数据。为了执行网络访问过滤，在一些实施例中，GI方法捕获诸如用户和应用信息（例如，与特定URL请求相关联的应用）的上下文信息。因此，在一些实施例中，该方法无缝地处理细粒度的用户感知URL过滤规则（例如，销售组织的成员可以访问社交网站而不是其他成员）。这种方法不需要在网络基础设施上进行额外的配置。

5. 发明申请

US20150379278A1 Method and Apparatus for Differently Encrypting Different Flows 有权
标题翻译：用于不同加密不同流量的方法和装置
公开(公告)号：US20150379278A1
公开(公告)日：2015-12-31
申请号：US14320578
申请日：2014-06-30
申请人： Nicira, Inc.
发明人： Kiran Kumar Thota , Azeem Feroz , James C. Wiese
IPC分类号： G06F21/60 , G06F9/455
CPC分类号： G06F21/602 , G06F9/45558 , G06F9/542 , G06F21/56 , G06F21/568 , G06F21/6236 , G06F2009/45587 , G06F2221/034 , G09C1/00 , H04L9/14 , H04L63/0428 , H04L63/123 , H04L63/1408 , H04L63/1441 , H04L2209/24
摘要： For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.
摘要翻译：对于执行一个或多个来宾虚拟机（GVM）的主机，一些实施例提供用于加密由GVM发送的数据消息的新型加密方法。该方法最初接收一个数据消息，发送给在主机上执行的GVM。该方法然后基于一组或多个加密规则来确定它是否应该加密数据消息。当进程确定它应该加密接收到的数据消息时，它加密数据消息并将加密的数据消息转发到其目的地; 否则，该方法只将未加密的接收数据消息转发到其目的地。在一些实施例中，主机对在主机上执行的不同GVM的数据消息进行不同的加密。当两个不同的GVM是在公共网络结构上实现的两个不同的逻辑覆盖网络的一部分时，该方法在一些实施例中加密在一个逻辑网络的GVM之间交换的数据消息与在另一个逻辑网络的GVM之间交换的数据消息不同。在一些实施例中，该方法还可以不同地加密来自相同GVM的不同类型的数据消息。此外，在一些实施例中，该方法可以响应于动态检测到的事件（例如恶意软件感染）动态地实施加密规则。

6. 发明授权

US10798073B2 Secure key management protocol for distributed network encryption 有权
公开(公告)号：US10798073B2
公开(公告)日：2020-10-06
申请号：US15421377
申请日：2017-01-31
申请人： Nicira, Inc.
发明人： Sonia Jahid , Ganesan Chandrashekhar , Bin Qian , Azeem Feroz
IPC分类号： H04L29/06
摘要： For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.

7. 发明授权

US10798058B2 Distributed identity-based firewalls 有权
公开(公告)号：US10798058B2
公开(公告)日：2020-10-06
申请号：US16041698
申请日：2018-07-20
申请人： Nicira, Inc.
发明人： Anirban Sengupta , Subrahmanyam Manuguri , Mitchell T. Christensen , Azeem Feroz , Todd Sabin
IPC分类号： H04L29/06 , H04L29/08 , G06F9/455
摘要： Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.

8. 发明授权

US09891940B2 Introspection method and apparatus for network access filtering 有权
公开(公告)号：US09891940B2
公开(公告)日：2018-02-13
申请号：US14814413
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： G06F21/00 , G06F9/455 , H04L29/06 , G06F17/30
CPC分类号： G06F9/45558 , G06F17/30867 , G06F17/30893 , G06F2009/45587 , G06F2009/45595 , H04L63/0236 , H04L63/0281 , H04L63/0876 , H04L63/20
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.

9. 发明申请

US20160191521A1 INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING 有权
公开(公告)号：US20160191521A1
公开(公告)日：2016-06-30
申请号：US14814413
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： H04L29/06 , G06F9/455
CPC分类号： G06F9/45558 , G06F17/30867 , G06F17/30893 , G06F2009/45587 , G06F2009/45595 , H04L63/0236 , H04L63/0281 , H04L63/0876 , H04L63/20
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.

10. 发明授权

US11281485B2 Extended context delivery for context-based authorization 有权
公开(公告)号：US11281485B2
公开(公告)日：2022-03-22
申请号：US16403363
申请日：2019-05-03
申请人： Nicira, Inc.
发明人： Vasantha Kumar , Prasad Sharad Dabak , Azeem Feroz , Amit Vasant Patil
IPC分类号： H04L29/06 , G06F9/455 , G06F21/53 , G06F21/62
摘要： Some embodiments provide a novel method for authorizing network requests for a machine in a network. In some embodiments, the method is performed by security agents that execute on virtual machines operating on a host machine. In some embodiments, the method captures a network request (e.g., network control packets, socket connection request, etc.) from a primary application executing on the machine. The method identifies an extended context for the network request and determines whether the network request is authorized based on the extended context. The method then processes the network request according to the determination. The extended context of some embodiments includes identifications for primary and secondary applications associated with the network request. Alternatively, or conjunctively, some embodiments include identifications for primary and secondary users associated with the network request.

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式