专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明申请

US20220094717A1 FRAMEWORK FOR COORDINATION BETWEEN ENDPOINT SECURITY AND NETWORK SECURITY SERVICES 有权
公开(公告)号：US20220094717A1
公开(公告)日：2022-03-24
申请号：US17542411
申请日：2021-12-04
申请人： Nicira, Inc.
发明人： Sachin Mohan Vaidya , Azeem Feroz , Anirban Sengupta , James Christopher Wiese
IPC分类号： H04L29/06 , G06F21/55 , G06F21/56 , G06F21/53
摘要： Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.

2. 发明授权

US09891940B2 Introspection method and apparatus for network access filtering 有权
公开(公告)号：US09891940B2
公开(公告)日：2018-02-13
申请号：US14814413
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： G06F21/00 , G06F9/455 , H04L29/06 , G06F17/30
CPC分类号： G06F9/45558 , G06F17/30867 , G06F17/30893 , G06F2009/45587 , G06F2009/45595 , H04L63/0236 , H04L63/0281 , H04L63/0876 , H04L63/20
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.

3. 发明申请

US20160191521A1 INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING 有权
公开(公告)号：US20160191521A1
公开(公告)日：2016-06-30
申请号：US14814413
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： H04L29/06 , G06F9/455
CPC分类号： G06F9/45558 , G06F17/30867 , G06F17/30893 , G06F2009/45587 , G06F2009/45595 , H04L63/0236 , H04L63/0281 , H04L63/0876 , H04L63/20
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.

4. 发明授权

US11196773B2 Framework for coordination between endpoint security and network security services 有权
公开(公告)号：US11196773B2
公开(公告)日：2021-12-07
申请号：US16684400
申请日：2019-11-14
申请人： Nicira, Inc.
发明人： Sachin Mohan Vaidya , Azeem Feroz , Anirban Sengupta , James Christopher Wiese
IPC分类号： H04L29/06 , G06F21/53 , G06F21/56 , G06F21/55
摘要： Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.

5. 发明申请

US20200092336A1 FRAMEWORK FOR COORDINATION BETWEEN ENDPOINT SECURITY AND NETWORK SECURITY SERVICES 审中-公开
公开(公告)号：US20200092336A1
公开(公告)日：2020-03-19
申请号：US16684400
申请日：2019-11-14
申请人： Nicira, Inc.
发明人： Sachin Mohan Vaidya , Azeem Feroz , Anirban Sengupta , James Christopher Wiese
IPC分类号： H04L29/06 , G06F21/53 , G06F21/56 , G06F21/55
摘要： Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.

6. 发明申请

US20200225978A1 INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING 审中-公开
公开(公告)号：US20200225978A1
公开(公告)日：2020-07-16
申请号：US16833532
申请日：2020-03-28
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： G06F9/455 , G06F16/9535 , H04L29/06 , G06F16/958
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.

7. 发明授权

US10606626B2 Introspection method and apparatus for network access filtering 有权
公开(公告)号：US10606626B2
公开(公告)日：2020-03-31
申请号：US14814408
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： H04L12/927 , G06F9/455 , G06F16/9535 , H04L29/06 , G06F16/958
摘要： A method for performing network access filtering and/or categorization through guest introspection on a device data compute node (DCN) that executes on a host is provided. The method, through a guest introspector installed on the DCN, intercepts a data message that the DCN is preparing to send. The method identifies a category of the network resource. The method uses the category of the network resource to examine a set of network access policies that are stored on the host in order to determine whether the network access should be allowed. The method identifies a network access policy that requires the rejection of the network access when the access to the network resource causes an aggregate bandwidth for accessing the identified category of network resource to exceed a bandwidth threshold. The method rejects the network access based on the identified network access policy.

8. 发明授权

US10511636B2 Framework for coordination between endpoint security and network security services 有权
公开(公告)号：US10511636B2
公开(公告)日：2019-12-17
申请号：US16112732
申请日：2018-08-26
申请人： Nicira, Inc.
发明人： Sachin Mohan Vaidya , Azeem Feroz , Anirban Sengupta , James Christopher Wiese
IPC分类号： H04L29/06 , G06F21/56 , G06F21/55 , G06F21/53
摘要： Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the Obtained tags and the one or more criteria.

9. 发明申请

US20160191413A1 INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING 审中-公开
标题翻译：网络访问过滤的引入方法和设备
公开(公告)号：US20160191413A1
公开(公告)日：2016-06-30
申请号：US14814408
申请日：2015-07-30
申请人： Nicira, Inc.
发明人： Azeem Feroz , Vasantha Kumar , James Christopher Wiese , Amit Vasant Patil
IPC分类号： H04L12/927
CPC分类号： G06F9/45558 , G06F16/9535 , G06F16/972 , G06F2009/45587 , G06F2009/45595 , H04L63/0236 , H04L63/0281 , H04L63/0876 , H04L63/20
摘要： Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure.
摘要翻译：本发明的一些实施例提供了一种用于通过设备上的访客内省（GI）执行网络访问过滤和/或分类的方法。在一些实施例中，该GI方法在设备上直接拦截设备准备发送的数据消息，并且使用服务设备来确定是否可以发送数据消息。一些实施例中的设备是在多虚拟机主机计算设备上与作为服务设备的服务VM（SVM）一起执行的来宾虚拟机（VM），所述服务VM（SVM）确定是否可以基于一组过滤规则。在一些实施例中，该方法使用一个或多个内省（例如，网络内部审查员和/或文件内部审查者）来捕获来自客户虚拟机（GVM）关于GVM准备发送的数据消息的内省数据。为了执行网络访问过滤，在一些实施例中，GI方法捕获诸如用户和应用信息（例如，与特定URL请求相关联的应用）的上下文信息。因此，在一些实施例中，该方法无缝地处理细粒度的用户感知URL过滤规则（例如，销售组织的成员可以访问社交网站而不是其他成员）。这种方法不需要在网络基础设施上进行额外的配置。

10. 发明申请

US20190014154A1 FRAMEWORK FOR COORDINATION BETWEEN ENDPOINT SECURITY AND NETWORK SECURITY SERVICES 审中-公开
公开(公告)号：US20190014154A1
公开(公告)日：2019-01-10
申请号：US16112732
申请日：2018-08-26
申请人： Nicira, Inc.
发明人： Sachin Mohan Vaidya , Azeem Feroz , Anirban Sengupta , James Christopher Wiese
IPC分类号： H04L29/06 , G06F21/56 , G06F21/55
摘要： Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the Obtained tags and the one or more criteria.

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式