Security policy generation for virtualization, bare-metal server, and cloud computing environments
Abstract
Methods, systems, and media for security in virtualization, bare-metal server, and cloud computing environments are provided herein. Exemplary methods include: receiving network traffic associated with a primary workload; generating first metadata using the network traffic; determining a primary categorization associated with the primary workload, using the first metadata; confirming the primary categorization is reliable; determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload; ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable; producing a model using the primary categorization and the secondary categorization; checking the model for sustained convergence; and generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or service with which the primary workload can communicate.
20 Claims
1. A computer-implemented method for security in virtualization, bare-metal server, and cloud computing environments comprising:
- receiving network traffic associated with a primary workload, the primary workload including a behavior and a relationship of a particular workload with a secondary workload;
- generating first metadata using the network traffic;
- determining a primary categorization associated with the primary workload, using the first metadata;
- confirming the primary categorization is reliable;
- determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload;
- ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable;
- producing a model using the primary categorization and the secondary categorization, the model including a behavior and a relationship associated with the primary workload;
- checking the model for sustained convergence; and
- generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or a service with which the primary workload can communicate.

Dependent claims 2 to 10 depend from claim 1 (not reproduced on this page).
11. A system for security in virtualization, bare-metal server, and cloud computing environments comprising:
- a processor; and
- a memory coupled to the processor, the memory storing instructions which are executable by the processor to perform a method comprising:
  - receiving network traffic associated with a primary workload;
  - generating first metadata using the network traffic;
  - determining a primary categorization associated with the primary workload, using the first metadata;
  - confirming the primary categorization is reliable;
  - determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload;
  - ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable;
  - producing a model using the primary categorization and the secondary categorization, the model including a behavior and a relationship associated with the primary workload;
  - checking the model for sustained convergence; and
  - generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or a service with which the primary workload can communicate.

Dependent claims 12 to 19 depend from claim 11 (not reproduced on this page).
20. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for security in a container-based virtualization, bare-metal server, and cloud computing environments, the method comprising:
- receiving network traffic associated with a primary workload;
- generating first metadata using the network traffic;
- determining a primary categorization associated with the primary workload, using the first metadata;
- confirming the primary categorization is reliable;
- determining a secondary categorization associated with at least one secondary workload, the at least one secondary workload being communicatively coupled to the primary workload;
- ascertaining the primary categorization and the secondary categorization are consistent with each other and are each stable;
- producing a model using the primary categorization and the secondary categorization, the model including a behavior and a relationship associated with the primary workload;
- checking the model for sustained convergence; and
- generating a high-level declarative security policy associated with the primary workload using the model, the high-level declarative security policy indicating at least an application or a service with which the primary workload can communicate.
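The claimed pipeline (metadata from traffic, reliable primary and secondary categorization, model, convergence check, declarative policy) as an added toy example; this is not the patent's implementation and not code from the page. The flow records are constructed, and the port-to-category rules, the 60% reliability threshold and the three-window convergence requirement are assumptions; the consistency and stability checks are collapsed into requiring an identical model across consecutive windows.

```python
from collections import Counter

# Constructed sample flows (src, dst, dst_port) for one observation window; not real traffic.
ONE_WINDOW = [("client", "web-1", 443), ("client", "web-1", 443),
              ("web-1", "db-1", 5432), ("web-1", "db-1", 5432),
              ("web-1", "cache-1", 6379), ("app", "db-1", 5432), ("app", "cache-1", 6379)]
WINDOWS = [ONE_WINDOW] * 3  # identical windows: categorizations are stable, the model converges

# Assumed rules (not the patent's): a workload's category is the service on its dominant served port.
PORT_CATEGORY = {443: "web", 5432: "database", 6379: "cache"}
SERVICE_NAME = {443: "https", 5432: "postgres", 6379: "redis"}


def categorize(flows, workload, min_share=0.6):
    """Categorization from first metadata (histogram of ports served by the workload).
    Reliable only if the dominant port carries at least min_share of inbound flows;
    otherwise None, so no model or policy is built on a weak categorization."""
    inbound = Counter(port for _, dst, port in flows if dst == workload)
    if not inbound:
        return None
    port, count = inbound.most_common(1)[0]
    if count / sum(inbound.values()) < min_share:
        return None
    return PORT_CATEGORY.get(port, "unknown")


def build_model(flows, workload):
    """Model of the primary workload: its category plus each outbound relationship,
    expressed as (secondary category, service) rather than as peer addresses."""
    primary = categorize(flows, workload)
    if primary is None:
        return None
    relations = set()
    for _, peer, port in (f for f in flows if f[0] == workload):
        secondary = categorize(flows, peer)
        if secondary is None:
            return None  # an unreliably categorized peer blocks the whole model
        relations.add((secondary, SERVICE_NAME.get(port, f"tcp/{port}")))
    return {"category": primary, "talks_to": relations}


def generate_policy(windows, workload, required_windows=3):
    """Sustained convergence: the model must be identical over the last
    required_windows windows before a declarative allow-list policy is emitted."""
    models = [build_model(w, workload) for w in windows[-required_windows:]]
    if len(models) < required_windows or None in models or any(m != models[0] for m in models):
        return None
    model = models[0]
    return {"workload": workload, "category": model["category"],
            "allow": [{"to": cat, "service": svc} for cat, svc in sorted(model["talks_to"])]}
```

The emitted policy names only categories and services, never peer addresses, which is what lets it survive workloads being rescheduled or re-addressed; any window in which a peer cannot be categorized reliably, or in which the model changes, suppresses policy generation.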