Collecting and storing threat level indicators for service rule processing
First Claim
1. A method of performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the method comprising:
at a process-control module executing on the host computer, receiving a process identifier identifying a first process executing on the first machine and associated with a first application executing on the first machine;
using the received process identifier to query the first machine to obtain one or more additional process identifiers of the first process, wherein the one or more additional process identifiers include at least one of a process hash and an application name, providing at least one of the additional process identifiers to a threat detector executing on the host computer to obtain a threat-level indicator for the first process, wherein the threat level indicator is a threat score that is based on a set of one or more behavioral factors associated with the first application;
in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow.
Abstract
Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines. The context engine then provides the contextual attributes to the service engines, which, in turn, use these contextual attributes to identify service rules for processing.
18 Claims
1. A method of performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the method comprising:
at a process-control module executing on the host computer, receiving a process identifier identifying a first process executing on the first machine and associated with a first application executing on the first machine; using the received process identifier to query the first machine to obtain one or more additional process identifiers of the first process, wherein the one or more additional process identifiers include at least one of a process hash and an application name, providing at least one of the additional process identifiers to a threat detector executing on the host computer to obtain a threat-level indicator for the first process, wherein the threat level indicator is a threat score that is based on a set of one or more behavioral factors associated with the first application; in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow.
Dependent claims: 2, 3, 4, 5, 6.
7. A method of performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the method comprising:
at a process-control module executing on the host computer, receiving a set of one or more process identifiers identifying a first process executing on the first machine; providing at least one process identifier in the received set to a threat detector executing on the host computer to obtain a threat level indicator for the first process; in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow; and retrieving the threat-level indicator from the storage and providing the threat level indicator to the service engine in order to allow the service engine to perform a service operation on a data message emanating from the first process, wherein the service engine (1) compares the threat level indicator and one or more header values of the data message with service rule identifiers of service rules stored in a service rule storage, in order to identify a service rule with a rule identifier that matches the threat level indicator and the one or more header values, and (2) performs the service operation based on the identified service rule.
Dependent claims: 8, 9.
10. A non-transitory machine readable medium storing a program for performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the program comprising sets of instructions for:
receiving a process identifier identifying a first process executing on the first machine and associated with a first application executing on the first machine; using the received process identifier to query the first machine to obtain one or more additional process identifiers of the first process, wherein the one or more additional process identifiers include at least one of a process hash and an application name; providing at least one of the additional process identifiers to a threat detector executing on the host computer to obtain a threat-level indicator for the first process, wherein the threat level indicator is a threat score that is based on a set of one or more behavioral factors associated with the first application; in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow.
Dependent claims: 11, 12, 13, 14, 15.
16. A non-transitory machine readable medium storing a program for performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the program comprising sets of instructions for:
receiving a set of one or more process identifiers identifying a first process executing on the first machine; providing at least one process identifier in the received set to a threat detector executing on the host computer to obtain a threat level indicator for the first process; in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow; and retrieving the threat-level indicator from the storage and providing the threat level indicator to the service engine in order to allow the service engine to perform a service operation on a data message emanating from the first process, wherein the service engine (1) compares the threat level indicator and one or more header values of the data message with service rule identifiers of service rules stored in a service rule storage, in order to identify a service rule with a rule identifier that matches the threat level indicator and the one or more header values, and (2) performs the service operation based on the identified service rule.
Dependent claims: 17, 18.
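A runnable sketch of the two claimed paths, collection and storage of the per-flow threat level indicator (claims 1 and 10) and the service engine's rule match on that indicator plus header values (claims 7 and 16), added here as an illustration and not code from the patent or its assignee. The flow key layout, the threat detector's factor weights, the rule fields, first-match rule ordering, and the fail-closed default for a flow with no stored indicator are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Flow key (src_ip, dst_ip, src_port, dst_port, proto) and all sample data below are constructed.
FlowKey = Tuple[str, str, int, int, str]
ContextStore = Dict[FlowKey, int]  # host-side storage: threat level indicator per flow

@dataclass
class ProcessInfo:  # what the guest query returns for a process identifier
    process_hash: str
    app_name: str
    behavioral_factors: Dict[str, bool]

@dataclass
class ServiceRule:  # rule identifier = threat threshold plus header values (None = wildcard)
    rule_id: str
    min_threat: int          # matches when the stored score >= min_threat
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    action: str = "allow"

def threat_detector(info: ProcessInfo) -> int:
    """Constructed stand-in for the host threat detector: weighted factors, capped at 100."""
    weights = {"unsigned_binary": 30, "spawns_shell": 25, "writes_exec_to_temp": 25, "beaconing": 20}
    return min(100, sum(w for f, w in weights.items() if info.behavioral_factors.get(f)))

def process_control(query_guest: Callable[[int], ProcessInfo], pid: int,
                    flow: FlowKey, store: ContextStore) -> int:
    """Claim 1 path: pid -> hash/app name from the guest -> threat score -> stored for the flow."""
    store[flow] = threat_detector(query_guest(pid))
    return store[flow]

def service_engine(rules: List[ServiceRule], store: ContextStore,
                   flow: FlowKey, default: str = "block") -> str:
    """Claim 7 path: the first rule whose threshold and header values match the flow decides."""
    score = store.get(flow)
    if score is None:  # no indicator captured for this flow: fail closed (an assumption here)
        return default
    for r in rules:    # rules assumed ordered by priority; first match wins
        if score >= r.min_threat and r.dst_port in (None, flow[3]) and r.proto in (None, flow[4]):
            return r.action
    return default

# Constructed guest table (keyed by pid) and rule table, so the block runs offline.
GUEST = {
    4312: ProcessInfo("sha256:constructed-aa11", "updater.exe",
                      {"unsigned_binary": True, "spawns_shell": True, "beaconing": True}),
    4377: ProcessInfo("sha256:constructed-bb22", "browser.exe", {"unsigned_binary": True, "beaconing": True}),
}
RULES = [ServiceRule("r1-block-high", 70, action="block"),
         ServiceRule("r2-log-medium-tls", 40, dst_port=443, proto="tcp", action="log"),
         ServiceRule("r3-allow-rest", 0)]
```

Because the indicator is stored per flow rather than per process, a process whose score changes after its first flow was recorded keeps the old score on that flow until the context engine re-queries it; a production implementation needs an update or expiry path for stored indicators.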
Specification