Collecting and storing threat level indicators for service rule processing

US 10,503,536 B2
Filed: 07/14/2017
Issued: 12/10/2019
Est. Priority Date: 12/22/2016
Status: Active Grant

First Claim

Patent Images

1. A method of performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the method comprising:

at a process-control module executing on the host computer,receiving a process identifier identifying a first process executing on the first machine and associated with a first application executing on the first machine;

using the received process identifier to query the first machine to obtain one or more additional process identifiers of the first process, wherein the one or more additional process identifiers include at least one of a process hash and an application name,providing at least one of the additional process identifiers to a threat detector executing on the host computer to obtain a threat-level indicator for the first process, wherein the threat level indicator is a threat score that is based on a set of one or more behavioral factors associated with the first application;

in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines. The context engine then provides the contextual attributes to the service engines, which, in turn, use these contextual attributes to identify service rules for processing.

Citations

18 Claims

1. A method of performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the method comprising:
- at a process-control module executing on the host computer,receiving a process identifier identifying a first process executing on the first machine and associated with a first application executing on the first machine;
  
  using the received process identifier to query the first machine to obtain one or more additional process identifiers of the first process, wherein the one or more additional process identifiers include at least one of a process hash and an application name,providing at least one of the additional process identifiers to a threat detector executing on the host computer to obtain a threat-level indicator for the first process, wherein the threat level indicator is a threat score that is based on a set of one or more behavioral factors associated with the first application;
  
  in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the process-control module and the threat detector operate outside of the first machine.
  - 3. The method of claim 1, wherein the set of behavioral factors includes two or more of the following:
    - how the first application validates inputs, how the first application authenticates credentials, how the first application stores configuration secrets, how the first application transfers files, how the first application specifies password policies, and how the first application specifies account policies.
  - 4. The method of claim 3, wherein the application behavioral factors further includes whether the application is known to propagate malware or is known to have vulnerabilities.
  - 5. The method of claim 1 further comprising receiving a notification that the first process has started on the first machine.
  - 6. The method of claim 1 further comprising determining that a data message has been sent by the first process.

7. A method of performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the method comprising:
- at a process-control module executing on the host computer,receiving a set of one or more process identifiers identifying a first process executing on the first machine;
  
  providing at least one process identifier in the received set to a threat detector executing on the host computer to obtain a threat level indicator for the first process;
  
  in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow; and
  
  retrieving the threat-level indicator from the storage and providing the threat level indicator to the service engine in order to allow the service engine to perform a service operation on a data message emanating from the first process, wherein the service engine (1) compares the threat level indicator and one or more header values of the data message with service rule identifiers of service rules stored in a service rule storage, in order to identify a service rule with a rule identifier that matches the threat level indicator and the one or more header values, and (2) performs the service operation based on the identified service rule.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7 further comprising receiving a notification that the first process has started on the first machine.
  - 9. The method of claim 7 further comprising determining that a data message has been sent by the first process.

10. A non-transitory machine readable medium storing a program for performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the program comprising sets of instructions for:
- receiving a process identifier identifying a first process executing on the first machine and associated with a first application executing on the first machine;
  
  using the received process identifier to query the first machine to obtain one or more additional process identifiers of the first process, wherein the one or more additional process identifiers include at least one of a process hash and an application name;
  
  providing at least one of the additional process identifiers to a threat detector executing on the host computer to obtain a threat-level indicator for the first process, wherein the threat level indicator is a threat score that is based on a set of one or more behavioral factors associated with the first application;
  
  in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory machine readable medium of claim 10, wherein the threat detector operates outside of the first machine.
  - 12. The non-transitory machine readable medium of claim 10, wherein the set of behavioral factors includes two or more of the following:
    - how the first application validates inputs, how the first application authenticates credentials, how the first application stores configuration secrets, how the first application transfers files, how the first application specifies password policies, and how the first application specifies account policies.
  - 13. The non-transitory machine readable medium of claim 10, wherein the application behavioral factors further includes whether the application is known to propagate malware or is known to have vulnerabilities.
  - 14. The non-transitory machine readable medium of claim 10, wherein the program further comprises a set of instructions for receiving a notification that the first process has started on the first machine.
  - 15. The non-transitory machine readable medium of claim 10, wherein the program further comprises a set of instructions for determining that a data message has been sent by the first process.

16. A non-transitory machine readable medium storing a program for performing services on a host computer that executes a plurality of machines, the plurality of machines including a first machine, the program comprising sets of instructions for:
- receiving a set of one or more process identifiers identifying a first process executing on the first machine;
  
  providing at least one process identifier in the received set to a threat detector executing on the host computer to obtain a threat level indicator for the first process;
  
  in a storage on the host computer, storing the threat level indicator for a data message flow emanating from the first process in order to process attribute-based service rules that a service engine on the host computer enforces for said data message flow; and
  
  retrieving the threat-level indicator from the storage and providing the threat level indicator to the service engine in order to allow the service engine to perform a service operation on a data message emanating from the first process, wherein the service engine (1) compares the threat level indicator and one or more header values of the data message with service rule identifiers of service rules stored in a service rule storage, in order to identify a service rule with a rule identifier that matches the threat level indicator and the one or more header values, and (2) performs the service operation based on the identified service rule.
- View Dependent Claims (17, 18)
- - 17. The non-transitory machine readable medium of claim 16, wherein the program further comprises a set of instructions for receiving a notification that the first process has started on the first machine.
  - 18. The non-transitory machine readable medium of claim 16, wherein the program further comprises a set of instructions for determining that a data message has been sent by the first process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Gunda, Laxmikant Vithal
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/650,340
Publication Number

US 20180181763A1
Time in Patent Office

879 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2105   Dual mode as a secondary as...

G06F 9/06   using stored programs, i.e....

G06F 9/45558   Hypervisor-specific managem...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 51/212   using filtering or selectiv...

H04L 51/214   using selective forwarding

H04L 61/103   across network layers, e.g....

H04L 61/2521   Translation architectures o...

H04L 61/2596   Translation of addresses of...

H04L 61/5014   using dynamic host configur...

H04L 61/59   using proxies for addressing

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0281 : Proxies

H04L 63/0471 : applying encryption by an i...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/1466 : Active attacks involving in...

H04L 63/20 : for managing network securi...

View All

Collecting and storing threat level indicators for service rule processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Collecting and storing threat level indicators for service rule processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links