Container telemetry
US-10782990-B1 · Sep 22, 2020 · US
US11316879B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11316879-B2 |
| Application number | US-201916255551-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 23, 2019 |
| Priority date | Jan 23, 2019 |
| Publication date | Apr 26, 2022 |
| Grant date | Apr 26, 2022 |
Official abstract text for this publication.
A computer-implemented method and system for protecting a host computer in a computer network from security threats uses local security-relevant data for the host computer, as well as global security-relevant data for other components in the computer network downloaded from a security information plane system to the host computer, to determine a security threat to the host computer. When a security threat is determined to be a legitimate threat, a security alert is issued, and then an action is initiated in response to the security alert.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for protecting a host computer in a computer network from security threats, the method comprising: collecting local security-relevant data of the host computer, wherein the local security-relevant data includes system events of applications running in the host computer and network traffic associated with the host computer; downloading global security-relevant data for other components in the computer network from a security information plane system to the host computer, wherein the global security-relevant data includes application related information from other host computers in the computer network; analyzing the local security-relevant data, by an application behavior classifier running in the host computer, without using the global security-relevant data to categorize the local security-relevant data as being one of within bounds of expected application behavior and out of the bounds of expected application behavior and determine a security threat to the host computer when the local security-relevant data is categorized as being out of the bounds of expected application behavior; in response to a determination that the local security-relevant data is categorized as being out of the bounds of expected application behavior, determining whether the security threat is a legitimate threat or a false-positive threat, by a resolution agent running in the host computer, using the global security-relevant data downloaded from the security information plane system; issuing a security alert when the security threat is determined to be a legitimate threat; and initiating an action in response to the security alert of the security threat, wherein the action includes quarantining or shutting down an application at risk.

2. The method of claim 1, further comprising uploading at least some of the local security-related data to the security information plane system from a security information plane application running in a virtual computing instance in the host computer, and wherein downloading the global security-relevant data includes downloading the global security-relevant data to the security information plane application running in the virtual computing instance in the host computer.

3. The method of claim 2, wherein the virtual computing instance is a virtual machine running in the host computer.

4. The method of claim 1, wherein analyzing the local security-relevant data includes using a whitelist model to categorize the local security-relevant data as being one of within bounds of expected application behavior and out of the bounds of expected application behavior.

5. The method of claim 2, wherein the resolution agent is running in the virtual computing instance in the host computer and the application behavior classifier is running outside of the virtual computing instance in the host computer.

6. A non-transitory computer-readable storage medium containing program instructions for a method for protecting a host computer in a computer network from security threats, wherein execution of the program instructions by one or more processors of a computer system causes the one or more processors to perform steps comprising: collecting local security-relevant data of the host computer, wherein the local security-relevant data includes system events of applications running in the host computer and network traffic associated with the host computer; downloading global security-relevant data for other components in the computer network from a security information plane system to the host computer, wherein the global security-relevant data includes application related information from other host computers in the computer network; analyzing the local security-relevant data, by an application behavior classifier running in the host computer, without using the global security-relevant data to categorize the local security-relevant data as being one of within bounds of expected application behavior and out of the bounds of expected application behavior and determine a security threat to the host computer when the local security-relevant data is categorized as being out of the bounds of expected application behavior; in response to a determination that the local security-relevant data is categorized as being out of the bounds of expected application behavior, determining whether the security threat is a legitimate threat or a false-positive threat, by a resolution agent running in the host computer, using the global security-relevant data downloaded from the security information plane system; issuing a security alert when the security threat is determined to be a legitimate threat; and initiating an action in response to the security alert of the security threat, wherein the action includes quarantining or shutting down an application at risk.

7. The computer-readable storage medium of claim 6, wherein the steps further comprise uploading at least some of the local security-related data to the security information plane system from a security information plane application running in a virtual computing instance in the host computer, and wherein downloading the global security-relevant data includes downloading the global security-relevant data to the security information plane application running in the virtual computing instance in the host computer.

8. The computer-readable storage medium of claim 7, wherein the virtual computing instance is a virtual machine running in the host computer.

9. The computer-readable storage medium of claim 6, wherein analyzing the local security-relevant data includes using a whitelist model to categorize the local security-relevant data as being one of within bounds of expected application behavior and out of the bounds of expected application behavior.

10. The computer-readable storage medium of claim 7, wherein the resolution agent is running in the virtual computing instance in the host computer and the application behavior classifier is running outside of the virtual computing instance in the host computer.

11. A system comprising: a computer network; a security information plane system coupled to the computer network; and a host computer including at least one processor configured to: collect local security-relevant data of the host computer, wherein the local security-relevant data includes system events of applications running in the host computer and network traffic associated with the host computer; download global security-relevant data for other components in the computer network from the security information plane system to the host computer, wherein the global security-relevant data includes application related information from other host computers in the computer network; analyze the local security-relevant data, using an application behavior classifier running in the host computer, without using the global security-relevant data to categorize the local security-relevant data as being one of within bounds of expected application behavior and out of the bounds of expected application behavior and determine a security threat to the host computer when the local security-relevant data is categorized as being out of the bounds of expected application behavior; in response to a determination that the local security-relevant data is categorized as being out of the bounds of expected application behavior, determine whether the security threat is a legitimate threat or a false-positive threat, using a resolution agent running in the host computer, using the global security-relevant data downloaded from the security information plane system; issue a security alert when the security threat is determined to be a le
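The claims describe a two-stage pipeline on each host: an application behavior classifier that judges local events against a whitelist model on its own, and a resolution agent that only consults the fleet-wide ("global") data from the security information plane when the classifier flags something, then alerts and quarantines the application if the threat is judged legitimate. The following Python is an added illustration of that control flow, not code from the patent or its assignee. The behaviour strings, the whitelist, the global counts and the resolution rule (a behaviour seen on at least `FLEET_CONSENSUS_THRESHOLD` other hosts for the same application is treated as a false positive) are all constructed assumptions; the patent does not specify how the resolution agent weighs the global data.

```python
"""Two-stage host protection pipeline, as described in the claims:
local whitelist classification first, fleet-wide resolution only for
out-of-bounds events, then alert and quarantine. Constructed example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    """One locally collected system event or network observation."""
    app: str        # application that produced the event
    behaviour: str  # normalized behaviour, e.g. "net:connect:tcp/443"


# Whitelist model (claim 4): expected behaviour per application.
# Constructed sample; a real model would be learned or shipped as policy.
WHITELIST: Dict[str, Set[str]] = {
    "web-frontend": {"net:listen:tcp/8080", "net:connect:tcp/5432",
                     "sys:read:/etc/app.conf"},
    "log-shipper": {"sys:read:/var/log", "net:connect:tcp/9200"},
}

# Global security-relevant data downloaded from the security information
# plane: for each app, behaviours reported by OTHER hosts and how many of
# them reported it. Constructed sample.
GLOBAL_INFO: Dict[str, Dict[str, int]] = {
    "web-frontend": {"net:connect:tcp/6379": 42},  # fleet-wide after a release
    "log-shipper": {},
}

# Assumption (not from the patent): a behaviour already seen on this many
# other hosts running the same app is treated as a false positive.
FLEET_CONSENSUS_THRESHOLD = 10


def classify_local(event: Event, whitelist=WHITELIST) -> str:
    """Application behavior classifier: uses only local data and the
    whitelist model, never the global data."""
    expected = whitelist.get(event.app, set())
    return "within" if event.behaviour in expected else "out"


def resolve(event: Event, global_info=GLOBAL_INFO,
            threshold=FLEET_CONSENSUS_THRESHOLD) -> str:
    """Resolution agent: decides legitimate vs false-positive using the
    downloaded global data for the same application on other hosts."""
    seen_on = global_info.get(event.app, {}).get(event.behaviour, 0)
    return "false-positive" if seen_on >= threshold else "legitimate"


@dataclass
class Outcome:
    alerts: List[Event] = field(default_factory=list)
    false_positives: List[Event] = field(default_factory=list)
    quarantined: Set[str] = field(default_factory=set)


def process_events(events: List[Event], whitelist=WHITELIST,
                   global_info=GLOBAL_INFO) -> Outcome:
    """Run the claimed pipeline over a batch of local events."""
    out = Outcome()
    for ev in events:
        if classify_local(ev, whitelist) == "within":
            continue                      # expected behaviour, no threat
        if resolve(ev, global_info) == "false-positive":
            out.false_positives.append(ev)  # suppressed by global context
            continue
        out.alerts.append(ev)             # security alert issued
        out.quarantined.add(ev.app)       # action: quarantine the app at risk
    return out


def local_report(events: List[Event]) -> Dict[str, Set[str]]:
    """Summary of local behaviour the host uploads to the security
    information plane (claim 2), so other hosts' global data stays current."""
    report: Dict[str, Set[str]] = {}
    for ev in events:
        report.setdefault(ev.app, set()).add(ev.behaviour)
    return report


# Constructed sample events collected on this host.
SAMPLE_EVENTS = [
    Event("web-frontend", "net:listen:tcp/8080"),    # whitelisted
    Event("web-frontend", "net:connect:tcp/6379"),   # new here, common fleet-wide
    Event("log-shipper", "sys:exec:/bin/sh"),        # unexpected, unknown fleet-wide
    Event("log-shipper", "net:connect:tcp/9200"),    # whitelisted
]

if __name__ == "__main__":
    result = process_events(SAMPLE_EVENTS)
    for ev in result.alerts:
        print(f"ALERT   {ev.app}: {ev.behaviour}")
    for ev in result.false_positives:
        print(f"SUPPRESS {ev.app}: {ev.behaviour} (seen fleet-wide)")
    print("quarantined:", sorted(result.quarantined))
```

Running it flags only the shell execution by `log-shipper` and quarantines that application, while the Redis-style connection from `web-frontend` is suppressed because the global data shows 42 other hosts exhibiting it. The split mirrors claim 5's deployment shape as well: `classify_local` needs nothing but the host's own data and could run outside the virtual computing instance, whereas `resolve` depends on the downloaded global data and sits with the security information plane application.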
Network integration; Enabling network access in virtual machine instances · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Isolation or security of virtual machine instances · CPC title