Abstract: Aspects of the present invention include hypervisor based security using a hypervisor to monitor a VM. In embodiments of the present invention, the information gathered by the hypervisor in the monitoring is compared against a reference image to determine if there are possible rootkits present on the VM. If there are potential rootkits, the VM can be quarantined.

Abstract: Methods and systems for protecting a virtual machine network are disclosed. In an embodiment, a method involves storing an application whitelist including application-to-user associations in memory such that the application whitelist is immutable by a guest virtual machine, receiving a request to execute an application including an application identifier and a user identifier, comparing the application identifier and the user identifier of the request with the application whitelist, and generating an execution decision indicating whether the requested application can execute on the guest virtual machine.

Abstract: Methods, apparatuses and systems directed to an aggregate bandwidth utilization control scheme including fair share bandwidth allocation and dynamic allocation of bandwidth in response to detected traffic utilization. In one implementation, the present invention includes a weighted, fair share aggregate bandwidth allocation mechanism that dynamically responds to observed bandwidth utilization to provide unutilized or excess bandwidth to flows and partitions that require it. In another implementation, the present invention features a weighted fair share allocation scheme for hierarchical partition configurations. In other implementations, the present invention provides a per-flow target rate assignment mechanism that prevents spiraling decline of data flow rates.

Abstract: Some embodiments provide a novel method for authorizing network requests for a machine in a network. In some embodiments, the method is performed by security agents that execute on virtual machines operating on a host machine. In some embodiments, the method captures a network request (e.g., network control packets, socket connection request, etc.) from a primary application executing on the machine. The method identifies an extended context for the network request and determines whether the network request is authorized based on the extended context. The method then processes the network request according to the determination. The extended context of some embodiments includes identifications for primary and secondary applications associated with the network request. Alternatively, or conjunctively, some embodiments include identifications for primary and secondary users associated with the network request.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy.

Abstract: Aspects of the present invention include hypervisor based security using a hypervisor to monitor a VM. In embodiments of the present invention, the information gathered by the hypervisor in the monitoring is compared against a reference image to determine if there are possible rootkits present on the VM. If there are potential rootkits, the VM can be quarantined.

Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.

Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.

Abstract: The disclosure herein describes a system for facilitating intelligent auditing of security log records. A set of security policies are converted into a set of web ontology language (OWL)-based rules. At the same time, log records are also converted into an OWL-based format. The system then applies the OWL-based rules, which can be in the form of a number of semantic web rule language (SWRL) statements, to the OWL-formatted log data. As a result, the system can identify potential security breaches which cannot be easily identified by conventional auditing methods.

Abstract: In a virtualized computer system, gray applications that are selected to be executed in a first virtual computing instance are executed and monitored in a second virtual computing instance that is a clone of the first virtual computing instance, and classified according to their monitored behavior. This process is conducted in real-time, in response to a notification that a gray application has been selected for execution in the first virtual computing instance. The execution of the gray application in the first virtual computing instance is delayed until the first virtual computing instance receives a notification from an application admission control manager that the gray application is safe to be executed in the first virtual computing instance.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.