Patents by Inventor Fabio R. Maino

Fabio R. Maino has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20130298184
    Abstract: A method includes determining an application role in a distributed application in a network environment, generating a role profile for the application role from an interaction pattern, mapping the role profile to a virtual machine (VM), and detecting a security breach of the VM. Determining the application role includes obtaining network traces from the distributed application, and analyzing the network traces to extract the application role. In one embodiment, detection of the security breach includes generating an access control policy for the VM from the role profile, and determining an anomaly in traffic based thereon. In another embodiment, detection of the security breach includes inserting the role profile in a port profile of the VM, generating a small state machine from the role profile, running the small state machine on a port associated with the VM, and inspecting, by the small state machine, an application level traffic at the port.
    Type: Application
    Filed: May 2, 2012
    Publication date: November 7, 2013
    Inventors: Vina Ermagan, Suraj Nellikar, Sudarshana Kandachar Sridhara Rao, Fabio R. Maino, Massimiliano Menarini
  • Patent number: 8510837
    Abstract: Embodiments of the invention improve the detection of malicious software applications, such as a rootkit, on hosts configured to access storage volumes over a storage area network (SAN). A rootkit detection program running on a switch may be configured to detect rootkits present on the storage volumes of the SAN. Because the switch may mount and access storage volumes independently from the (possibly compromised) hosts, the rootkit is not able to conceal itself from the rootkit detection program running on the switch.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: August 13, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Fabio R. Maino, Dinesh G. Dutt, Samar Sharma, Arindam Paul
  • Patent number: 8356177
    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.
    Type: Grant
    Filed: October 22, 2009
    Date of Patent: January 15, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: David A. McGrew, Brian E. Weis, Fabio R. Maino
  • Patent number: 8266431
    Abstract: Methods and apparatus for performing encryption for data at rest at a port of a network device such as a switch are disclosed. Specifically, when data is received from a host during a write to a storage medium such as a disk, the data is encrypted by the port prior to transmitting the encrypted data to the storage medium. Similarly, when a host attempts to read data from the storage medium, the port of the network device receives the encrypted data from the storage medium, decrypts the data, and transmits the decrypted data to the host. In this manner, encryption and decryption of data at rest are supported by the port of the network device.
    Type: Grant
    Filed: October 31, 2005
    Date of Patent: September 11, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Jonathan M. Parlan, Raymond J. Kloth, Ying Huang, Fabio R. Maino, Pawan Agrawal
  • Patent number: 8151318
    Abstract: A reliable asymmetric method for distributing security information within a Fiber Channel Fabric. The Switching Fabric includes a set of security servers, which maintain among themselves a replicated copy of the Fabric security databases using the currently defined Merge and Change protocols. The other Switches of the Fabric are configured as client-Switches. They maintain only the subset of the authorization and authentication information required for their correct operation. A client-Switch queries the security server when a new end-device is connected to it, or when it is connected to the Fabric. When the security configuration of the Fabric changes by an administrative action, a security server solicits the client-Switches to update their information. In an alternative embodiment, the end-devices may query the security server directly, usually for authentication purposes.
    Type: Grant
    Filed: February 25, 2003
    Date of Patent: April 3, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Claudio DeSanti, Silvano Gai, Fabio R. Maino, Maurilio Cometto, Sachin Jain
  • Publication number: 20110302400
    Abstract: Techniques are described for securely booting and executing a virtual machine (VM) image in an untrusted cloud infrastructure. A multi-core processor may be configured with additional hardware components—referred to as a trust anchor. The trust anchor may be provisioned with a private/public key pair, which allows the multi-core CPU to authenticate itself as being able to securely boot and execute a virtual machine (VM) image in an untrusted cloud infrastructure.
    Type: Application
    Filed: June 7, 2010
    Publication date: December 8, 2011
    Inventors: Fabio R. Maino, Pere Monclus, David A. McGrew, Robert T. Bell, Steven Joseph Rich
  • Publication number: 20110293097
    Abstract: Techniques for memory compartmentalization for trusted execution of a virtual machine (VM) on a multi-core processing architecture are described. Memory compartmentalization may be achieved by encrypting layer 3 (L3) cache lines using a key under the control of a given VM within the trust boundaries of the processing core on which that VM is executed. Further, embodiments described herein provide an efficient method for storing and processing encryption-related metadata associated with each encrypt/decrypt operation performed for the L3 cache lines.
    Type: Application
    Filed: May 27, 2010
    Publication date: December 1, 2011
    Inventors: Fabio R. Maino, Pere Monclus, David A. McGrew
  • Publication number: 20110296201
    Abstract: The present disclosure presents a method and apparatus configured to provide for the trusted execution of virtual machines (VMs) on a virtualization server, e.g., for executing VMs on a virtualization server provided within an Infrastructure as a Service (IaaS) cloud environment. A physical multi-core CPU may be configured with a hardware trust anchor. The trust anchor itself may be configured to manage session keys used to encrypt/decrypt instructions and data when a VM (or hypervisor) is executed on one of the CPU cores. When a context switch occurs due to an exception, the trust anchor swaps the session key used to encrypt/decrypt the contents of memory and cache allocated to a VM (or hypervisor).
    Type: Application
    Filed: May 27, 2010
    Publication date: December 1, 2011
    Inventors: Pere Monclus, Fabio R. Maino
  • Patent number: 8037514
    Abstract: Various systems and methods are disclosed for disseminating security server contact information in a network. For example, one method (e.g., performed by a security server) involves determining that a network device is a secure network device, in response to participating in a security exchange with the network device; and then sending a server list to the network device. The server list includes the network address of at least one security server. Another method (e.g., performed by a network device) involves initiating an authentication exchange; receiving a server list, which includes the network address of a security server, as part of the authentication exchange; and communicating with the security server by sending a packet to the network address included in the server list.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: October 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Irene H. Kuffel, Wilson Kok, Michael Fine, Fabio R. Maino, Jed Lin Lau
  • Publication number: 20110219438
    Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.
    Type: Application
    Filed: May 13, 2011
    Publication date: September 8, 2011
    Applicant: Cisco Technology, Inc.
    Inventors: Fabio R. Maino, Marco Di Benedetto, Claudio Desanti
  • Patent number: 7965843
    Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.
    Type: Grant
    Filed: December 27, 2001
    Date of Patent: June 21, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Fabio R. Maino, Marco Di Benedetto, Claudio Desanti
  • Patent number: 7953943
    Abstract: In one embodiment, a MUD logger receives a notification from another MUD logger maintaining another MUD log for a volume, the notification indicating one or more modifications to be made to a MUD log maintained by the MUD logger receiving the notification, wherein the MUD log includes information for one or more epochs, wherein the information for each of the epochs indicates a set of one or more regions of the volume that have been modified during the corresponding epoch. The MUD logger updates the MUD log associated with the volume, wherein updating the MUD log is performed in response to the notification.
    Type: Grant
    Filed: July 21, 2009
    Date of Patent: May 31, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Samar Sharma, Dinesh G. Dutt, Fabio R. Maino, Sanjaya Kumar
  • Publication number: 20100169645
    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.
    Type: Application
    Filed: October 22, 2009
    Publication date: July 1, 2010
    Inventors: David A. McGrew, Brian E. Weis, Fabio R. Maino
  • Publication number: 20090287892
    Abstract: In one embodiment, a MUD logger receives a notification from another MUD logger maintaining another MUD log for a volume, the notification indicating one or more modifications to be made to a MUD log maintained by the MUD logger receiving the notification, wherein the MUD log includes information for one or more epochs, wherein the information for each of the epochs indicates a set of one or more regions of the volume that have been modified during the corresponding epoch. The MUD logger updates the MUD log associated with the volume, wherein updating the MUD log is performed in response to the notification.
    Type: Application
    Filed: July 21, 2009
    Publication date: November 19, 2009
    Applicant: Cisco Technology, Inc.
    Inventors: Samar Sharma, Dinesh G. Dutt, Fabio R. Maino, Sanjaya Kumar
  • Patent number: 7568078
    Abstract: Methods and apparatus for performing MUD logging for a volume in a system implementing network-based virtualization are disclosed. This is accomplished by enabling two or more MUD loggers to separately maintain a MUD log for the volume. Through enabling the MUD loggers to communicate, the MUD loggers may update their respective MUD logs. Each MUD log includes information for one or more epochs, where the information for each of the epochs indicates a set of one or more regions that have been modified during the corresponding epoch.
    Type: Grant
    Filed: July 26, 2006
    Date of Patent: July 28, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Samar Sharma, Dinesh G. Dutt, Fabio R. Maino, Sanjaya Kumar
  • Publication number: 20090172816
    Abstract: Embodiments of the invention improve the detection of malicious software applications, such as a rootkit, on hosts configured to access storage volumes over a storage area network (SAN). A rootkit detection program running on a switch may be configured to detect rootkits present on the storage volumes of the SAN. Because the switch may mount and access storage volumes independently from the (possibly compromised) hosts, the rootkit is not able to conceal itself from the rootkit detection program running on the switch.
    Type: Application
    Filed: December 31, 2007
    Publication date: July 2, 2009
    Inventors: Fabio R. Maino, Dinesh G. Dutt, Samar Sharma, Arindam Paul
  • Patent number: 7443845
    Abstract: A fast, lightweight, reliable, packet-based protocol that operates independently of the type of networking protocol used by the underlying physical layer of the network is disclosed. More specifically, the packet-based protocol operates independently of, or is capable of encapsulating, physical layer protocols such as but not limited to MAC, Ethernet, Ethernet II, HARD or IP. The protocol defines at least three different types of frames, including Information frames, Supervisory frames, and Unnumbered frames. In various embodiments of the invention, the Information, Supervisory, and Unnumbered frames include DSAP and SSAP fields with semantics which are sufficiently large to support the various physical layer protocols that may be used on the network. The Information frames, Supervisory frames, and Unnumbered frames also have the ability to support urgent data delivery and certain memory management functions.
    Type: Grant
    Filed: December 6, 2002
    Date of Patent: October 28, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Silvano Gai, Davide Bergamasco, Claudio DeSanti, Dante Malagrino, Fabio R. Maino
  • Patent number: 7333612
    Abstract: Methods and apparatus are provided for improving message-based security in a Fibre Channel network. More specifically, the present invention relates to methods and apparatus for providing confidentiality for Fibre Channel control messages encapsulated within Common Transport Information Units. Control messages transported with the Fibre Channel Common Transport protocol, and passed between Fibre Channel network entities, can be encrypted, providing confidentiality combined with the data origin authentication, integrity and anti-replay protection provided by existing Fibre Channel security mechanisms.
    Type: Grant
    Filed: March 19, 2004
    Date of Patent: February 19, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Fabio R. Maino, Claudio DeSanti
  • Publication number: 20080034167
    Abstract: Methods and apparatus for processing a reserve request requesting a reservation of at least a portion of a volume in a system implementing network-based virtualization of storage are disclosed. More particularly, multiple ports and/or network devices together implement the virtualization of storage. When a network device or port receives a reserve request from a host requesting that at least a portion of a volume be reserved, a notification is sent indicating the at least a portion of the volume being reserved. The notification may be sent to one or more network devices or ports. A lock corresponding to the reserve request may then be obtained such that a lock of the at least a portion of the volume is acquired. When another network device or port receives a reserve intention notification, the network device or port stores information indicating that a lock of the at least a portion of the volume has been obtained.
    Type: Application
    Filed: August 3, 2006
    Publication date: February 7, 2008
    Inventors: Samar Sharma, Dinesh G. Dutt, Fabio R. Maino, Sanjaya Kumar
  • Publication number: 20080028167
    Abstract: Methods and apparatus for performing MUD logging for a volume in a system implementing network-based virtualization are disclosed. This is accomplished by enabling two or more MUD loggers to separately maintain a MUD log for the volume. Through enabling the MUD loggers to communicate, the MUD loggers may update their respective MUD logs. Each MUD log includes information for one or more epochs, where the information for each of the epochs indicates a set of one or more regions that have been modified during the corresponding epoch.
    Type: Application
    Filed: July 26, 2006
    Publication date: January 31, 2008
    Inventors: Samar Sharma, Dinesh G. Dutt, Fabio R. Maino, Sanjaya Kumar