Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function call are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.

Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.

Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.

Abstract: A method for opening unknown files in a malware detection system, is provided. The method generally includes receiving a request to open a file classified as an unknown file, opening the file in a container, collecting at least one of a log of events carried out by the file or observed behavior traces of the file while open in the container, transmitting, to a file analyzer, at least one of the file, the log of events, or the behavior traces for static analysis, determining, a final verdict for the file, based on at least one of the file, the log of events, or the behavior traces, wherein the final verdict for the file is based on the static analysis or dynamic analysis of the file, and taking one or more actions based on a policy configured for the first endpoint and the final verdict.

Abstract: The disclosure provides an approach for workload labeling and identification of known or custom applications. Embodiments include determining a plurality of sets of features comprising a respective set of features for each respective workload of a first subset of a plurality of workloads. Embodiments include identifying a group of workloads based on similarities among the plurality of sets of features. Embodiments include receiving label data from a user comprising a label for the group of workloads. Embodiments include associating the label with each workload of the group of workloads to produce a training data set. Embodiments include using the training data set to train a model to output labels for input workloads. Embodiments include determining a label for a given workload of the plurality of workloads by inputting features of the given workload to the model.

Abstract: The disclosure provides an approach for workload labeling and identification of known or custom applications. Embodiments include determining a plurality of sets of features comprising a respective set of features for each respective workload of a first subset of a plurality of workloads. Embodiments include identifying a group of workloads based on similarities among the plurality of sets of features. Embodiments include receiving label data from a user comprising a label for the group of workloads. Embodiments include associating the label with each workload of the group of workloads to produce a training data set. Embodiments include using the training data set to train a model to output labels for input workloads. Embodiments include determining a label for a given workload of the plurality of workloads by inputting features of the given workload to the model.

Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.

Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.

Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: The disclosure provides an approach for establishing authentication between components in a network. Embodiments deploying a node of a monitoring appliance in response to a request and providing a token for accessing a network manager to the node of the monitoring appliance. Embodiments include generating, by the node of the monitoring appliance, a certificate of the node of the monitoring appliance and providing the certificate of the node of the monitoring appliance to the network manager with the token for accessing the network manager. Embodiments include adding, by the network manager, based on the token for accessing the network manager, the certificate of the node of the monitoring appliance to a first trust store and providing, by the network manager, a network manager certificate to the node of the monitoring appliance. Embodiments include adding, by the node of the monitoring appliance, the network manager certificate to a second trust store.

Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: The disclosure provides an approach for workload labeling and identification of known or custom applications. Embodiments include determining a plurality of sets of features comprising a respective set of features for each respective workload of a first subset of a plurality of workloads. Embodiments include identifying a group of workloads based on similarities among the plurality of sets of features. Embodiments include receiving label data from a user comprising a label for the group of workloads. Embodiments include associating the label with each workload of the group of workloads to produce a training data set. Embodiments include using the training data set to train a model to output labels for input workloads. Embodiments include determining a label for a given workload of the plurality of workloads by inputting features of the given workload to the model.

Abstract: A simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. These manifests are application specific. Also, in some cases, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. One of these service engines is a firewall engine. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines.

Abstract: The disclosure provides an approach for establishing authentication between components in a network. Embodiments deploying a node of a monitoring appliance in response to a request and providing a token for accessing a network manager to the node of the monitoring appliance. Embodiments include generating, by the node of the monitoring appliance, a certificate of the node of the monitoring appliance and providing the certificate of the node of the monitoring appliance to the network manager with the token for accessing the network manager. Embodiments include adding, by the network manager, based on the token for accessing the network manager, the certificate of the node of the monitoring appliance to a first trust store and providing, by the network manager, a network manager certificate to the node of the monitoring appliance. Embodiments include adding, by the node of the monitoring appliance, the network manager certificate to a second trust store.