Patents by Inventor Nafisa Mandliwala
Nafisa Mandliwala has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240163294Abstract: Some embodiments of the invention provide, for an intrusion detection and prevention system (IDPS) engine operating on a host computer deployed in a software-defined datacenter (SDDC), a method for detecting and analyzing malicious packet flows. Upon detecting a new packet flow, the method captures packets belonging to the new packet flow in a file. When the new packet flow ends, the method determines that a particular packet belonging to the new packet flow has triggered an alert indicating the particular packet includes a potentially malicious payload. The method annotates the file for the new packet flow with a set of contextual data that (1) specifies the new packet flow as a potentially malicious packet flow and (2) identifies the particular packet and at least one signature associated with the alert triggered by the particular packet.Type: ApplicationFiled: November 10, 2022Publication date: May 16, 2024Inventors: Robin Manhas, Nafisa Mandliwala, Sirisha Myneni, Srinivas Ramaswamy
-
Publication number: 20230388320Abstract: Example methods and systems for intrusion detection with adaptive pattern selection are described. In one example, a computer system may perform pattern selection by selecting a subset from a set of multiple patterns based on metric information. In response to receiving a packet belonging to a flow between a source endpoint and a destination endpoint, a first matching operation may be performed to determine whether the packet is matchable to a particular pattern from the set of multiple patterns or the subset. In response to determination that the packet is matchable to the particular pattern, a second matching operation may be performed to determine whether the packet is matchable to a particular signature. The metric information associated with the particular pattern may be updated based on the first matching operation and/or the second matching operation. This way, the subset may be updated based at least on the updated metric information.Type: ApplicationFiled: May 25, 2022Publication date: November 30, 2023Applicant: VMware, Inc.Inventors: Russell LU, Sirisha MYNENI, Nafisa MANDLIWALA, Mani KANCHERLA
-
Patent number: 11641305Abstract: Example methods and systems are provided for network diagnosis. One example method may comprise: detecting an egress packet and determining whether each of multiple network issues is detected for the egress packet or a datapath between a first virtualized computing instance and a second virtualized computing instance. The method may also comprise: generating network diagnosis code information specifying whether each of the multiple network issues is detected or not detected; generating an encapsulated packet by encapsulating the egress packet with an outer header that specifies the network diagnosis code information; and sending the encapsulated packet towards the second virtualized computing instance to cause a second computer system to perform one or more remediation actions based on the network diagnosis code information.Type: GrantFiled: December 16, 2019Date of Patent: May 2, 2023Assignee: VMWARE, INC.Inventors: Sirisha Myneni, Kausum Kumar, Nafisa Mandliwala, Venkatakrishnan Rajagopalan
-
Publication number: 20230081299Abstract: The disclosure herein describes correlating file events with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options are output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.Type: ApplicationFiled: November 21, 2022Publication date: March 16, 2023Inventors: Sirisha MYNENI, Nafisa MANDLIWALA, Subrahmanyam MANUGURI, Anirban SENGUPTA
-
Publication number: 20230018434Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads.Type: ApplicationFiled: July 13, 2021Publication date: January 19, 2023Inventors: Nafisa Mandliwala, Sirisha Myneni, Subrahmanyam Manuguri
-
Publication number: 20230014040Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method receives a filtered set of intrusion detection signatures to be enforced on the at least one host computer. The method uses a set of contextual attributes associated with a particular data message to generate an intrusion detection signature for the particular data message, the generated intrusion detection signature including a bit pattern, each bit associated with a contextual attribute in the set. The method compares the generated intrusion detection signature with the received set of intrusion detection signatures to identify a matching intrusion detection signature in the received filtered set.Type: ApplicationFiled: July 13, 2021Publication date: January 19, 2023Inventors: Nafisa Mandliwala, Sirisha Myneni, Subrahmanyam Manuguri
-
Publication number: 20230014706Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives, from the set of servers, a set of one or more intrusion detection scripts to be enforced on the at least one host computer, the set of one or more intrusion detection scripts defined based on the multiple forwarded contextual attributes. The method uses the multiple contextual attributes to identify and resolve at least one intrusion detection script in the set of one or more intrusion detection scripts.Type: ApplicationFiled: July 13, 2021Publication date: January 19, 2023Inventors: Sirisha Myneni, Nafisa Mandliwala, Robin Manhas, Srinivas Ramaswamy
-
Publication number: 20230013808Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives an intent-based application programming interface (API) command that defines intent for a set of one or more context-based intrusion detection rules for detecting and preventing intrusions on the at least one host computer. The method uses multiple contextual attributes to convert the defined intent into a set of one or more intrusion detection scripts for enforcement on the at least one host computer. The method provides the set of one or more intrusion detection scripts to an intrusion detection system operating on the at least one host computer for enforcement.Type: ApplicationFiled: July 13, 2021Publication date: January 19, 2023Inventors: Sirisha Myneni, Nafisa Mandliwala, Rajitha Arcot, Subrahmanyam Manuguri
-
Publication number: 20230021269Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives a filtered set of intrusion detection signatures for enforcement on the at least one host computer, the filtered set of intrusion detection signatures identified based on the multiple contextual attributes. The method uses the filtered set of intrusion detection signatures to detect at least one potential intrusion associated with a particular data message processed on the at least one host computer.Type: ApplicationFiled: July 13, 2021Publication date: January 19, 2023Inventors: Nafisa Mandliwala, Sirisha Myneni, Subrahmanyam Manuguri
-
Publication number: 20230015632Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes a set of host computers that each execute multiple machines. The method receives, from the set of host computers, multiple contextual attributes that define one or more compute environments. Through a user interface, the method presents the multiple contextual attributes and a set of controls for use in generating intent-based API commands. The method receives, through the user interface, an intent-based API command that defines intent for a set of one or more intrusion detection rules to be enforced in the datacenter, the intent defined in terms of one or more of the multiple contextual attributes. The method processes the intent-based API command in order to distribute intrusion detection system configuration data to configure, for each host computer in the set of host computers, an intrusion detection system operating on the host computer.Type: ApplicationFiled: July 13, 2021Publication date: January 19, 2023Inventors: Sirisha Myneni, Nafisa Mandliwala, Subrahmanyam Manuguri
-
Patent number: 11544375Abstract: File events are correlated with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options are output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.Type: GrantFiled: December 17, 2019Date of Patent: January 3, 2023Assignee: VMware, Inc.Inventors: Sirisha Myneni, Nafisa Mandliwala, Subrahmanyam Manuguri, Anirban Sengupta
-
Patent number: 11463300Abstract: The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.Type: GrantFiled: July 13, 2020Date of Patent: October 4, 2022Assignee: VMWARE, INC.Inventors: Nafisa Mandliwala, Sirisha Myneni, Robin Manhas, Baibhav Singh
-
Publication number: 20220210167Abstract: Example methods and systems for context-aware intrusion detection are described. In one example, in response to determination that there is a matching intrusion detection signature based on packet flow information associated with a packet, a computer system may generate an intrusion detection alert that identifies the matching intrusion detection signature and the packet flow information. Further, the computer system may map the intrusion detection alert to contextual information, and generate a context-aware intrusion detection alert to trigger a context-aware remediation action based on at least the contextual information. The intrusion detection alert may be enhanced with context information associated with at least one of the following: the virtualized computing instance, a client device associated with the virtualized computing instance, and a user operating the client device.Type: ApplicationFiled: December 30, 2020Publication date: June 30, 2022Applicant: VMware, Inc.Inventors: Venkatakrishnan RAJAGOPALAN, Sirisha MYNENI, Srinivas RAMASWAMY, Nafisa MANDLIWALA, Robin MANHAS
-
Patent number: 11258718Abstract: The disclosure provides an approach for rate limiting packets in a network. Embodiments include receiving, by a rate limiting engine running on a host machine, a network event related to a virtual computing instance running on the host machine, the network event comprising flow information about a network flow. Embodiments include receiving, by the rate limiting engine, context information corresponding to the network flow, wherein the context information comprises one or more of a user characteristic or an application characteristic. Embodiments include determining, by the rate limiting engine, a priority for the network flow by applying a rate limiting policy to the flow information and the context information. Embodiments include providing, by the rate limiting engine, the priority for the network flow to a multiplexer for use in rate limiting the network flow.Type: GrantFiled: November 18, 2019Date of Patent: February 22, 2022Assignee: VMWARE, INC.Inventors: Suresh Muppala, Nafisa Mandliwala, Sirisha Myneni, Venkatakrishnan Rajagopalan
-
Publication number: 20220014425Abstract: The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.Type: ApplicationFiled: July 13, 2020Publication date: January 13, 2022Inventors: Nafisa MANDLIWALA, Sirisha MYNENI, Robin MANHAS, Baibhav SINGH
-
Publication number: 20210182388Abstract: The disclosure herein describes correlating file events with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options are output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.Type: ApplicationFiled: December 17, 2019Publication date: June 17, 2021Inventors: Sirisha MYNENI, Nafisa MANDLIWALA, Subrahmanyam MANUGURI, Anirban SENGUPTA
-
Publication number: 20210184914Abstract: Example methods and systems are provided for network diagnosis. One example method may comprise: detecting an egress packet and determining whether each of multiple network issues is detected for the egress packet or a datapath between a first virtualized computing instance and a second virtualized computing instance. The method may also comprise: generating network diagnosis code information specifying whether each of the multiple network issues is detected or not detected; generating an encapsulated packet by encapsulating the egress packet with an outer header that specifies the network diagnosis code information; and sending the encapsulated packet towards the second virtualized computing instance to cause a second computer system to perform one or more remediation actions based on the network diagnosis code information.Type: ApplicationFiled: December 16, 2019Publication date: June 17, 2021Applicant: VMware, Inc.Inventors: Sirisha MYNENI, Kausum KUMAR, Nafisa MANDLIWALA, Venkatakrishnan RAJAGOPALAN
-
Publication number: 20210152480Abstract: The disclosure provides an approach for rate limiting packets in a network. Embodiments include receiving, by a rate limiting engine running on a host machine, a network event related to a virtual computing instance running on the host machine, the network event comprising flow information about a network flow. Embodiments include receiving, by the rate limiting engine, context information corresponding to the network flow, wherein the context information comprises one or more of a user characteristic or an application characteristic. Embodiments include determining, by the rate limiting engine, a priority for the network flow by applying a rate limiting policy to the flow information and the context information. Embodiments include providing, by the rate limiting engine, the priority for the network flow to a multiplexer for use in rate limiting the network flow.Type: ApplicationFiled: November 18, 2019Publication date: May 20, 2021Inventors: Suresh MUPPALA, Nafisa MANDLIWALA, Sirisha MYNENI, Venkatakrishnan RAJAGOPALAN
-
Patent number: 10938681Abstract: Example methods are provided for a first host to perform context-aware network mapping a software-defined networking (SDN) environment. One example method may comprise: detecting multiple packet flows that include an egress packet flow originating from a first endpoint and destined for a second host, and an ingress packet flow originating from a second host or a third host and destined for the first endpoint or a second endpoint. The method may also comprise: in response to detecting the egress packet flow, obtaining first packet flow information and first context information; in response to detecting the ingress packet flow, obtaining second packet header information and second context information; and generating network map information that identifies the egress packet flow based on the first packet flow information and first context information, and the ingress packet flow based on the second packet flow information and second context information.Type: GrantFiled: July 25, 2018Date of Patent: March 2, 2021Assignee: VMWARE, INC.Inventors: Arijit Chanda, Nafisa Mandliwala
-
Publication number: 20200036608Abstract: Example methods are provided for a first host to perform context-aware network mapping a software-defined networking (SDN) environment. One example method may comprise: detecting multiple packet flows that include an egress packet flow originating from a first endpoint and destined for a second host, and an ingress packet flow originating from a second host or a third host and destined for the first endpoint or a second endpoint. The method may also comprise: in response to detecting the egress packet flow, obtaining first packet flow information and first context information; in response to detecting the ingress packet flow, obtaining second packet header information and second context information; and generating network map information that identifies the egress packet flow based on the first packet flow information and first context information, and the ingress packet flow based on the second packet flow information and second context information.Type: ApplicationFiled: July 25, 2018Publication date: January 30, 2020Applicant: VMware, Inc.Inventors: Arijit CHANDA, Nafisa MANDLIWALA