Patents by Inventor Amit Vasant Patil

Amit Vasant Patil has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10516528
    Abstract: A distributed computer system and method for managing secret information for virtual entities in the distributed computer system utilizes multiple secret storage service entities to provide secret information to a virtual entity to be hosted in a host computer in the distributed computer system. At least one piece of the secret information for the virtual entity is distributed to the multiple secret storage service entities to provide the secret information to the virtual entity using the at least one piece of the secret information from one of the multiple secret storage service entities.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: December 24, 2019
    Assignee: NICIRA, INC.
    Inventors: Jianqing Zhang, Ganesan Chandrashekhar, Sonia Jahid, Amit Vasant Patil, Sujatha Sundararaman
  • Publication number: 20190364047
    Abstract: Certain embodiments described herein are generally directed to systems and methods for preventing access to files on a virtual machine. One example method involves receiving network information associated with a network connection opened at the virtual machine and determining a process that opened the network connection. The method further involves receiving information indicative of a file access event attempted at the virtual machine and determining the process that opened the network connection initiated the file access event. The method further involves transmitting information indicative of the file access event and the network connection to a security virtual machine and receiving an enforcement decision for the file access event from the security virtual machine based on the information indicative of the file access event and the network connection. The method further involves applying the enforcement decision to either allow or prevent the file access event by the process.
    Type: Application
    Filed: July 12, 2018
    Publication date: November 28, 2019
    Inventors: NILESH AWATE, Rayanagouda Bheemanagouda Patil, Vasantha Kumar, Amit Vasant Patil
  • Patent number: 10482249
    Abstract: Some embodiments provide a method for an end machine, that implements a distributed application, to redirect new network connection requests to other end machines that also implement the distributed application. The method receives a set of measurement data from a set of resources of the end machine and determines whether a measurement data received from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method notifies a load balancer that balances new requests for connection to the distributed application between the end machines. The notification causes the load balancer not to send any new connection request to the end machine and redirect them to other end machines.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: November 19, 2019
    Assignee: NICIRA, INC.
    Inventors: Amit Vasant Patil, Vasantha Kumar
  • Patent number: 10423790
    Abstract: Some embodiments provide a method for preventing stressed end machines from being scanned for security check on a host machine that executes several different end machines scheduled to be scanned for security check. The method collects, at one of the end machines, a set of measurement data from a set of resources of the end machine. The method then determines whether a measurement data collected from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method tags the end machine as a stressed machine so that the end machine will not participate in any future security check scans.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: September 24, 2019
    Assignee: NICIRA, INC.
    Inventors: Amit Vasant Patil, Vasantha Kumar
  • Publication number: 20190266004
    Abstract: Some embodiments provide a novel method for authorizing network requests for a machine in a network. In some embodiments, the method is performed by security agents that execute on virtual machines operating on a host machine. In some embodiments, the method captures a network request (e.g., network control packets, socket connection request, etc.) from a primary application executing on the machine. The method identifies an extended context for the network request and determines whether the network request is authorized based on the extended context. The method then processes the network request according to the determination. The extended context of some embodiments includes identifications for primary and secondary applications associated with the network request. Alternatively, or conjunctively, some embodiments include identifications for primary and secondary users associated with the network request.
    Type: Application
    Filed: May 3, 2019
    Publication date: August 29, 2019
    Inventors: Vasantha Kumar, Prasad Sharad Dabak, Azeem Feroz, Amit Vasant Patil
  • Patent number: 10324746
    Abstract: Some embodiments provide a novel method for authorizing network requests for a machine in a network. In some embodiments, the method is performed by security agents that execute on virtual machines operating on a host machine. In some embodiments, the method captures a network request (e.g., network control packets, socket connection request, etc.) from a primary application executing on the machine. The method identifies an extended context for the network request and determines whether the network request is authorized based on the extended context. The method then processes the network request according to the determination. The extended context of some embodiments includes identifications for primary and secondary applications associated with the network request. Alternatively, or conjunctively, some embodiments include identifications for primary and secondary users associated with the network request.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: June 18, 2019
    Assignee: NICIRA, INC.
    Inventors: Vasantha Kumar, Prasad Sharad Dabak, Azeem Feroz, Amit Vasant Patil
  • Publication number: 20180331961
    Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.
    Type: Application
    Filed: May 7, 2018
    Publication date: November 15, 2018
    Inventors: W. Andrew Lambeth, Amit Vasant Patil, Prasad Sharad Dabak, Laxmikant Vithal Gunda, Vasantha Kumar Dhanasekar, Justin Pettit
  • Patent number: 9967199
    Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: May 8, 2018
    Assignee: NICIRA, INC.
    Inventors: W. Andrew Lambeth, Amit Vasant Patil, Prasad Sharad Dabak, Laxmikant Vithal Gunda, Vasantha Kumar Dhanasekar, Justin Pettit
  • Patent number: 9948611
    Abstract: Some embodiments provide a novel method for monitoring network requests from a machine. The method captures the network request at various layers of a protocol stack. At a first layer of a protocol stack, the method tags a packet related to the network request with a tag value, maps the tag value to a set of tuples associated with the packet, and sends a first set of data related to the packet to a security engine. At a second layer of the protocol stack, the method determines whether the packet has been modified through the protocol stack, and sends an updated second set of data to the security engine when the packet has been modified.
    Type: Grant
    Filed: February 5, 2016
    Date of Patent: April 17, 2018
    Assignee: NICIRA, INC.
    Inventors: Vasantha Kumar, Amit Vasant Patil
  • Publication number: 20180062834
    Abstract: A distributed computer system and method for managing secret information for virtual entities in the distributed computer system utilizes multiple secret storage service entities to provide secret information to a virtual entity to be hosted in a host computer in the distributed computer system. At least one piece of the secret information for the virtual entity is distributed to the multiple secret storage service entities to provide the secret information to the virtual entity using the at least one piece of the secret information from one of the multiple secret storage service entities.
    Type: Application
    Filed: January 10, 2017
    Publication date: March 1, 2018
    Inventors: JIANQING ZHANG, Ganesan Chandrashekhar, Sonia Jahid, Amit Vasant Patil, Sujatha Sundararaman
  • Publication number: 20180048702
    Abstract: Some embodiments provide a method for an end machine, that implements a distributed application, to redirect new network connection requests to other end machines that also implement the distributed application. The method receives a set of measurement data from a set of resources of the end machine and determines whether a measurement data received from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method notifies a load balancer that balances new requests for connection to the distributed application between the end machines. The notification causes the load balancer not to send any new connection request to the end machine and redirect them to other end machines.
    Type: Application
    Filed: September 30, 2016
    Publication date: February 15, 2018
    Inventors: Amit Vasant Patil, Vasantha Kumar
  • Publication number: 20180046807
    Abstract: Some embodiments provide a method for preventing stressed end machines from being scanned for security check on a host machine that executes several different end machines scheduled to be scanned for security check. The method collects, at one of the end machines, a set of measurement data from a set of resources of the end machine. The method then determines whether a measurement data collected from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method tags the end machine as a stressed machine so that the end machine will not participate in any future security check scans.
    Type: Application
    Filed: September 30, 2016
    Publication date: February 15, 2018
    Inventors: Amit Vasant Patil, Vasantha Kumar
  • Patent number: 9891940
    Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: February 13, 2018
    Assignee: NICIRA, INC.
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Publication number: 20170171159
    Abstract: Some embodiments provide a novel method for monitoring network requests from a machine. The method captures the network request at various layers of a protocol stack. At a first layer of a protocol stack, the method tags a packet related to the network request with a tag value, maps the tag value to a set of tuples associated with the packet, and sends a first set of data related to the packet to a security engine. At a second layer of the protocol stack, the method determines whether the packet has been modified through the protocol stack, and sends an updated second set of data to the security engine when the packet has been modified.
    Type: Application
    Filed: February 5, 2016
    Publication date: June 15, 2017
    Inventors: Vasantha Kumar, Amit Vasant Patil
  • Publication number: 20170126677
    Abstract: Some embodiments provide a novel method for authorizing network requests for a machine in a network. In some embodiments, the method is performed by security agents that execute on virtual machines operating on a host machine. In some embodiments, the method captures a network request (e.g., network control packets, socket connection request, etc.) from a primary application executing on the machine. The method identifies an extended context for the network request and determines whether the network request is authorized based on the extended context. The method then processes the network request according to the determination. The extended context of some embodiments includes identifications for primary and secondary applications associated with the network request. Alternatively, or conjunctively, some embodiments include identifications for primary and secondary users associated with the network request.
    Type: Application
    Filed: February 4, 2016
    Publication date: May 4, 2017
    Inventors: Vasantha Kumar, Prasad Sharad Dabak, Azeem Feroz, Amit Vasant Patil
  • Publication number: 20160191521
    Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.
    Type: Application
    Filed: July 30, 2015
    Publication date: June 30, 2016
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Publication number: 20160191413
    Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.
    Type: Application
    Filed: July 30, 2015
    Publication date: June 30, 2016
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Publication number: 20150163117
    Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.
    Type: Application
    Filed: September 30, 2014
    Publication date: June 11, 2015
    Inventors: W. Andrew Lambeth, Amit Vasant Patil, Prasad Sharad Dabak, Laxmikant Vithal Gunda, Vasantha Kumar Dhanasekar, Justin Pettit