Patents by Inventor Azeem Feroz

Azeem Feroz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20150379280
    Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.
    Type: Application
    Filed: June 30, 2014
    Publication date: December 31, 2015
    Inventors: Kiran Kumar Thota, Azeem Feroz, James C. Wiese
  • Publication number: 20150339475
    Abstract: Methods and systems for protecting a virtual machine network are disclosed. In an embodiment, a method involves storing an application whitelist including application-to-user associations in memory such that the application whitelist is immutable by a guest virtual machine, receiving a request to execute an application including an application identifier and a user identifier, comparing the application identifier and the user identifier of the request with the application whitelist, and generating an execution decision indicating whether the requested application can execute on the guest virtual machine.
    Type: Application
    Filed: May 23, 2014
    Publication date: November 26, 2015
    Applicant: VMWARE, INC.
    Inventors: Azeem Feroz, Binyuan Chen, Prasad Sharad Dabak
  • Publication number: 20150222666
    Abstract: The disclosure herein describes a system for facilitating intelligent auditing of security log records. A set of security policies are converted into a set of web ontology language (OWL)-based rules. At the same time, log records are also converted into an OWL-based format. The system then applies the OWL-based rules, which can be in the form of a number of semantic web rule language (SWRL) statements, to the OWL-formatted log data. As a result, the system can identify potential security breaches which cannot be easily identified by conventional auditing methods.
    Type: Application
    Filed: February 6, 2014
    Publication date: August 6, 2015
    Inventors: Vasantha Kumar, Azeem Feroz
  • Publication number: 20150096007
    Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
    Type: Application
    Filed: October 1, 2013
    Publication date: April 2, 2015
    Applicant: VMware, Inc.
    Inventors: Anirban Sengupta, Subrahmanyam Manuguri, Mitchell T. Christensen, Azeem Feroz, Todd Sabin
  • Patent number: 8897132
    Abstract: Methods, apparatuses and systems directed to enhanced random early discard mechanisms implemented in various networked devices including end-systems such as servers and intermediate systems such as gateways and routers. In one implementation, the present invention enables a random early discard mechanism that intelligently biases the drop probabilities of select packets based on one or more application-aware and/or flow-aware metrics or state conditions.
    Type: Grant
    Filed: March 31, 2010
    Date of Patent: November 25, 2014
    Assignee: Blue Coat Systems, Inc.
    Inventors: Azeem Feroz, Suresh Babu Muppala, Jon Eric Okholm
  • Publication number: 20140317677
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Application
    Filed: April 19, 2013
    Publication date: October 23, 2014
    Applicant: VMware, Inc.
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Publication number: 20140230008
    Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy.
    Type: Application
    Filed: February 14, 2013
    Publication date: August 14, 2014
    Applicant: VMware, Inc.
    Inventors: Azeem Feroz, Binyuan Chen, Amit Chopra
  • Publication number: 20110242979
    Abstract: Methods, apparatuses and systems directed to enhanced random early discard mechanisms implemented in various networked devices including end-systems such as servers and intermediate systems such as gateways and routers. In one implementation, the present invention enables a random early discard mechanism that intelligently biases the drop probabilities of select packets based on one or more application-aware and/or flow-aware metrics or state conditions.
    Type: Application
    Filed: March 31, 2010
    Publication date: October 6, 2011
    Applicant: Blue Coat Systems Inc.
    Inventors: Azeem Feroz, Suresh Babu Muppala, Jon Eric Okholm
  • Patent number: 8031601
    Abstract: Methods, apparatuses and systems directed to improving the efficiency of bandwidth allocation schemes by adapting to slow-start mechanisms associated with network communications protocols, such as the TCP/IP protocol suite. In one implementation, the present invention scales down the initial target rate assigned to a data flow to a fraction of an initial estimate of the effective rate capacity of the communications path between two hosts. As packets are received, the target rate is gradually increased, eventually up to the detected rate capacity of the communications path. Implementations of the present invention improve the efficiency of bandwidth allocation by reducing the over-allocation of bandwidth to data flows during the slow-start phase, leaving more bandwidth available to other data flows.
    Type: Grant
    Filed: August 8, 2008
    Date of Patent: October 4, 2011
    Assignee: Packeteer, Inc.
    Inventors: Azeem Feroz, Wei-Lung Lai, James J. Stabile
  • Patent number: 7869366
    Abstract: A method for controlling data rate at an application layer. The method, in a particular implementation, includes identifying an application-layer message corresponding to a network application, wherein the application-layer message is transmitted in a first direction from a first host to a remote host and is operable to cause the remote host to transmit one or more responsive messages to the first host. A queuing delay is computed for the application-layer message and transmission of the application-layer message across a link to the remote host is delayed according to the queuing delay wherein the computed queuing delay is based at least in part on utilization of the link in a direction opposite the first direction of network traffic corresponding to the network application.
    Type: Grant
    Filed: March 22, 2007
    Date of Patent: January 11, 2011
    Assignee: Packeteer, Inc.
    Inventors: Suresh Muppala, Azeem Feroz
  • Patent number: 7551623
    Abstract: Methods, apparatuses and systems directed to an adaptive partitioning mechanism responsive to observed latency conditions in a communications network. Embodiments of the present invention can be configured to adapt to changing network conditions and ensure that selected network applications meet desired QoS levels. In one implementation, the present invention provides a mechanism that adjusts the minimum bandwidth setting corresponding to a given partition in response to observed latency. According to one implementation, a latency threshold is configured relative to local queuing latency or a latency metric corresponding to the network itself. A process modulates the minimum bandwidth setting associated with one or more partitions in response to observed latency relative to the configured threshold.
    Type: Grant
    Filed: January 31, 2005
    Date of Patent: June 23, 2009
    Assignee: Packeteer, Inc.
    Inventors: Azeem Feroz, James J. Stabile, Wei-Lung Lai
  • Publication number: 20080298391
    Abstract: Methods, apparatuses and systems directed to improving the efficiency of bandwidth allocation schemes by adapting to slow-start mechanisms associated with network communications protocols, such as the TCP/IP protocol suite. In one implementation, the present invention scales down the initial target rate assigned to a data flow to a fraction of an initial estimate of the effective rate capacity of the communications path between two hosts. As packets are received, the target rate is gradually increased, eventually up to the detected rate capacity of the communications path. Implementations of the present invention improve the efficiency of bandwidth allocation by reducing the over-allocation of bandwidth to data flows during the slow-start phase, leaving more bandwidth available to other data flows.
    Type: Application
    Filed: August 8, 2008
    Publication date: December 4, 2008
    Applicant: Packeteer, Inc.
    Inventors: Azeem Feroz, Wei-Lung Lai, James J. Stabile
  • Patent number: 7453804
    Abstract: Methods, apparatuses and systems directed to an aggregate bandwidth utilization control scheme including fair share bandwidth allocation and dynamic allocation of bandwidth in response to detected traffic utilization. In one implementation, the present invention includes a weighted, fair share aggregate bandwidth allocation mechanism that dynamically responds to observed bandwidth utilization to provide unutilized or excess bandwidth to flows and partitions that require it. In another implementation, the present invention features a weighted fair share allocation scheme for hierarchical partition configurations. In other implementations, the present invention provides a per-flow target rate assignment mechanism that prevents spiraling decline of data flow rates.
    Type: Grant
    Filed: February 8, 2005
    Date of Patent: November 18, 2008
    Assignee: Packeteer, Inc.
    Inventors: Azeem Feroz, Wei-Lung Lai, Roopesh R. Varier, James J. Stabile, Jon Eric Okholm
  • Patent number: 7426181
    Abstract: Methods, apparatuses and systems directed to improving the efficiency of bandwidth allocation schemes by adapting to slow-start mechanisms associated with network communications protocols, such as the TCP/IP protocol suite. In one implementation, the present invention scales down the initial target rate assigned to a data flow to a fraction of an initial estimate of the effective rate capacity of the communications path between two hosts. As packets are received, the target rate is gradually increased, eventually up to the detected rate capacity of the communications path. Implementations of the present invention improve the efficiency of bandwidth allocation by reducing the over-allocation of bandwidth to data flows during the slow-start phase, leaving more bandwidth available to other data flows.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: September 16, 2008
    Assignee: Packeteer, Inc.
    Inventors: Azeem Feroz, Wei-Lung Lai, James J. Stabile
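Worked example for the application whitelist entry above (publication 20150339475). This is an added illustration written for this page, not VMware's code; the abstract only says the whitelist holds application-to-user associations and is immutable by the guest. Assumptions that are mine: the application identifier is a SHA-256 of the executable image, the user identifier is a plain string (a SID or UID in practice), and the whitelist is built by a component outside the guest and exposed to the request path only as a read-only view.

```python
"""Execution-control check modelled on the abstract of 20150339475.

Added illustration, not VMware's code. Assumptions (mine): SHA-256 of
the image as the application identifier, a string user identifier, and
a whitelist that the guest-facing request path can read but not change.
"""
import hashlib
from dataclasses import dataclass
from types import MappingProxyType


def app_id(image: bytes) -> str:
    """Application identifier as a content hash: a modified or renamed
    binary gets a different identifier than the whitelisted one."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for executable images (not real binaries).
EDITOR_IMAGE = b"MZ\x90\x00 constructed editor image"
REMOTE_EXEC_IMAGE = b"MZ\x90\x00 constructed remote-exec tool image"


def build_whitelist(pairs):
    """Turn (app_id, user) pairs into a read-only {app_id: frozenset(users)}.

    MappingProxyType plus frozenset values leave the guest-facing code no
    way to add an entry; the writable dict never leaves this function.
    """
    table = {}
    for app, user in pairs:
        table.setdefault(app, set()).add(user)
    return MappingProxyType({a: frozenset(u) for a, u in table.items()})


WHITELIST = build_whitelist([
    (app_id(EDITOR_IMAGE), "alice"),
    (app_id(EDITOR_IMAGE), "bob"),
    (app_id(REMOTE_EXEC_IMAGE), "admin"),
])


@dataclass(frozen=True)
class ExecRequest:
    """What the guest submits: which image, on behalf of which user."""
    app: str
    user: str


def execution_decision(req: ExecRequest, whitelist=WHITELIST) -> bool:
    """Default deny: allow only if this exact (app, user) pair is listed."""
    return req.user in whitelist.get(req.app, frozenset())


def guest_can_modify(whitelist=WHITELIST) -> bool:
    """Simulate a compromised guest trying to grant itself an entry."""
    try:
        whitelist["0" * 64] = frozenset({"attacker"})
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    print(execution_decision(ExecRequest(app_id(EDITOR_IMAGE), "alice")))
    print(execution_decision(ExecRequest(app_id(REMOTE_EXEC_IMAGE), "alice")))
    print(guest_can_modify())
```

Using a content hash rather than a path or process name as the identifier is what makes the last check meaningful: a tampered copy of a whitelisted tool, even run by the user who is allowed to run the original, is denied because its identifier no longer matches.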
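Worked example for the identity-aware distributed firewall entry above (publication 20150096007), showing the three parts the abstract names: a guest driver that reports who opened a connection, an identity module outside the driver that keeps the association, and a firewall that resolves an outgoing packet to a user before evaluating rules. This is an added illustration, not VMware's code. Assumptions that are mine: connections are keyed by a 5-tuple, the user-to-group mapping comes from a directory the firewall already trusts, rules are first-match, and a packet with no identity association is denied (fail closed).

```python
"""Identity-aware distributed firewall flow modelled on the abstract of
20150096007. Added illustration, not VMware's code. Assumptions (mine):
5-tuple connection keys, a trusted user-to-group map, first-match rules,
and fail-closed handling of packets with no identity association.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    group: str       # user group the rule applies to
    dst_ip: str      # "*" matches any destination address
    dst_port: int    # 0 matches any destination port
    action: str      # "allow" or "deny"

    def matches(self, group: str, conn: Conn) -> bool:
        return (self.group == group
                and self.dst_ip in ("*", conn.dst_ip)
                and self.dst_port in (0, conn.dst_port))


class IdentityModule:
    """Lives outside the guest driver; stores connection -> user."""

    def __init__(self):
        self._assoc = {}

    def associate(self, user: str, conn: Conn) -> None:
        self._assoc[conn] = user

    def user_for(self, conn: Conn) -> Optional[str]:
        return self._assoc.get(conn)


class GuestDriver:
    """Runs in the guest OS; sees socket opens and reports the owner."""

    def __init__(self, identity: IdentityModule):
        self.identity = identity

    def on_open_connection(self, process_owner: str, conn: Conn) -> None:
        self.identity.associate(process_owner, conn)


class DistributedFirewall:
    def __init__(self, identity, rules, groups, default="deny"):
        self.identity, self.rules, self.groups = identity, rules, groups
        self.default = default

    def evaluate(self, conn: Conn) -> str:
        user = self.identity.user_for(conn)
        if user is None:
            return self.default                  # no identity: fail closed
        for rule in self.rules:                  # first match wins
            for group in self.groups.get(user, ()):
                if rule.matches(group, conn):
                    return rule.action
        return self.default


# Constructed sample policy and directory data.
RULES = [
    Rule("finance", "10.0.0.5", 443, "allow"),
    Rule("engineering", "10.0.0.5", 0, "deny"),
    Rule("engineering", "*", 22, "allow"),
]
GROUPS = {"alice": ("finance",), "bob": ("engineering",)}


def demo() -> dict:
    """Drive one guest through the driver -> identity -> firewall path."""
    idm = IdentityModule()
    drv = GuestDriver(idm)
    fw = DistributedFirewall(idm, RULES, GROUPS)
    c_alice = Conn("tcp", "10.0.1.10", 50001, "10.0.0.5", 443)
    c_bob = Conn("tcp", "10.0.1.10", 50002, "10.0.0.5", 443)
    c_bob_ssh = Conn("tcp", "10.0.1.10", 50003, "10.0.0.9", 22)
    c_unknown = Conn("tcp", "10.0.1.10", 50004, "10.0.0.5", 443)
    drv.on_open_connection("alice", c_alice)
    drv.on_open_connection("bob", c_bob)
    drv.on_open_connection("bob", c_bob_ssh)
    return {
        "alice_https": fw.evaluate(c_alice),
        "bob_https": fw.evaluate(c_bob),
        "bob_ssh": fw.evaluate(c_bob_ssh),
        "no_identity": fw.evaluate(c_unknown),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the "no_identity" case is that the two users share a source IP, so an address-only rule could not tell them apart; the firewall decides per user only for connections the driver reported. The caveat a practitioner will want: the driver runs inside the guest, so a compromised guest kernel can misreport who owns a socket. Keeping the association store in the identity module, outside the driver, stops the guest from rewriting existing associations, but it does not make the initial report trustworthy.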
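Worked example for the security-container quarantine entry above (publication 20140317677). This is an added illustration, not VMware's code. Assumptions that are mine: each security container carries one rule naming a tag and a minimum severity, endpoint security services emit (vm, tag, severity) triples, a VM already in the quarantine container is not moved again, and a tag for a VM that is in no container is ignored rather than acted on.

```python
"""Tag-driven quarantine decision modelled on the abstract of 20140317677.
Added illustration, not VMware's code. Assumptions (mine): one rule per
container (tag name + minimum severity), tags as (vm, name, severity),
no re-transfer of VMs already quarantined, unknown VMs ignored.
"""
from dataclasses import dataclass

QUARANTINE = "quarantine"


@dataclass(frozen=True)
class Tag:
    vm: str
    name: str
    severity: int      # 1 = low, 2 = medium, 3 = high


@dataclass(frozen=True)
class ContainerRule:
    tag_name: str
    min_severity: int

    def triggered(self, tag: Tag) -> bool:
        return tag.name == self.tag_name and tag.severity >= self.min_severity


def vms_to_quarantine(placement, rules, tags):
    """placement: vm -> container; rules: container -> ContainerRule;
    tags: iterable of Tag from the endpoint services.
    Returns the sorted list of VMs whose container rule fires."""
    move = set()
    for tag in tags:
        container = placement.get(tag.vm)
        if container is None or container == QUARANTINE:
            continue                       # unknown VM, or already isolated
        rule = rules.get(container)
        if rule is not None and rule.triggered(tag):
            move.add(tag.vm)
    return sorted(move)


def apply_quarantine(placement, vms):
    """Return a new placement with the given VMs in the quarantine container."""
    return {vm: (QUARANTINE if vm in vms else c) for vm, c in placement.items()}


# Constructed sample state: two containers with different thresholds.
PLACEMENT = {"web-1": "dmz", "web-2": "dmz", "db-1": "internal", "old-1": QUARANTINE}
RULES = {
    "dmz": ContainerRule("AntiVirus.virusFound", 2),
    "internal": ContainerRule("AntiVirus.virusFound", 1),
}
TAGS = [
    Tag("web-1", "AntiVirus.virusFound", 3),   # fires: dmz needs >= 2
    Tag("web-2", "AntiVirus.virusFound", 1),   # below the dmz threshold
    Tag("db-1", "AntiVirus.virusFound", 1),    # fires: internal needs >= 1
    Tag("old-1", "AntiVirus.virusFound", 3),   # already quarantined
    Tag("ghost", "AntiVirus.virusFound", 3),   # VM in no container
]


def demo():
    moving = vms_to_quarantine(PLACEMENT, RULES, TAGS)
    return moving, apply_quarantine(PLACEMENT, moving)


if __name__ == "__main__":
    print(demo())
```

The same tag leads to different outcomes for web-2 and db-1 because the decision is taken against the rule of the container the VM sits in, not against the tag alone; that is what lets an operator run a stricter threshold on an internal segment than on a DMZ.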
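Worked example for the enhanced random early discard entries above (patent 8897132 and its application 20110242979, which share an abstract). This is an added illustration, not Blue Coat's or Packeteer's code; the abstract says only that drop probabilities are biased by application-aware or flow-aware state. Assumptions that are mine: textbook RED parameters (min_th, max_th, max_p), a per-class multiplier applied to the RED probability, and the multiplier values themselves.

```python
"""Random early discard with a per-class bias, modelled on the shared
abstract of 8897132 and 20110242979. Added illustration, not Blue Coat's
or Packeteer's code. Assumptions (mine): textbook RED thresholds and a
per-class multiplier on the drop probability; class weights are invented.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RedConfig:
    min_th: float   # average queue length below which nothing is dropped
    max_th: float   # average queue length at or above which all is dropped
    max_p: float    # drop probability reached just below max_th


SAMPLE_CFG = RedConfig(min_th=10.0, max_th=30.0, max_p=0.1)


def red_drop_probability(avg_queue: float, cfg: RedConfig) -> float:
    """Textbook RED: 0 below min_th, 1 at max_th, linear ramp in between."""
    if avg_queue < cfg.min_th:
        return 0.0
    if avg_queue >= cfg.max_th:
        return 1.0
    return cfg.max_p * (avg_queue - cfg.min_th) / (cfg.max_th - cfg.min_th)


# Application-aware bias: bulk transfers are pushed back harder,
# interactive traffic is spared. Values are invented for the example.
CLASS_BIAS = {"bulk": 2.0, "default": 1.0, "interactive": 0.5}


def biased_drop_probability(avg_queue: float, cfg: RedConfig, traffic_class: str) -> float:
    """RED probability scaled by the class bias, clamped to [0, 1]."""
    p = red_drop_probability(avg_queue, cfg) * CLASS_BIAS.get(traffic_class, 1.0)
    return min(1.0, p)


def ewma_queue(avg: float, sample: float, weight: float = 0.002) -> float:
    """Exponentially weighted average queue length, as RED uses."""
    return (1.0 - weight) * avg + weight * sample


def simulate(n_per_class: int, avg_queue: float, cfg: RedConfig, seed: int = 7) -> dict:
    """Offer n packets of each class at a fixed average queue length and
    count how many each class loses. Seeded RNG keeps the run repeatable."""
    rng = random.Random(seed)
    drops = {c: 0 for c in CLASS_BIAS}
    for cls in CLASS_BIAS:
        p = biased_drop_probability(avg_queue, cfg, cls)
        for _ in range(n_per_class):
            if rng.random() < p:
                drops[cls] += 1
    return drops


if __name__ == "__main__":
    print(simulate(2000, 20.0, SAMPLE_CFG))
```

With the sample configuration an average queue of 20 gives an unbiased drop probability of 0.05; bulk traffic sees 0.10 and interactive traffic 0.025, so under the same congestion the bulk class absorbs most of the loss. The clamp matters at the top of the ramp: once RED itself reaches 1.0 the bias cannot push the probability above it.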
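Worked example for the weighted fair-share entry above (patent 7453804): the abstract describes giving unused or excess bandwidth to the partitions that can use it. This is an added illustration, not Packeteer's code. Assumptions that are mine: a flat set of partitions (the abstract also covers hierarchical configurations, which this does not model), each with a weight and an observed demand, and iterative water-filling as the redistribution mechanism.

```python
"""Weighted fair-share allocation with redistribution of unused bandwidth,
modelled on the abstract of 7453804. Added illustration, not Packeteer's
code. Assumptions (mine): flat partitions with (weight, demand); leftover
capacity is re-shared by weight among still-unsatisfied partitions.
"""


def weighted_fair_share(capacity: float, partitions: dict) -> dict:
    """partitions: {name: (weight, demand)}; demand may be float('inf').
    Returns {name: allocation}.

    Each round hands the remaining capacity out in proportion to weight,
    caps every partition at its demand, and carries the unused part into
    the next round for the partitions that still want more.
    """
    alloc = {name: 0.0 for name in partitions}
    remaining = float(capacity)
    unsatisfied = set(partitions)
    while remaining > 1e-9 and unsatisfied:
        total_weight = sum(partitions[n][0] for n in unsatisfied)
        handed_out = 0.0
        for name in sorted(unsatisfied):
            weight, demand = partitions[name]
            share = remaining * weight / total_weight
            give = min(share, demand - alloc[name])
            alloc[name] += give
            handed_out += give
        remaining -= handed_out
        unsatisfied = {n for n in unsatisfied
                       if alloc[n] < partitions[n][1] - 1e-9}
    return alloc


# Constructed sample: A can only use 10 of its 25-unit fair share.
SAMPLE = {"A": (1.0, 10.0), "B": (1.0, 100.0), "C": (2.0, 100.0)}

if __name__ == "__main__":
    print(weighted_fair_share(100.0, SAMPLE))
```

For the sample, the first round gives A, B and C 25, 25 and 50 units by weight; A can use only 10, so the 15 units it leaves are re-shared 1:2 between B and C in the second round, ending at 10, 30 and 60. Termination is guaranteed because every round either satisfies at least one partition or hands out everything that remains.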
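Worked example for the slow-start-aware bandwidth allocation entries above (patent 7426181, its continuation application 20080298391 and patent 8031601, which share an abstract). This is an added illustration, not Packeteer's code. Assumptions that are mine: the initial target is a fixed fraction of the estimated path capacity, the target doubles on each observed round (mirroring TCP slow-start) rather than on each packet, and it is capped at the estimate.

```python
"""Slow-start-aware target-rate assignment modelled on the shared abstract
of 7426181, 20080298391 and 8031601. Added illustration, not Packeteer's
code. Assumptions (mine): initial target = fraction of the capacity
estimate, doubling per observed round, capped at the estimate.
"""


def target_rate_schedule(capacity_estimate: float,
                         initial_fraction: float = 0.1,
                         growth: float = 2.0) -> list:
    """Target rates from the first assignment until the target reaches the
    estimated capacity of the path."""
    if not (0.0 < initial_fraction <= 1.0) or growth <= 1.0:
        raise ValueError("need 0 < initial_fraction <= 1 and growth > 1")
    target = capacity_estimate * initial_fraction
    schedule = [target]
    while target < capacity_estimate:
        target = min(target * growth, capacity_estimate)
        schedule.append(target)
    return schedule


def bandwidth_wasted_by_full_allocation(capacity_estimate: float, schedule: list) -> float:
    """Bandwidth reserved but unusable if the flow were assigned the full
    estimate from its first packet, assuming it actually ramps like the
    schedule (a slow-start flow cannot send faster than that anyway).
    The ramped scheme reserves exactly the schedule, so it wastes none."""
    return sum(capacity_estimate - t for t in schedule)


def spare_per_round(capacity_estimate: float, schedule: list) -> list:
    """What the ramped scheme leaves available to other flows each round."""
    return [capacity_estimate - t for t in schedule]


if __name__ == "__main__":
    s = target_rate_schedule(1000.0)
    print(s)
    print(bandwidth_wasted_by_full_allocation(1000.0, s))
```

For a 1000-unit estimate the schedule is 100, 200, 400, 800, 1000: the flow reaches the estimated capacity after four doublings, and over those rounds 2500 units that a full up-front allocation would have reserved for it stay available to other flows.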