Abstract: In accordance with an embodiment, described herein is a system and method for supporting patching in a multi-tenant application server environment. The system can associate one or more partitions with a tenant, for use by that tenant, wherein a partition is a runtime and administrative subdivision or slice of a domain. A patching process can take advantage of high-availability features provided by an application server clustering environment, to apply patches in a controlled, rolling restart, which maintains a domain's ability to operate without interruption, or with zero downtime. The process can be used to automate complex or long running tasks, including preserving an unpatched or prior version of an application server, application, or other software component for possible rollback, or providing automatic reversion in the event of an unrecoverable error.

Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method generates a graph of connections between data compute nodes (DCNs) in the datacenter. Each connection has an associated time period during which the connection is active. The method receives an anomalous event occurring during a particular time period at a particular DCN operating in the datacenter. The method analyzes the generated graph to determine a set of paths between DCNs in the datacenter that include connections to the particular DCN during the particular time period. The method uses the set of paths to identify a threat to the datacenter.

Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method receives a set of connections between a set of DCNs in the datacenter over a particular time period. The set of DCNs includes at least a first DCN at which a first anomalous event was detected. The method analyzes a set of detected anomalous events to identify additional anomalous events detected at other DCNs in the set of DCNs during the particular time period. Based on the first anomalous event and identified additional anomalous events, the method determines whether the anomalous events indicate a threat to the datacenter.

Abstract: Some embodiments provide a system for detecting threats to a datacenter. The system includes a set of processing units and a set of non-transitory machine-readable media storing an analysis appliance. The analysis appliance includes multiple event detectors that analyze information received from host computers in the datacenter to identify anomalous events occurring in the datacenter. The analysis appliance includes a graph generation module that generates a graph of connections between data compute nodes (DCNs) in the datacenter based on the information received from the host computers. The analysis appliance includes a lateral movement threat detection module that (i) uses the graph of connections to identify a set of connections between a set of the DCNs based on a particular anomalous event and (ii) uses the set of connections and the identified anomalous events to determine whether the set of connections is indicative of a lateral movement attack on the datacenter.

Abstract: Some embodiments provide a method for identifying policy misconfiguration in a datacenter. Based on flow data received for a plurality of data compute nodes (DCNs) in the datacenter, the method determines that an anomalous amount of data traffic relating to a particular DCN has been dropped. The method uses (i) the received flow data for the particular DCN and (ii) a set of recent policy configuration changes to determine policy configuration changes that contributed to the anomalous amount of dropped data traffic relating to the particular DCN. The method generates an alert for presentation to a user indicating the anomalous amount of data traffic and the contributing policy configuration changes.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rues to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.

Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.

Abstract: In accordance with an embodiment, described herein is a system and method for supporting partitions in a multitenant application server environment. In accordance with an embodiment, an application server administrator (e.g., a WLS administrator) can create or delete partitions; while a partition administrator can administer various aspects of a partition, for example create resource groups, deploy applications to a specific partition, and reference specific realms for a partition. Resource groups can be globally defined at the domain, or can be specific to a partition. Applications can be deployed to a resource group template at the domain level, or to a resource group scoped to a partition or scoped to the domain. The system can optionally associate one or more partitions with a tenant, for use by the tenant.

Abstract: A system and method for providing a service management engine for use with a cloud computing environment. In accordance with an embodiment, enterprise software applications (e.g., Fusion Middleware applications) can be instantiated as services within a cloud platform, where they are then made accessible by other (e.g., customer) applications. In an embodiment, a service management engine (SME), in communication with an orchestration engine, can be used to provision services as one or more different service types, according to a service definition package (SDP). Service types can be instantiated according to the configuration of the cloud platform itself, and the contents of the SDP, including discovering, provisioning, and associating service types with system resources, to address different customer requirements.

Abstract: In accordance with an embodiment, described herein is a system and method for supporting patching in a multi-tenant application server environment. The system can associate one or more partitions with a tenant, for use by that tenant, wherein a partition is a runtime and administrative subdivision or slice of a domain. A patching process can take advantage of high-availability features provided by an application server clustering environment, to apply patches in a controlled, rolling restart, which maintains a domain's ability to operate without interruption, or with zero downtime. The process can be used to automate complex or long running tasks, including preserving an unpatched or prior version of an application server, application, or other software component for possible rollback, or providing automatic reversion in the event of an unrecoverable error.

Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.

Abstract: In accordance with an embodiment, described herein is a system and method for supporting multi-tenancy in an application server, cloud, on-premise, or other environment, which enables categories of components and configurations to be associated with particular application instances or partitions. Resource group templates define, at a domain level, collections of deployable resources that can be referenced from resource groups. Each resource group is a named, fully-qualified collection of deployable resources that can reference a resource group template. A partition provides an administrative and runtime subdivision of the domain, and contains one or more resource groups. Each resource group can reference a resource group template, to bind deployable resources to partition-specific values, for use by the referencing partition. A tenant of the application server or cloud environment can be associated with a partition, or applications deployed therein, for use by that tenant.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives data indicating port usage for a particular time period for each of multiple destination data compute nodes (DCNs) executing on the host computers. For each DCN of a set of the destination DCNs, identifies whether the port usage for the particular time period deviates from a historical baseline port usage for the DCN. When the port usage for a particular DCN deviates from the historical baseline for the particular DCN, the method identifies the particular DCN as a target of a security threat.

Abstract: A system and method for providing a service management engine for use with a cloud computing environment. In accordance with an embodiment, enterprise software applications (e.g., Fusion Middleware applications) can be instantiated as services within a cloud platform, where they are then made accessible by other (e.g., customer) applications. In an embodiment, a service management engine (SME), in communication with an orchestration engine, can be used to provision services as one or more different service types, according to a service definition package (SDP). Service types can be instantiated according to the configuration of the cloud platform itself, and the contents of the SDP, including discovering, provisioning, and associating service types with system resources, to address different customer requirements.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rues to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.

Abstract: In accordance with an embodiment, described herein is a system and method for supporting multi-tenancy in an application server, cloud, on-premise, or other environment, which enables categories of components and configurations to be associated with particular application instances or partitions. Resource group templates define, at a domain level, collections of deployable resources that can be referenced from resource groups. Each resource group is a named, fully-qualified collection of deployable resources that can reference a resource group template. A partition provides an administrative and runtime subdivision of the domain, and contains one or more resource groups. Each resource group can reference a resource group template, to bind deployable resources to partition-specific values, for use by the referencing partition. A tenant of the application server or cloud environment can be associated with a partition, or applications deployed therein, for use by that tenant.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rues to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.

Abstract: Behavior-based security in a datacenter includes monitoring user actions made by users in the datacenter. Behavior-based risk scores are computer for users based on their monitored actions. One or more firewall rules are generated for users based on their behavior-based risk scores. The firewall rules regulate the actions of the users.

Abstract: Some embodiments provide a novel method for receiving a plurality of attribute sets from a set of host computers, each attribute set associated with a group of one or more flows that is created by using a key to associate individual flows into the group of flows. The appliance, in some embodiments, identifies at least two received attribute sets from two different host computers that relate to a same set of flows between a same set of source machines and a same set of destination machines. The appliance merges the two identified attribute sets into one merged attribute set and analyzes the merged attribute set to identify a set of properties of the flows in the groups of flows associated with the two identified attribute sets, in some embodiments.

Abstract: Some embodiments provide a novel method for correlating configuration data received from the network manager computer with flow group records. In some embodiments, the correlation with the configuration data identifies a group associated with at least one of: (i) the source machine, (ii) destination machine, and (iii) service rules applied to the flows. The correlation with the configuration data, in some embodiments, also identifies whether a service rule applied to the flows is a default service rule. In some embodiments, the correlation with the configuration is based on a tag included in the flow group record that identifies a configuration version, and a configuration associated with the identified configuration version is used to identify the group association or the identity of the default service rule.