Abstract: Example methods and systems for security threat analysis are described. One example may involve a first computer system configuring a test packet that includes malicious content for forwarding along a network path between (a) a first network element that is connected with a first virtualized computing instance and (b) a second network element that is connected with a second virtualized computing instance. The test packet may be injected at the first network element and forwarded towards the second network element. In response to a security checkpoint detecting the test packet, the security checkpoint may apply one or more security policies on the test packet; and generate and send report information towards a management entity. The report information may indicate whether the malicious content in the test packet is detectable based on the one or more security policies.

Abstract: Example methods and systems for context-aware intrusion detection are described. In one example, in response to determination that there is a matching intrusion detection signature based on packet flow information associated with a packet, a computer system may generate an intrusion detection alert that identifies the matching intrusion detection signature and the packet flow information. Further, the computer system may map the intrusion detection alert to contextual information, and generate a context-aware intrusion detection alert to trigger a context-aware remediation action based on at least the contextual information. The intrusion detection alert may be enhanced with context information associated with at least one of the following: the virtualized computing instance, a client device associated with the virtualized computing instance, and a user operating the client device.

Abstract: The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.