Abstract: The present disclosure provides engineered WNT agonists and methods of treating gastrointestinal disorders with modulators of the WNT signaling pathway.

Abstract: Example methods and systems for intrusion detection with adaptive pattern selection are described. In one example, a computer system may perform pattern selection by selecting a subset from a set of multiple patterns based on metric information. In response to receiving a packet belonging to a flow between a source endpoint and a destination endpoint, a first matching operation may be performed to determine whether the packet is matchable to a particular pattern from the set of multiple patterns or the subset. In response to determination that the packet is matchable to the particular pattern, a second matching operation may be performed to determine whether the packet is matchable to a particular signature. The metric information associated with the particular pattern may be updated based on the first matching operation and/or the second matching operation. This way, the subset may be updated based at least on the updated metric information.

Abstract: The method of some embodiments samples data flows. The method samples a first set of flows during a first time interval using a first logical port window for the first time interval. The first logical port window identifies a first set of non-contiguous layer 4 (L4) values in an L4 port range that are candidate values for sampling the flows during the first time interval. The method also samples a second set of flows during a second time interval using a second logical port window for the second time interval. The second logical port window identifies a second set of non-contiguous L4 values in an L4 port range that are candidate values for sampling the flows during the second time interval.

Abstract: Some embodiments provide a novel method for collecting and analyzing attributes of data flows associated with machines executing on a plurality of host computers to detect anomalous behavior. In some embodiments, an anomalous behavior is detected for at least one particular flow associated with at least one machine executing on the host computer. In some embodiments, anomaly detection is based on the context data from the guest introspection agent and deep packet inspection. An identifier of the detected anomalous behavior is stored, in some embodiments. The stored attributes are provided, in some embodiments, to a server for further analysis.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance, a set of agents for collecting context data relating to the flows from machines executing on the host, a set of additional modules that provide additional context data, an anomaly detection engine that analyzes flow data and context data and provides additional context data, and a context exporter for processing and publishing context data to the analysis appliance.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. The analysis appliance, in some embodiments, receives definitions of keys and provides them to the host computers. In some embodiments, existing keys are modified based on the analysis. Additionally, or alternatively, new keys are provided based on the analysis. In some embodiments, the analysis appliance receives the flow group records (e.g., sets of attributes) based on the keys and the configuration data from each host computer.

Abstract: The disclosure provides an approach for establishing authentication between components in a network. Embodiments deploying a node of a monitoring appliance in response to a request and providing a token for accessing a network manager to the node of the monitoring appliance. Embodiments include generating, by the node of the monitoring appliance, a certificate of the node of the monitoring appliance and providing the certificate of the node of the monitoring appliance to the network manager with the token for accessing the network manager. Embodiments include adding, by the network manager, based on the token for accessing the network manager, the certificate of the node of the monitoring appliance to a first trust store and providing, by the network manager, a network manager certificate to the node of the monitoring appliance. Embodiments include adding, by the node of the monitoring appliance, the network manager certificate to a second trust store.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. The host computer, in some embodiments, first eliminates duplicative flow group records and then aggregates the flow data according to a set of received keys that specify attributes that define the aggregation. For example, a simple key that specifies a set of machine identifiers (e.g., a VM ID) as attribute values will, for each machine identifier, aggregate all flows with that machine identifier into a single aggregated flow group record. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance.

Abstract: Example methods and systems for dynamic event processing for network diagnosis are described. In one example, a computer system may monitor a runtime flow of multiple packets to detect a set of multiple events associated with the runtime flow. The computer system may perform a first stage of event processing by matching the set of multiple events to a set of multiple signatures that includes a first signature and a second signature. The first signature may be associated with a first mapping rule that is fully satisfied by the set of multiple events. The second signature may be associated with a second mapping rule that is partially satisfied. During a second stage of event processing, the second signature is disregarded. In response to diagnosing an issue associated with the runtime flow, remediation action(s) may be performed.

Abstract: The disclosure provides an approach for establishing authentication between components in a network. Embodiments deploying a node of a monitoring appliance in response to a request and providing a token for accessing a network manager to the node of the monitoring appliance. Embodiments include generating, by the node of the monitoring appliance, a certificate of the node of the monitoring appliance and providing the certificate of the node of the monitoring appliance to the network manager with the token for accessing the network manager. Embodiments include adding, by the network manager, based on the token for accessing the network manager, the certificate of the node of the monitoring appliance to a first trust store and providing, by the network manager, a network manager certificate to the node of the monitoring appliance. Embodiments include adding, by the node of the monitoring appliance, the network manager certificate to a second trust store.

Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance, a set of agents for collecting context data relating to the flows from machines executing on the host, a set of additional modules that provide additional context data, an anomaly detection engine that analyzes flow data and context data and provides additional context data, and a context exporter for processing and publishing context data to the analysis appliance.

Abstract: Some embodiments provide a novel method for collecting and analyzing attributes of data flows associated with machines executing on a plurality of host computers to detect anomalous behavior. In some embodiments, an anomalous behavior is detected for at least one particular flow associated with at least one machine executing on the host computer. In some embodiments, anomaly detection is based on the context data from the guest introspection agent and deep packet inspection. An identifier of the detected anomalous behavior is stored, in some embodiments. The stored attributes are provided, in some embodiments, to a server for further analysis.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Each host computer, in some embodiments, is responsible for collecting and reporting attributes of data flows associated with machines executing on a host computer. The host computer, in some embodiments, first eliminates duplicative flow group records and then aggregates the flow data according to a set of received keys that specify attributes that define the aggregation. For example, a simple key that specifies a set of machine identifiers (e.g., a VM ID) as attribute values will, for each machine identifier, aggregate all flows with that machine identifier into a single aggregated flow group record. In some embodiments, the host computer includes a flow exporter that processes and publishes flow data to the analysis appliance.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. The analysis appliance, in some embodiments, receives definitions of keys and provides them to the host computers. In some embodiments, existing keys are modified based on the analysis. Additionally, or alternatively, new keys are provided based on the analysis. In some embodiments, the analysis appliance receives the flow group records (e.g., sets of attributes) based on the keys and the configuration data from each host computer.

Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.

Abstract: A computer system provides a method for identifying firewall rules to apply to a virtual machine based on detecting initiation of a new network connection from the virtual machine. An example method generally includes detecting initiation of communications on a network port by a virtual machine, identifying one or more applications executing on the virtual machine that initiated communications on the network port, identifying one or more firewall rules to apply to the virtual machine based, at least in part, on the identification of the one or more applications, determining a deviation between firewall rules applied to the virtual machine and the identified one or more firewall rules, and upon determining that a deviation exists between the firewall rules applied to the virtual machine and the identified one or more firewall rules, applying one or more rules corresponding to the determined deviation to the virtual machine.

Abstract: A computer system provides a method for identifying firewall rules to apply to a virtual machine based on detecting initiation of a new network connection from the virtual machine. An example method generally includes detecting initiation of communications on a network port by a virtual machine, identifying one or more applications executing on the virtual machine that initiated communications on the network port, identifying one or more firewall rules to apply to the virtual machine based, at least in part, on the identification of the one or more applications, determining a deviation between firewall rules applied to the virtual machine and the identified one or more firewall rules, and upon determining that a deviation exists between the firewall rules applied to the virtual machine and the identified one or more firewall rules, applying one or more rules corresponding to the determined deviation to the virtual machine.