Abstract: Some embodiments of the invention provide, for an intrusion detection and prevention system (IDPS) engine operating on a host computer deployed in a software-defined datacenter (SDDC), a method for detecting and analyzing malicious packet flows. Upon detecting a new packet flow, the method captures packets belonging to the new packet flow in a file. When the new packet flow ends, the method determines that a particular packet belonging to the new packet flow has triggered an alert indicating the particular packet includes a potentially malicious payload. The method annotates the file for the new packet flow with a set of contextual data that (1) specifies the new packet flow as a potentially malicious packet flow and (2) identifies the particular packet and at least one signature associated with the alert triggered by the particular packet.

Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives, from the set of servers, a set of one or more intrusion detection scripts to be enforced on the at least one host computer, the set of one or more intrusion detection scripts defined based on the multiple forwarded contextual attributes. The method uses the multiple contextual attributes to identify and resolve at least one intrusion detection script in the set of one or more intrusion detection scripts.

Abstract: Example methods and systems for context-aware intrusion detection are described. In one example, in response to determination that there is a matching intrusion detection signature based on packet flow information associated with a packet, a computer system may generate an intrusion detection alert that identifies the matching intrusion detection signature and the packet flow information. Further, the computer system may map the intrusion detection alert to contextual information, and generate a context-aware intrusion detection alert to trigger a context-aware remediation action based on at least the contextual information. The intrusion detection alert may be enhanced with context information associated with at least one of the following: the virtualized computing instance, a client device associated with the virtualized computing instance, and a user operating the client device.

Abstract: Example methods and systems for failure handling for service chaining with service path monitoring. One example may comprise a first computer system detecting a data packet that is being forwarded along a first service path. The first computer system may configure a liveness check query and send the liveness check query along with the data packet towards a service virtualized computing instance to cause a liveness check response. In response to detecting the liveness check response from the service virtualized computing instance, the first computer system may determine that the service virtualized computing instance is available. Otherwise, report information may be generated and sent to trigger a switch from the first service path to a second service path that excludes the service virtualized computing instance.

Abstract: Example methods and systems for failure handling for service chaining with service path monitoring. One example may comprise a first computer system detecting a data packet that is being forwarded along a first service path. The first computer system may configure a liveness check query and send the liveness check query along with the data packet towards a service virtualized computing instance to cause a liveness check response. In response to detecting the liveness check response from the service virtualized computing instance, the first computer system may determine that the service virtualized computing instance is available. Otherwise, report information may be generated and sent to trigger a switch from the first service path to a second service path that excludes the service virtualized computing instance.