Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.

Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.

Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.

Examples described herein relate to a method and a system, for example, a restore management system for providing secure restore of computing system. In some examples, the restore management system may determine that the computing system is restored. Further, the restore management system may isolate the computing system by restricting access to the computing system for any data traffic other than data traffic associated with a security fix to be applied to the computing system. Furthermore, the restore management system may determine that the security fix has been successfully applied to the computing system and, in response to determining that the security fix has been successfully applied, the restore management system may remove the computing system from isolation.

In accordance with some embodiments, a method and system for establishing the trustworthiness of software and running systems by analyzing software and its provenance using automated means. In some embodiments, a risk score is produced. In some embodiments, software is analyzed for insecure behavior or structure. In some embodiments, parts of the software are hardened by producing possibly multiple different versions of the software with different hardening techniques applied, and a choice can be made based on user or environmental needs. In some embodiments, the software is verified and constraints are enforced on the endpoint using techniques such as verification injection and secure enclaves. In some embodiments, endpoint injection is managed through container orchestration.

In accordance with some embodiments, a method and system for establishing the trustworthiness of software and running systems by analyzing software and its provenance using automated means. In some embodiments, a risk score is produced. In some embodiments, software is analyzed for insecure behavior or structure. In some embodiments, parts of the software are hardened by producing possibly multiple different versions of the software with different hardening techniques applied, and a choice can be made based on user or environmental needs. In some embodiments, the software is verified and constraints are enforced on the endpoint using techniques such as verification injection and secure enclaves. In some embodiments, endpoint injection is managed through container orchestration.

A method for a cyber threat defense system is provided. The method comprises receiving a first abnormal behavior pattern where the first abnormal behavior pattern represents behavior on a first network deviating from a normal benign behavior of that network; and receiving a second abnormal behavior pattern where the second abnormal behavior pattern representing either behavior on the first network or on a second network deviating from a normal benign behavior of that network. The method further comprises comparing the first and second abnormal behavior patterns to determine a similarity score between the first and second abnormal behavior patterns and determining, based on the comparison, that the first abnormal behavior pattern likely corresponds to malicious behavior when the similarity score is above a threshold. A corresponding non-transitory computer readable medium is also provided.

Systems and methods for attesting an enclave in a network. A method includes receiving, by a first device, proof information from an application provider entity that the enclave is secure, wherein the proof information includes a public part, Ga, of information used by the enclave to derive a Diffie-Hellman key in a key generation process with the application provider entity, processing, by the first device, the proof information to verify that the enclave is secure and ensuring that Ga is authentic and/or valid, deriving, by the first device, a new Diffie-Hellman key, based on Ga and x, wherein x is a private part of information used by the first device to derive the new Diffie-Hellman key, and sending, by the first device, a message including Ga and a public part, Gx, of the information used by the first device to derive the new Diffie-Hellman key to the enclave.

In one embodiment, a system for managing communication connections in a virtualization environment includes a plurality of host machines implementing a virtualization environment, wherein each of the host machines includes a hypervisor, at least one user virtual machine (user VM), and a distributed file server that includes file server virtual machines (FSVMs) and associated local storage devices. Each FSVM and associated local storage device are local to a corresponding one of the host machines, and the FSVMs conduct I/O transactions with their associated local storage devices based on I/O requests received from the user VMs. Each of the user VMs on each host machine sends each of its respective I/O requests to an FSVM that is selected by one or more of the FSVMs for each I/O request based on a lookup table that maps a storage item referenced by the I/O request to the selected one of the FSVMs.

In one embodiment, a system for managing communication connections in a virtualization environment includes a plurality of host machines implementing a virtualization environment, wherein each of the host machines includes a hypervisor, at least one user virtual machine (user VM), and a distributed file server that includes file server virtual machines (FSVMs) and associated local storage devices. Each FSVM and associated local storage device are local to a corresponding one of the host machines, and the FSVMs conduct I/O transactions with their associated local storage devices based on I/O requests received from the user VMs. Each of the user VMs on each host machine sends each of its respective I/O requests to an FSVM that is selected by one or more of the FSVMs for each I/O request based on a lookup table that maps a storage item referenced by the I/O request to the selected one of the FSVMs.