公开(公告)号：US20220215088A1

公开(公告)日：2022-07-07

申请号：US17576432

申请日：2022-01-14

Applicant: NeuVector, Inc.

Inventor： Glen K. Kosaka ,  Gang Duan ,  Fei Huang

IPC: G06F21/53 ,  G06F9/451 ,  G06F9/455

Abstract: A policy interpreter detects that an application container has been added in a container system, and opens a stored manifest for the application container. The policy interpreter retrieves running services information regarding the application container, and generates a security policy for the application container. The security policy defines a set of actions for which the application container can perform, and the set of actions are determined using the manifest and the running service information associated with the application container. The policy interpreter loads the security policy at a security container. The security container blocks an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy. The policy interpreter transmits the security policy to a graphical user interface container for presentation to a user via a display device.

公开(公告)号：US11075884B2

公开(公告)日：2021-07-27

申请号：US16265850

申请日：2019-02-01

Applicant: NeuVector, Inc.

Inventor： Yuncong Feng ,  Gang Duan

IPC: H04L29/06 ,  H04L29/08 ,  H04L12/741

Abstract: A security monitor monitors network communications at a loopback interface of a pod in the container system. The pod includes a service mesh proxy and an application container. The application container includes computer-readable instructions and is initiated via a container service and is isolated using operating system-level virtualization. The application container communicates with the service mesh proxy using the loopback interface. The security monitor extracts network address and port information from packet data in the network communications at the loopback interface. The security monitor determines one or more connection contexts of the network communications at the loopback interface, each connection context used to identify a network session of the application container with a remote application container.

公开(公告)号：US10185638B2

公开(公告)日：2019-01-22

申请号：US15151461

申请日：2016-05-10

Applicant: NeuVector, Inc.

Inventor： Gang Duan

IPC: G06F9/46 ,  G06F11/20 ,  H04L29/06 ,  G06F11/16 ,  G06F9/455

Abstract: A security container of a container environment monitors a resource load in a container environment, the container environment including a container service providing operating system-level virtualization for one or more application containers connected to a virtual switch within the container environment, the one or more application containers having their traffic intercepted by the security container for inspection. The security container activates, in response to determining that the monitored resource load meets a condition in a network load policy, a new security container. The security container determines a subset of the one or more application containers to be associated with the new security container, and transfers the network connections and network sessions of the subset of the one or more application containers to the new security container.

公开(公告)号：US11232192B2

公开(公告)日：2022-01-25

申请号：US16238524

申请日：2019-01-03

Applicant: NeuVector, Inc.

Inventor： Glen K. Kosaka ,  Gang Duan ,  Fei Huang

IPC: G06F21/53 ,  G06F9/451 ,  G06F9/455

Abstract: A policy interpreter detects that an application container has been added in a container system, and opens a stored manifest for the application container. The policy interpreter retrieves running services information regarding the application container, and generates a security policy for the application container. The security policy defines a set of actions for which the application container can perform, and the set of actions are determined using the manifest and the running service information associated with the application container. The policy interpreter loads the security policy at a security container. The security container blocks an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy. The policy interpreter transmits the security policy to a graphical user interface container for presentation to a user via a display device.

公开(公告)号：US20170353499A1

公开(公告)日：2017-12-07

申请号：US15427004

申请日：2017-02-07

Applicant: NeuVector, Inc.

Inventor： Fei Huang ,  Gang Duan

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/20 ,  G06F9/45558 ,  G06F2009/45587 ,  H04W12/08

Abstract: The various implementations described herein include systems, methods and/or devices method for applying security policies in a virtualization environment. In one aspect, the method is performed at an electronic device of a plurality of electronic devices in a computing network, the electronic device having one or more processors and memory storing instructions for execution by the one or more processors. A plurality of user-space instances is instantiated. Furthermore, a security instance distinct from the plurality of user-space instances is instantiated. The security instance, which executes in user space of a respective virtual address space, monitors operations and data communications for the plurality of user-space instances. The security instance applies security policies to the monitored operations and data communications for the plurality of user-space instances so as to detect and/or remediate violations of the security policies.

公开(公告)号：US20170353498A1

公开(公告)日：2017-12-07

申请号：US15426998

申请日：2017-02-07

Applicant: NeuVector, Inc.

Inventor： Fei Huang ,  Gang Duan

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/20 ,  G06F9/45558 ,  G06F2009/45587 ,  H04W12/08

Abstract: The various implementations described herein include systems, methods and/or devices method for applying security policies in a virtualization environment. In one aspect, the method is performed at an electronic device of a plurality of electronic devices in a computing network, the electronic device having one or more processors and memory storing instructions for execution by the one or more processors. A plurality of user-space instances is instantiated. Respective properties that characterize the user-space instances are identified, and based on the identified properties, respective security policies that define authorized or unauthorized operations and data communications for user-space instances are identified. Furthermore, the identified security policies are applied so as to detect and/or remediate violations of the identified set of security policies.

公开(公告)号：US20230412628A1

公开(公告)日：2023-12-21

申请号：US18452539

申请日：2023-08-20

Applicant: NeuVector, Inc.

Inventor： Fei Huang ,  Gang Duan ,  Zang Li

IPC: H04L9/40 ,  H04L43/06 ,  G06F9/455 ,  H04L41/22

CPC classification number: H04L63/1425 ,  H04L43/06 ,  G06F2009/45591 ,  H04L41/22 ,  H04L63/168 ,  G06F9/45558

Abstract: A container system monitors one or more activities of an application container in a container system by intercepting data from the one or more activities of the application container. The application container includes computer-readable instructions and initiated via a container service and isolated using operating system-level virtualization. The monitoring is performed at a layer between the app container and the container service. The container system also transmits a report of the intercepted one or more activities to a designated source. The container system inspects the intercepted one or more activities, and in response to the intercepted one or more activities violating a policy in a policy store, triggers an action specified in the policy.

公开(公告)号：US20190394219A1

公开(公告)日：2019-12-26

申请号：US16019368

申请日：2018-06-26

Applicant: NeuVector, Inc.

Inventor： Fei Huang ,  Gang Duan ,  Zang Li

IPC: H04L29/06 ,  H04L12/26 ,  H04L12/24 ,  G06F9/455

Abstract: A container system monitors one or more activities of an application container in a container system by intercepting data from the one or more activities of the application container. The application container includes computer-readable instructions and initiated via a container service and isolated using operating system-level virtualization. The monitoring is performed at a layer between the app container and the container service. The container system also transmits a report of the intercepted one or more activities to a designated source. The container system inspects the intercepted one or more activities, and in response to the intercepted one or more activities violating a policy in a policy store, triggers an action specified in the policy.

公开(公告)号：US10341387B2

公开(公告)日：2019-07-02

申请号：US15427004

申请日：2017-02-07

Applicant: NeuVector, Inc.

Inventor： Fei Huang ,  Gang Duan

IPC: G06F17/00 ,  H04L29/06 ,  G06F9/455 ,  H04W12/08

Abstract: The various implementations described herein include systems, methods and/or devices method for applying security policies in a virtualization environment. In one aspect, the method is performed at an electronic device of a plurality of electronic devices in a computing network, the electronic device having one or more processors and memory storing instructions for execution by the one or more processors. A plurality of user-space instances is instantiated. Furthermore, a security instance distinct from the plurality of user-space instances is instantiated. The security instance, which executes in user space of a respective virtual address space, monitors operations and data communications for the plurality of user-space instances. The security instance applies security policies to the monitored operations and data communications for the plurality of user-space instances so as to detect and/or remediate violations of the security policies.

公开(公告)号：US20170093921A1

公开(公告)日：2017-03-30

申请号：US15151455

申请日：2016-05-10

Applicant: NeuVector, Inc.

Inventor： Gang Duan

IPC: H04L29/06 ,  H04L12/931 ,  H04L12/713 ,  G06F9/455

CPC classification number: G06F9/45558 ,  G06F9/455 ,  G06F9/45533 ,  G06F2009/45562 ,  G06F2009/45587 ,  G06F2009/45595 ,  H04L45/306 ,  H04L45/586 ,  H04L49/70 ,  H04L63/1408 ,  H04L67/36

Abstract: A security container of a container environment receives an indication of a new application container connected to a virtual switch of a server, the connection established by a container service providing operating system-level virtualization for each application container. The security container disconnects a first connection from the virtual switch to the application container at the application container. The security container connects the first connection from the virtual switch to the security container. The security container establishes a second connection from the security container to the application container. The security container receives data from the application container. The security container inspects the received data for network security. The security container forwards the received data to an intended destination via the virtual switch.