US 12,261,859 B2
System and method for capturing malicious flows and associated context for threat analysis
Robin Manhas, Santa Clara, CA (US); Nafisa Mandliwala, Sunnyvale, CA (US); Sirisha Myneni, Santa Clara, CA (US); and Srinivas Ramaswamy, Dublin, CA (US)
Assigned to VMware LLC, Palo Alto, CA (US)
Filed by VMware LLC, Palo Alto, CA (US)
Filed on Nov. 10, 2022, as Appl. No. 17/985,089.
Prior Publication US 2024/0163294 A1, May 16, 2024
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/1425 (2013.01); H04L 63/1441 (2013.01)] 20 Claims
 
1. For an intrusion detection and prevention system (IDPS) engine operating on a host computer deployed in a software-defined datacenter (SDDC), a method for detecting and analyzing malicious packet flows, the method comprising:
upon detecting a new packet flow, capturing packets belonging to the new packet flow in a file;
when the new packet flow ends, determining that a particular packet belonging to the new packet flow has triggered an alert indicating the particular packet includes a potentially malicious payload;
annotating the file for the new packet flow with a set of contextual data that (i) specifies the new packet flow as a potentially malicious packet flow and (ii) identifies the particular packet and at least one signature associated with the alert triggered by the particular packet; and
sending the annotated file to a network management server to analyze the set of contextual data to extract further information regarding the potentially malicious payload.
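The capture, flow-end determination, annotation and hand-off sequence of claim 1, sketched in Python as an added illustration; this is not VMware's implementation, and the signature table, flow identifiers, in-memory capture "file" and the list standing in for the network management server are constructed assumptions.

```python
from dataclasses import dataclass
import json

# Constructed signature table: hypothetical ids and byte patterns, not from the patent.
SIGNATURES = {"SIG-1001": b"/etc/passwd", "SIG-1002": b"cmd.exe"}


@dataclass
class Packet:
    flow_id: str   # e.g. a 5-tuple rendered as a string (constructed)
    seq: int       # position of the packet within its flow
    payload: bytes


class FlowCaptureEngine:
    """Per-flow capture with verdict and annotation deferred to flow end."""

    def __init__(self):
        self.captures = {}   # flow_id -> captured packets (stands in for the per-flow file)
        self.sent = []       # stands in for the network management server's inbox

    def on_packet(self, pkt):
        # First packet of a flow opens its capture; every later packet is appended.
        self.captures.setdefault(pkt.flow_id, []).append(pkt)

    def on_flow_end(self, flow_id):
        pkts = self.captures.pop(flow_id, [])
        # Determination happens only now: find the first packet whose payload
        # matches a signature, which is the packet that triggered the alert.
        alert = next(((p.seq, sig) for p in pkts
                      for sig, pattern in SIGNATURES.items()
                      if pattern in p.payload), None)
        if alert is None:
            return None   # benign flow: capture is discarded, nothing is sent
        seq, sig_id = alert
        # Annotate the capture with the contextual data named in the claim.
        annotated = {
            "flow_id": flow_id,
            "verdict": "potentially_malicious",
            "alert_packet_seq": seq,
            "signature": sig_id,
            "packets": [{"seq": p.seq, "payload": p.payload.hex()} for p in pkts],
        }
        self.sent.append(json.dumps(annotated))   # hand-off for further analysis
        return annotated
```

Only flows that raised an alert reach the management server; the capture for a benign flow is dropped at flow end.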