Patent attributes
A service provider may deploy a security threat detection and mitigation platform in a multi-tenant virtualization environment that includes pluggable data collection, data analysis, and response components. The data analysis components may apply machine learning techniques to generate (based on training data sets) and refine (based on subsequently received data sets and feedback about the resulting classifications) predictors configured to detect particular types of security threats, such as denial of service attacks, botnets, scans, or remote desktop attacks. A data collection layer may collect, filter, organize, and curate network packet traffic data, network packet header data, or other information emitted by computing instances or applications executing on them, and provide the curated data as streams to the analysis layer. A response layer may automatically take action in response to threat detections (which may be overridden by an administrator) and may store classification data for subsequent analysis, feedback, and predictor refinement.
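To make the three-layer architecture concrete, the following Python sketch is an added example written for this page; it is not the patent's implementation and does not claim to be. It models a data collection layer that curates constructed packet-header records into per-source streams, an analysis layer whose predictor classifies sources (a distinct-destination-port rule stands in for a trained machine-learning model), and a response layer that acts automatically unless an administrator override is present, stores its classifications, and feeds administrator verdicts back into predictor refinement. All record values, thresholds, names and the `"scan"`/`"benign"` labels are assumptions made for the illustration.

```python
"""Toy collect -> analyse -> respond pipeline (illustrative, not the patented system)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of network packet header records, not real traffic:
# (timestamp, source IP, destination IP, destination port, protocol)
SAMPLE_HEADERS = [
    (1.0, "10.0.0.5", "10.0.1.10", 22,   "tcp"),
    (1.1, "10.0.0.5", "10.0.1.10", 80,   "tcp"),
    (1.2, "10.0.0.5", "10.0.1.10", 443,  "tcp"),
    (1.3, "10.0.0.5", "10.0.1.10", 3389, "tcp"),
    (1.4, "10.0.0.5", "10.0.1.10", 8080, "tcp"),
    (2.0, "10.0.0.7", "10.0.1.10", 443,  "tcp"),
    (2.1, "10.0.0.7", "10.0.1.10", 443,  "tcp"),
    (2.2, "10.0.0.9", "10.0.1.10", 53,   "udp"),
]


def curate(headers, protocols=("tcp",)):
    """Data collection layer: keep only the protocols of interest and organise
    the headers into one stream per source address for the analysis layer."""
    streams = defaultdict(list)
    for ts, src, dst, dport, proto in headers:
        if proto in protocols:
            streams[src].append({"ts": ts, "dst": dst, "dport": dport})
    return dict(streams)


@dataclass
class DistinctPortPredictor:
    """Stand-in for a trained predictor (assumed rule, not a learned model):
    a source is labelled 'scan' when it touches at least `threshold` distinct
    destination ports within any `window`-second span of its stream."""
    threshold: int = 5
    window: float = 10.0

    def classify(self, streams):
        labels = {}
        for src, events in streams.items():
            events = sorted(events, key=lambda e: e["ts"])
            label = "benign"
            for i, first in enumerate(events):
                ports = {e["dport"] for e in events[i:]
                         if e["ts"] - first["ts"] <= self.window}
                if len(ports) >= self.threshold:
                    label = "scan"
                    break
            labels[src] = label
        return labels

    def refine(self, feedback, streams):
        """Refinement from administrator feedback: a false-positive verdict
        raises the threshold above what that source actually did, so the same
        behaviour is no longer classified as a scan. Returns the new threshold."""
        for src, verdict in feedback.items():
            if verdict == "false_positive" and src in streams:
                seen = len({e["dport"] for e in streams[src]})
                self.threshold = max(self.threshold, seen + 1)
        return self.threshold


@dataclass
class ResponseLayer:
    """Response layer: blocks sources labelled 'scan' unless an administrator
    override exists, and records every classification for later analysis."""
    overrides: set = field(default_factory=set)
    history: list = field(default_factory=list)

    def respond(self, labels):
        actions = []
        for src, label in labels.items():
            if label == "scan" and src not in self.overrides:
                actions.append(("block", src))
            self.history.append((src, label))
        return actions


def run_pipeline(headers, predictor, responder):
    """Wire the three layers together; returns (labels, actions)."""
    streams = curate(headers)
    labels = predictor.classify(streams)
    actions = responder.respond(labels)
    return labels, actions


if __name__ == "__main__":
    predictor, responder = DistinctPortPredictor(), ResponseLayer()
    print(run_pipeline(SAMPLE_HEADERS, predictor, responder))
    # Administrator marks the detection as a false positive; the predictor adapts.
    print(predictor.refine({"10.0.0.5": "false_positive"}, curate(SAMPLE_HEADERS)))
    print(predictor.classify(curate(SAMPLE_HEADERS)))
```

The point of the sketch is the plumbing rather than the detector: each layer exposes a small interface (`curate`, `classify`, `respond`, `refine`) so a collector, predictor or responder can be swapped without touching the others, and the feedback path closes the loop that the abstract describes between stored classifications and predictor refinement.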