Abstract: Aspects of the present invention disclose a method and system for anomaly detection for a data source. The method includes one or more processors identifying unexpected values of monitoring measurands in a monitored time series utilizing an anomaly detection algorithm. A data source provides sensor data, including values of a first group of measurands, which include monitoring measurands. The method further includes determining that values of a second group of one or more of the measurands of a subset of sensor data indicates an anomaly utilizing the anomaly detection algorithm. The method further includes sending anomalous data indicative of the subset of sensor data to a root cause analysis system and receiving corresponding feedback that is indicative of a result of a root cause analysis of the subset of sensor data and comprises a third group of the measurands. The method further includes adapting the anomaly detection algorithm.

Abstract: Embodiments of the invention include a computer-implemented method for detecting anomalies in non-stationary data in a network of computing entities. The method collects non-stationary data in the network and classifies the non-stationary data according to a non-Markovian, stateful classification, based on an inference model. Anomalies can then be detected, based on the classified data. The non-Markovian, stateful process allows anomaly detection even when no a priori knowledge of anomaly signatures or malicious entities exists. Anomalies can be detected in real time (e.g., at speeds of 10-100 Gbps) and the network data variability can be addressed by implementing a detection pipeline to adapt to changes in traffic behavior through online learning and retain memory of past behaviors. A two-stage scheme can be relied upon, which involves a supervised model coupled with an unsupervised model.

Abstract: In a computer-implemented method for providing obfuscated data to users, first, a user request to access data is received; then, an authorization level associated with the request received is identified. Next, obfuscated data is accessed in a protected enclave, which data corresponds to the request received. The data accessed has been obfuscated with an obfuscation algorithm that yields a level of obfuscation compatible with the authorization level identified. Finally, the obfuscated data accessed is provided to the user, from the protected enclave. Related systems and computer program products are also disclosed.

Abstract: Optimizing a network comprising a core computing system (CCS) and a set of edge computing devices (ECDs), wherein each of the ECDs locally performs computations based on a trained machine learning (ML) model. A plurality of ML models are continually trained at the CCS, concurrently, based on data collected from the ECDs. One or more states of the network and/or components thereof are monitored. The monitored states are relied upon to decide (when) to change a trained ML model as currently used by any of the ECDs to perform said computations. It may be decided to change the model used by a given one of the ECDs to perform ML-based computations. One of the models as trained at the CCS is selected (based on the monitored states) and corresponding parameters are sent to this ECD. The latter can resume computations according to a trained model.

Abstract: Aspects of the present invention disclose a method and system for troubleshooting. The method includes identifying data sources providing sensor data, including a first group of measurands. The method further includes processors determining that values of a second group of the measurands of a subset of the sensor data (provided by a given data source, comprising a component set) indicates an anomaly. The method further includes determining a third group of the measurands that are root cause candidates of the anomaly. The measurands of the third group are provided by the component set. The method further includes assigning a set of coefficients to respective measurands. Each coefficient is indicative of a comparison result of each measurand with a measurand of the third group. The method further includes determining, using the sets of coefficients, whether a specific subset of the component set can be identified as an anomaly root cause.

Abstract: A computer-implemented method of controlling communication resources and computation resources of a computerized system includes continually monitoring dual observables. The dual observables include one or more communication observables pertaining to one or more communication channels of the system, and one or more compute observables pertaining to a computational workload execution by a processor of the system. The method also includes jointly adjusting dual resources of the system based on the dual observables monitored, where the dual resources include communication resources for the one or more communication channels, and computation resources for the computational workload execution. Such a method can be used for sprinting both communication and computational resources, in a consistent way, for the system to best cope with temporary situations, in terms of both workload execution and data traffic. The invention is further directed to related systems and computer program products.

Abstract: Aspects of the present invention disclose a method and system for troubleshooting. The method includes identifying data sources providing sensor data, including a first group of measurands. The method further includes processors determining that values of a second group of the measurands of a subset of the sensor data (provided by a given data source, comprising a component set) indicates an anomaly. The method further includes determining a third group of the measurands that are root cause candidates of the anomaly. The measurands of the third group are provided by the component set. The method further includes assigning a set of coefficients to respective measurands. Each coefficient is indicative of a comparison result of each measurand with a measurand of the third group. The method further includes determining, using the sets of coefficients, whether a specific subset of the component set can be identified as an anomaly root cause.

Abstract: Aspects of the present invention disclose a method and system for anomaly detection for a data source. The method includes one or more processors identifying unexpected values of monitoring measurands in a monitored time series utilizing an anomaly detection algorithm. A data source provides sensor data, including values of a first group of measurands, which include monitoring measurands. The method further includes determining that values of a second group of one or more of the measurands of a subset of sensor data indicates an anomaly utilizing the anomaly detection algorithm. The method further includes sending anomalous data indicative of the subset of sensor data to a root cause analysis system and receiving corresponding feedback that is indicative of a result of a root cause analysis of the subset of sensor data and comprises a third group of the measurands. The method further includes adapting the anomaly detection algorithm.

Abstract: Methods and apparatus are provided for managing data flows in a switch connected in a network. Such a method includes monitoring a set of data flows traversing the switch for compliance with a predetermined resource-usage policy, and, in response to detection of a non-compliant data flow, mirroring a set of data packets of that flow to send respective mirror packets to a mirror port of the switch. The method further comprises using the mirror packets sent to the mirror port to construct a non-compliance notification for the non-compliant flow, and sending the non-compliance notification into the network. The resource-usage policy can be defined such that the switch is operable to send a non-compliance notification before occurrence of congestion due to the non-compliant flow.

Abstract: A computer-implemented method of controlling communication resources and computation resources of a computerized system includes continually monitoring dual observables. The dual observables include one or more communication observables pertaining to one or more communication channels of the system, and one or more compute observables pertaining to a computational workload execution by a processor of the system. The method also includes jointly adjusting dual resources of the system based on the dual observables monitored, where the dual resources include communication resources for the one or more communication channels, and computation resources for the computational workload execution. Such a method can be used for sprinting both communication and computational resources, in a consistent way, for the system to best cope with temporary situations, in terms of both workload execution and data traffic. The invention is further directed to related systems and computer program products.

Abstract: In a computer-implemented method for providing obfuscated data to users, first, a user request to access data is received; then, an authorization level associated with the request received is identified. Next, obfuscated data is accessed in a protected enclave, which data corresponds to the request received. The data accessed has been obfuscated with an obfuscation algorithm that yields a level of obfuscation compatible with the authorization level identified. Finally, the obfuscated data accessed is provided to the user, from the protected enclave. Related systems and computer program products are also disclosed.

Abstract: Embodiments of the invention provide a computer-implemented method for managing cryptographic objects in a key management system. This system comprises a set of one or more hardware security modules (HSMs), as well as clients interacting with the HSMs on behalf of users who interact with the clients. The method comprises monitoring, for each HSM of the set, an entropy pool and/or a load at each HSM. The entropy pool of a HSM is the entropy that is available at this HSM for generating cryptographic objects. The load induced at a HSM is the load due to the users interacting with the clients to obtain cryptographic objects. Cryptographic objects are generated, at each HSM, according to the monitored entropy pool and/or load. The extent to which such objects are generated depends on the monitored entropy pool and/or load.

Abstract: Distinct sets of non-stationary data seen on a switch in data communication with one or more of computerized units in a network, are mirrored via two switch ports, which include a first port and a second port. A dual analysis is performed while mirroring said distinct sets of data. First data obtained from data mirrored at the first port are analyzed (e.g., using a trained machine learning model) and, based on the first data analyzed, the switch is reconfigured for the second port to mirror second data, which are selected from non-stationary data as seen on the switch (e.g., data received and/or transmitted by the switch). The second data mirrored at the second port is analyzed (e.g., using a different analysis scheme, suited for the selected data).

Abstract: Optimizing a network comprising a core computing system (CCS) and a set of edge computing devices (ECDs), wherein each of the ECDs locally performs computations based on a trained machine learning (ML) model . A plurality of ML models are continually trained at the CCS, concurrently, based on data collected from the ECDs. One or more states of the network and/or components thereof are monitored. The monitored states are relied upon to decide (when) to change a trained ML model as currently used by any of the ECDs to perform said computations. It may be decided to change the model used by a given one of the ECDs to perform ML-based computations. One of the models as trained at the CCS is selected (based on the monitored states) and corresponding parameters are sent to this ECD. The latter can resume computations according to a trained model.

Abstract: Methods and apparatus are provided for managing data flows in a switch connected in a network. Such a method includes monitoring a set of data flows traversing the switch for compliance with a predetermined resource-usage policy, and, in response to detection of a non-compliant data flow, mirroring a set of data packets of that flow to send respective mirror packets to a mirror port of the switch. The method further comprises using the mirror packets sent to the mirror port to construct a non-compliance notification for the non-compliant flow, and sending the non-compliance notification into the network. The resource-usage policy can be defined such that the switch is operable to send a non-compliance notification before occurrence of congestion due to the non-compliant flow.

Abstract: Embodiments of the invention include a computer-implemented method for detecting anomalies in non-stationary data in a network of computing entities. The method collects non-stationary data in the network and classifies the non-stationary data according to a non-Markovian, stateful classification, based on an inference model. Anomalies can then be detected, based on the classified data. The non-Markovian, stateful process allows anomaly detection even when no a priori knowledge of anomaly signatures or malicious entities exists. Anomalies can be detected in real time (e.g., at speeds of 10-100 Gbps) and the network data variability can be addressed by implementing a detection pipeline to adapt to changes in traffic behavior through online learning and retain memory of past behaviors. A two-stage scheme can be relied upon, which involves a supervised model coupled with an unsupervised model.

Abstract: Embodiments of the invention provide a computer-implemented method for managing cryptographic objects in a key management system. This system comprises a set of one or more hardware security modules (HSMs), as well as clients interacting with the HSMs on behalf of users who interact with the clients. The method comprises monitoring, for each HSM of the set, an entropy pool and/or a load at each HSM. The entropy pool of a HSM is the entropy that is available at this HSM for generating cryptographic objects. The load induced at a HSM is the load due to the users interacting with the clients to obtain cryptographic objects. Cryptographic objects are generated, at each HSM, according to the monitored entropy pool and/or load. The extent to which such objects are generated depends on the monitored entropy pool and/or load.

Abstract: Embodiments of the invention are directed to a computer-implemented method for monitoring a computerized network comprising several nodes that are, each, configured for receiving and/or sending data packets via one or more communication channels, such that physical queues of data packets arriving at and/or departing from each of the nodes may form in said one or more communication channels. According to this method, virtual queues are maintained, wherein each of said virtual queues simulates a queue of data packets in a virtual channel associated to one of said one or more communication channels, wherein the service rate of said virtual channel can be varied. The virtual queues maintained are further monitored. Finally, this method comprises varying a service rate of one or more virtual channels, on which queues are respectively simulated by one or more of the virtual queues maintained.

Abstract: Embodiments of the present invention may provide improved handling of communication characteristics, such as burstiness, latency-sensitive applications, bandwidth-sensitive applications, etc., to improve peak performance while not compromising other characteristics, such as thermal design power of the input/output chip packages. In an embodiment, in a control circuit that may be connected to and control a data transmitter, a method of transmitting data in a network may comprise receiving at least one feed-forward signal from the data transmitter, receiving at least one feedback signal from at least a first node of the network, comparing the at least one feed-forward signal with at least one threshold or condition, comparing the at least one feedback signal with at least one threshold or condition, and generating a signal indicating that a burst transmission should be started or stopped.

Abstract: Embodiments of the invention are directed to a computer-implemented method for monitoring a computerized network comprising several nodes that are, each, configured for receiving and/or sending data packets via one or more communication channels, such that physical queues of data packets arriving at and/or departing from each of the nodes may form in said one or more communication channels. According to this method, virtual queues are maintained, wherein each of said virtual queues simulates a queue of data packets in a virtual channel associated to one of said one or more communication channels, wherein the service rate of said virtual channel can be varied. The virtual queues maintained are further monitored. Finally, this method comprises varying a service rate of one or more virtual channels, on which queues are respectively simulated by one or more of the virtual queues maintained.