Abstract: Techniques for orchestrating workloads based on policy to operate in optimal host and/or network proximity in cloud-native environments are described herein. The techniques may include receiving flow data associated with network paths between workloads hosted by a cloud-based network. Based at least in part on the flow data, the techniques may include determining that a utilization of a network path between a first workload and a second workload is greater than a relative utilization of other network paths between the first workload and other workloads. The techniques may also include determining that reducing the network path would optimize communications between the first workload and the second workload without adversely affecting communications between the first workload and the other workloads. The techniques may also include causing at least one of a redeployment or a network path re-routing to reduce the networking proximity between the first workload and the second workload.

Abstract: Techniques for tunneling Layer 2 ethernet frames over a connection tunnel using the MASQUE protocol are described herein. The MASQUE protocol may be extended to include a new entity, configured to proxy ethernet frames using a MASQUE proxy connection, and an associated CONNECT method, CONNECT-ETH. Using the extended MASQUE protocol, an Ethernet over MASQUE (EoMASQUE) tunnel may then be established between various networks that are remote from one another and connected to the internet. An EoMASQUE tunnel, established between separate remote client premises, and/or between a remote client premise and an enterprise premise, may tunnel ethernet packets between the endpoints. Additionally, a first EoMASQUE tunnel, established between a first client router provisioned in a first remote client premise and an EoMASQUE proxy node, and a second EoMASQUE tunnel, established between a second client premise and the EoMASQUE proxy node, may tunnel ethernet packets between the first and second client premise.

Abstract: Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the front end or the back end, the proxy node may determine where to map this connection to on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.

Abstract: Techniques for using device proximity of a primary device and a secondary device to allow or deny connections to network resource(s), as well as terminate existing connections to the network resource(s). The techniques may include monitoring a proximity-based direct networking connection between a primary device and a secondary device, the proximity-based direct networking connection established in association with authenticating the primary device to access a resource. The techniques may also include determining, based at least in part on the monitoring, that a network proximity between the primary device and the secondary device exceeds a threshold proximity. Based at least in part on determining that the network proximity exceeds the threshold proximity, the techniques may include causing termination of the access to the resource for the primary device.

Abstract: Techniques for determining whether HTTP/2 or HTTP/3 is a preferred protocol for communication between a client device and a server over a network are described. A change associated with a network interface of a client device is detected. Based at least in part on detecting the change, a determination is made to identify a preferred communication protocol for a network over which the client device communicates using the network interface. A HTTP/2 probe is transmitted over the network and to a server. A HTTP/3 probe is transmitted over the network and to the server. In response to not receiving a HTTP/3 probe response, the preferred communication protocol is determined to be HTTP/2. In response to receiving the HTTP/2 probe response and the HTTP/3 probe response, the preferred communication protocol is determined to be HTTP/3. The client device communicates with the server over the network using the preferred communication protocol.

Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.

Abstract: Techniques for combining independent sessions between application(s) and a VPN, proxy service, or similar system, including inner protocol sessions (e.g., such as QUIC, etc.), coming from a single device to form a single logical session, where the single logical session could share a single authentication/authorization token are described. The techniques include receiving, from a device within a network, a request for a first application to access a service associated with the proxy service or the VPN, sending, to the device, a first authentication request, and receiving, from the device, a message including a token. The techniques may further include authenticating, by the proxy service or the VPN, the token using a unique identifier associated with the device and enabling, by the proxy service or the VPN, the device to access the service via a first session flow.

Abstract: Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the front end or the back end, the proxy node may determine where to map this connection to on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.

Abstract: Techniques for orchestrating workloads based on policy to operate in optimal host and/or network proximity in cloud-native environments are described herein. The techniques may include receiving flow data associated with network paths between workloads hosted by a cloud-based network. Based at least in part on the flow data, the techniques may include determining that a utilization of a network path between a first workload and a second workload is greater than a relative utilization of other network paths between the first workload and other workloads. The techniques may also include determining that reducing the network path would optimize communications between the first workload and the second workload without adversely affecting communications between the first workload and the other workloads. The techniques may also include causing at least one of a redeployment or a network path re-routing to reduce the networking proximity between the first workload and the second workload.

Abstract: Techniques for preserving privacy while still allowing secure access to private resources. Among other things, the techniques may include receiving a request to provide a remote device with access to a private resource. In some instances, the request may be redirected to an identity provider service to authenticate the user of the remote device to maintain anonymity of an identity of the user. The techniques may also include receiving an indication of an entitlement-set provided by the identity provider service, the indication of the entitlement-set indicative of whether the user is entitled to access the resource without revealing the identity of the user. The techniques may also include at least one of authorizing the remote device to access the resource or refraining from authorizing the remote device to access the resource based at least in part on the indication of the entitlement-set.

Abstract: Techniques for preserving privacy while still allowing secure access to private resources. Among other things, the techniques may include receiving a request to provide a remote device with access to a private resource. In some instances, the request may be redirected to an identity provider service to authenticate the user of the remote device to maintain anonymity of an identity of the user. The techniques may also include receiving an indication of an entitlement-set provided by the identity provider service, the indication of the entitlement-set indicative of whether the user is entitled to access the resource without revealing the identity of the user. The techniques may also include at least one of authorizing the remote device to access the resource or refraining from authorizing the remote device to access the resource based at least in part on the indication of the entitlement-set.

Abstract: In one embodiment, an illustrative method herein may comprise: obtaining, by a device, one or more independent telemetry streams, wherein each of the one or more independent telemetry streams is uniquely identifiable by a span identifier; translating, by the device, each of the one or more independent telemetry streams into a corresponding QUIC protocol stream; mapping, by the device, the span identifier of each of the one or more independent telemetry streams to a respective stream identifier that uniquely identifies a QUIC channel of a multiplexed QUIC protocol stream; and communicating, by the device, the multiplexed QUIC protocol stream containing each of the one or more independent telemetry streams on its corresponding QUIC channel to cause a retrieving device to determine the span identifier of each of the one or more independent telemetry streams based on their respective stream identifier.

Abstract: This disclosure describes techniques and mechanisms for defining dynamic security compliance in networks to proactively prevent security policy violations from being added and/or made, retroactively and continuously identify security policy violations based on data from the changing threat landscape, and provide auto-remediation of non-compliant security policies. The techniques enable automated security policies and provide improved network security against a dynamic threat landscape.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include receiving a report of a first anomaly based on real-time control flow graph diagram monitoring of an application at a first system and receiving a second report of a second anomaly from a second system. An exploit report may be generated by providing the first report and the second report to a machine learning model trained to output information related to an exploit based on input reports, and subsequently to provide the output information to a cloud-based reporting tool.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow diagram for a process on a computing system and monitoring execution of the process on the computing system using the control flow diagram. An unobserved transition is determined based on the learned control flow diagram and the unobserved transition is classified as safe or unsafe based on a monitoring component analysis. An action is performed based on the safety classification and the learned control flow diagram.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for a program and subsequently determining valid target destinations for transitions within the program. The instructions of the program may be executed by determining a destination for a transition, performing the transition when the destination is included in the list of valid target destinations, and performing a secondary action when the destination is not included in the list of valid target destinations.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for executable code of an application by observing executions of transitions during an observation period and determining destinations of indirect transfers based on the learned control flow directed graph. Next a disassembly of the executable code is determined based on the learned control flow directed graph, the destinations of the transfers, and the executable code.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for a process executed on the computing system. A vulnerability may be determined or identified within the process as well as a software bill of materials for the process. A code portion of the process associated with the vulnerability is determined based on the software bill of materials. A tainted control flow directed graph is generated based on the code portion and excluded from the learned control flow directed graph. The adjusted control flow directed graph may be used to prevent execution of the vulnerability.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a monitoring phase may be entered where transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on observing and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a monitoring phase may be entered where transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers. Transition to the monitoring phase may be based on determining a confidence score in the observed control flow directed graph and causing the transition when the confidence score is above a threshold.