Abstract: Systems and methods discussed for redirection of launch requests for local applications to corresponding remote applications, such as SaaS or network applications provided by an application server, and access of the corresponding remote application via an embedded browser of a client application. A client application executed by a client device may detect a request of a user to launch a local application of the client device. The client application may determine that the local application corresponds to a network application provided by an application server. The client application may intercept the request to launch the local application, responsive to the determination. An embedded browser of the client application may access the network application from the application server, responsive to interception of the request.

Abstract: Methods and systems for secure authentication of a first device through attestation by one or more other devices are described herein. A server used to authenticate the first device may transmit, to the first device, a request for attestation of the first device by one or more other devices. A user of the first device may attempt to find a user of a second device to attest to the identity of the first device and/or the user of the first device. Once the user of the second device attests to the identity of the first device and/or the user of the first device, the server device may receive, from the second device, an indication of the attestation. Based on the attestation, the server device may grant, to the first device, access to one or more services associated with the server device. One or more additional devices may be used to attest to the identity of the first device and/or the user of the first device.

Abstract: Embodiments described include systems and methods for encoding and decoding data for a network application. A client application may include an embedded browser. The embedded browser may establish a session with a network application. The client application may identify a policy specifying a type of data to encode upon input. The embedded browser may detect the type of data of an input field of the network application being displayed in the embedded browser. The embedded browser may, responsive to the detection and the policy, encode the data inputted into the input field or decode encoded data displayed in the input field.

Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory and configured to detect open eyes in an image received from a camera of the computer; recognize properties of the open eyes including orientation, designation as a left or right eye, and relative position of the eyes; group the detected open eyes into pairs of eyes based on the recognized properties; measure pupillary distance (e.g. represented in image pixels) of each of the pairs of eyes; identify the pair of eyes associated with the largest pupillary distance as the eyes closest to the camera; calculate a relative distance from the camera to the closest pair of eyes, the relative distance calculated as a ratio of the camera focal length to the largest pupillary distance; and reduce brightness of the computer screen if the relative distance is less than a threshold ratio.

Abstract: Described embodiments provide systems and methods for policy-based authentication, where the policy may designate locations and/or forms of proof of locations, for use in authentication. Some embodiments include or utilize a database storing authentication policies. In an example system, an authentication server in communication with the database is configured to receive a request from a device needing authentication. The request may include a credential. The authentication server is configured to retrieve, from the database storing authentication policies, an authentication policy corresponding to the device, the retrieved authentication policy specifying a location parameter. The authentication server is configured to receive location data from the device and resolve the authentication request using the credential and the received location data pursuant to the retrieved authentication policy.

Abstract: Systems and methods for establishing a secure connection are described. A server receives a plurality of routing tokens for establishing a service connection between a service node and the server along a network path through a plurality of network devices. The routing tokens can be validated by a corresponding network device. The server transmits a packet including the routing tokens to a first network device. The first network device validates a first routing token associated therewith, then directs the packet along the network path to a second network device, and so forth, until each of the network device receives and validates their routing token. The server establishes a cryptographic context between the service node and server for establishing a secure channel between the service node and the server. The server transmits a service node routing token to the service node via the secure channel for validation.

Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.

Abstract: Described embodiments provide systems and methods for routing client requests. A device may be arranged intermediary to a plurality of clients and a domain name system (DNS) controller. The device may generate a query for the DNS controller. The query may correspond to a service to be accessed by the clients. The device may receive, from the DNS controller, a response to the query. The response may include a value used by the device to route respective client requests for accessing the service to a corresponding version of a plurality of versions of the service. The device may receive, from a client, a client request for accessing the service. The device may route the client request to one of the versions of the service according to the value included in the response to manage traffic between various versions of the service.

Abstract: A method for generating microapp recommendations comprises receiving observational data that characterizes interactions between users and applications. The method further comprises defining a set of correlation trees based on the received observational data. Each correlation tree in the set represents a sequence of interactions between one of the users and one or more of the applications. The set includes a first quantity of correlation trees. The method further comprises identifying a subset of similar correlation trees, each of which is included in the set. The subset includes a second quantity of correlation trees that is less than the first quantity. The method further comprises making a determination that the second quantity is greater than a threshold quantity. The method further comprises, in response to making the determination, generating a microapp recommendation based on the sequence of interactions represented by a correlation tree that is representative of the subset.

Abstract: Described embodiments provide systems and methods for inferring a network type and network conditions. The system includes a packet capturing engine configured to capture a plurality of network packets from a plurality of TCP network connections. The system includes a packet analyzer configured to analyze the plurality of network packets to generate a plurality of metrics. The system includes a network classifier configured to infer network types of the plurality of TCP connections based on the plurality of metrics and at least one classification model. The system also includes a conditions ranking engine configured to estimate a level of network congestion for each TCP connection based on the plurality of metrics and the network types.

Abstract: A system for managing a virtual machine is provided. The system includes a processor configured to initiate a session for accessing a virtual machine by accessing an operating system image from a system disk and monitor read and write requests generated during the session. The processor is further configured to write any requested information to at least one of a memory cache and a write back cache located separately from the system disk and read the operating system image content from at least one of the system disk and a host cache operably coupled between the system disk and the at least one processor. Upon completion of the computing session, the processor is configured to clear the memory cache, clear the write back cache, and reboot the virtual machine using the operating system image stored on the system disk or stored in the host cache.

Abstract: A technique increases capacity in a topic-subscription messaging system. The technique involves, during a first time period, operating a first topic structure of the system. The first topic structure includes a first topic and a plurality of first subscriptions coupled with the first topic. The technique further involves, during a second time period, providing a second topic structure which includes a second topic and a plurality of second subscriptions coupled with the second topic. The technique further involves, during a third time period, providing a link from the second topic structure to the first topic structure making (i) the second topic structure a parent to the first topic structure and (ii) the first topic structure a child to the second topic structure, the link conveying messages from a particular second subscription of the second topic structure to the first topic of the first topic structure.

Abstract: A method for generating microapp recommendations comprises receiving observational data that characterizes interactions between users and applications. The method further comprises defining a set of correlation trees based on the received observational data. Each correlation tree in the set represents a sequence of interactions between one of the users and one or more of the applications. The set includes a first quantity of correlation trees. The method further comprises identifying a subset of similar correlation trees, each of which is included in the set. The subset includes a second quantity of correlation trees that is less than the first quantity. The method further comprises making a determination that the second quantity is greater than a threshold quantity. The method further comprises, in response to making the determination, generating a microapp recommendation based on the sequence of interactions represented by a correlation tree that is representative of the subset.

Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.

Abstract: Described embodiments provide systems and methods for replaying a service graph of a plurality of microservices. A device stores a plurality of snapshots of a service graph of a plurality of microservices generated for each of a plurality time increments over a time period. Each of the plurality of snapshots of the service graphs include metrics at a respective time increment from execution of each of the plurality of microservices. The device receives a request to replay the service graph. Responsive to the request, the device displays at least two or more of the plurality of snapshots of the service graph in sequence corresponding to two or more of the plurality of time increments.

Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.

Abstract: The system and methods discussed herein provide for filtering out noisy application signatures to improve the precision of first packet application classification. In some implementations, the system receive application signatures from devices along with their network identifiers. Based upon the frequency at which identical application signatures appear as originating from distinct network environments, the system determines the validity of application signatures and avoids storing irrelevant information for routing network traffic.

Abstract: Described embodiments provide systems and method for filtering notifications across multiple end points associated with a user. A server can establish, for a user of an end point, a session with the end point. The server can identify properties of a plurality of applications and properties of the plurality of end points. A filter can be generated for the user and the filter can include one or more polices to selectively permit or prevent notifications received from one or more applications through the client application. The server can apply the filter to the applications and use the filter to filter one or more notifications received from the applications to selectively permit or prevent the one or more notifications from being received at each end point of the plurality of end points that the user accesses during the session to the server through the client application.