Patents Assigned to Citrix Systems, Inc.
-
Patent number: 11653200
Abstract: Described embodiments provide systems and methods for policy-based authentication, where the policy may designate locations and/or forms of proof of locations, for use in authentication. Some embodiments include or utilize a database storing authentication policies. In an example system, an authentication server in communication with the database is configured to receive a request from a device needing authentication. The request may include a credential. The authentication server is configured to retrieve, from the database storing authentication policies, an authentication policy corresponding to the device, the retrieved authentication policy specifying a location parameter. The authentication server is configured to receive location data from the device and resolve the authentication request using the credential and the received location data pursuant to the retrieved authentication policy.
Type: Grant
Filed: April 20, 2021
Date of Patent: May 16, 2023
Assignee: Citrix Systems, Inc.
Inventor: Hao Wu
-
Patent number: 11652613
Abstract: Methods, apparatuses, systems, and computer-readable mediums for sharing user credentials in federated authentication are described herein. An identity provider may receive a user credential from a user device. The identity provider may receive, from a relying party, a request for an access token. The identity provider may encrypt the user credential based on a nonce that is uniquely generated for the relying party. The identity provider may send a response to the relying party. The response may include the access token, the encrypted user credential, and the nonce.
Type: Grant
Filed: September 4, 2020
Date of Patent: May 16, 2023
Assignee: Citrix Systems, Inc.
Inventors: Dileep Reddem, Ricardo Fernando Feijoo
-
Publication number: 20230144674
Abstract: A computing device configured to determine current user status information is provided. The computing device includes a computer readable memory, a network interface, and at least one processor operably coupled to the memory and the network interface. The at least one processor can be configured to receive, via the network interface from a first end-user application being of a first type, a first message specifying status information of a first user, process the status information of a first user to determine current user status information for the first user, generate a second message specifying the current user status information for the first user, and transmit the second message to a second end-user application being of a second type distinct from the type of the first end-user application such that at least one second user can review the current status information for the first user.
Type: Application
Filed: December 17, 2021
Publication date: May 11, 2023
Applicant: Citrix Systems, Inc.
Inventors: Zongpeng Qiao, Ke Xu, Shutian Yao
-
Publication number: 20230147714
Abstract: Described embodiments provide systems and methods for generating a network space to perform mitigation actions on a plurality of users. At least one server may determine a plurality of users of one or more levels of riskiness in a network environment, and network locations of the users. Using a plurality of clustering features, the at least one server may generate a network space comprising a cluster of network locations corresponding to a subset of the users of at least a defined level of riskiness. The at least one server may perform a mitigation action on the subset of users corresponding to the generated network space.
Type: Application
Filed: December 3, 2021
Publication date: May 11, 2023
Applicant: Citrix Systems, Inc.
Inventors: Saifulla Shaik, Aikaterini Kalou, Stuart Kennedy
-
Patent number: 11647083
Abstract: Systems and methods for establishing a multipath connection include a first processor of a first cluster forwarding a first request from a client to establish a first connection with a server to a second processor of a second cluster. A third processor of the first cluster receives a second request to establish a multipath connection between the client and the server. The third processor forwards the second request to the second processor responsive to determining that the second request is to establish a multipath connection. The second processor establishes the multipath connection that includes the first connection and a second connection used as paths of the multipath connection.
Type: Grant
Filed: July 20, 2021
Date of Patent: May 9, 2023
Assignee: Citrix Systems, Inc.
Inventor: Krishna Khanal
-
Patent number: 11644960
Abstract: A computer system configured to augment images of software objects is provided. The computer system includes a memory and at least one processor coupled to the memory. The at least one processor is configured to iteratively select an attribute value from a predetermined set of attribute values; modify an attribute of a software object according to the attribute value; and generate a respective augmented image of the software object with the attribute modified according to the attribute value. The software object may comprise an executable software object.
Type: Grant
Filed: November 22, 2021
Date of Patent: May 9, 2023
Assignee: Citrix Systems, Inc.
Inventor: Manbinder Pal Singh
-
Patent number: 11640477
Abstract: One example disclosed method involves a computing system providing a client device a virtualized computing environment. Upon receiving a request to access a file or folder in the virtualized computing environment from the client device, a file system filter driver of the computing system may intercept the request, and determine authorization to access the file or folder based at least in part on a security policy associated with the user account. If the client device is authorized to access the file or folder, the computing system may cause the client device to output a representation of contents of the first file or folder using the virtualized computing environment.
Type: Grant
Filed: October 14, 2021
Date of Patent: May 2, 2023
Assignee: Citrix Systems, Inc.
Inventor: Xavier Gallardo
-
Patent number: 11641361
Abstract: Methods and systems for granting or denying a client device access to one or more resources in a remote computing environment are described herein. A computing device may receive from an identity provider a token authenticating that a user of a client device is at a first location. The computing device may determine, based on the token, one or more labels for a session associated with the user. Each label of the one or more labels is associated with a corresponding security group. Based on the one or more labels, the user of the client device may be granted access to sensitive data.
Type: Grant
Filed: October 5, 2020
Date of Patent: May 2, 2023
Assignee: Citrix Systems, Inc.
Inventors: Andrew Innes, Chris Mayers
-
Publication number: 20230130125
Abstract: Techniques are provided for a coordinated microservice system including a worker orchestrator and multiple worker instances, which are tasked with performing a limited and specific operation, such as reading messages from a queue on behalf of a microservice. In operation, each worker instance of each microservice can use, or otherwise depend upon, one or more external systems or other dependencies to perform at least some of its respective function(s). The worker coordinator is a microservice separate from the workers. The worker orchestrator monitors operational state data from each instance of the workers and computes an updated policy based on an expected throughput that accommodates current load demands. The worker coordinator then sends the policy to the respective microservices, which implement the policy to help to maintain the overall system health.
Type: Application
Filed: October 21, 2021
Publication date: April 27, 2023
Applicant: Citrix Systems, Inc.
Inventors: Jorge Ivan Cifuentes de la Paz, Rodney Gallart Acosta
-
Publication number: 20230125661
Abstract: Described embodiments provide systems and methods for detecting and predicting virtual CPU resource starvation of a virtual machine. One or more processors can determine, within a time period, a count of a number of delays in occurrences of a timer interrupt scheduled for a virtual processor of a virtual machine executing an application. The one or more processors can compare the count of the number of delays with a threshold established for the time period. The one or more processors can execute a process to migrate the application to a second one or more processors based at least on the comparison of the count of the number of delays with the threshold.
Type: Application
Filed: October 22, 2021
Publication date: April 27, 2023
Applicant: Citrix Systems, Inc.
Inventors: Nirmalanand Jebakumar, Ashutosh Sharma
-
Publication number: 20230131682
Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory. The at least one processor is configured to implement a rule processor to receive a UI element recognition rule comprising one or more UI element specifications and a response action from a workspace server, and generate a task identifier for the received UI element recognition rule; implement a computer vision (CV) processor to receive the task identifier from the rule processor, and recognize, based on the one or more UI element specifications and the task identifier, a UI element presented at the client computer system; and implement an action handler configured to execute the response action based on the task identifier and in response to the recognized UI element.
Type: Application
Filed: October 25, 2021
Publication date: April 27, 2023
Applicant: Citrix Systems, Inc.
Inventor: Manbinder Pal Singh
-
Publication number: 20230125503
Abstract: Techniques are provided for a coordinated microservice system including a coordinator and multiple services, which interact with each other. Each of the services can have multiple execution instances, which run independently of each other. In operation, each instance of each service can use, or otherwise depend upon, one or more of the other services to perform at least some of its respective function(s). The coordinator monitors execution requests from each instance of the services to other services and calculates an available capacity of the other services upon which the requesting services depend to execute each of the execution requests based on the monitored performance metrics of the other services and level(s) of resource consumption associated with each of the execution requests. The coordinator then selects one of the execution requests based on the available capacity of the other services to service the execution requests without degrading the other services.
Type: Application
Filed: October 21, 2021
Publication date: April 27, 2023
Applicant: Citrix Systems, Inc.
Inventors: Jorge Ivan Cifuentes de la Paz, Rodney Gallart Acosta
-
Patent number: 11637914
Abstract: Methods and systems for routing a user request for a service to a version of the service in a geographical region associated with the user are described herein. The service may be deployed in multiple geographical regions, and the service may have multiple versions in each of the geographical regions. A user device may send a request for a service to a first server in a geographical region. The first server may determine whether the user is associated with the geographical region. Responsive to determining that the user is not associated with the geographical region, the first server may ask one or more servers in other geographical regions whether the user is associated with any of the other geographical regions.
Type: Grant
Filed: April 18, 2022
Date of Patent: April 25, 2023
Assignee: Citrix Systems, Inc.
Inventors: Steven A. Keller, Thomas J. Hammond, Thomas Kludy, Ayush Jain, Ricardo Fernando Feijoo
-
Patent number: 11636068
Abstract: Methods and systems for file locking are described herein. An on-premise file share may store files that are accessible to both a local on-premise client and a remote off-premise client. The off-premise file share may request to check-out one of the files. In response, one of multiple nodes may obtain for the file a file handle with exclusive write access. File locking information may be stored at the file share that indicates the node that holds the file handle and that indicates the file is in a locked state whereby other remote off-premise clients or local on-premise clients are prevented from editing the file.
Type: Grant
Filed: November 8, 2019
Date of Patent: April 25, 2023
Assignee: Citrix Systems, Inc.
Inventors: Deepak R., Shailendra Shrivastav, Sangamesh Vishweshwar Kalagond
-
Patent number: 11636228
Abstract: A computing device includes a memory and at least one processor configured to cooperate with the memory. The processor is to boot the computing device, and direct generated data to data storage. The data storage includes at least one persistent layer and a non-persistent layer. The processor determines if the data is to be stored in the at least one persistent layer or the non-persistent layer based on a version of the operating system being used to boot the computing device.
Type: Grant
Filed: January 28, 2021
Date of Patent: April 25, 2023
Assignee: Citrix Systems, Inc.
Inventor: Christopher W. Midgley
-
Patent number: 11637912
Abstract: Methods, systems, computer-readable media, and apparatuses may provide for the intermediated retrieval of applications on a network. A computing device may be configured to receive an application from an application server on a network. Based on, for example, the network conditions between the computing device and the application server, the computing device may query a plurality of intermediary servers. Based on a decision that, for example, the network conditions between the computing device, application server, and a selected intermediary server are better than the network conditions between the computing device and the application server, the computing device may cause the application to be retrieved by a host application of the selected intermediary server. The host application may process and transmit the application to the computing device. The computing device may display the processed application and transmit user input corresponding to the processed application to the intermediary server.
Type: Grant
Filed: December 1, 2021
Date of Patent: April 25, 2023
Assignee: Citrix Systems, Inc.
Inventors: Xavier Gallardo, Leo C. Singleton, IV, Simon Frost
-
Publication number: 20230119230
Abstract: Described embodiments provide systems and methods for selecting a device via which to access a server. A service having one or more processors coupled with memory may detect a measure of experience for a client device in accessing a server via a first device being below a threshold. The service may identify, responsive to the detection, a plurality of devices available for the client device to access the server. The service may determine a distance between each of the plurality of devices and at least one of the client device or the server. The service may select a second device from the plurality of devices via which the client device is to access the server based at least on the distance between the second device and at least one of the client device or the server.
Type: Application
Filed: September 30, 2021
Publication date: April 20, 2023
Applicant: Citrix Systems, Inc.
Inventor: Ishita Sinha
-
Publication number: 20230123446
Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory and configured to detect entry of data into a username entry field of a login form served to a web browser from a website. The at least one processor is further configured to detect a paste operation associated with the login form. The at least one processor is further configured to identify a focus for the paste operation. The at least one processor is further configured to perform a security action in response to the focus not being directed to a field other than a password entry field of the login form. The security action may include blocking the paste operation, providing a warning, and/or obtaining confirmation for the paste operation.
Type: Application
Filed: October 14, 2021
Publication date: April 20, 2023
Applicant: Citrix Systems, Inc.
Inventor: Manbinder Pal Singh
-
Publication number: 20230121470
Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory and configured to identify a first domain name associated with a website that served a login form to a web browser. The at least one processor is further configured to identify a one-time password (OTP) entry request served from the website in response to transmitting user credentials to the website. The at least one processor is further configured to identify a second domain name associated with an OTP server that provided an OTP. The at least one processor is further configured to perform a security action in response to determining that the first domain name differs from the second domain name. The security action may include blocking a response to the OTP request from the website, providing a warning, and/or obtaining confirmation for the response to the OTP entry request.
Type: Application
Filed: April 6, 2022
Publication date: April 20, 2023
Applicant: Citrix Systems, Inc.
Inventor: Manbinder Pal Singh
-
Publication number: 20230119494
Abstract: A user space driver for input/output traffic distribution and packet processing is provided. A device can establish a driver in user space with access to a memory mapped region shared with a kernel of the device. The driver can access a packet stored to the memory mapped region by a network interface of the device responsive to receipt of the packet. The driver can provide the packet to a selected application of a plurality of applications for processing by the selected application.
Type: Application
Filed: October 19, 2021
Publication date: April 20, 2023
Applicant: Citrix Systems, Inc.
Inventors: Mohit Prakash Saxena, Rukmangada Naidu Kathem, Sameer Bagepalli Ramesh, Satish Shankarnaidu