Abstract: Example implementations relate a system and method for storing configuration files of a host computing device in a secure storage of a Baseboard Management Controller (BMC). The secure storage includes configuration files associated with the host computing device. The BMC is communicatively connected to the host computing device using a communication link. The secure storage is emulated as a storage device to the host computing device. The BMC monitors the secure storage to detect changes in the configuration files. When there is a change in a configuration file, the BMC performs a security action in the host computing device.

Abstract: Secured data access in virtual data processing is described. An example includes instructions to receive a request from an application in a compute node of a compute cluster in a virtual data processing environment to access a secured data source for a user, the virtual data processing environment including a multiple secured data sources that are accessible by compute nodes of the virtual compute cluster; fetch a credential in a current application context and forward the credential for validation; validate the credential with a credential authority; and, upon successfully validating the credential, authenticate the user at the secured data source and establish a connection with the secured data source.

Abstract: In some examples, a system receives, from a requesting entity, input information relating to a program to be deployed on a server system. The system establishes, based on the input information, an environment in the server system, where the environment is based on interaction with a subsystem of the server system, the subsystem of the server system to support one or more of fault tolerance for the program or scalability of the program in the server system. After establishing the environment of the subsystem of the server system, the system sends response information to the requesting entity, the response information useable by the requesting entity to manage the program when executed in the server system.

Abstract: A compute device may include one or more processors operable at variable performance levels depending upon power supplied from a compute device power supply. A baseboard management controller of the compute device may periodically calculate an adjustment value for the power supply to adjust the power delivered to the one or more processors. The adjustment value may be calculated as a function of a thermal margin between the temperature of the one or more processors over time and a thermal operating limit of the one or more processors.

Abstract: Methods and systems for implementing DevID enrollment for hardware redundant Trust Platform Modules (TPMs), are described. A system can include hardware redundancy for management modules, and for TPMs that correspond to each management module. Accordingly, a product can have a dual-TPM configuration, where both modules are associated with the same product. Further, a process that particularly considers the presence of dual-TPMs for creating, issuing, and enrolling DevID certificates is described. The process issues and maintains DevID certificates for each TPM by synchronizing dual sessions that correspond to each TPM. Also, the process accounts for duplicate identification data, for example allowing the certificate authority (CA) to sign certificates for dual-TPMs linked to the same chassis number. The process can include performing validation checks, rendezvous points, and locks to ensure that DevID certificates are successfully issued for each of the dual-TPMs, respectively.

Abstract: A technique includes an operating system agent of a computer system monitoring a process to detect whether an integrity of the process has been compromised. The monitoring includes the operating system agent scanning a data structure. The process executes in a user space, and the data structure is part of an operating system kernel space. The technique includes a hardware controller of the computer system listening for a heartbeat that is generated by the operating system agent. The hardware controller takes a corrective action in response to at least one of the hardware controller detecting an interruption of the heartbeat, or the operating system agent communicating to the hardware controller a security alert for the process.

Abstract: One embodiment can provide a method and system for tuning parameters of a numerical model of a physical system. During operation, the system can obtain, using a machine-learning technique, a parameter-transform model for mapping parameters of the numerical model at a first resolution to parameters of the numerical model at a second resolution, the second resolution being higher than the first resolution. The system can perform a parameter-tuning operation on the numerical model at a first resolution to obtain a first set of tuned parameters and apply the parameter-transform model on the first set of tuned parameters to obtain a second set of tuned parameters at a second resolution. The system can then generate behavior information associated with the physical system by running the numerical model at the second resolution using the second set of tuned parameters.

Abstract: Data transfer for access points or switches in a cluster upon data tunnel failure is described. An example includes receiving uniform mapping information for a cluster including a bucket map mapping an active gateway and a standby gateway for each of multiple entries, the bucket map including mapping a first gateway node as a standby gateway and a second gateway node as an active gateway for an entry. Synchronized user information is received from the second gateway node including identification of a user indexed to the first entry. A message is received from a first AP or switch requesting activation of the user on the first gateway node as a standby gateway upon failure of a data tunnel between the first AP or switch and the second gateway node. The user is activated on the first gateway node.

Abstract: Examples disclosed herein relate to selection of a set of nodes in a HPC system for running one or more computational jobs. In some examples, the selection of the set of nodes includes gathering information about a cluster of nodes in a high-performance computing system. The HPC system may be in a production state with one or more computational workloads getting executed thereon. In some examples, periodically sending one or more test-computing jobs for execution on each node to measure one or more performance metrics thereof. Receiving measured performance metrics from each node, in response to the one or more test-computing jobs executed thereon. Recording in a database, the measured performance metrics received from each node. Selecting the set of nodes from the cluster of nodes, based on the database, and based on a request received to nm one or more computational jobs on the HPC system.

Abstract: Examples of the presently disclosed technology provide new memory management systems and methods that improve dynamic memory region utilization by: (1) creating a new class/type of dynamic memory regions—i.e., “fluid” dynamic memory regions—that are automatically relinquished to a free pool of dynamic memory regions upon expiration of a “fluid memory validity time interval;” and (2) responsive to requests for dynamic memory regions, allocating “fluid” dynamic memory regions when levels of importance for data to be stored in the requested dynamic memory regions fall below a “data-oriented priority-fluidity threshold.

Abstract: A system may identify a resource deployed in a computer, where discovery protocol data traffic is unencrypted. The system may receive metadata associated with the discovery protocol data traffic, update the computer network based at least in part on the information included in the metadata, and provide a response to the client. The system may authenticate a request from the client to access the resource using an encrypted protocol, and provide, to the client, access to the resource upon authentication, according to a resource attribute.

Abstract: Some examples relate to a pre-shared key based virtual private network. In an example, a VPN server generates a unique pre-shared key (PSK) corresponding to an identity of a VPN client. The VPN server creates a mapping between the identity and the unique PSK of the VPN client, and stores it in a database. The VPN server shares the unique PSK with the VPN client. In response to receiving an IKE packet comprising an encrypted identity of the VPN client, the VPN server decrypts the encrypted identity of the VPN client from the IKE packet to determine the identity of the VPN client associated with the IKE packet. The VPN server retrieves the unique PSK corresponding to the identity of the VPN client associated with the IKE packet from the mapping stored in the database. The VPN server establishes a VPN connection with the VPN client.

Abstract: In an example implementation consistent with the features disclosed herein, network management system deployments with a large operational footprint are given a longer grace period before they are forced to upgrade than network management system deployments with a small operational footprint. Criticality scores for the network management system deployments are calculated based on the operational footprints of the network management system deployments. The network management system deployments are grouped into criticality groups based on the criticality scores for the network management system deployments. The network management system deployments are forced to upgrade within timelines that are based on the criticality groups in which the network management system deployments are grouped.

Abstract: A cloud-based application assurance service system and method using Deep Packet Inspection (DPI) enables Network Elements (NE) to access the cloud-based application assurance service to search a rules/signature database, without impacting latency on network-firewall decisions. Additionally, the application assurance service system distributes the associated mapping of the NE cache's latest contents to neighboring NEs, where a given user might next access the network. The system can recognize applications associated with network traffic and apply firewall rules. Further, the system tracks applications and uses this data to update NE caches periodically, such that NE caches are more likely to store the relevant application signatures in advance. Moreover, a historical user usage matrix is generated to track application use per user, which is used to detect a highly probable user path and transfer mapping to an associated NE.

Abstract: Examples increase precision for aCAMs by converting an input signal (x) received by a circuit into a first analog voltage signal (V(xMSB)) representing the most significant bits of the input signal (x) and a second analog voltage signal (V(xLSB)) representing the least significant bits of the input signal (x). By dividing the input signal (x) bit-wise into the first analog voltage signal (V(xMSB)) and the second analog voltage signal (V(xLSB)), the circuit can utilize aCAM sub-circuits implementing a combination of Boolean operations to search the input signal (x) against 22*M programmable levels, where “M” represents the number of programmable bits for each aCAM sub-circuit. Thus, using similar circuit hardware, example circuits square the number of programmable levels of conventional aCAMs (which generally only have 2M programmable levels). Accordingly, examples provide new aCAMs that can carry out more complex computations than conventional aCAMs of comparable cost, size, and power consumption.

Abstract: Example implementations relate to journals for metadata changes. An example includes detecting, by a storage controller of a deduplication storage system, a cloning operation of a manifest range; loading a journal from persistent storage into memory in response to the detected cloning operation, wherein the journal is to store changes to a container index associated with the manifest range, and wherein the container index is not loaded into the memory in response to the detected cloning operation; and updating the journal in the memory to include an indication of changes to metadata of the container index that is not loaded into the memory, wherein the changes to the metadata are associated with the detected cloning operation.

Abstract: In an example, a switch may receive an authentication request from a host associated with a first wireless access point (WAP) connected to the switch. The switch acts as a VXLAN Tunnel Endpoint (VTEP) in a Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) based Virtual Extensible Local Area Network (VXLAN). The switch forwards the authentication request to an authentication server and on successful authentication of the host, may associate a role information with the host based on an authentication response from the authentication server. Further, the switch may create a BGP extended community field carrying the role identifier indicative of network policies to be implemented for the host and attach the BGP extended community field with a route advertisement. The switch then sends the route advertisement to another switch. The another switch is configured as a peer VTEP in the VXLAN. The switch and the another switch is configured in a single Virtual Local Area Network (VLAN).

Abstract: A system hash for each production system is generated. Each system hash includes a concatenation of a hardware hash and a software hash of each production system in the datacenter. A datacenter hash tree is created based on a combination of the system hashes. A test copy of the software hash of each of the production systems is created in respective test systems in the datacenter. In response to detecting a change in the datacenter hash tree, a modification in a system hash which resulted in the change is identified. The central copy of the software hash is compared with the test copy of the software hash. In response to a mismatch between the central copy and the test copy, occurrence of an unauthorized attack in a software of the production system is detected.

Abstract: Some examples described relate to securing a memory device of a computing system. For instance, a method may comprise comparing a command for the memory device to each command in a list of commands. The command is accepted when the command matches an authorized command in the list of commands. The accepted command is issued to the memory device.

Abstract: A system for enforcement of a set of segmentation policies at a gateway switch of a network is provided. Here, the segmentation policies can indicate which other roles are allowed to communicate with a respective role, which can indicate a set of privileges in the network. During operation, the switch can receive a first message associated with a join request for a multicast group from a host. The switch can also receive a second message comprising data from a source of the multicast group. The first and second messages can indicate first and second roles, respectively, of the host and source. Based on the first and second roles and a corresponding segmentation policy, the system can determine whether the host is allowed to receive the data from the source. If not allowed, the system can prevent the second message from being forwarded to the host from the gateway switch.