Abstract: Techniques for personalizing content are presented. A principal requests access to content. Policy is evaluated in response to the request for the content. Scripts are processed in response to the policy evaluation to rewrite and modify the content. The modified content is then delivered to the requesting principal to personalize the content for the principal.

Abstract: Apparatus, systems, and methods may operate to receive a request to access a file from a client node at one of a plurality of lookup nodes, the lookup nodes storing portions of a distributed table having lookup information associated with the file. The distributed table, which may comprise a distributed hash table, includes replicated references to virtualized and non-virtualized file elements of varied granularity in a unified file system. Additional activity may comprise forwarding the request to another one of the lookup nodes until the lookup information is located, or chaining the request to one of the plurality of lookup nodes and implementing activity that has been requested. Additional apparatus, systems, and methods are disclosed.

Abstract: System and method for efficient maintenance of indexes for XML and other documents comprising semi-structured, hierarchical data are described. In one embodiment, the method comprises providing a first index definition document (“IDD”) for defining a first index for the document, wherein the first IDD is applied to the document to create a first set of index keys for the document stored in the database and wherein the first IDD defines at least one set of relationships among nodes in the document; responsive to a change to the document affecting an update node thereof, performing a limited, localized traversal of the document around the update node to determine whether the change affects the first set of index keys; and updating the first set of index keys as necessitated by the change.

Abstract: Apparatus, systems, and methods may operate to assert a first semi-exclusive write lock with respect to a storage medium area by storing lock information when assertion of another semi-exclusive write lock with respect to the area is not detected. Additional activities may include writing data to the area by a writing entity that has asserted the first semi-exclusive write lock after determining the lock information has not changed, while substantially simultaneously de-asserting the first semi-exclusive write lock. Reading from the area may be determined as successful by determining that the semi-exclusive write lock was not asserted prior to or during the reading by checking the status of the lock information. Additional apparatus, systems, and methods are disclosed.

Abstract: In a computing system environment, methods and apparatus include tapping a plurality of connected computing devices and distilling small amounts of entropy from each, concentrating the entropy so collected, and performing all in a stealth or surreptitious fashion relative to the providers of the entropy. In this manner: the potential supply of entropy on a networked computing device is greatly expanded; the potential for entropy-related denial-of-service attacks in Linux systems is reduced; no significant extra processing burden on participating computing devices is required; and enlisting entropy-providing computing devices (including or not naïve applications) in entropy exchanges occurs unobtrusively. Representative particular environments include web servers, including servlet filters, and clients engaged in http sessions; Java virtual machines; network interface cards in promiscuous mode analyzing packets; and other. Computer program products for devices to realize the foregoing are also intended.

Abstract: Techniques for securing data access are presented. A user's data is encrypted on multiple servers throughout a network. Each portion of the encrypted data resides on a different server, and each portion represents a non-contiguous data selection from the user's original unencrypted data. Each portion encrypted using a master credential that is different from the user's logon credential. Also, each portion encrypted using a server identity for the server on which that portion resides. An order, which is used for assembling decrypted versions of the encrypted portions back into the user's data, is acquired via another and different principal-supplied credential.

Abstract: Techniques for parallel processing of directory searches are provided. A directory search is received on a multicore or multiprocessor architecture machine. At least two threads processing on different cores or processors of the machine handle different aspects of the directory search. A first thread identifies matches in the directory for the search and serially populates the matches to search results. The second thread serially and in parallel grabs the matches in the search results and filters some out and modifies other ones of them to complete processing on the search. The search results are then returned to an initial requester making the initial search.

Abstract: A Request for content is validated for a specific level of service that is to be provided over a network when making the request for the content and when delivering the content to satisfy the request over the network. A network transaction is tagged representing the request and the delivery of the content. Resources that comport with the specific level of service are designated to handle the network transaction and the transaction is injected into the network. Usage of the resources is monitored as the network transaction is processed.

Abstract: Techniques for secure access management to virtual environments are provided. A user authenticates to a portal for purposes of establishing a virtual machine (VM). The portal interacts with a cloud server and an identity server to authenticate the user, to acquire an Internet Protocol (IP) address and port number for the VM, and to obtain a secure token. The user then interacts with a secure socket layer virtual private network (SSL VPN) server to establish a SSL VPN session with the VM. The SSL VPN server also authenticates the token through the identity server and acquires dynamic policies to enforce during the SSL VPN session between the user and the VM (the VM managed by the cloud server).

Abstract: Methods and apparatus teach a digital spectrum of a data file. The digital spectrum is used to map a file's position in multi-dimensional space. This position relative to another file's position reveals closest neighbors. Certain of the closest neighbors are grouped together to define a set. Overlapping members in the groups may be further differentiated from one another by partitioning. An optimized partition of set S of N overlapping groups yields a maximum strength for groups and members in that partition. Among other things, the optimized partition includes relative strengths of every individual member in every possible partition and weighting functions applied to the relative strengths and to subgroups of files within the partitions.

Abstract: Techniques for identity and policy based routing are presented. A resource is initiated on a device with a resource identity and role assignments along with policies are obtained for the resource. A customized network is created for the resource using a device address for the device, the resource identity, the role assignments, and the policies.

Abstract: Techniques for debugging applications are provided. Access to an application is controlled by a wrapper. The wrapper intercepts calls to the application and records the calls. The calls are then passed to the application for processing. The recorded calls form a log which may be analyzed or mined to detect error conditions or undesirable performance characteristics associated with the application independent of source associated with the application.

Abstract: Techniques for cloud control and management are provided. The control, creation, and management of workloads in distributed infrastructures are coordinated via a master Configuration Management Database (CMDB). The master CMDB is also used to unify the multiple distributed infrastructures so that the workloads are rationalized. Moreover, data centers are coordinated with the distributed infrastructures so the configuration settings and policies included in the master CMDB are enforced and synchronized throughout the network.

Abstract: Methods and apparatus involve managing workload migration to host devices in a data center having heterogeneously arranged computing platforms. Fully virtualized images include drivers compatible with varieties of host devices. The images also include an agent that detects a platform type of a specific host device upon deployment. If the specific host is a physical platform type, the agent provisions native drivers. If the specific host is a virtual platform type, the agent also detects a hypervisor. The agent then provisions front-end drivers that are most compatible with the detected hypervisor. Upon decommissioning of the image, the image is returned to its pristine state and saved for later re-use. In other embodiments, detection methods of the agent are disclosed as are computing systems, data centers, and computer program products, to name a few.

Abstract: Apparatus, systems, and methods may operate to receive reports at a server node, the reports indicating a change in virtual machine status for virtual machines hosted on a virtual machine host node; and to allocate/de-allocate addresses to the virtual machines based on the change in virtual machine status and one or more policies. Some embodiments may operate to detect, at a virtual machine host node, a change in virtual machine status for virtual machines hosted on the host node; and to transmit reports to a server node from the host node, the reports indicating the change in virtual machine status, to enable the server node to allocate/de-allocate addresses to the virtual machines based on the change in virtual machine status and one or more policies. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to generate a reference statistical model of an operating system, such as a computer system, and display the reference statistical model as a hierarchical, segmented time series event stream graph, along with a graph representing current behavior of the system. The event stream graph may be derived from one or more streams of security events. Additional operations may include receiving requests to display further detail respecting discrepancies between the reference statistical model and the current behavior. Other apparatus, systems, and methods are disclosed.

Abstract: A system and method for determining effective policy profiles, is presented herein. The system includes one or more client devices configured to initiate a request for at least one effective policy profile, a server mechanism communicatively coupled to the one or more client devices and configured to receive the request for the at least one effective policy profile and determine the at least effective policy profiles for each of the requesting one or more client devices, and a policy data storage component communicatively coupled to the server mechanism and configured to store a plurality of policy profiles. The plurality of plurality of policy profiles includes an association between each of the one or more client devices and one or more of the plurality of policy profiles.

Abstract: Techniques for dynamic disk personalization are provided. A virtual image that is used to create an instance of a virtual machine (VM) is altered so that disk access operations are intercepted within the VM and redirected to a service that is external to the VM. The external service manages a personalized storage for a principal, the personalized storage used to personalize the virtual image without altering the virtual image.

Abstract: Apparatus, systems, and methods may operate to receive a public key associated with a public/private key pair at a key distribution handler, after a new workload and an associated key agent are created within a network of nodes. The associated key agent may be used to generate the key pair. Additional activity may include distributing, by the key distribution handler, the public key to other key agents associated with permitted workloads operating in the network. The public key may be used to overwrite or delete prior public keys for an authenticated workload identity associated with the new workload. Additional apparatus, systems, and methods are disclosed.

Abstract: Techniques for toxic workload mapping are provided. A state of a target workload is recorded along with a configuration and state of an environment that is processing the workload. Micro valuations are taken, via statistical sampling, for metrics associated with the workload and for different combinations of resources within the environment. The sampling taken at micro second intervals. The valuations are aggregated to form an index representing a toxic mapping for the workload within the environment. The toxic mapping is mined, in view of policy, to provide conditions and scenarios that may be deemed problematic within the workload and/or environment.