Abstract: Behavior blocking mobility token managers track movement of suspicious files within a network. A behavior blocking mobility token manager on a source computer detects an attempt by a process on the source computer to write a file to a target computer. The behavior blocking mobility token manager determines a suspicion level associated with the process, and writes a behavior blocking mobility token containing at least the suspicion level associated with the process to the target computer. A behavior blocking mobility token manager on the target computer detects that a behavior blocking mobility token is being written to the target computer. The behavior blocking mobility token manager reads the behavior blocking mobility token, and determines a suspicion level of the file associated with the behavior blocking mobility token, responsive to contents of the behavior blocking mobility token.

Abstract: Method, system, and apparatus for maintaining consistent images of metadata and data in a file system or other data journaling software stored on a temporal volume are presented. An intent log is maintained of all data and metadata modifying transactions, which is then relayed either asynchronously or form a last known consistent checkpoint to a requested checkpoint thereby rendering the requested checkpoint data and metadata consistent.

Abstract: A computer system or memory medium with instructions executable by a computer system to detect and/or suggest corrective actions when performance and availability are violated in an environment deploying virtualization at multiple levels. In one embodiment the computer system receives identities of a plurality of first physical storage devices, wherein storage in the plurality of first physical storage devices was logically aggregated to create a first storage object. The computer system also receives identities of a plurality of second physical storage devices, wherein storage in the plurality of second physical storage devices was logically aggregated to create a second storage object. Then, the computer system compares the identity of each of the plurality of first physical storage devices with the identities of the plurality of second physical storage devices.

Abstract: A method and system for implementing a global name space service. The method may include receiving a file system unique identifier corresponding to a particular file and a human-readable name corresponding to the same file. The method may further include binding the human-readable name to the file system unique identifier, thereby creating a mapping between the human-readable name and the file system unique identifier. The system may include a processor coupled to a memory and to a global name space service manager. The global name space service manager may be configured to receive a file system unique identifier corresponding to a particular file and a human-readable name corresponding to the same file. The global name space service manager may be further configured to bind the human-readable name to the file system unique identifier, thereby creating a mapping between the human-readable name and the file system unique identifier.

Abstract: A system for communication using emulated LUN blocks in storage virtualization environments includes a first host and an off-host virtualizer. The off-host virtualizer may be configured to generate operating system metadata for a virtual storage device, and to make the operating system metadata accessible to the first host. A first layer of a storage software stack at the host may use the operating system metadata to detect the existence of the virtual storage device as an addressable storage device. The off-host virtualizer may also be configured to provide configuration information at a designated set of block addresses within the virtual storage device. A second layer of the storage software stack may be configured to read the configuration information from the designated set of blocks.

Abstract: Data center activity traces form a corpus used for machine learning. The data in the corpus are putatively normal but may be tainted with latent anomalies. There is a statistical likelihood that the corpus represents predominately legitimate activity, and this likelihood is exploited to allow for a targeted examination of only the data representing possible anomalous activity. The corpus is separated into clusters having members with like features. The clusters having the fewest members are identified, as these clusters represent potential anomalous activities. These clusters are evaluated to determine whether they represent actual anomalous activities. The data from the clusters representing actual anomalous activities are excluded from the corpus. As a result, the machine learning is more effective and the trained system provides better performance, since latent anomalies are not mistaken for normal activity.

Abstract: A method and apparatus of identifying and using storage properties within a file system. In particular, the invention exposes the storage property of an underlying storage volume i.e., mirrored storage, RAID storage, standard storage, archival storage and the like, to the user such that the user may select a volume with appropriate storage capabilities for their files. Furthermore, the storage property of a storage volume is used as a file property within the file system such that files may be organized using the storage property. In another embodiment of the invention, altering the storage property that is used as a file property, automatically moves the file from one storage volume type to another storage volume type in accordance with the selected storage property.

Abstract: Backup of a production instance of an application in a production machine environment is performed by creating a snapshot image that captures the state of the production machine, and then backing up the application from a backup machine created using the snapshot image. The backup of the application can be effected by shutting down the backup machine and backing up its storage, or by using backup software to act on the backup version of the application.

Abstract: A system may be provided which is operable to determine a routing node for a data object. The system can comprise an identifier generator operable to generate an identifier for the data object on the basis of data content thereof, and a lookup engine operable to compare the identifier for the data object to a routing table to determine a routing node for the data element.

Abstract: Aspects of the invention relate to a method, apparatus, and computer readable medium for determining software trustworthiness. In some examples, a software package identified as including at least one file of unknown trustworthiness is installed on a clean machine. A report package including a catalog of files that have been installed or modified on the clean machine by the software package is generated. Identification attributes for each of the files in the catalog is determined. Each of the files in the catalog is processed to assign a level of trustworthiness thereto. The report package is provided as output.

Abstract: Security software on a client observes a request for a resource from an application on the client and then determines the application's reputation. The application's reputation may be measured by a reputation score obtained from a remote reputation server. The security software determines an access policy from a graduated set of possible access policies for the application based on the application's reputation. The security software applies the access policy to the application's request for the resource. In this way, the reputation-based system uses a graduated trust scale and a policy enforcement mechanism that restricts or grants application functionality for resource interactivity along a graduated scale.

Abstract: Embodiments of a system and method for providing service-level monitoring for applications in SANs. Embodiments may identify what applications are running on which hosts in a SAN, automatically identify which paths the applications use through the storage infrastructure to reach their storage, and may monitor SAN components of the paths. One embodiment may provide a task group monitor that monitors groups of SAN components and reports problems detected on group members at the application level. Embodiments may proactively monitor SAN infrastructure including the hardware and/or software components of storage, hosts, fabric, etc. needed for scheduled application tasks such as backup tasks and may alert the operator when problems are detected. Thus, embodiments correlate detected infrastructure problems directly to the applications that are affected, allowing these problems to be addressed at the application level, and prior to scheduled execution of tasks.

Abstract: Various methods and systems are disclosed for handling I/O requests to a replica that has not yet been fully synchronized. One method involves detecting the transfer of the role of working volume from a first volume to a second volume. The second volume is configured as a replica of the first volume, but the second volume may not be fully synchronized with the first volume at the time that the role of working volume is transferred. Subsequent to the role of working volume being transferred to the second volume, a read request to the second volume is satisfied by accessing a log. The log is configured to store values that have been written to the first volume, and at least one of the values written to the first volume has not been written to the second volume.

Abstract: Techniques are disclosed that exploit system call mechanism to effect robust security applications. In one particular case, security software is able to effectively “sandbox” user mode applications at the thread granularity level, by replacing the system call mechanism of the operating system with a custom mechanism that limits the rights available to a target application that is vulnerable to malicious attack. The techniques allow the security software to create service tables with varying degrees of security levels, and do not impact performance of non-targeted running processes/threads.

Abstract: A backup system can be provided, which system can comprise an identifier operable to identify a data object for possible backup and a generator operable to generate an identity representation for the data object on the basis of the content thereof. The identity representation can be transmitted to a backup store where it can be tested against identity representations for previously stored objects. The system can also comprise a receiver operable to receive from the backup store an indication of whether the data object described by the identity representation has previously been stored at the backup store. The system can be operable to transmit the data object to the backup store in the event that the data object described by the identity representation has not previously been stored at the backup store.

Abstract: An outgoing e-mail manager inserts headers into outgoing e-mail messages originating from at least one source on a computer. Each header includes data concerning the source of the e-mail. An e-mail header manager monitors an e-mail stream, and reads headers inserted into e-mail messages. The e-mail header manager applies a security policy to e-mail messages, responsive to the contents of the inserted headers.

Abstract: A computer running a host operating system in a host virtual machine includes a support operating system running in a support virtual machine. A support module running in the support operating system identifies and remediates defects associated with the host operating system. A monitoring module running in the support operating system identifies a defect associated with the host operating system and notifies the support module responsive to identification of the defect. A user interface is provided for the support module. The user interface can be through a web server or a support button associated with an input device of the computer. The user interface can be supported through input/output virtualization hardware of the computer. A host agent module executing in the host operating system can interact with the support module to remediate a defect associated with the host operating system.

Abstract: An extensible architecture for centralized discovery and management of heterogeneous Storage Area Network (SAN) components. A SAN management server may be provided for communicating with the heterogeneous SAN components to perform centralized discovery and management of the SAN. The server may manage a data repository for storing data objects representing the components of the SAN. The SAN management server may include one or more explorers for communicating with SAN components to perform one or more discovery or management operations. Each explorer may be added to the system as a separate module. The SAN management server may receive SAN management commands and select and sequence one or more of the explorers to perform one or more SAN component discovery or management operations. The SAN management server may convert data obtained from the heterogeneous SAN components into a common data model.

Abstract: A distributed testing platform tests network traffic filtering rules. A control point receives a network traffic filtering rule and test parameters describing how to test the rule. The control point distributes the rule and parameters to a plurality of testing nodes. The testing nodes are located on a network at locations where they receive a variety of different network traffic. The testing nodes test the rule against traffic received by the nodes according to the test parameters. The traffic can include real-time traffic and corpora of traffic designed to test different types of rules. The testing nodes return test results describing the testing to the control point. The control point analyzes the test results to determine the accuracy and performance of the rule.

Abstract: System and method for resynchronizing mirrored volumes in a storage system. According to one embodiment, a system may include a first volume located at a primary site and associated with a first storage management device, and a second volume located at a secondary site and associated with a second storage management device, where the secondary site is coupled to the primary site via a data link, and where the second volume is configured as a mirror of the first volume. The first storage management device may be configured to convey to the second storage management device an indication of a data block written to the first volume subsequent to a failure of the data link. Dependent upon the indication, the second storage management device may be configured to create a snapshot of the data block as stored on the second volume prior to resynchronization of the data block.