Abstract: Write operations are scheduled for multiple nodes in a shared storage cluster that supports volume replication. Requests are received from nodes for allocation of space for write operations in a replication log. In response to a received request, the current capacity of the requesting node to manage a backlog can be determined. The amount of space in the replication log allocated to the node is then calibrated to the node's capacity, thereby preventing self-throttling. A separate priority can be assigned to each volume, and space in the replication log assigned to each volume based on its priority. Nodes can target synchronous and other latency sensitive operations to higher priority volumes. A single global queue can be maintained to schedule write operations for all nodes, thereby providing a fair scheduling. A separate local queue can be maintained for each node, thereby providing specific levels of preference to specific nodes.

Abstract: An input dataset comprising a plurality of input items is transformed into a smaller output dataset comprising a plurality of corresponding output items. For each input item, a corresponding output item is created, wherein each input item contains some content that is not present in the corresponding output item. Creating an output item can comprise right shifting the bits of the input item by a shifting value, and performing an exclusive or operation on the input item and the results of the right shifting. The content contained in each input item that is not present in the corresponding output item is encoded in the storage address of the corresponding output item, such that the content of each input item is contained in a combination of the corresponding output item and its storage address. The output dataset comprises multiple levels.

Abstract: An InfiniBand managed storage environment is made up of processor nodes containing HCAs and managed storage devices containing TCAs and exposing a plurality of LUNs and volumes. For each InfiniBand channel between a specific HCA and a specific TCA, the paths between the HCA and any LUN or volume exposed by the TCA are grouped into a set. Occurrence of failures on specific paths of specific sets on specific channels are determined, for example by registering for callbacks or polling for occurrence of events which adversely affect communication between endpoints. Also, I/O operations executed by processor nodes are tracked and failures thereof are detected. When the occurrence of a failure on a specific path of a set is determined, all I/O operations on all paths of the set are proactively rerouted to a separate set on a separate channel that connects the same processor node and storage device.

Abstract: Techniques are disclosed for protecting cryptographic secrets stored locally in a device, such as a mobile phone. A client device creates or downloads a shared secret to be used in a server transaction. To protect this shared secret locally, the client device encrypts the shared secret using a key generated a file system attributes value, along with other sources of entropy. The file system attributes value may correspond to the inode of a file in a UNIX-based file system. Thereafter, when the shared secret is required for logical computation, the client device reconstructs the key using the file system attributes value and the other previous sources of entropy. The client device may use the key to decrypt the information and use the shared secret for its required purpose, e.g., in generating a one-time password for a login session.

Abstract: A computer-implemented method for preventing chronic false positives may include (1) whitelisting a file based on a challenge notification that challenges a classification of the file as insecure, (2) obtaining attribute information about the file, (3) identifying, by analyzing the attribute information, a primitive that identifies a source of origin for the file, (4) determining, based on an analysis of files that originate from the source of origin, that the source of origin identified by the primitive is trustworthy, and (5) adjusting, based on the determination that the source of origin identified by the primitive is trustworthy, a security policy associated with the primitive to prevent future false positives for other files that originate from the source of origin. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques are disclosed for managing a digital certificate enrollment process. A certificate assistant on a server is configured to encode certificate enrollment data in a barcode graphic, such as a quick response (QR) code. A mobile phone application can then scan the barcode graphic using a camera to recover and transmit the enrollment data to a certificate authority. Doing so allows a system administrator (or other user) to complete the certificate enrollment process in cases where the server is blocked from connecting to a certificate authority (CA) directly, e.g., because the server is behind a firewall blocking any outbound network connections from being initiated.

Abstract: A script hosting server receives a script from an authenticated source, associates the script with a certificate profile for digital certificates based on input from the authenticated source, receives user enrollment information for the certificate profile from the authenticated source, receives a script request of a client device, the script request identifying the certificate profile and a user of the client device, determines whether the user is enrolled in the certificate profile based on the user enrollment information, and, upon determining that the user is enrolled, providing the scripts to the client device.

Abstract: A computer-implemented method for reducing false positives when using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that represents an additional suspicious event involving the first actor and the second actor, (3) comparing the event-correlation graph with at least one additional event-correlation graph that represents events on at least one additional computing system, (4) determining that a similarity of the event-correlation graph and the additional event-correlation graph exceeds a predetermined threshold, and (5) classifying the suspicious event as benign based on determining that the similarity of the event-correlation graph and the additional event-correlation graph exceeds the predetermined threshold.

Abstract: A computer-implemented method for using user-input information to identify computer security threats may include (1) detecting activity at a computing system, (2) determining whether a user provided input at the computing system when the activity occurred, (3) determining that the activity indicates a potential security threat based at least in part on whether the user provided input at the computing system when the activity occurred, and (4) performing a security action on the activity in response to the determination that the activity indicates a potential security threat. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A periodic checkpoint method for a file system replication source. The method comprises generating a first checkpoint at a first time on a file system replication source and identifying a set of data objects from the replication source that have been modified during a time period between the first time and a subsequent second time. A periodic checkpoint is then generated at the second time on the file system replication source by using the set of data objects.

Abstract: A system and method for deduplicating messages is provided. Duplicate copies of messages are excluded from a set of deduplicated messages. The set of deduplicated messages can then be sampled to obtain a sample set usable for ensuring compliance according to a set of rules. One method for deduplicating messages involves receiving a message, determining whether the message is a duplicate copy, and adding the message to the set of deduplicated messages, if it is determined that the message is not a duplicate copy.

Abstract: A method and apparatus for automatic anomaly detection based on profile history and peer history are described. An anomaly detection system collects file-activity data pertaining to file accesses activities in a network share. The system computes file access patterns for the individual users and compares the individual user's file access pattern against a profile history to find a first deviation. The system also identifies a cluster of users from the group based on at least one of user collaborations of individual users of the group or a reporting structure of the group of users. When the first deviation is found, the system compares the user's file access pattern against a peer history of the other individual users in the cluster to find a second deviation. The system reports an anomaly in the file access patterns by the individual user when the first deviation and the second deviation are found.

Abstract: A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a source associated with a file open or create event. The source is at least one of an application or a device being used by a guest virtual machine (GVM). The DLP manager enforces a first response rule associated with the GVM when the source is a non-approved source per a source control policy. The DLP manager enforces a second response rule when the file violates a DLP policy.

Abstract: A computer-implemented method for detecting suspicious attempts to access data based on organizational relationships may include (1) detecting an attempt by a computing device within an organization to access an additional computing device within the organization, (2) identifying, based on a directory service associated with the organization that classifies the computing device and the additional computing device, an organizational relationship between the computing device and the additional computing device, (3) determining, based on the organizational relationship between the computing device and the additional computing device, that the attempt by the computing device to access the additional computing device is suspicious, and (4) performing a security action in response to determining that the attempt by the computing device to access the additional computing device is suspicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for performing a search on a data backup system is disclosed, where at least a portion of the method is performed by a computing device comprising at least one processor. The method includes receiving a search query, performing a search of indexed information stored in the data backup system based on the search query, determining non-indexed information stored in the data backup system related to the search query, and returning results of the performing and the determining.

Abstract: A method and apparatus for coordinating service execution within a shared storage cluster file system environment to optimize cluster performance is disclosed. In one embodiment, the method includes accessing host information in memory comprising mappings between file data and a plurality of nodes, wherein the mappings indicate at least one portion of the file data that is accessed by at least one node of the plurality of nodes on behalf of at least one application and executing at least one service on the at least one node of the plurality of nodes using at least one processor, wherein the at least one service accesses the at least one portion of the file data in the memory.

Abstract: A method to create a version map to represent the data state of a file at a particular point in time when an incremental backup is performed. In one embodiment, a logical memory backup file is created that is known as a cumulative data file. Changes to the cumulative data file according to one embodiment of the present invention include appending copies of modified data when the modified data meets a certain condition. A new version map may be created each time an incremental backup occurs. Locations of both modified and unmodified data in the backup data file are mapped for future reference to the data.

Abstract: A computer-implemented method for protecting organizations against spear phishing attacks may include (1) searching a plurality of websites for user profiles belonging users who are affiliated with an organization and who have access to at least one privileged computing resource controlled by the organization, (2) retrieving, from the user profiles, personal information describing the users, (3) determining, based on the personal information, that a portion of the user profiles belongs to an individual user with access to the privileged computing resource, (4) identifying at least one phishing attack risk factor in the user profiles that belong to the individual user, and (5) assessing, based at least in part on the phishing attack risk factor, a risk of a phishing attack targeting the individual user to illegitimately gain access to the privileged computing resource. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method and system for load balancing. The method includes discovering each of a plurality of hosts in a cluster, wherein the plurality of hosts is configured for accessing a LUN of a storage system through a storage network fabric. Global input/output (I/O) load characteristics are collected for each of the plurality of hosts at the device and/or volume level. A selected host is determined for processing an I/O originating at the local host, wherein the host is selected based on a current set of the global I/O load characteristics.

Abstract: A computer-implemented method for providing application manifest information may include analyzing source code of a software application. The method may also include detecting that the source code is programmed to access a computer resource and determining a security implication of the source code being programmed to access the computer resource. Determining the security implication may include providing a notification of the security implication of the source code to a developer of the source code. Determining the security implication may also include providing information about the security implication in an application manifest. Systems and computer-readable-media for creating and editing application manifests are also disclosed.