Abstract: Some embodiments of the invention provide a method of dynamically scaling a hub cluster in a software-defined wide area network (SD-WAN) based on particular traffic statistics, the hub cluster being located in a datacenter of the SD-WAN and allowing branch sites of the SD-WAN to access resource of the datacenter by connecting to the hub cluster. A controller of the SD-WAN receives, from the hub cluster, traffic statistics centrally captured at the hub cluster. The controller then analyzes these statistics to identify traffic load fluctuations, and determines that a number of hubs in the hub cluster should be adjusted based on the identified fluctuations. The controller adjusts the number of hubs in the hub cluster based on the determination.

Abstract: Examples for validating the identify of an application in an inter-app communication protocol are described. An attestation payload is obtained from a third party attestation service that is executed remotely from a device on which the application is running. The attestation payload can be validated by another application on the device in order to validate the identity of the application providing the attestation payload.

Abstract: Systems and methods are described for employing event context to improve threat detection. Systems and methods of embodiments of the disclosure measure both process deviation and path deviation to determine whether processes are benign or represent threats. Both a process deviation model and a path deviation model are deployed. The process deviation model determines the similarity of a process to past processes, and the path deviation model estimates whether processes have been called out of turn. In this manner, systems and methods of embodiments of the disclosure are able to detect both whether a process is in itself unusual, and whether it is called at an unusual time. This added context contributes to improved threat detection.

Abstract: Some embodiments provide a method of performing control plane operations in a radio access network (RAN). The method deploys several machines on a host computer. On each machine, the method deploys a control plane application to perform a control plane operation. The method also configures on each machine a RAN intelligent controller (RIC) SDK to serve as an interface between the control plane application on the same machine and a set of one or more elements of the RAN. In some embodiments, the RIC SDK on each machine includes a set of network connectivity processes that establish network connections to the set of RAN elements for the control plane application. These RIC SDK processes allow the control plane application on their machine to forego having the set of network connectivity processes.

Abstract: An example virtualized computing system includes: a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs and native VMs, the pod VMs including container engines supporting execution of containers in the pod VMs, the native VMs including applications executing on guest operating systems; an orchestration control plane integrated with the virtualization layer and including a master server and native VM controllers, the master server managing lifecycles of the pod VMs and the native VMs; and management agents, executing in the native VMs, configured to receive decoupled information from the master server through the native VM controllers and to provide the decoupled information for consumption by the applications executing in the native VMs, the decoupled information including at least one of configuration information and secret information.

Abstract: Computer-implemented methods and systems described herein are directed to constructing a navigable tiered ontology that characterize how groups of log messages are distributed across products and applications that run on the platforms provided by the products. The ontology is constructed based on the products, applications, and event types of the log messages. The ontology represents how the log messages are distributed across the products. applications, and event types.

Abstract: Described herein are systems and methods to apply route-map configurations in a computing network. In one implementation, a routing computing system may identify a route for redistribution in a computing network and identify a longest prefix in a radix tree associated with the route. The routing computing system may further identify a highest priority route-map clause associated with the longest prefix match or any parent prefixes of the longest prefix match in the radix tree. Once identified, the computing system may perform an action associated with the highest priority route-map clause.

Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

Abstract: Techniques for migrating virtual machines (VMs) in the presence of uncorrectable memory errors are provided. According to one set of embodiments, a source host hypervisor of a source host system can determine, for each guest memory page of a VM to be migrated from the source host system to a destination host system, whether the guest memory page is impacted by an uncorrectable memory error in a byte-addressable memory of the source host system. If the source host hypervisor determines that the guest memory page is impacted, the source host hypervisor can transmit a data packet to a destination host hypervisor of the destination host system that includes error metadata identifying the guest memory page as being corrupted. Alternatively, if the source host hypervisor determines that the guest memory page is not impacted, the source host hypervisor can attempt to read the guest memory page from the byte-addressable memory in a memory exception-safe manner.

Abstract: In some embodiments, a method sends first messages that request first information for a set of blocks of the blockchain to the N replicas. Each replica maintains a respective instance of the blockchain. Second messages is received from at least a portion of the N replicas. The second messages include the first information for the set of blocks from each respective instance of the blockchain that is maintained by the N replicas. The method analyzes the first information to determine whether a consensus on the first information is reached by a number of replicas. When consensus is reached, a request is sent to a replica for one or more blocks to back up to a backup blockchain and second information is received for the one or more blocks from the replica. The method uses the second information to back up the one or more blocks in the backup blockchain.

Abstract: In some embodiments, a method receives a packet for a flow associated with a workload. Based on an indicator for the flow, the method determines whether the flow corresponds to one of an elephant flow or a mice flow. Only when the flow is determined to correspond to an elephant flow, the method enables a hardware acceleration operation on the packet. The hardware acceleration operation may include hardware operation offload, receive side scaling, and workload migration.

Abstract: Some embodiments provide a method for forwarding data messages at multiple edge nodes of a logical network that process data messages between a logical network and an external network. At a particular one of the edge nodes, the method receives a data message sent from a source machine in the logical network. The method performs network address translation to translate a source network address of the data message corresponding to the source machine into an anycast network address that is shared among the edge nodes. The method sends the data message with the anycast network address as a source network address to the external network. Each edge node receives data messages from source machines in the logical network and translates the source addresses of the data messages into the same anycast public network address prior to sending the data messages to the external network.

Abstract: An example method of virtualizing a hardware accelerator in a host cluster of a virtualized computing system includes: commanding, at an initiator host in the host cluster, a programmable expansion bus device to reconfigure as a virtual accelerator based on specifications of a hardware accelerator in a target host of the host cluster; executing, in the programmable expansion bus device, software to emulate the virtual accelerator as connected to an expansion bus of the initiator host; receiving, at the programmable expansion bus device, compute tasks from an application executing in the initiator host; and sending, to the target host, the compute tasks for processing by the hardware accelerator.

Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. The plurality of rules each include a set of patterns, and a rule and a pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern where the identifier identifies a rule and a pattern combination. Then, the method identifies the rule and the pattern combination based on the identifier. The set of patterns for the rule is found in the information based on determining that the rule and the pattern combinations for the rule have been found in the information.

Abstract: Some embodiments of the invention provide a method for transmitting data messages via secure tunnels in a network. The method is performed at a gateway device. The method determines that a data message received at the gateway device should be sent via a secure interface of the gateway device. The method matches the data message to a firewall rule that maps to a particular secure tunnel used by the secure interface, with multiple different firewall rules mapping to multiple different secure tunnels used by the secure interface. The method encapsulates the data message with a header that comprises an indicator value specifying the particular secure tunnel and forwards the encapsulated data message to a destination interface.

Abstract: Embodiments of the present disclosure provide to techniques for automatically grouping software applications based on their technical patterns/characteristics (i.e., technical facets) via machine learning (ML) algorithms. For instance, a first set of software applications that exhibit a high prevalence of one or more first technical facets may be grouped into a first category, a second set of software applications that exhibit a high prevalence of one or more second technical facets may be grouped into a second category, and so on. Once grouped into categories, the software applications in a given category may be assessed, analyzed, and/or processed together for various purposes.

Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.

Abstract: Computer-implemented methods and systems described herein perform intelligent sampling of application traces generated by an application. Computer-implemented methods and systems determine different sampling rates based on frequency of occurrence of trace types and/or frequency of occurrence of durations of the traces. Each sampling rate corresponds to a different trace type and/or different duration. The sampling rates for low frequency trace types and durations are larger than the sampling rates for high frequency trace types and durations. The relatively larger sampling rates for low frequency trace types and low frequency durations ensures that low frequency trace types and low frequency durations are sampled in sufficient numbers and are not passed over during sampling of the application traces. The set of sampled traces are stored in a data storage device.

Abstract: Various approaches for exposing a virtual Non-Uniform Memory Access (NUMA) locality table to the guest OS of a VM running on NUMA system are provided. These approaches provide different tradeoffs between the accuracy of the virtual NUMA locality table and the ability of the system's hypervisor to migrate virtual NUMA nodes, with the general goal of enabling the guest OS to make more informed task placement/memory allocation decisions.

Abstract: Some embodiments provide a method for implementing a software-defined private mobile network (SD-PMN) for an entity. At a physical location of the entity, the method deploys a first set of control plane components for the SD-PMN, the first set of control plane components including a security gateway, a user-plane function (UPF), an AMF (access and mobility management function), and an SMF (session management function). At an SD-WAN (software-defined wide area network) PoP (point of presence) belonging to a provider of the SD-PMN, the method deploys a second set of control plane components for the SD-PMN that includes a subscriber database that stores data associated with users of the SD-PMN. The method uses an SD-WAN edge router located at the physical location of the entity and a SD-WAN gateway located at the SD-WAN PoP to establish a connection from the physical location of the entity to the SD-WAN PoP.