Abstract: System and method for backing up management components of a software-defined data center (SDDC) managed by a cloud-based service uses backup rules for the SDDC, which are used to configure a backup manager agent in the SDDC. The backup rules are then used by the backup manager agent to determine whether at least one of system logs generated by the management components in the SDDC, which are monitored by the backup manager agent, satisfies the backup rules to initiate a backup operation for at least one of the management components of the SDDC.

Abstract: Example methods and systems for a computer system to perform security threat detection during service query handling are described. In one example, a process running on a virtualized computing instance supported by the computer system may generate and send a first service query specifying a query input according to a service protocol. The first service query may be detected by a security agent configured to operate in a secure enclave that is isolated from the process. Next, the security agent may generate and send a second service query specifying the query input in the first service query. It is then determined whether there is a potential security threat based on a comparison between (a) a first reply received responsive to the first service query and (b) a second reply received responsive to the second service query.

Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method receives a filtered set of intrusion detection signatures to be enforced on the at least one host computer. The method uses a set of contextual attributes associated with a particular data message to generate an intrusion detection signature for the particular data message, the generated intrusion detection signature including a bit pattern, each bit associated with a contextual attribute in the set. The method compares the generated intrusion detection signature with the received set of intrusion detection signatures to identify a matching intrusion detection signature in the received filtered set.

Abstract: The disclosure provides an approach for hypervisor-assisted security analysis. Embodiments include receiving, at a hypervisor on a host computer, events from one or more virtual computing instances (VCIs). Embodiments include analyzing, by the hypervisor, the events according to one or more rules to identify a subset of the events for additional analysis. Embodiments include compressing, by the hypervisor, the subset of the events by performing deduplication to produce a compressed subset of the events. Embodiments include transmitting, by the hypervisor, the compressed subset of the events over a network to a separate analysis component, wherein the separate analysis component performs the additional analysis.

Abstract: Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.

Abstract: Disclosed are various embodiments for improving the resiliency and performance for clustered memory. A computing device can mark a page of the memory as being reclaimed. The computing device can then set the page of the memory as read-only. Next, the computing device can submit a write request for the contents of the page to individual ones of a plurality of memory hosts. Subsequently, the computing device can receive individual confirmations of a successful write of the page from the individual ones of the plurality of memory hosts. Then, the computing device can mark the page as free in response to receipt of the individual confirmations of the successful write from the individual ones of the plurality of memory hosts.

Abstract: Described herein are example methods and systems for enrolling a user device with an unified endpoint management system (“UEMS”) directly from another user device. The examples describe a first user device that is already enrolled with the UEMS and a second user device that is seeking to be enrolled. The two user devices can establish a direct connection with each other. The second user device can be authenticated by a user inputting the same migration password or pin at both user device. The first user device can generate and send a migration data file to the second user device. The migration data file can include settings, policies, software packages, and files managed by the UEMS. The second user device can copy settings, policies, and files, and install the applications from the migration data file. The second user device can notify an UEMS server of the device migration.

Abstract: In an embodiment, a method for a VRF and multi-service insertion on edge gateways is described. In an embodiment, the method comprises obtaining a rule configuration. Based on, at least in part, the rule configuration, a rule table is created. The rule table comprises rule data records, wherein a rule data record comprises packet attributes and a redirection identifier. A policy configuration comprising policy records is obtained. Each policy record comprises a redirection identifier, a next_hop, and an address pair for interfaces. A mapping between VRF identifiers and address pairs is generated. Based on, at least in part, the mapping and the policy configuration, a policy table is generated. The policy table comprises table records, wherein a table record comprises a redirection identifier, a next_hop, and an address pair. The rule and policy tables are used to redirect a packet from an edge gateway to a service virtual machine.

Abstract: An example method of placing a virtual machine (VM) in a cluster of hosts is described. Each of the hosts having a hypervisor managed by a virtualization management server for the cluster, the hosts separated into a plurality of nonuniform memory access (NUMA) domains. The method including: comparing a virtual central processing unit (vCPU) and memory configuration of the VM with physical NUMA topologies of the hosts; selecting a set of the hosts spanning at least one of the NUMA domains, each host in the set of hosts having a physical NUMA topology that maximizes locality for vCPU and memory resources of the VM as specified in the vCPU and memory configuration; and providing the set of hosts to a distributed resource scheduler (DRS) executing in the virtualization management server, the DRS configured to place the VM in a host selected from the set of hosts.

Abstract: Disclosed herein are examples of systems and methods for synchronizing notification actions across multiple enrolled devices. A management service can receive from a first client device metadata associated with a notification posted on the first client device. The management service can receive from the first client device an indication of an action performed with respect to the notification. The management service can determine whether to propagate a new notification state to a second client device based at least in part on a type of the action and a current notification state associated with the second client device. In response to determining to propagate the new notification state to the second client device, the management service can provide to the second client device a command to change the current notification state to the new notification state.

Abstract: System and method for checking reputations of executable files in an endpoint device use an integrity verification on an executable file being scanned to determine whether the executable file has been unaltered since being installed in the endpoint device. When the executable file has been determined to be unaltered since being installed in the endpoint device, a file origin analysis is executed on the executable file based on a vendor identifier for the executable file to determine whether the executable file is from an approved source. When the executable file is determined to be from an approved source, an output is produced that indicates that the executable file has an approved reputation.

Abstract: Techniques for implementing IOMMU-based DMA tracking for enabling live migration of VMs that use passthrough physical devices are provided. In one set of embodiments, these techniques leverage an IOMMU feature known as dirty bit tracking which is available in most, if not all, modern IOMMU implementations. The use of this feature allows for the tracking of passthrough DMA in a manner that is device/vendor/driver agnostic, resulting in a solution that is universally applicable to all passthrough physical devices.

Abstract: Some embodiments of the invention provide a novel method for managing layer four (L4) ports associated with a machine executing on a host computer. The method collects a set of contextual attributes relating to applications executing on the machine. It then analyzes the collected contextual attributes to identify at least one L4 port that has to have its status modified. Next, it modifies the status of the identified L4 port. In some embodiments, the status of an L4 port can be either open or closed, and the modification can open a closed port or close an open port. In some embodiments, the method is performed when the machine starts up on the host computer, performed each time a new application is installed on the machine, performed periodically to close unused L4 ports, and/or performed periodically to close L4 ports that should not be open based on a set of L4-port control policies.

Abstract: System and computer-implemented method for generating multi-cloud recommendations for workloads uses costs and performance metrics of appropriate instance types in specific public clouds for target workloads to produce recommendation results. The appropriate instance types in the specific public clouds are determined based on instance capabilities and the workload type of the target workloads. In addition, a recommended cloud resource offering is determined for the target workloads, which is sent as a notification with the recommendation results of the appropriate instance types in the specific public clouds.

Abstract: In some embodiments, a method fragments a first packet into a plurality of fragments when a length of an encapsulated first packet is larger than a maximum transmission unit size. For each fragment in the plurality of fragments, fragmentation information is generated. The method encapsulates each fragment in the plurality of fragments with an outer header to form a plurality of encapsulated packets. The respective fragmentation information for each fragment is inserted in a portion of the outer header that is processed by endpoints of an overlay tunnel and not processed by a device along a path of the overlay tunnel. The plurality of encapsulated packets are sent via the overlay tunnel.

Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include receiving a request from an application for a cryptographic operation, wherein the request is associated with a computing device. Embodiments include determining one or more resource constraints related to the computing device. Embodiments include selecting, based on the one or more resource constraints, a cryptographic technique from a plurality of cryptographic techniques associated with indications of resource requirements. Embodiments include performing the cryptographic operation using the cryptographic technique. Embodiments include providing a response to the application based on performing the cryptographic operation.

Abstract: Disclosed are various aspects of voice skill session lifetime management. In some examples, a session extension request is received. The session extension request extends a voice skill session of a voice-activated device. A personal client device is identified based on the session extension request. A command to emit an ultrasonic pulse is transmitted to the personal client device.

Abstract: Techniques for optimizing virtual machine (VM) scheduling on a non-uniform cache access (NUCA) system are provided. In one set of embodiments, a hypervisor of the NUCA system can partition the virtual CPUs of each VM running on the system into logical constructs referred to as last level cache (LLC) groups, where each LLC group is sized to match (or at least not exceed) the LLC domain size of the system. The hypervisor can then place/load balance the virtual CPUs of each VM on the system's cores in a manner that attempts to keep virtual CPUs which are part of the same LLC group within the same LLC domain, subject to various factors such as compute load, cache contention, and so on.

Abstract: Systems and methods are described for creating a customized response to user feedback. In an example, a feedback system can receive user feedback about a product. The feedback system can parse the user feedback to extract keywords and assign categories to the keywords. The feedback system can also receive update information related to the product. The feedback system can parse the product update information in a similar manner to extract keywords and assign them to categories. The feedback system can compare the parsed user feedback and the parsed product update information and identify any matches that indicate that the product update addresses something mentioned in the user feedback. The feedback system can create a custom notification that highlights the portion of the product update information that matched to the user feedback.

Abstract: Some embodiments of the invention provide novel methods for using probabilistic filters to keep track of data message flows that are processed at an element (e.g., forwarding element or middlebox service element) of a network. In some embodiments, the method iteratively switches between two probabilistic filters as the active and backup filters as a way of maintaining and refreshing its active probabilistic filter without the need for maintaining time values for removing outdated records from its active filter.