Patents Assigned to VMWARE LLC
-
Patent number: 12009987
Abstract: Some embodiments provide a method of transmitting data in a logical network that includes multiple hubs in a hub cluster and multiple branches. Each branch connects to a hub of the cluster through a virtual private network (VPN) tunnel. The method is performed by a network controller. The method assigns one of the hubs as a master hub. The method then sends a command to each of the other hubs in the hub cluster to establish a VPN tunnel between the other hub and the master hub. The method then advertises, to the other hubs, routes between the other hubs through the master hub. Each branch, in some embodiments, is connected to only one hub in the hub cluster.
Type: Grant
Filed: May 2, 2022
Date of Patent: June 11, 2024
Assignee: VMware LLC
Inventor: Navaneeth Krishnan Ramaswamy
-
Patent number: 12010126
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads.
Type: Grant
Filed: July 13, 2021
Date of Patent: June 11, 2024
Assignee: VMware LLC
Inventors: Nafisa Mandliwala, Sirisha Myneni, Subrahmanyam Manuguri
-
Patent number: 12001828
Abstract: A method of updating a desired state of a virtualization software for a cluster of hosts includes: in response to a notification of a change associated with the cluster, determining versions of a base image of the virtualization software that are compatible with the cluster; for each compatible version of the base image, determining versions of an add-on image of the virtualization software that are compatible with the compatible version of the base image and the cluster; presenting as a recommended image a complete image of the virtualization software, the complete image containing a first version of the base image that is compatible with the cluster and a first version of the add-on image that is compatible with the first version of the base image and the cluster; and upon acceptance of the recommended image, updating a software specification to include the recommended image.
Type: Grant
Filed: December 16, 2020
Date of Patent: June 4, 2024
Assignee: VMware LLC
Inventors: Hui Li, Mukund Gunti, Yuedong Mu
-
Patent number: 12001860
Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to generate code as a plug-in in a cloud computing environment. An example system includes at least one memory, programmable circuitry, and machine readable instructions to program the programmable circuitry to introspect code in a library to obtain introspection data, the library corresponding to a resource that is to be deployed in a cloud infrastructure environment, generate a model based on the introspection data, the model to be a representation of the resource, cross-reference the model with a resource meta-model, the resource meta-model to map characteristics of the resource represented by the model to an actual state of the resource, and generate a plug-in based on the cross-referenced model.
Type: Grant
Filed: January 27, 2023
Date of Patent: June 4, 2024
Assignee: VMware LLC
Inventors: Petar Vorotnikov, Petko Marinov
-
Patent number: 12001449
Abstract: A method of managing the sharing of inventory data across a plurality of data centers, includes the steps of detecting a change made to the inventory data by one of the data centers, updating a desired state document that specifies a desired state of each of the data centers, the updated desired state document including the inventory data as changed, and instructing each of other ones of the data centers to update the inventory data using the updated desired state document. Each of the data centers employs a database for storing the inventory data, and so after the remaining ones of the data centers have updated the inventory data using the updated desired state document, the change made to the inventory data stored in the database of one of the data centers is replicated in the respective databases of the remaining ones of the data centers.
Type: Grant
Filed: February 3, 2022
Date of Patent: June 4, 2024
Assignee: VMware LLC
Inventors: Kundan Sinha, Shalini Krishna
-
Patent number: 11997196
Abstract: In one set of embodiments, each server executing a secure multi-party computation (MPC) protocol can receive shares of inputs to the MPC protocol from a plurality of clients, where each input is private to each client and where each share is generated from its corresponding input using a threshold secret sharing scheme. Each server can then verify whether the shares of the plurality of inputs are valid/invalid and, for each invalid share, determine whether a client that submitted the invalid share or a server that holds the invalid share is corrupted. If the client that submitted the invalid share is corrupted, each server can ignore the input of that corrupted client during a computation phase of the MPC protocol. Alternatively, if the server that holds the invalid share is corrupted, each server can prevent that corrupted server from participating in the computation phase.
Type: Grant
Filed: October 14, 2022
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Avishay Yanai, Ittai Abraham
-
Patent number: 11997170
Abstract: A method of migrating an application to a container platform includes the steps of: installing a first agent that collects information about the application; detecting information about a first process of the application, wherein the detected information about the first process is received from the first agent; and based on the detected information about the first process, generating a container file including instructions for building a first container that executes the first process and a deployment file for deploying the first container for execution on the container platform.
Type: Grant
Filed: September 3, 2021
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Tamil Vanan Karuppannan, Prasanna Kumar Subramanyam
-
Patent number: 11995024
Abstract: Some embodiments provide a method for synchronizing state between multiple smart NICs of a host computer that perform operations using dynamic state information. At a first smart NIC of the plurality of smart NICs, the method stores a set of dynamic state information. The method synchronizes the set of dynamic state information across a communication channel that connects the smart NICs so that each of the smart NICs also stores the set of dynamic state information.
Type: Grant
Filed: December 22, 2021
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Boon S. Ang, Wenyi Jiang, Guolin Yang, Jin Heo
-
Patent number: 11995461
Abstract: An example method includes: executing, by application analysis software executing in the virtualized computing system, process discovery agents on the VMs; receiving, at the application analysis software from the process discovery agents, process metadata describing processes executing on the VMs; generating signatures for the processes based on the process metadata; determining components of an application based on the signatures; determining components of an application based on the signatures; identifying, for a first component of the components, a component-specific metadata collector; executing, by the application analysis software, the component-specific metadata collector on a first VM of the VMs; and receiving, at the application analysis software from the component-specific metadata collector, custom metadata further describing a first process of the processes associated with the first component.
Type: Grant
Filed: October 29, 2021
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Sri Narayanan Thanga Nadar, Ankita Sharma, Ashok Aletty, Ahil Kanna, Kshitiz Sharma, Shivakumar Somapur, Aman Singh, Vijay Kintali
-
Patent number: 11995038
Abstract: Some embodiments of the invention provide a method of performing services on a host computer on which a machine executes. The method sends, to a file inspector, a first set of data associated with an event detected on the machine that is associated with a file stored on the machine. The method receives, from the file inspector, indication that the file stores confidential information. The method sends, to a context engine executing on the host computer separately from the machine, a second set of data associated with the file, the context engine storing the second set of data for subsequent access by a service engine that executes on the host computer separately from the machine, the service engine using the second set of data to perform a service operation on data messages associated with the machine.
Type: Grant
Filed: January 7, 2022
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Sriram Gopalakrishnan, Hrishikesh Ghatnekar
-
Patent number: 11995459
Abstract: A virtual machine (VM) is migrated from a source host to a destination host in a virtualized computing system, the VM having a plurality of virtual central processing units (CPUs). The method includes copying, by VM migration software executing in the source host and the destination host, memory of the VM from the source host to the destination host by installing, at the source host, write traces spanning all of the memory and then copying the memory from the source host to the destination host over a plurality of iterations; and performing switch-over, by the VM migration software, to quiesce the VM in the source host and resume the VM in the destination host. The VM migration software installs write traces using less than all of the virtual CPUs, and using trace granularity larger than a smallest page granularity.
Type: Grant
Filed: August 25, 2020
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Arunachalam Ramanathan, Yanlei Zhao, Anurekh Saxena, Yury Baskakov, Jeffrey W. Sheldon, Gabriel Tarasuk-Levin, David A. Dunn, Sreekanth Setty
-
Patent number: 11997067
Abstract: Described herein are systems, methods, and software to manage internet protocol (IP) address allocation for tenants in a computing environment. In one implementation, a logical router associated with a tenant in the computing environment requests a public IP address for a new segment instance from a controller. In response to the request, the controller may select a public IP address from a pool of available IP addresses and update networking address translation (NAT) on the logical router to associate the public IP address with a private IP address allocated to the new segment instance.
Type: Grant
Filed: January 22, 2021
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Dileep K Devireddy, Ankit Parmar, Hiteshkumar Rameshchandra Patel
-
Patent number: 11997120
Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method receives a set of connections between a set of DCNs in the datacenter over a particular time period. The set of DCNs includes at least a first DCN at which a first anomalous event was detected. The method analyzes a set of detected anomalous events to identify additional anomalous events detected at other DCNs in the set of DCNs during the particular time period. Based on the first anomalous event and identified additional anomalous events, the method determines whether the anomalous events indicate a threat to the datacenter.
Type: Grant
Filed: July 9, 2021
Date of Patent: May 28, 2024
Assignee: VMware LLC
Inventors: Tejas Sanjeev Panse, Aditi Vutukuri, Arnold Koon-Chee Poon, Rajiv Mordani, Margaret Petrus
-
Patent number: 11991187
Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives attribute sets for multiple flows. Each respective attribute set for a respective flow includes at least (i) a source identifier for the respective flow and (ii) an indicator as to whether the respective flow is indicative of the source of the respective flow being a security threat. For each of multiple source identifiers, the method aggregates the received attribute sets to generate an aggregate attribute set for the source identifier that includes a combined measurement of security threat indicators. For a particular source identifier, the method adjusts a security threat likelihood score for the source corresponding to the particular source identifier based on the combined measurement of security threat indicators for the source identifier.
Type: Grant
Filed: April 1, 2021
Date of Patent: May 21, 2024
Assignee: VMware LLC
Inventors: Tejas Sanjeev Panse, Santhanakrishnan Kaliya Perumal, Aditi Vutukuri, Margaret Petrus
-
Patent number: 11989298
Abstract: Methods and apparatus to validate and restore machine configurations are disclosed herein. An example apparatus includes a context identifier to obtain first context information for a first set of configuration update events occurring on a computing device, a guest agent interface to transmit the first set of configuration update events to a security manager for generation of a policy, the policy including allowable configuration update events and responses to unallowable configuration update events, an event comparator to compare second context information of a subsequent configuration update event obtained by the context identifier to the policy received from the security manager, and an event handler to determine, when the subsequent configuration update event is not included in the policy, that the subsequent configuration update event is to be transmitted to the security manager for generation of an updated policy.
Type: Grant
Filed: August 2, 2021
Date of Patent: May 21, 2024
Assignee: VMware LLC
Inventors: Nilesh Awate, Goresh Musalay, Sachin Shinde, V S V Vijay
-
Patent number: 11989419
Abstract: The disclosure provides an approach for storage device write performance improvement in a remote computing environment. Embodiments include creating, on a remote device that is remote from a client device, a virtual storage device corresponding to a physical storage device physically connected to the client device. Embodiments include receiving, by a driver on the remote device, a request from an application on the remote device to perform a write operation with respect to the virtual storage device. Embodiments include sending, by the remote device, a write operation to the client device based on the request. Embodiments include prior to receiving a confirmation from the client device that the write operation was received or completed, sending, by the driver, to the application, a message indicating that the write operation is complete. Embodiments include receiving, by the driver, based on the message, an additional request to perform an additional write operation.
Type: Grant
Filed: July 26, 2022
Date of Patent: May 21, 2024
Assignee: VMware LLC
Inventors: Weigang Huang, Yueting Zhang
-
Patent number: 11979325
Abstract: Some embodiments of the invention provide a method of dynamically scaling a hub cluster in a software-defined wide area network (SD-WAN) based on particular traffic statistics, the hub cluster being located in a datacenter of the SD-WAN and allowing branch sites of the SD-WAN to access resources of the datacenter by connecting to the hub cluster. A controller of the SD-WAN receives, from the hub cluster, traffic statistics centrally captured at the hub cluster. The controller then analyzes these statistics to identify traffic load fluctuations, and determines that a number of hubs in the hub cluster should be adjusted based on the identified fluctuations. The controller adjusts the number of hubs in the hub cluster based on the determination.
Type: Grant
Filed: January 5, 2022
Date of Patent: May 7, 2024
Assignee: VMware LLC
Inventors: Gopa Kumar, Navaneeth Krishnan Ramaswamy, Murtaza Zafer
-
Patent number: 11977620
Abstract: Examples for validating the identity of an application in an inter-app communication protocol are described. An attestation payload is obtained from a third party attestation service that is executed remotely from a device on which the application is running. The attestation payload can be validated by another application on the device in order to validate the identity of the application providing the attestation payload.
Type: Grant
Filed: January 19, 2022
Date of Patent: May 7, 2024
Assignee: VMware LLC
Inventors: Simon Paul Brooks, Anuj Panwar, Siavash James Joorabchian Hawkins
-
Publication number: 20240143746
Abstract: Systems and methods are described for employing event context to improve threat detection. Systems and methods of embodiments of the disclosure measure both process deviation and path deviation to determine whether processes are benign or represent threats. Both a process deviation model and a path deviation model are deployed. The process deviation model determines the similarity of a process to past processes, and the path deviation model estimates whether processes have been called out of turn. In this manner, systems and methods of embodiments of the disclosure are able to detect both whether a process is in itself unusual, and whether it is called at an unusual time. This added context contributes to improved threat detection.
Type: Application
Filed: October 28, 2022
Publication date: May 2, 2024
Applicant: VMware LLC
Inventors: Raghav BATTA, Amit CHOPRA, Aditya CHOUDHARY, Lalit Prithviraj JAIN, Anjali MANGAL, Jonathan James OLIVER
-
Patent number: 11972283
Abstract: An example virtualized computing system includes: a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs and native VMs, the pod VMs including container engines supporting execution of containers in the pod VMs, the native VMs including applications executing on guest operating systems; an orchestration control plane integrated with the virtualization layer and including a master server and native VM controllers, the master server managing lifecycles of the pod VMs and the native VMs; and management agents, executing in the native VMs, configured to receive decoupled information from the master server through the native VM controllers and to provide the decoupled information for consumption by the applications executing in the native VMs, the decoupled information including at least one of configuration information and secret information.
Type: Grant
Filed: February 28, 2022
Date of Patent: April 30, 2024
Assignee: VMware LLC
Inventors: Yash Nitin Desai, Abhishek Srivastava