Abstract: Disclosed are various examples for audio data leak prevention using user and device contexts. In some examples, a voice assistant device can be connected to a remote service that provides enterprise data to be audibly emitted by the voice assistant device. In response to a request for the enterprise data being received from the voice assistant device, an audio signal can be generated that audibly broadcasts the enterprise data. The audio signal can be generated to audibly redact at least a portion of the enterprise data based at least in part on a mode of operation of the voice assistant device. The voice assistant device can be directed to emit the enterprise data through a playback of the audio signal.

Abstract: Metrics corresponding to services provided by a cloud service provider can be received via a first API responsive to queries specifying identifiers of the services. A configuration file can be maintained that includes mappings between the identifiers of the services and the metrics corresponding to the services. An identifier of a new service provided by the cloud service provider can be received via a second API. A mapping between the identifier of the new service and a metric corresponding to the new service can be received by the configuration file. The metric corresponding to the new service can be received via the first API responsive to a query specifying the identifier of the new service.

Abstract: In an embodiment, a computer-implemented method provides mechanisms for identifying a source location in a service chaining topology. In an embodiment, a method comprises: determining, at an egress interface of a host that hosts a virtual machine (“VM”), whether a service plane MAC address (“spmac”) in a packet header of a packet, provided to the egress interface, is the same as an inner destination MAC address in the packet; in response to determining that the spmac in the packet header of the packet, provided to the egress interface, is the same as the inner destination MAC address in the packet: encapsulating the packet with a destination virtual tunnel endpoint (“VTEP”) address retrieved from a mapping of VTEP-labels onto VTEP addresses; and causing providing the packet from the egress interface of the host that hosts the VM to a source host that hosts a source guest virtual machine (“GVM”).

Abstract: Some embodiments provide a novel method for enforcing service policies at different container clusters configured by several SDN controller clusters. A first SDN controller cluster defines a particular service policy to be enforced for machines in first, second, and third container clusters. First, second, and third sets of network elements for the first, second, and third container clusters are managed by the first, a second, and a third SDN controller cluster respectively. For data message flows exchanged between machines in the first and second container clusters, the first SDN controller cluster distributes the particular service policy to service nodes only in the first container cluster. For data message flows exchanged between machines in the second and third container clusters, the first SDN controller cluster distributes the particular service policy to service nodes in at least one of the second and third container clusters.

Abstract: Some embodiments provide a method for a compute manager that manages (i) virtual machines executing on host computers and (ii) physical computers. The method uses a first set of application programming interfaces (APIs) to communicate with a virtual machine (VM) executing on a host first computer via a hypervisor executing on the host first computer. The method uses the first set of APIs to communicate with a second computer via a smart network interface controller (NIC) of the second computer, wherein the smart NIC translates the first set of APIs into a different, second set of APIs for the second computer so that the compute manager manages the VM and the second computer with the same first set of APIs.

Abstract: A system and method for using private native security groups and private native firewall policy rules for a private cloud computing environment and a public cloud computing environment uses a public cloud gateway for routing data traffic between at least a cloud network created in the public cloud computing environment and the private cloud computing environment. For each of some private native firewall policy rules that has any of newly created private native security groups as one of source and destination, a cloud native security group (CNSG) rule object with an CNSG outbound rule object and an CNSG inbound rule object for the public cloud is created and at least one of the CNSG outbound rule object and the CNSG inbound rule object is updated so that the private native firewall policy rule can be used in the cloud network.

Abstract: To provide a low latency near RT RIC, some embodiments separate the RIC's functions into several different components that operate on different machines (e.g., execute on VMs or Pods) operating on the same host computer or different host computers. Some embodiments also provide high speed interfaces between these machines. Some or all of these interfaces operate in non-blocking, lockless manner in order to ensure that critical near RT RIC operations (e.g., datapath processes) are not delayed due to multiple requests causing one or more components to stall. In addition, each of these RIC components also has an internal architecture that is designed to operate in a non-blocking manner so that no one process of a component can block the operation of another process of the component. All of these low latency features allow the near RT RIC to serve as a high speed IO between the E2 nodes and the xApps.

Abstract: A system and method for recommending demand-supply agent pairs for transactions uses a deep neural network on data of demand agents to produce a demand agent vector, which is used to select supply agents based on their likelihood of future transaction and to find k nearest neighbor demand agents for each of the demand agents. The candidate supply agents and the k nearest neighbor demand agents are then combined to produce candidate demand-supply agent pairs, which are used to find recommended demand-supply agent pairs by applying modeling using machine learning.

Abstract: Methods and apparatus to manage a dynamic deployment environment including one or more virtual machines is provided herein. A disclosed example includes involves: scanning, by executing a computer readable instruction with a processor, the virtual machines in the deployment environment to identify a service installed on any of the virtual machines; determining, by executing a computer readable instruction with the processor, the identified service corresponds to a service monitoring rule; determining, by executing a computer readable instruction with the processor, that a monitoring agent identified by the service monitoring rule is installed on the one or more virtual machines on which the service is installed; and configuring the monitoring agent, by executing a computer readable instruction with the processor, to monitor the service in accordance with the service monitoring rule on the at least one of the virtual machines on which the service is installed.

Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method generates a graph of connections between data compute nodes (DCNs) in the datacenter. Each connection has an associated time period during which the connection is active. The method receives an anomalous event occurring during a particular time period at a particular DCN operating in the datacenter. The method analyzes the generated graph to determine a set of paths between DCNs in the datacenter that include connections to the particular DCN during the particular time period. The method uses the set of paths to identify a threat to the datacenter.

Abstract: Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.

Abstract: Techniques for live migrating a paravirtual remote direct memory access (PVRDMA) virtual machine (VM) from a source host system to a destination host system are provided. In one set of embodiments, during a pre-copy phase of the live migration process, a source hypervisor of the source host system can invoke an application programming interface (API) exposed by a source host channel adapter (HCA) of the source host system for initiating write tracing of remote direct memory access (RDMA) writes/atomic operations received from remote endpoints and can retrieve a write trace element generated by the source HCA that identifies a memory region of the PVRDMA VM written to as a result of an RDMA write/atomic operation and a write location within the memory region. The source hypervisor can then identify one or more guest memory pages of the PVRDMA VM dirtied per the write trace element and transmit data contents of those pages to the destination host system.

Abstract: In an embodiment, a distributed firewall that learns from traffic patterns to prevent attacks is configured to receive traffic comprising one or more uniform resource identifiers (URIs), where a URI of the one or more URIs includes one or more parameters and one or more corresponding values. The firewall is configured to classify the corresponding value(s) using a pre-configured classifier and obtain a statistical rule that specifies an allowable type and an allowable length for traffic containing the one or more parameters, where the statistical rule is generated based on the classification. The firewall is configured to apply the statistical rule to incoming traffic to allow or drop requests comprising the parameter(s).

Abstract: Example methods are provided to use a guest monitoring mode (GMM) module in a hypervisor to authenticate hypercalls sent by a guest agent to the GMM module. The GMM module uses reference information, including thread information associated with a thread, to determine whether a hypercall associated with the thread was issued by the trusted guest agent or by potentially malicious code.

Abstract: An example virtualized computing system includes: a host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts, the virtualization layer supporting execution of virtual machines (VMs); an orchestration control plane integrated with the virtualization layer, the orchestration control plane including a master server executing in a first VM of the VMs; guest cluster infrastructure software (GCIS) executing in the master server, the GCIS configured to create a set of objects defining a container orchestration cluster, and manage lifecycles of second VMs of the VMs based on state of the set of objects; and guest software executing in the second VMs to implement the container orchestration cluster as a guest cluster of the host cluster, the guest software having components that interface with the GCIS.

Abstract: Example methods are provided to for automated determination of a minimal set of privileges that are required to execute a workflow in a virtualized computing environment. While the workflow is being executed, interactions with a user interface are recorded. The interactions include application program interface (API) calls. The method identifies the privileges that are used to execute the API calls, and the identified privileges are combined to form the minimal set of privileges. A model is generated that associates the minimal set of privileges to the workflow, and the model is applied to determine the privileges to assign to users that will be performing the same workflow.

Abstract: In some embodiments, a method stores a plurality of requests for routes in a queue based on respective priorities for the routes. The plurality of requests are for programming destinations and next hops for the destinations in a route table that is used by a device in a network to route packets. The method selects a request for a route from the queue based on a respective priority for the queue. Then, the request for the route is sent to an entity to program the route in the route table.

Abstract: The present disclosure is related to methods, systems, and machine-readable media for managing extent sharing between snapshots using mapping addresses. A first mapping address can be assigned to a first extent responsive to a request to write the first extent. A second mapping address can be assigned to a second extent responsive to a request to write the second extent. A snapshot can be created. A snapshot mapping address, that is monotonically increased from the second mapping address, can be assigned to the snapshot. A third mapping address, that is monotonically increased from the second mapping address, can be assigned to a third extent of the snapshot responsive to a request to write the third extent.

Abstract: The present disclosure is related to methods, systems, and machine-readable media for cloneless snapshot reversion. A request can be received to revert to a past snapshot of a virtual computing instance in a snapshot chain of a snapshot tree provided by a software defined data center. A live snapshot can be created at an end of the snapshot chain comprising the past snapshot. An intervening snapshot in the snapshot chain can be indicated as abandoned in a snapshot map associated with the snapshot tree based on the reversion.

Abstract: Systems and methods are described for onboarding a new device to a blockchain secured network. A trusted device that is already enrolled on the blockchain can receive information from a new device. The new device can send an onboarding request to a server through a non-blockchain secured Application Programming Interface (“API”). The trusted device can send an onboarding request for the new device through a blockchain secured API. The server can receive the requests and match them. The server can authenticate the two devices and send a request to a blockchain consensus to add the new device to the blockchain with the trusted device as a referral. The blockchain consensus can add the new device to the blockchain and notify the server. The server can notify the new device, and the new device can begin communicating through the blockchain secured API or directly with other devices on the blockchain.