Abstract: A scanner redirection method for a remote desktop system that includes a client computing device and a host server, includes the steps of: acquiring properties of a physical scanner from a data source; generating a user interface (UI) for the acquired properties of the physical scanner; in response to a first user selection made on the UI, transmitting a request to the physical scanner to update a scanner property that is one of the acquired properties of the physical scanner; and in response to a second user selection made on the UI, receiving from an application running on the host server, a request for a scanned image, transmitting to the data source a request to acquire the scanned image from the physical scanner, and upon receiving the scanned image from the data source, transmitting the scanned image to the application.

Abstract: An example method of upgrading a host in a cluster under management of a lifecycle manager in a virtualized computing system includes: receiving, from the lifecycle manager at a host in the cluster being upgraded, a desired software specification for a hypervisor of the host; determining, by the host, a list of required software installation bundles (SIBs) to satisfy the desired software specification; identifying a neighboring host in the cluster for the host; downloading, from the neighboring host to the host, at least at portion of the required SIBs; and executing an upgrade of the hypervisor in the host using the required SIBs.

Abstract: Example methods and systems for logical network packet handling are described. In one example, a physical network interface controller (PNIC) may receive an ingress encapsulated packet associated with a packet flow via a physical network. The ingress encapsulated packet may include an outer header and an inner packet that is destined for a virtualized computing instance. The ingress encapsulated packet may be steered towards a processing pipeline for processing to generate a processed packet. The processing pipeline may include (a) retrieving a logical network policy associated with the packet flow from a datastore on the PNIC; and (b) performing decapsulation to remove the outer header and one or more actions on the inner packet according to the logical network policy. The processed packet may be forwarded towards the virtualized computing instance via a virtual function supported by the PNIC or a physical network connected to the PNIC.

Abstract: In an embodiment, a statistical approach for augmenting signature detection in a Web application firewall includes receiving a new request including a parameter in a uniform resource identifier (URI), tokenizing the new request, and determining a compound probability that tokens in a value that is associated with the parameter of the URI and that is included in the new request are associated with an attack. The compound probability is determined based at least in part on component probabilities of tokens of historical values associated with the parameter of the URI.

Abstract: Various examples are disclosed for transitioning usage forecasting in a computing environment. Usage of computing resources of a computing environment are forecasted using a first forecasting data model and usage measurements obtained from the computing resources. A use of the first forecasting data model in forecasting the usage is transitioned to a second forecasting data model without incurring downtime in the computing environment. After the transition, the usage of the computing resources of the computing environment is forecasted using the second forecasting data model and the usage measurements obtained from the computing resources. The second forecasting data model exponentially decays the usage measurements based on a respective time period at which the usage measurements were obtained.

Abstract: Examples for detecting a compromised device are described. A set of threat detection rules can instruct an application on the client device how to detect whether the client device is compromised. The rules can be updated dynamically and without updating the application that is performing the compromise detection. The rules can be encoded in an interpreted scripting language and executed by a runtime environment that is embedded within the application.

Abstract: The disclosure provides an approach for high-availability admission control. Embodiments include determining a number of slots present on the cluster of hosts. Embodiments include receiving an indication of a number of host failures to tolerate. Embodiments include determining a number of slots that are assigned to existing computing instances on the cluster of hosts. Embodiments include determining an available cluster capacity based on the number of slots present on the cluster of hosts, the number of host failures to tolerate, and the number of slots that are assigned to existing computing instances on the cluster of hosts. Embodiments include determining whether to admit a given computing instance to the cluster of hosts based on the available cluster capacity.

Abstract: Some embodiments of the invention provide a method for processing requests for performing operations on resources in a software defined datacenter (SDDC). The resources are software-defined (SD) resources in some embodiments. The method initially receives a request to perform an operation with respect to a first resource in the SDDC. The method identifies a policy that matches (i.e., is applicable to) the received request for the first resource by comparing a set of attributes of the request with sets of attributes of a set of policies that place constraints on operations specified for resources. In some embodiments, several sets of attributes for several policies can be expressed for resources at different hierarchal resource levels of the SDDC. The method rejects the received request when the identified policy specifies that the requested operation violates a constraint on operations specified for the first resource.

Abstract: The present disclosure is related to methods, systems, and machine-readable media for log-structured file system management operations. An aggregate amount of over-provisioned computing resources assigned to a plurality of log-structured file system (LFS) objects that are allocated for performance of memory management operations associated with a virtual storage area network (vSAN) can be determined. A subset of LFS objects that are candidates for performance of a particular memory management operation based on an amount of over-provisioned computing resources consumed by one or more LFS objects among the plurality of LFS objects exceeding a resource consumption threshold associated with the determined amount of over-provisioned computing resources assigned to the plurality of LFS objects can be selected. The particular memory management operation using one or more of the candidate LFS objects can be performed.

Abstract: A system and method for deploying a virtual network function (VNF) are disclosed. Deploying a VNF includes receiving a request to instantiate a VNF in a network virtualization infrastructure, obtaining input from a user providing parameters needed for performing the instantiation of the VNF, determining a type of deployment for the VNF, and adding parameters inferred from the type of deployment to the user data to complete the parameters needed for deployment of the VNF, wherein the added parameters are inferred based on stored data regarding previous instantiations of the VNF. Determining the type of deployment for the VNF includes determining a number of instances of the VNFs to be deployed and a number of virtual infrastructure managers that will be instructed to deploy resources needed by the VNF.

Abstract: Techniques for implementing a tree-based ensemble classifier comprising an internal load balancer are provided. In one set of embodiments, the tree-based ensemble classifier can receive a query data instance and select, via the internal load balancer, a subset of its decision trees for processing the query data instance. The tree-based ensemble classifier can then query each decision tree in the selected subset with the query data instance, combine the per-tree classifications generated by the subset trees to generate a subset classification, and determine whether a confidence level associated with the subset classification is sufficiently high. If the answer is yes, the tree-based ensemble classifier can output the subset classification as a final classification result for the query data instance. If the answer is no, the tree-based ensemble classifier can repeat the foregoing steps until a sufficient confidence level is reached or until all of its decision trees have been selected and queried.

Abstract: The present disclosure relates to techniques for handling of bidirectional command protocols via a unidirectional communication connection established between a client computing environment and a cloud-services computing environment. In one embodiment, a command request message is pushed from a service component of the cloud-services computing environment to a client gateway of the client computing environment via the unidirectional communication connection. A token indicating routing information to the service component is embedded in the pushed command request message. A command response message is received at the cloud gateway from the client gateway via a bidirectional communication connection established between the client computing environment and the cloud-services computing environment. The command response message includes the token and data associated with executing the command request message at the client computing environment.

Abstract: The disclosure provides an approach for a non-disruptive system upgrade. Embodiments include installing an upgraded version of an operating system (OS) on a computing system while a current version of the OS continues to run. Embodiments include entering a maintenance mode on the computing system, including preventing the addition of new applications and modifying the handling of storage operations on the computing system for the duration of the maintenance mode. Embodiments include, during the maintenance mode, configuring the upgraded version of the OS. Embodiments include, after configuring the upgraded version of the OS, suspending a subset of applications running on the computing system, transferring control over resources of the computing system to the upgraded version of the OS, and resuming the subset of the applications running on the computing system. Embodiments include exiting the maintenance mode on the computing system.

Abstract: A method for the reverse deletion of a plurality of snapshots in a chain of snapshots is provided. The method includes in reverse order, starting from a latest snapshot in time to an earliest snapshot in time of the plurality of snapshots: identifying at least one of a first set of one or more data blocks of a snapshot that are shared with an earlier snapshot in time in the chain of snapshots or a second set of one or more data blocks of the snapshot that are owned by the snapshot and processing the second set of one or more data blocks and skipping processing the first set of one or more data blocks, wherein processing the second set of one or more data blocks comprises performing one or more actions to maintain and/or delete data blocks of the second set of one or more data blocks.

Abstract: Some embodiments provide a novel method for monitoring health of an SMN that includes multiple networking components. A health analytics manager identifies a set of one or more metrics associated with the network components of the SMN. The health analytics manager uses the set of metrics to compute a first health score for the SMN. Then, the health analytics manager presents the first health score in a UI along with (1) data regarding how the first health score was computed, and (2) a set of one or more parameters for a user to modify how the health for the SMN is computed. After receiving from the user one or more modifications to at least one of the parameters, the health analytics manager computes a second health score for the SMN based on the modified set of parameters.

Abstract: Techniques for implementing improved USB redirection of USB HID class devices are provided. In one set of embodiments a client system can receive, from a virtual desktop running on a server system, a poll message directed to an HID interface of a USB HID class device plugged into the client system and identify a polling thread associated with the HID interface. The client system can further save a copy of the poll message in the polling thread and initiate local polling of the HID interface, where the local polling comprises providing, via the polling thread, the copy of the poll message to the HID interface.

Abstract: This application relates generally to validating cybersecurity standard compliance of a computer system within a protected execution environment. An example method includes, obtaining one or more messages from a first component while the first component is operating in a protected execution environment created by applying cybersecurity requirements of a security standard, wherein the one or more messages include information about the cybersecurity requirements, and wherein the one or more messages are encrypted; decrypting the one or more messages; comparing the information contained in the one more messages with corresponding cybersecurity requirements of the security standard for the first component; and determining whether the first component is in compliance with the security standard based on the comparing of the information contained in the one more messages with corresponding cybersecurity requirements of the security standard.

Abstract: Some embodiments of the invention provide a method of upgrading software defined networking (SDN) modules executing on a host computer. While a first version of the SDN modules is executing on the host computer to perform traffic processing, the method loads a second version of the SDN modules alongside the first version of the SDN modules such that the first and second versions of the SDN modules are executing on the host computer at the same time. The method saves runtime states from the first version of the SDN modules, and transfers responsibility for performing traffic processing from the first version of the SDN modules to the second version of the SDN modules. The method then restores the saved runtime states to the second version of the SDN modules.

Abstract: Techniques for using data mirroring across regions to reduce the likelihood of losing objects in a cloud object storage platform are provided. In one set of embodiments, a computer system can upload first and second copies of a data object to first and second regions of the cloud object storage platform respectively, where the first and second copies are identical. The computer system can then attempt to read the first copy of the data object from the first region. If the read attempt fails, the computer system can retrieve the second copy of the data object from the second region.

Abstract: Some embodiments provide novel methods for providing different types of services for a logical network associated with an edge forwarding element acting between the logical network and an external network. The edge forwarding element receives data messages for forwarding and performs a service classification operation to select a set of services of a particular type for the data message. The particular type of service is one of multiple types of services that use different transport mechanisms to forward the data to a set of service nodes (e.g., service virtual machines, or service appliances, etc.) that provide the service. The edge forwarding element receives the data message after the selected set of services has been performed and performs a forwarding operation to forward the data message. In some embodiments, the method is also performed by edge forwarding elements that are at the edges of logical network segments within the logical network.