Abstract: Methods, systems, and computer-readable storage media for receiving a AAG from computer-readable memory, generating from logical network ontology data, asset inventory data, and asset communication data, a logical topology of the enterprise network as a computer-readable data structure, defining, at least partially by executing community detection over the logical topology, a sub-set of groups within the enterprise network, each group representing a process of a plurality of process, each process being at least partially executed by one or more assets within the enterprise network, processing the AAG based on the sub-set of groups and data from one or more contextual data sources to provide the process aware AAG, the process aware AAG defining a mapping between an infrastructure-layer of the enterprise network and a process-layer of the enterprise network, and executing one or more remedial actions in the enterprise network in response to analytics executed on the process aware AAG.

Abstract: Methods, systems, and computer-readable storage media for receiving a process aware AAG from computer-readable memory, the process aware AAG having been generated from the AAG, processing the process aware AAG to consolidate asset nodes to group nodes at least partially by providing metadata describing an asset node to a set of properties of a group node and pruning the asset node and any child nodes of the asset node from the process aware AAG, providing the aggregation graph by identifying relationships between group nodes and, for each relationship, inserting an edge between group nodes, and aggregating one or more of a set of node properties and a set of edge properties for each group node or edge, respectively, storing the aggregation graph to computer-readable memory, and executing one or more remedial actions in the enterprise network in response to analytics executed on the aggregation graph.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for reducing carbon emission debt. A method includes actions of obtaining candidate cloud deployment architectures; obtaining a set of requirements for quality attributes, each requirement corresponding to a respective quality attribute of the candidate cloud deployment architectures; selecting, from the candidate cloud deployment architectures, a particular cloud deployment architecture for implementation based on the set of requirements for the quality attributes; determining a wasted carbon emission debt for the particular cloud deployment architecture; selecting a requirement corresponding to a particular quality attribute to adjust based on the wasted carbon emission debt; and providing, for output, an adjusted requirement corresponding to the particular quality attribute. The wasted carbon emission debt includes a difference between the actual carbon emission debt and the theoretical carbon emission debt.

Abstract: A method and system for multi-layer traffic steering for enabling service chaining over a software defined network (SDN) are provided. The method is performed by a central controller of the SDN and includes receiving at least one service chaining rule defining at least one value-added service (VAS) to assign to an incoming traffic flow addressed to a destination server; analyzing each of the at least one received service chaining rule to determine if an application-layer steering is required; generating at least one application-layer steering rule, upon determining that an application-layer steering is required; generating at least one network-layer steering rule, upon determining that an application-layer steering is not required; and programming a multi-layer steering fabric with the generated at least one of network-layer steering rule and application-layer steering rule.

Abstract: The present disclosure provides a system architecture for designing and monitoring privacy-aware services and improving privacy regulation compliance. A privacy-preserving knowledge graph (PPKG) system provides functionality for modelling and analyzing processes that use, share, or request sensitive data from users and the outcomes of such functionality may be utilized to modify the design of the processes (e.g., to improve security of the process, regulatory compliance of the process, and the like). The PPKG system may also be used to modify the process, such as to write code that may be compiled into executable form and deployed to a run-time environment. A privacy-preserving posture (PPP) system monitors the run-time environment and analyzes where processes obtain, store, and share sensitive data. The PPP system may identify run-time vulnerabilities that may pose risks with respect to the sensitive data, as well as areas where modifications could be made to improve regulatory compliance.

Abstract: Methods, systems, and computer-readable storage media for receiving data representative of two or more AAGs, providing an identifier for each element of each of the two or more AAGs, each identifier being unique within a respective AAG, at least one identifier being non-unique between the two or more AAGs, determining an attribute value for each element of each of the two or more AAGs, storing attribute value to element mappings in an attribute dictionary, providing a differenced AAG based on the attribute value to element mappings in the attribute dictionary, determining a set of remedial actions at least partially based on the differenced AAG, and executing one or more remedial actions in the set of remedial actions to reduce a cyber security risk to the enterprise network.

Abstract: Methods, systems, and computer-readable storage media for receiving a process aware AAG from computer-readable memory, the process aware AAG having been generated from the AAG, processing the process aware AAG to consolidate asset nodes to group nodes at least partially by providing metadata describing an asset node to a set of properties of a group node and pruning the asset node and any child nodes of the asset node from the process aware AAG, providing the aggregation graph by identifying relationships between group nodes and, for each relationship, inserting an edge between group nodes, and aggregating one or more of a set of node properties and a set of edge properties for each group node or edge, respectively, storing the aggregation graph to computer-readable memory, and executing one or more remedial actions in the enterprise network in response to analytics executed on the aggregation graph.

Abstract: Methods, systems, and computer-readable storage media for receiving a AAG from computer-readable memory, generating from logical network ontology data, asset inventory data, and asset communication data, a logical topology of the enterprise network as a computer-readable data structure, defining, at least partially by executing community detection over the logical topology, a sub-set of groups within the enterprise network, each group representing a process of a plurality of process, each process being at least partially executed by one or more assets within the enterprise network, processing the AAG based on the sub-set of groups and data from one or more contextual data sources to provide the process aware AAG, the process aware AAG defining a mapping between an infrastructure-layer of the enterprise network and a process-layer of the enterprise network, and executing one or more remedial actions in the enterprise network in response to analytics executed on the process aware AAG.

Abstract: A system, and method therefor for disaggregated detection denial-of-service (DDoS) are provided. The system includes a plurality of detectors deployed on a plurality of network nodes, wherein each network node is connected to an edge network, wherein one detector of the plurality of detectors is deployed in each of the plurality of network nodes, wherein each of the plurality of detectors is configured to detect and characterize at least a DDoS attack by analyzing telemetries received by the respective network node in which the detector is deployed.

Abstract: A system and method for managing an application delivery controller (ADC) cluster including a plurality of ADCs are provided. The method includes creating a hash table including a plurality of buckets, wherein a number of the plurality of buckets is a multiple of a maximum number of active ADCs that can be supported by the ADC cluster; allocating, to each active ADC of the ADC cluster, one of the plurality of buckets; and instructing at least one network element to distribute traffic to and from the active ADCs based on the hash table.

Abstract: A method, host machine, and a virtual network for distributing application delivery controller services in a virtual network are presented. The method includes activating a first application delivery controller (ADC) agent on at least a first host machine of a plurality of host machines included in the virtual network, wherein the first host machine is configured to host at least one client; intercepting, by the first ADC agent, a request from the at least one client, wherein the request is for a service provided by one server of a plurality of servers hosted by the plurality of host machines; selecting, by the first ADC agent, a server of the plurality of servers to serve the request; forwarding, by the first ADC agent, the intercepted request to the selected server; and relaying a response to the intercepted request received from the selected server to the at least one client.

Abstract: A method, host machine, and a virtual network for distributing application delivery controller services in a virtual network are presented. The method includes activating a first application delivery controller (ADC) agent on at least a first host machine of a plurality of host machines included in the virtual network, wherein the first host machine is configured to host at least one client; intercepting, by the first ADC agent, a request from the at least one client, wherein the request is for a service provided by one server of a plurality of servers hosted by the plurality of host machines; selecting, by the first ADC agent, a server of the plurality of servers to serve the request; forwarding, by the first ADC agent, the intercepted request to the selected server; and relaying a response to the intercepted request received from the selected server to the at least one client.

Abstract: A system and method for managing an application delivery controller (ADC) cluster including a plurality of ADCs are provided. The method includes creating a hash table including a plurality of buckets, wherein a number of the plurality of buckets is a multiple of a maximum number of active ADCs that can be supported by the ADC cluster; allocating, to each active ADC of the ADC cluster, one of the plurality of buckets; and instructing at least one network element to distribute traffic to and from the active ADCs based on the hash table.

Abstract: An approach is provided in which a system creates a network application model that includes network policy objects and connection rules corresponding to sending data between the network policy objects. The system converts the network application model to network configuration information, which links the network policy objects to the connection rules. In turn, a network control plane is configured based upon the network configuration information to map the network application model to a physical infrastructure.

Abstract: An approach is provided in which a system creates a network application model that includes network policy objects and connection rules corresponding to sending data between the network policy objects. The system converts the network application model to network configuration information, which links the network policy objects to the connection rules. In turn, a network control plane is configured based upon the network configuration information to map the network application model to a physical infrastructure.

Abstract: A method and system for multi-layer traffic steering for enabling service chaining over a software defined network (SDN) are provided. The method is performed by a central controller of the SDN and includes receiving at least one service chaining rule defining at least one value-added service (VAS) to assign to an incoming traffic flow addressed to a destination server; analyzing each of the at least one received service chaining rule to determine if an application-layer steering is required; generating at least one application-layer steering rule, upon determining that an application-layer steering is required; generating at least one network-layer steering rule, upon determining that an application-layer steering is not required; and programming a multi-layer steering fabric with the generated at least one of network-layer steering rule and application-layer steering rule.

Abstract: Systems and methods for migrating a virtual resource from a source host in a source network to a destination host in a destination network are provided. In one embodiment, the method comprises establishing a secure communication connection between a source proxy in the source network and a destination proxy in the destination network; and monitoring migration traffic directed from the source host to the source proxy and forwarding said traffic to the destination proxy which in turn forwards the traffic to the destination host over the secure communication connection between the source proxy and the destination proxy, such that the communication addresses of the source host and the destination host remain guarded from direct access by an entity outside of the source network or the destination network.

Abstract: A method for managing remote deployment of a virtual machine (VM) in a network environment is provided. A VM image stored in a second storage medium is copied to a first storage medium. The first storage medium is located in close proximity to a first computing system, and the second storage medium is located remotely from the first computing system and in close proximity to a second computing system. As the VM image is being copied, a first VM is deployed on the first computing system from a partial copy of the VM image stored in the first storage medium, and a second VM is deployed on the second computing system from the VM image stored in the second storage medium. Service requests submitted to the first computing system are managed either locally by the first VM or remotely by the second VM based on type of service requested.

Abstract: According to one embodiment of the present disclosure, an approach is provided in which a policy server receives a request for a policy from a requestor. The policy server identifies an initiating virtual machine; the initial virtual machine's corresponding virtual network; and a destination virtual machine. Next, a policy corresponding to sending data from the first virtual machine to the second virtual machine is selected. The policy includes one or more logical references to the virtual network and does not include a physical reference to a physical entity located on a physical network. In turn, a physical path translation corresponding to the selected policy is identified and sent to the requestor.

Abstract: Systems and methods for deploying a virtual machine (VM) on a host are provided. An exemplary method comprises notifying a host to download a master copy of a VM image from a remotely located network storage device, in response to a service provider providing a definition manifest for a service request supported by the VM, wherein the host deploys the VM directly from the VM image downloaded to a storage medium locally connected to the host machine, wherein deployment of the VM allows the host to locally service the service request associated with the definition manifest, wherein the host replicates copies of the VM image, in response to receiving additional service requests to create one or more VM clones; wherein the host customizes the one or more VM clones based on the definition manifest.