Abstract: Example methods are provided for a network device to perform adaptive polling in a software-defined networking (SDN) environment. One example method may comprise: operating in a polling mode at a current polling round to detect zero or more packets that require packet processing by the network device. The method may also comprise: determining packet characteristic information associated with multiple polling rounds that include the current polling round and one or more previous polling rounds; and based on the packet characteristic information, determining whether a resource performance condition associated with the network device is satisfied. In response to determination that the resource performance condition is satisfied, the network device may operate in the polling mode at a subsequent polling round; but otherwise, switch from the polling mode to an interrupt mode.

Abstract: A hemostatic material or a tissue sealant, wherein a main component of the hemostatic material or the tissue sealant or part of the hemostatic material or the tissue sealant is a sponge grown in sea water or fresh water.

Abstract: Example methods and computer systems for encapsulated fragmented packet handling. One example may comprise a first computer system detecting an egress packet that requires fragmentation and determining an outer connectionless transport layer value based on content of an inner transport layer header of the egress packet. The first computer system may generate a first encapsulated fragmented packet that includes a first fragment of the inner payload, the inner transport layer header and a first outer header specifying the outer connectionless transport layer value; and a second encapsulated fragmented packet that includes a second fragment of the inner payload and a second outer header specifying the outer connectionless transport layer value. The first encapsulated fragmented packet and the second encapsulated fragmented packet may be forwarded towards a second computer system to cause receive-side processing based on the outer connectionless transport layer value.

Abstract: The disclosure provides an approach for routing traffic in a network. Embodiments include receiving, by a service router of an edge services gateway (ESG), a packet comprising a virtual network identifier (VNI) and a virtual local area network (VLAN) identifier. Embodiments include sending, by the service router, the packet to a virtual switch of the ESG based on the VNI of the packet. Embodiments include determining, by the virtual switch, a virtual routing and forwarding (VRF) router of the ESG for the packet based on the VLAN identifier. Embodiments include forwarding, by the virtual switch, the packet to the VRF router.

Abstract: Example methods and computer systems for encapsulated encrypted packet handling for receive-side scaling (RSS). One example may comprise a first computer system performing encryption and encapsulation on a first inner packet to generate a first encapsulated encrypted packet that includes (a) a first security protocol header and (b) a first outer header configured based on a first security association (SA). The first encapsulated encrypted packet may be forwarded to cause receive-side processing using a first core of a second computer system based on the first outer header. The first computer system may further perform encryption and encapsulation on a second inner packet to generate a second encapsulated encrypted packet that includes (a) a second security protocol header (b) a second outer header configured based on a second SA. The second encapsulated encrypted packet may be forwarded to cause receive-side processing using a second core based on the second outer header.

Abstract: Feature vectors are abstracted from data describing application processes. The feature vectors are grouped to define non-anomalous clusters of feature vectors corresponding to normal application behavior. Subsequent feature vectors are considered anomalous if they do not fall within one of the non-anomalous clusters; alerts are issued for anomalous feature vectors. In addition, the subsequent feature vectors may be used to regroup feature vectors to adapt to changes in what constitutes normal application behavior.

Abstract: A first host receives a packet from a first compute node for a second compute node of a second host. The payload is larger than a maximum transmission unit size. The first packet is encapsulated with an outer header. The first host analyzes a length of at least a portion of the outer header in determining a size of an encrypted segment of the payload. Then, the first host forms a plurality of packets where each packet in the packets includes an encrypted segment of the payload, a respective encryption header, and a respective authentication value. The payload of the first packet is segmented to form a plurality of encrypted segments based on the size. The first host sends the packets to the second host and receives an indication that a packet was not received. A second packet including the encrypted segment is sent to the second compute node.

Abstract: Example methods and systems for adaptive polling. One example may comprise operating in a polling mode to poll, from a network interface, zero or more packets that require packet processing by the network device. The method may also comprise: in response to detecting a non-zero polling round, adjusting a polling parameter to delay switching from the polling mode to a sleep mode. The method may further comprise: in response to detecting a zero polling round and determining that a switch condition is satisfied, adjusting a sleep parameter associated with the sleep mode based on traffic characteristic information associated with one or more polling rounds; and switching from the polling mode to the sleep mode in which polling from the network interface is halted based on the sleep parameter.

Abstract: In an embodiment, a computer-implemented method for a MAC addresses synchronization mechanism for a bridge port failover is disclosed.

Abstract: Some embodiments provide, for a gateway datapath that executes on a gateway device to implement tenant logical routers for multiple different tenant logical networks and process traffic between the tenant logical networks and an external network, a method for managing QoS for the plurality of tenant logical networks. The method receives a data message for a particular tenant logical network. The method executes a set of processing stages to process the data message. The set of processing stages includes a processing stage for a particular tenant logical router of the particular tenant logical network. As part of the processing stage for the particular tenant logical router, the method uses a QoS data structure specific to the particular tenant logical router to determine whether to allow the data message. The gateway device stores at least one separate QoS data structure for each of a set of the tenant logical routers.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Abstract: The method for a virtual machine to use a port and loopback IP addresses allocation scheme for full-mesh communications with transparent transport layer security tunnels is presented. In an embodiment, the method comprises detecting, at a redirect agent implemented in a first machine, a packet that is sent from a client application executing on the first machine toward a server application executing on a second machine; and determining, by the redirect agent, whether a first redirect rule matches the packet. In response to determining that the first redirect rule matches the packet, the redirect agent applies the first redirect rule to the packet to translate the packet into a translated packet, and provides the translated packet to a client agent implemented in the first machine to cause the client agent to transmit the translated packet to a server agent implemented in the second machine.

Abstract: Automated methods and systems described directed to determining a root cause of problem with a system executing in a distributed computing system. Methods and systems train a normal-state model that characterizes a normal state of the system based on normal log files generated by event sources of the system executed under normal or test conditions. Methods and systems use the normal-state model and a log file containing log messages recorded about the time when a problem with the system has been detected to identify log messages that describe a root cause of the problem.

Abstract: The disclosure provides an approach for routing traffic in a network. Embodiments include receiving, by a service router of an edge services gateway (ESG), a packet comprising a virtual network identifier (VNI) and a virtual local area network (VLAN) identifier. Embodiments include sending, by the service router, the packet to a virtual switch of the ESG based on the VNI of the packet. Embodiments include determining, by the virtual switch, a virtual routing and forwarding (VRF) router of the ESG for the packet based on the VLAN identifier. Embodiments include forwarding, by the virtual switch, the packet to the VRF router.

Abstract: The present disclosure discloses a skin penetration enhancing composition and a use thereof in preparation of a skin delivery formulation. The skin penetration enhancing composition comprises sponge spicules and nanoparticles. The nanoparticles comprise at least one of one or more drugs or one or more cosmetic active ingredients.

Abstract: An approach for an adaptive, performance-oriented, and compression-assisted encryption scheme implemented on a host computer to adaptively improve utilization of CPU resources is provided. The method comprises queueing a new data packet and determining a size of the new data packet. Based on historical data, a plurality of already encrypted data packets is determined. Based on information stored for the plurality of already encrypted data packets, an average ratio of compression for the plurality of already encrypted data packets is determined. Based on the average ratio of compression, a throughput of compression value and a throughput of encryption value, a prediction whether compressing the new data packet will reduce a CPU load is derived. If it is determined that compressing the new data packet will improve utilization of the CPU resources, then a compressed new data packet is generated by compressing the new data packet.

Abstract: Example methods and systems for adaptive polling. One example may comprise operating in a polling mode to poll, from a network interface, zero or more packets that require packet processing by the network device. The method may also comprise: in response to detecting a non-zero polling round, adjusting a polling parameter to delay switching from the polling mode to a sleep mode. The method may further comprise: in response to detecting a zero polling round and determining that a switch condition is satisfied, adjusting a sleep parameter associated with the sleep mode based on traffic characteristic information associated with one or more polling rounds; and switching from the polling mode to the sleep mode in which polling from the network interface is halted based on the sleep parameter.

Abstract: A virtual computing instance (VCI) is protected against security threats by a security manager, monitoring a behavior of a VCI over an observation period. The method further includes, storing by the security manager a digital profile in a first database, wherein the digital profile comprises information indicative of the behavior. The method further includes, accessing by a detection system, the digital profile from the first database, and accessing by the detection system, an intended state associated with VCI, wherein the intended state comprises information indicative of a behavior from a second VCI. The method further includes, comparing at least part of the digital profile to the at least part of the intended state. The method further includes, determining by the detection system, that the VCI contains a security threat when information indicative of a behavior in the digital profile is an outlier.

Abstract: A computer-implemented method for a media access control (MAC) address synchronization mechanism for a bridge port failover is disclosed. The method comprises: detecting a failover of a previously active bridge node; for each MAC address stored in a MAC-SYNC table: generating a first reverse address resolution protocol (“RARP”) packet having a source MAC address; broadcasting the first RARP message to a virtual extensible LAN (“VXLAN”) switch via a bridge port to register the source MAC address on the bridge port; and storing an association of the MAC address and an identifier of the bridge port in a forwarding table; for each MAC address stored in the forwarding table but not stored in the MAC-SYNC table: generating a second RARP packet with a MAC address to be the source MAC address; causing a physical switch to update a forwarding table maintained by the physical switch; and forwarding traffic via the bridge port.

Abstract: An approach for an adaptive, performance-oriented, and compression-assisted encryption scheme implemented on a host computer to adaptively improve utilization of CPU resources is provided. The method comprises queueing a new data packet and determining a size of the new data packet. Based on historical data, a plurality of already encrypted data packets is determined. Based on information stored for the plurality of already encrypted data packets, an average ratio of compression for the plurality of already encrypted data packets is determined. Based on the average ratio of compression, a throughput of compression value and a throughput of encryption value, a prediction whether compressing the new data packet will reduce a CPU load is derived. If it is determined that compressing the new data packet will improve utilization of the CPU resources, then a compressed new data packet is generated by compressing the new data packet.