Patents by Inventor Felix Klaedtke

Felix Klaedtke has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240061938
    Abstract: A method for implementing a software update for a selected enclave of a computing system includes obtaining, by a security monitor (SM) of the computing system, the software update for the selected enclave, installing, by the SM, the software update for the selected enclave to provide updated enclave software code, and measuring, by the SM, the updated enclave software code to provide a software update measurement. The updated enclave software code is stored in a memory region isolated from a memory region in which data for the selected enclave is stored. The method further includes transmitting, by the SM, the software update measurement to one or more respective other enclaves that share a memory region with the selected enclave.
    Type: Application
    Filed: October 17, 2022
    Publication date: February 22, 2024
    Inventors: Samira Briongos, Felix Klaedtke
  • Publication number: 20240020425
    Abstract: A method provides trusted timing services to an enclave of a computer having memory and a trusted hardware timer. The computer executes a privileged management program and an untrusted operating system. The privileged management program has access to the memory and the trusted hardware timer, has higher privileges than the untrusted operating system, and exposes a system call to the enclave for requesting the trusted timing services. The method includes: receiving, by the privileged management program, a request for timing services from the enclave, via the system call; reserving, by the privileged management program, a memory region of the memory for tracking time; and writing, by the privileged management program, at least one value of the trusted hardware timer into the memory region.
    Type: Application
    Filed: August 3, 2022
    Publication date: January 18, 2024
    Inventors: Samira Briongos, Claudio Soriente, Felix Klaedtke, Ghassan Karame
  • Patent number: 11809430
    Abstract: A method for processing an out-of-order data stream includes inserting a new data stream element into a segment list according to a timestamp of the new data stream element. It is identified whether there are missing data stream elements between segments in the segment list. The segments which have no missing data stream elements between them are merged. Values of the data stream elements are aggregated using a sliding window over out-of-order data stream elements in the merged segment.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: November 7, 2023
    Assignee: NEC CORPORATION
    Inventor: Felix Klaedtke
  • Patent number: 11695549
    Abstract: Systems and methods for attesting an enclave in a network. A method includes receiving, by a first device, proof information from an application provider entity that the enclave is secure, wherein the proof information includes a public part, Ga, of information used by the enclave to derive a Diffie-Hellman key in a key generation process with the application provider entity, processing, by the first device, the proof information to verify that the enclave is secure and ensuring that Ga is authentic and/or valid, deriving, by the first device, a new Diffie-Hellman key, based on Ga and x, wherein x is a private part of information used by the first device to derive the new Diffie-Hellman key, and sending, by the first device, a message including Ga and a public part, Gx, of the information used by the first device to derive the new Diffie-Hellman key to the enclave.
    Type: Grant
    Filed: September 9, 2021
    Date of Patent: July 4, 2023
    Assignee: NEC CORPORATION
    Inventors: Ugo Damiano, Felix Klaedtke
  • Publication number: 20230008003
    Abstract: Systems and methods for attesting an enclave in a network. A method includes receiving, by a first device, proof information from an application provider entity that the enclave is secure, wherein the proof information includes a public part, Ga, of information used by the enclave to derive a Diffie-Hellman key in a key generation process with the application provider entity, processing, by the first device, the proof information to verify that the enclave is secure and ensuring that Ga is authentic and/or valid, deriving, by the first device, a new Diffie-Hellman key, based on Ga and x, wherein x is a private part of information used by the first device to derive the new Diffie-Hellman key, and sending, by the first device, a message including Ga and a public part, Gx, of the information used by the first device to derive the new Diffie-Hellman key to the enclave.
    Type: Application
    Filed: September 9, 2021
    Publication date: January 12, 2023
    Inventors: Ugo Damiano, Felix Klaedtke
  • Patent number: 11546263
    Abstract: Systems, computer-readable media and methods for aggregating data items from an out-of-order data stream over a sliding window efficiently. The method delays the value aggregation for certain time windows and computes partial aggregations that can be reused for the multiple time windows. Aggregations may have any value type such as Boolean, integer, strings, floating point, vector and map.
    Type: Grant
    Filed: October 5, 2021
    Date of Patent: January 3, 2023
    Assignee: NEC CORPORATION
    Inventor: Felix Klaedtke
  • Publication number: 20220283876
    Abstract: A method for processing slices of a data stream in parallel by different workers includes receiving events of the data stream and forwarding the events to respective ones of the workers for updating respective states of the respective workers and for outputting results of data processing of the events. The states comprise hierarchically grouped state variables. At least one of the workers checks whether it is in a terminable state by checking that state variables that are owned by the worker in a current state of the worker have initial values.
    Type: Application
    Filed: May 31, 2021
    Publication date: September 8, 2022
    Inventor: Felix Klaedtke
  • Patent number: 11429542
    Abstract: A method for securing data stream processing includes implementing a stage of a data processing pipeline in a trusted execution environment. A state of the stage is represented by a graph-based data structure. Protected memory of the trusted execution environment is reserved for computations of the stage. A key-value store is maintained in the protected memory. The key-value store includes hashes of graph segments of the graph-based data structure for the computations and memory locations of the graph segments. A state part of the computations is moved from the protected memory to unprotected memory. The state part of the computations is loaded back to the protected memory. An integrity of a computation using the state part of the computations is checked using the hashes in the key-value store.
    Type: Grant
    Filed: November 4, 2020
    Date of Patent: August 30, 2022
    Assignee: NEC CORPORATION
    Inventor: Felix Klaedtke
  • Publication number: 20220138115
    Abstract: A method for securing data stream processing includes implementing a stage of a data processing pipeline in a trusted execution environment. A state of the stage is represented by a graph-based data structure. Protected memory of the trusted execution environment is reserved for computations of the stage. A key-value store is maintained in the protected memory. The key-value store includes hashes of graph segments of the graph-based data structure for the computations and memory locations of the graph segments. A state part of the computations is moved from the protected memory to unprotected memory. The state part of the computations is loaded back to the protected memory. An integrity of a computation using the state part of the computations is checked using the hashes in the key-value store.
    Type: Application
    Filed: November 4, 2020
    Publication date: May 5, 2022
    Inventor: Felix Klaedtke
  • Patent number: 11252196
    Abstract: A reference monitor (RM) operates within a network having controllers that each control a corresponding network part having a forwarding element (FE) for forwarding data within the network. The RM enforces the security policy for a first network part managed by a first controller. The method includes: receiving a first rule request from the first controller, checking the first rule request for policy compliance, authorizing a part of the first rule request that is policy compliant, receiving a second rule request, the second rule request being from a second controller configured to control a second part of the network, the second rule request comprising an outside modification impacting the first network part, which is not managed by the second controller, checking the outside modification part for policy compliance, and based on determining that the outside modification part is policy compliant, authorizing the outside modification part of the second rule request.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: February 15, 2022
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Felix Klaedtke, Takayuki Sasaki
  • Publication number: 20210124746
    Abstract: A method for processing an out-of-order data stream includes inserting a new data stream element into a segment list according to a timestamp of the new data stream element. It is identified whether there are missing data stream elements between segments in the segment list. The segments which have no missing data stream elements between them are merged. Values of the data stream elements are aggregated using a sliding window over out-of-order data stream elements in the merged segment.
    Type: Application
    Filed: February 28, 2020
    Publication date: April 29, 2021
    Inventor: Felix Klaedtke
  • Publication number: 20210058432
    Abstract: A reference monitor (RM) operates within a network having controllers that each control a corresponding network part having a forwarding element (FE) for forwarding data within the network. The RM enforces the security policy for a first network part managed by a first controller. The method includes: receiving a first rule request from the first controller, checking the first rule request for policy compliance, authorizing a part of the first rule request that is policy compliant, receiving a second rule request, the second rule request being from a second controller configured to control a second part of the network, the second rule request comprising an outside modification impacting the first network part, which is not managed by the second controller, checking the outside modification part for policy compliance, and based on determining that the outside modification part is policy compliant, authorizing the outside modification part of the second rule request.
    Type: Application
    Filed: October 28, 2020
    Publication date: February 25, 2021
    Inventors: Ghassan Karame, Felix Klaedtke, Takayuki Sasaki
  • Patent number: 10904290
    Abstract: A method for determining incorrect behavior of components in a distributed information technology (IT) system includes receiving a pattern useable to indicate an incorrect behavior of a component. An automaton and a complement automaton are constructed based on the pattern, the automaton and complement automaton comprising one or more states. One or more logged events are received, each event in the one or more logged events including a timestamp. Gaps are determined in the one or more logged events. Event matrices are precomputed for the gaps and for each event in the one or more logged events based on the states of the automaton and the complement automaton. The pattern is matched to the one or more logged events by iteratively processing the one or more logged events and the gaps and maintaining a combination matrix. The incorrect behavior is determined based on an output of the pattern matching.
    Type: Grant
    Filed: January 10, 2018
    Date of Patent: January 26, 2021
    Assignee: NEC CORPORATION
    Inventor: Felix Klaedtke
  • Patent number: 10868835
    Abstract: A method manages data traffic within a network having controllers that each control a part of the network having a forwarding element (FE), the controllers being connected to a reference monitor (RM) for enforcing a security policy. The method includes: receiving a rule request by a controller and transmitting it to its RM; the RM checking the rule request for policy compliance and authorizing a policy compliant part of the rule request. When the rule request has an outside modification: the controller contacts controllers impacted by the outside modification for obtaining an authorization, and upon receipt of authorization, the controller sends the modifications and authorizations to the impacted controllers to implement the modification in their FE.
    Type: Grant
    Filed: October 24, 2016
    Date of Patent: December 15, 2020
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Felix Klaedtke, Takayuki Sasaki
  • Patent number: 10757140
    Abstract: A method for checking policy compliance of events of an event stream includes receiving the events; grouping a plurality of the received events into a plurality of slices based upon a policy specification and an event classification; determining whether a policy violation has occurred by concurrently evaluating at least two of the slices according to the policy specification; and in a case in which the policy violation is determined, reporting the policy violation.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: August 25, 2020
    Assignee: NEC CORPORATION
    Inventor: Felix Klaedtke
  • Patent number: 10725887
    Abstract: A method for operating a monitoring entity (ME) for a distributed system includes receiving, by the ME, an action message from a computing device which has information about an action it performed. The ME generates, deletes and/or updates a node of a data structure stored in a memory of the ME to provide an updated state of the data structure, by: processing the information of the received message, and storing the processed information into the data structure. The data structure represents knowledge about behavior of the distributed system. Each node specifies a policy by a formula, a node is linked by a trigger to one other node only to specify dependencies between nodes except for nodes with a formula, monitored by the ME, and nodes with a same formula are mutually linked by triggers. Verdict information indicating an action violating a policy is computed based on the updated state.
    Type: Grant
    Filed: December 6, 2017
    Date of Patent: July 28, 2020
    Assignee: NEC CORPORATION
    Inventor: Felix Klaedtke
  • Patent number: 10659389
    Abstract: A method of providing access control for a software defined network (SDN) controller includes establishing a cascaded flow of flow table entries by linking together flow table entries of flow tables that are installed at network resources and that apply to the same packets or network flows, analyzing the impact of configuration requests from one or more applications regarding the installation and/or removal of flow table entries on existing cascaded flows, and rejecting configuration requests if the installation and/or removal of flow table entries according to the configuration requests would destroy an existing cascaded flow. The SDN controller includes an interface for interacting with one or more applications that are installed to run at the control plane of the SDN atop the SDN controller.
    Type: Grant
    Filed: July 16, 2014
    Date of Patent: May 19, 2020
    Assignee: NEC CORPORATION
    Inventors: Felix Klaedtke, Ghassan Karame, Roberto Bifulco
  • Publication number: 20200076852
    Abstract: A method for checking policy compliance of events of an event stream includes receiving the events; grouping a plurality of the received events into a plurality of slices based upon a policy specification and an event classification; determining whether a policy violation has occurred by concurrently evaluating at least two of the slices according to the policy specification; and in a case in which the policy violation is determined, reporting the policy violation.
    Type: Application
    Filed: August 30, 2018
    Publication date: March 5, 2020
    Inventor: Felix Klaedtke
  • Publication number: 20200059495
    Abstract: A method manages data traffic within a network having controllers that each control a part of the network having a forwarding element (FE), the controllers being connected to a reference monitor (RM) for enforcing a security policy. The method includes: receiving a rule request by a controller and transmitting it to its RM; the RM checking the rule request for policy compliance and authorizing a policy compliant part of the rule request. When the rule request has an outside modification: the controller contacts controllers impacted by the outside modification for obtaining an authorization, and upon receipt of authorization, the controller sends the modifications and authorizations to the impacted controllers to implement the modification in their FE.
    Type: Application
    Filed: October 24, 2016
    Publication date: February 20, 2020
    Inventors: Ghassan Karame, Felix Klaedtke, Takayuki Sasaki
  • Publication number: 20190384689
    Abstract: A method for operating a monitoring entity (ME) for a distributed system includes receiving, by the ME, an action message from a computing device which has information about an action it performed. The ME generates, deletes and/or updates a node of a data structure stored in a memory of the ME to provide an updated state of the data structure, by: processing the information of the received message, and storing the processed information into the data structure. The data structure represents knowledge about behavior of the distributed system. Each node specifies a policy by a formula, a node is linked by a trigger to one other node only to specify dependencies between nodes except for nodes with a formula, monitored by the ME, and nodes with a same formula are mutually linked by triggers. Verdict information indicating an action violating a policy is computed based on the updated state.
    Type: Application
    Filed: December 6, 2017
    Publication date: December 19, 2019
    Applicant: NEC Laboratories Europe GmbH
    Inventor: Felix Klaedtke