Abstract: A system and method are provided for detecting surprising/anomalous behavior in an upgrade to a program. A first prediction model is obtained to predict the behavior of a current version of the program. A second prediction model is trained using event sets representing a partially or totally ordered set of events realized from executing the upgrade version of the program. First (second) predictions are generated by applying a given event set to the first (second) prediction model. The first predictions are then compared with the second predictions to determine whether the respective prediction agree. When they do not agree, the deviation in the program behavior is signaled (e.g., to an engineer). The first and second predictions can be conditional probabilities of the given event set, and they can be compared using a comparison metric that includes a difference between negative logarithms of the respective predictions.

Abstract: A system and method are provided for placing network functions among respective locations in a network. The locations at which the network functions are placed can be nodes and network devices within the network. These nodes can be selected, e.g., based on which network devices have available capacity and or specialized hardware (e.g., accelerator sin a data processing units (DPUs)) that is optimized for particular network functions. The network functions can include an inline network function that is provisioned directly in a data plane of one of the network devices (e.g., in-lined directly in a hardware offload device without a virtual machine and without a container). The decision of where to place the network functions can be based on a performance metric (e.g., representing available computational/memory resources at the network nodes) and/or a network-function metric (e.g., representing consumed computational/memory resources by the network functions) to improve system performance.

Abstract: A system and method are provided for placing security operations at selected enforcement points in a distributed security fabric. The enforcement points at which the security operations are placed can be endpoints, nodes, and/or network devices within the network. The security operations can be updated by monitoring data flows through the network to generate network data, and then determining, based on the network data, one or more changes to the security operations, based on the generated network data. Recommended changes can be obtained by applying the network data to a machine-learning model that indicates suspicious data packets (e.g., disseminates packets suspected of being malicious from normal traffic) and crafts new policies to deny the suspicious data packets. Performance of the network can also be improved by analyzing the security operations for redundancies and/or inefficiencies and modifying the security operations to mitigate them.

Abstract: A system and method are provided for continuous integration, continuous deployment of a network component, such as a software-defined wide area network, a firewall, a router, or a load balancer. The network component is tested before deployment by acquiring data flows from a production environment and obtaining an acquired flow table that includes respective entries corresponding to types of data flows that are defined by header information (e.g., 5-tuples or pairs of source and destination addresses, depending at which layer in the OSI model the network component operates). First and second flow tables are generated for the first and second versions of the network component by applying simulated traffic (e.g., derived from the acquired data flows) to the respective versions of the network component. A comparison between the first and second flow tables is evaluated to determine whether second version of the network component can be deployed.

Abstract: Techniques and architecture are described for inducing precise delays in a network device (network node) that has the capability to act on packets/traffic flows based on policy configurations of the network device and delays experienced by traffic in the network device. This capability may be used for testing and verification of the network device to verify that the network device meets the configured policies. Additionally, this capability may be utilized in an operational network to selectively induce delays and measure its impact for purposes such as, for example, planning, stress testing, resiliency, etc.

Abstract: Techniques for ultra-short-term resource forecasting for a network device are described. A selection of a time series algorithm from a set of time series algorithms for determining capacity right-sizing of a local resource is received, the is selection based at least in part on current local traffic conditions. Based on current local traffic conditions, parameter values to be used in the algorithm are determined, the parameters are associated with the time series algorithm selection. A number of data points for input to the time series algorithm are determined, the data points are a sequence of values representing an amount of the local resource used by the network device at a point in time and are collected at predetermined time intervals. Based on a calculation of the time series algorithm using the number of data points and parameter values, the right-size capacity of the local resource for the network device is determined and provided.

Abstract: Techniques and architecture are described for inducing precise delays in a network device (network node) that has the capability to act on packets/traffic flows based on policy configurations of the network device and delays experienced by traffic in the network device. This capability may be used for testing and verification of the network device to verify that the network device meets the configured policies. Additionally, this capability may be utilized in an operational network to selectively induce delays and measure its impact for purposes such as, for example, planning, stress testing, resiliency, etc.

Abstract: Methods, apparatus, and computer program products for determining software complexity. A plurality of versions of a software module whose complexity is to be determined are compressed. Lengths of the compressed versions are compared, one with another, to provide complexity metrics.

Abstract: A destination address is processed to determine if the destination address is a fake web address or hyperlink. The destination address may be compared with a database of known domain names to see if the domain name is legitimate or illegitimate. The designation address may also be compared to other domain names to see if it is an honest or dishonest transformation of the other domain names. Appropriate action may be taken if the designation address is a dishonest transformation of another domain name.

Abstract: A destination address is processed to determine if the destination address is a fake web address or hyperlink. The destination address may be compared with a database of known domain names to see if the domain name is legitimate or illegitimate. The designation address may also be compared to other domain names to see if it is an honest or dishonest transformation of the other domain names. Appropriate action may be taken if the designation address is a dishonest transformation of another domain name.

Abstract: A destination address is processed to determine if the destination address is a fake web address or hyperlink. The destination address may be compared with a database of known domain names to see if the domain name is legitimate or illegitimate. The designation address may also be compared to other domain names to see if it is an honest or dishonest transformation of the other domain names. Appropriate action may be taken if the designation address is a dishonest transformation of another domain name.

Abstract: Methods, apparatus, and computer program products for determining software complexity. A plurality of versions of a software module whose complexity is to be determined are compressed. Lengths of the compressed versions are compared, one with another, to provide complexity metrics.

Abstract: Methods, apparatus, and computer program products for determining software complexity. A plurality of versions of a software module whose complexity is to be determined are compressed. Lengths of the compressed versions are compared, one with another, to provide complexity metrics.

Abstract: In a typical computer network, at least some of the managed resources are monitored to determine whether those resources are meeting predetermined performance goals or service level objectives. To simplify the process of configuring a network monitor, information about the service level objectives is loaded into the resource itself. When the resource is detected, the service level objective information is extracted from the resource information and made available to a translating engine. The translating engine converts the extracted information to monitoring directions that are used to configure the network monitor. Embodiments in which new resources are detected either buying a registration process or a polling process are described.

Abstract: A method, apparatus and computer instructions are provided to improve the push/pull workload management model with intelligent routing to effectively collect data from systems that consist of dynamic sub-systems. The invention improves the push/pull model of the referenced invention with intelligent request routing to solve the above problem. An API is exposed in the workload manager enabling its request router to decline requests to route to idle sub-systems. This allows the monitoring agent to avoid sending a pull request to an idle sub-system. Each sub-system will push the data to the agent as it enters the idle state. The agent caches the data it receives from idle sub-systems and combines it with data it pulls from active and stopped sub-systems.

Abstract: Methods, apparatus, and computer program products for determining software complexity. A plurality of versions of a software module whose complexity is to be determined are compressed. Lengths of the compressed versions are compared, one with another, to provide complexity metrics.

Abstract: A destination address is processed to determine if the destination address is a fake web address or hyperlink. The destination address may be compared with a database of known domain names to see if the domain name is legitimate or illegitimate. The designation address may also be compared to other domain names to see if it is an honest or dishonest transformation of the other domain names. Appropriate action may be taken if the designation address is a dishonest transformation of another domain name.

Abstract: Methods, apparatus, and computer program products for determining software complexity. A plurality of versions of a software module whose complexity is to be determined are compressed. Lengths of the compressed versions are compared, one with another, to provide complexity metrics.

Abstract: A destination address is processed to determine if the destination address is a fake web address or hyperlink. The destination address may be compared with a database of known domain names to see if the domain name is legitimate or illegitimate. The designation address may also be compared to other domain names to see if it is an honest or dishonest transformation of the other domain names. Appropriate action may be taken if the designation address is a dishonest transformation of another domain name.

Abstract: A method for maximizing a utility of a service contract by optimizing target response time for a performance service level objective is provided. A set of criteria are provided to ensure that performance requirements for the service are met. The method comprises determining one or more usage windows for providing a service, wherein each usage window is associated with a performance requirement and a time period; extracting usage patterns for each usage window based on historical data provided from monitoring requests for service in each usage window; extracting response time per transaction associated with said requests based on historical data provided from monitoring responses provided to said requests in each usage window; and calculating optimal probability for breach in each usage window (Pi) and determining the associated target response time, based on the usage pattern for each window and the response time per transaction.