Abstract: A computer implemented method includes obtaining multiple configuration files that include configuration commit histories, detecting patterns in parameter values in the configuration files to generate file-based rules for configuration parameters, detecting patterns in parameter values in the configuration files to generate history-based rules using commit histories for the configuration parameters, and exposing the rules to calling programs.

Abstract: A computer implemented method includes obtaining multiple configuration files that include configuration commit histories, detecting patterns in parameter values in the configuration files to generate file-based rules for configuration parameters, detecting patterns in parameter values in the configuration files to generate history-based rules using commit histories for the configuration parameters, and exposing the rules to calling programs.

Abstract: The techniques disclosed herein provision inter-DC WAN capacity based on network failure statistics and bandwidth demands of a cloud-hosted application. Network capacity is provisioned based on an assumption of runtime cooperation between the application and the network. For example, if the network detects that a link has failed, the application may cooperate with the network to pause a deferrable transfer, reserving bandwidth for non-deferrable transfers. With knowledge that deferrable transfers will be dynamically paused when a primary link fails, backup links may be provisioned with less capacity than the primary link. The ability to dynamically defer transfers also enables a greater degree of bandwidth smoothing, e.g. reducing peak demand by scheduling deferrable transfers for off-peak hours. This allows network links to be provisioned with less capacity than if all transfers were performed immediately.

Abstract: Described herein is a system and method for detecting correlated changes (e.g., between code files and configuration files). For a plurality of code files and a plurality of configuration files, a correlated change model is trained to identify correlated changes across the code files and the configuration files using a machine learning algorithm that discovers change rules using a support parameter, and, a confidence parameter, and, a refinement algorithm that refines the discovered change rules. The correlated change model comprising the change rules is stored. The correlated change model can be used to identify potential issue(s) regarding a particular file (e.g., changed code or configuration file(s)). Information regarding the identified potential issue(s) can be provided to a user.

Abstract: Described herein is a system and method for detecting correlated changes (e.g., between code files and configuration files). For a plurality of code files and a plurality of configuration files, a correlated change model is trained to identify correlated changes across the code files and the configuration files using a machine learning algorithm that discovers change rules using a support parameter, and, a confidence parameter, and, a refinement algorithm that refines the discovered change rules. The correlated change model comprising the change rules is stored. The correlated change model can be used to identify potential issue(s) regarding a particular file (e.g., changed code or configuration file(s)). Information regarding the identified potential issue(s) can be provided to a user.

Abstract: In some embodiments, an encryption system secures data using a homomorphic encryption. The encryption system encrypts a number by encrypting a number identifier of the number and combining the number and the encrypted number identifier using a mathematical operation to generate an encrypted number. The encrypted numbers may be stored at a server system along with their number identifiers. The server system can then generate an aggregation (e.g., sum) of the encrypted numbers and provide the aggregation, the encrypted numbers, and the number identifiers. The encryption system can then separate the aggregation of the numbers from the aggregation of the encrypted numbers using an inverse of the mathematical operation used in the encryption to effect removal of an aggregation of the encrypted number identifiers of the numbers from the aggregation of the encrypted numbers. The separated aggregation of the numbers is an aggregation of the plurality of the numbers.

Abstract: An encryption system stores encrypted values for aggregation is provided. The encryption system accesses an input set with input values. For each distinct value in the input set of input values, the encryption system generates an output set with an encrypted output value corresponding to each input value. The encryption system sets the encrypted output value for a corresponding input value to an encryption of an indicator of a match when the corresponding input value is the same as that distinct value. Otherwise, the encryption sets the encrypted output value for the corresponding input value to an encryption of an indicator of no match. The encrypted output values can then be aggregated to generate an encrypted aggregation based on input values that match, and the encrypted aggregation can be decrypted to generated a decrypted aggregation based on the input values that match.

Abstract: An encryption system stores encrypted values for aggregation is provided. The encryption system accesses an input set with input values. For each distinct value in the input set of input values, the encryption system generates an output set with an encrypted output value corresponding to each input value. The encryption system sets the encrypted output value for a corresponding input value to an encryption of an indicator of a match when the corresponding input value is the same as that distinct value. Otherwise, the encryption sets the encrypted output value for the corresponding input value to an encryption of an indicator of no match. The encrypted output values can then be aggregated to generate an encrypted aggregation based on input values that match, and the encrypted aggregation can be decrypted to generated a decrypted aggregation based on the input values that match.

Abstract: In some embodiments, an encryption system secures data using a homomorphic encryption. The encryption system encrypts a number by encrypting a number identifier of the number and combining the number and the encrypted number identifier using a mathematical operation to generate an encrypted number. The encrypted numbers may be stored at a server system along with their number identifiers. The server system can then generate an aggregation (e.g., sum) of the encrypted numbers and provide the aggregation, the encrypted numbers, and the number identifiers. The encryption system can then separate the aggregation of the numbers from the aggregation of the encrypted numbers using an inverse of the mathematical operation used in the encryption to effect removal of an aggregation of the encrypted number identifiers of the numbers from the aggregation of the encrypted numbers. The separated aggregation of the numbers is an aggregation of the plurality of the numbers.

Abstract: A resource allocation framework is described herein which allocates items (conceptualized as balls) to item-receiving slots (conceptualized as bins) in a domain-agnostic manner. A user instantiates the resource allocation framework to a particular allocation problem by generating a specification that describes the allocation problem in a declarative fashion. Among other features, the specification maps real-world entities to the balls and bins, and describes the constraints associated with the allocation problem. The specification also provides a utilization function that computes the consumption of resources for a proposed assignment of a particular ball to a particular bin. According to another aspect, the resource allocation framework uses many processing elements (e.g., GPU threads, CPU threads, etc.), operating in parallel, to attempt to find a solution to the allocation problem.

Abstract: The problem signature extraction technique extracts problem signatures from trace data collected from an application. The technique condenses the manifestation of a network, software or hardware problem into a compact signature, which could then be used to identify instances of the same problem in other trace data. For a network configuration, the technique uses as input a network-level packet trace of an application's communication and extracts from it a set of features. During the training phase, each application run is manually labeled as GOOD or BAD, depending on whether the run was successful or not. The technique then employs a learning technique to build a classification tree not only to distinguish between GOOD and BAD runs but to also sub-classify the BAD runs into different classes of failures. Once a classification tree has been learned, problem signatures are extracted by walking the tree, from the root to each leaf.

Abstract: A resource allocation framework is described herein which allocates items (conceptualized as balls) to item-receiving slots (conceptualized as bins) in a domain-agnostic manner. A user instantiates the resource allocation framework to a particular allocation problem by generating a specification that describes the allocation problem in a declarative fashion. Among other features, the specification maps real-world entities to the balls and bins, and describes the constraints associated with the allocation problem. The specification also provides a utilization function that computes the consumption of resources for a proposed assignment of a particular ball to a particular bin. According to another aspect, the resource allocation framework uses many processing elements (e.g., GPU threads, CPU threads, etc.), operating in parallel, to attempt to find a solution to the allocation problem.

Abstract: An access control anomaly detection system and method to detect potential anomalies in access control permissions and report those potential anomalies in real time to an administrator for possible action. Embodiments of the system and method input access control lists and semantic groups (or any dataset having binary matrices) to perform automated anomaly detection. This input is processed in three broad phases. First, policy statements are extracted from the access control lists. Next, object-level anomaly detection is performed using thresholds by categorizing outliers in the policies discovered in the first phase as potential anomalies. This object-level anomaly detection can yield object-level security anomalies and object-level accessibility anomalies. Group-level anomaly detection is performed in the third phase by using semantic groups and user sets extracted in first phase to find maximal overlaps using group mapping.

Abstract: The problem signature extraction technique extracts problem signatures from trace data collected from an application. The technique condenses the manifestation of a network, software or hardware problem into a compact signature, which could then be used to identify instances of the same problem in other trace data. For a network configuration, the technique uses as input a network-level packet trace of an application's communication and extracts from it a set of features. During the training phase, each application run is manually labeled as GOOD or BAD, depending on whether the run was successful or not. The technique then employs a learning technique to build a classification tree not only to distinguish between GOOD and BAD runs but to also sub-classify the BAD runs into different classes of failures. Once a classification tree has been learned, problem signatures are extracted by walking the tree, from the root to each leaf.

Abstract: Application service requests received by an application hosting framework are automatically differentiated and categorized, and resource usage patterns associated with the requests are predicted. Resource usage data points are successively extracted from the hosting framework. Elements of an initial resource usage pattern matrix are computed from the data points. An estimate for the number of categories of requests is computed from the initial resource usage pattern matrix, where the requests in each category have similar resource usage patterns. Elements of a resource usage signature matrix and request categorization matrix are computed from the estimate for the number of categories of requests and the initial resource usage pattern matrix.

Abstract: A system and method for allocating distributed processing systems includes inputting component descriptions in a distributed processing system and determining importance of each component. Capacity and failure characteristics of resource groups representing units of available processing capacity are also input. Components are assigned to a plurality of resource groups based on the capacity. Each resource group includes components where the failure characteristics permit simultaneous failures, such that in the event of such failures, an output value of the application is maximized.

Abstract: Described is transparently compressing content for network transmission, including end-to-end compression. An end host or middlebox device sender sends compressed packets to an end host or middlebox device receiver, which decompresses the packets to recover the original packet. The sender constructs compressed packets including references to information maintained at the receiver, which the receiver uses to access the information to recreate actual original packet content. The receiver may include a dictionary corresponding to the sender, e.g., synchronized with the sender's dictionary. Alternatively, in speculative compression, the sender does not maintain a dictionary, and instead sends a fingerprint (hash value) by which the receiver looks up corresponding content in its dictionary; if not found, the receiver requests actual content.

Abstract: An access control anomaly detection system and method to detect potential anomalies in access control permissions and report those potential anomalies in real time to an administrator for possible action. Embodiments of the system and method input access control lists and semantic groups (or any dataset having binary matrices) to perform automated anomaly detection. This input is processed in three broad phases. First, policy statements are extracted from the access control lists. Next, object-level anomaly detection is performed using thresholds by categorizing outliers in the policies discovered in the first phase as potential anomalies. This object-level anomaly detection can yield object-level security anomalies and object-level accessibility anomalies. Group-level anomaly detection is performed in the third phase by using semantic groups and user sets extracted in first phase to find maximal overlaps using group mapping.

Abstract: The method collects configuration data about the network, compares it to known good configurations to see if a corrective configuration is available. In addition, the method will review known bad configurations and determine if any of the successful corrective configurations for the bad configuration would be appropriate for the bad configuration under consideration.

Abstract: Application service requests received by an application hosting framework are automatically differentiated and categorized, and resource usage patterns associated with the requests are predicted. Resource usage data points are successively extracted from the hosting framework. Elements of an initial resource usage pattern matrix are computed from the data points. An estimate for the number of categories of requests is computed from the initial resource usage pattern matrix, where the requests in each category have similar resource usage patterns. Elements of a resource usage signature matrix and request categorization matrix are computed from the estimate for the number of categories of requests and the initial resource usage pattern matrix.