Abstract: A network monitor may receive network log events and identify: a first set of network devices that have reported a target network log event, a second set of network devices that have not reported the target network log event, a first set of network log events reported by the first set of network devices, and a second set of network log events reported by the second set of network devices. The network monitor may determine which network log events are legitimate, and filter the legitimate network log events from the first set of network log events or the second set of network log events to produce a group of suspicious network log events that may be correlated with the target network log event. The network monitor may predict future suspicious network log events that may be correlated with the target network log event in order to predict equipment failures.

Abstract: Examples disclosed herein relate to backing up persistent memory. There is at least one memory addressable by at least one processor. The persistent memory includes a persistent memory region with multiple portions. A secondary storage includes a first backup of the persistent memory region. Modifications to the persistent memory region are tracked. Updated portions associated with the modifications are written to the secondary storage.

Abstract: In one embodiment, a device receives sensor data from a plurality of nodes in a computer network. The device uses the sensor data and a graph that represents a topology of the nodes in the network as input to a graph convolutional neural network. The device provides an output of the graph convolutional neural network as input to a convolutional long short-term memory recurrent neural network. The device detects an anomaly in the computer network by comparing a reconstruction error associated with an output of the convolutional long short-term memory recurrent neural network to a defined threshold. The device initiates a mitigation action in the computer network for the detected anomaly.

Abstract: Techniques for detecting an early boot error are provided. In one aspect, a host processor may transition to a first phase of an early boot process. The early boot process may occur before the host processor initializes a primary link between the host processor and a management controller. The host processor may then update a dual purpose boot register to store an early boot phase identifier corresponding to the first phase and an early boot status identifier corresponding to the first phase.

Abstract: Examples disclosed herein relate to performing a security action based on a comparison of digital signatures. An intrusion detection mode is initiated by a baseboard management controller. A first digital signature of hardware devices is calculated during the activation of the intrusion detection mode. The first digital signature is stored. Upon detection of a trigger, a second digital signature is calculated for the current hardware devices. The digital signatures are compared. A security action is performed based on the comparison.

Abstract: Examples include an authenticated access to manageability hardware components in a computing device. Some examples enumerate manageability hardware components connected to an operative system kernel of the computing device, the manageability hardware components comprising a bus configuration space and the bus configuration space comprising memory map registers. Some examples include encoding an address stored in the memory map registers of each of the manageability hardware components to produce encoded address to control unauthorized accesses and locks the bus configuration space of each manageability hardware component by setting a read-only attribute to the bus configuration space. Some examples reprogram, in response to a request for access of an authenticated OS component to a manageability hardware component, the memory map register of the requested manageability hardware component with an accessible address to provide the authenticated OS component with access to the manageability hardware component.

Abstract: Sequences of computer network log entries indicative of a cause of an event described in a first type of entry are identified by training a long short-term memory (LSTM) neural network to detect computer network log entries of a first type. The network is characterized by a plurality of ordered cells Fi=(xi, ci-1, hi-1) and a final sigmoid layer characterized by a weight vector wT. A sequence of log entries xi is received. An hi for each entry is determined using the trained Fi. A value of gating function Gi(hi, hi-1)=II (wT(hi?hi-1)+b) is determined for each entry. II is an indicator function, b is a bias parameter. A sub-sequence of xi corresponding to Gi(hi, hi-1)=1 is output as a sequence of entries indicative of a cause of an event described in a log entry of the first type.

Abstract: Predicting data throughput with a user device comprises a wireless system supported by wireless access points receiving signals from the user device. A wireless prediction system receives data from the wireless system, where the data comprises characteristics of the wireless access point, characteristics of communications with user computing devices, and data throughput statistics. The prediction system categorizes the received data based on one or more of a set of characteristics and determines a maximum data throughput capacity for each of the one or more wireless access points for each of the one or more set of characteristics. The system receives a request for a prediction of data throughput capacity for a particular wireless access point and, based on the characteristics of the particular wireless access point, determines an estimated data throughput capacity based on data throughputs of wireless access points having similar characteristics.

Abstract: Example implementations relate to a server including a platform controller hub (PCH), where the PCH includes a peripheral device manager, a management processor coupled to the peripheral device manager, and a peripheral device interface to couple with a peripheral device and provide out of band access of the peripheral device via the management processor and peripheral device manager to a memory of the server.

Abstract: A method disclosed herein relates to determining an inventory of a plurality of servers based on unique fingerprints and common fingerprints; creating a common set of installed firmware and a plurality of unique sets of installed firmware based on the inventory of the plurality of servers; creating subcategory sets of installed firmware based on the common set of installed firmware and categories of components included in the plurality of servers; obtaining updated versions of firmware corresponding to the subcategory sets of installed firmware and the unique sets of installed firmware; in response to an update request, creating containers for the updated versions of firmware corresponding to the subcategory sets of the installed firmware and the unique sets of installed firmware; and sending update messages to the plurality of servers including links to the respective containers.

Abstract: Examples disclosed herein relate to determining malware using firmware of a computing device. Firmware can be used to determine that an indication is present that malware is present on the computing device. The firmware can be executed to perform a security action in response to the indication that malware is present on the computing device.

Abstract: Examples relate to providing operating system (OS) agnostic validation of firmware images. In some examples, a request to verify a number of firmware images is received, where each of the firmware images is associated with a metadata set. A first installation of a first firmware image of the firmware images is accessed via a physical interface, and a first metadata set is used to verify the first installation, where the first metadata set includes a firmware signature that is used to verify the first installation. At this stage, the request is forwarded to a child management processor, where the management processors are in a trusted group and related according to a tree hierarchy.

Abstract: A network monitor may receive network log events and identify: a first set of network devices that have reported a target network log event, a second set of network devices that have not reported the target network log event, a first set of network log events reported by the first set of network devices, and a second set of network log events reported by the second set of network devices. The network monitor may determine which network log events are legitimate, and filter the legitimate network log events from the first set of network log events or the second set of network log events to produce a group of suspicious network log events that may be correlated with the target network log event. The network monitor may predict future suspicious network log events that may be correlated with the target network log event in order to predict equipment failures.

Abstract: Techniques for support activity based self learning and analytics for datacenter device hardware/firmware fault management are described. In one example, a service event including a unique service event ID, a set of prioritized cause and support engineer actions/recommendations and associated unique support engineer action codes are generated for the support engineer upon detecting a hardware/firmware failure event. Support engineer actions taken by the support engineer upon completing the service event are then received. The support engineer actions are then analyzed using the set of prioritized cause and support engineer actions/recommendations and FRU configuration information before and after servicing the hardware/firmware failure. Any potential errors resulting from the support engineer actions are then determined and notified at real-time to the support engineer based on the outcome of the analysis.

Abstract: Examples disclosed herein relate to performing an action based on a pre-boot measurement of a firmware image. In an example, at a firmware component in a system, a measurement of a firmware image may be determined prior to booting of the system, beginning from a hardware root of trust boot block, by a Trusted Platform Module (TPM) emulator engine that emulates a hardware-based TPM. A pre-determined measurement of the firmware image may be retrieved from a storage location within the system. The measurement of the firmware image may be compared with the pre-determined measurement of the firmware image prior to booting of the system. In response to a determination that the measurement of the firmware image is different from the pre-determined measurement of the firmware image, performing an action.

Abstract: In one embodiment, a computing device scans a plurality of available data sources associated with a profiled identity for an individual, and categorizes instances of the data sources according to recognized terms within the data sources. Once determining whether the profiled identity contributed positively to each categorized instance, categorized instances that have a positive contribution by the profiled identity may be clustered into clusters. The computing device may then rank the clusters based on size of the clusters and frequency of recognized terms within the clusters, and can then infer an expertise of the profiled identity based on one or more best-ranked clusters. The inferred expertise of the profiled identity may then be stored.

Abstract: Some examples relating to managing servers distributed across multiple groups are described. For example, techniques for managing servers it assigning an identified server to a group based on analysis of grouping information associated with the identified server. The grouping information includes an access credential and the group includes a set of severs with each server accessible by a common access credential. Further, the techniques include generating multiple node topology maps for the group based on topology characteristics. Each node topology map corresponds to a topology characteristic and indicates a layout and an interconnection between servers in the group. Also a node topology map is selected based on characteristic of an operation to be executed on the servers in the group. Thereafter, a message including an instruction for executing the operation is communicated to a server based on the selected node topology map.

Abstract: An example device includes a processor coupled to a network and a memory coupled to the processor. The memory includes computer code for causing the processor to establish a secure connection between a manageability application and an interconnect device, the interconnect device being in communication with a newly connected networked device; and securely communicate, from the manageability application to the interconnect device, temporary login information for the networked device.

Abstract: An example computing system in accordance with an aspect of the present disclosure includes a first controller and a second controller. The first controller is to verify integrity of a first root of trust (ROT), and generate an integrity signal indicating the results. The second controller is to verify integrity of a second ROT, write the firmware image to the first controller, and verify integrity of the written firmware image.