Abstract: An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information is used to detect anomalies in a network environment.

Abstract: Network activity data is received, for example, from a set of agents reporting collectively information about a set of hosts. The received network activity data is used to identify a user login activity. A logical graph that links the user login activity to at least one user and at least one process is generated.

Abstract: Log data associated with at least one user session associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly. The detected anomaly is recorded.

Abstract: Migrating support for a web browsing session between a virtual machine and a host operating system. A web session is supported by a first virtual machine which executes on a computer system. Upon receiving a request for the web session to enter an unprotected mode, support for the web session is migrated from the first virtual machine to a host operating system of the computer system. In unprotected mode, web sessions are supported by the host operating system rather than by a virtual machine. After migrating support for the web session to the host operating system, a visual cue indicating that the unprotected mode is active is displayed. After receiving a request to exit the unprotected mode, support for the web session is migrated from the host operating system to a second virtual machine executing on the computer system and the visual cue is removed.

Abstract: Approaches for synchronizing resources of a virtualized web browser. When a virtualized web browser is instructed to display a web page, a host module executing within a host operating instructs retrieves, from each of one or more virtual machines, contents for a portion of the web page. The virtualized web browser assembles the contents and displays the web page. A web browser executing in the host operating system may, but need not, retrieve any of the content displayed thereby. Instead, the content retrieved by the web browser executing in the host operating system may be retrieved by and rendered within a virtual machine. The behavior of the virtualized web browser may be configured using policy data.

Abstract: Approaches for handling network resources in a virtualized computing environment. A first request for network resources is received from a first virtual machine. Policy data is consulted to determine how to service the first request. The first request is processed by providing the first virtual machine with access to only a first portion of network resources. A second request for network resources is received from a second virtual machine. Policy data is consulted to determine how to service the second request. The second request is processed by providing the second virtual machine with access to only a second portion of network resources that is not coextensive with the first portion. In this way, virtual machines may have access to particular resources and/or specific bounded areas of a network.

Abstract: A method and apparatus is provided for optimizing queries received by a database system that relies on an intelligent data storage server to manage storage for the database system. Storing compression units in hybrid columnar format, the storage manager evaluates simple predicates and only returns data blocks containing rows that satisfy those predicates. The returned data blocks are not necessarily stored persistently on disk. That is, the storage manager is not limited to returning disc block images. The hybrid columnar format enables optimizations that provide better performance when processing typical database workloads including both fetching rows by identifier and performing table scans.

Abstract: Approaches for managing potentially malicious files using one or more isolated environments. In response to receiving a request to perform an action on a file, a client applies a policy to determine whether the action is deemed trustworthy. The client identifies, without human intervention, an isolated environment, executing or to be executed on the client, in which the action is to be performed based on whether the action is deemed trustworthy. In this way, embodiments allow a user to make use of data deemed untrusted in certain cases without allowing the untrusted data from having unfettered access to the resources of the client. If the requested action is performed in a different isolated environment from which the action was requested, embodiments enable the performance of the action to be performed seamlessly to the user.

Abstract: Approaches for launching an application within a virtual machine. In response to receiving a request to launch an application, a device instantiates, without human intervention and based on a policy, a virtual machine in which the application is to be launched. The policy determines which resources of a device, such as a mobile device or computer system, are accessible to the virtual machine. The policy may, but need not, determine whether the virtual machine has access to a type of resource which obligates the user of the device to make a monetary payment for the user of the resource.

Abstract: Approaches for creating a template virtual machine. An in-memory state of a virtual machine and/or a set of applications executing within the virtual machine are adjusted and/or configured based on the intended use of the template virtual machine. Thereafter, the virtual machine is established as a template virtual machine. The template virtual machine may be used to create one or more virtual machines using a copy-on-write memory process.

Abstract: Approaches for providing a guest operating system to a virtual machine. A read-only copy of one or more disk volumes, including a boot volume, is created. A copy of a master boot record (MBR) for the one or more disk volumes is also stored. The read-only copy may be, but need not be, made using a Volume Shadow Copy Service (VSS). A virtual disk, for use by the virtual machine, is created based on the read-only copy of the one or more disk volumes and the copy of the master boot record (MBR), wherein the virtual disk comprises the guest operating system used by the virtual machine. In this way, a single installed operating system may provide both the host operating system and the guest operating system.

Abstract: Approaches for synchronizing history data across a virtualized web browser. When a user instructs a virtualized web browser, executing on a host operating system, to display a web page, a host module executing on the host operating system may instruct a guest module executing within a particular virtual machine to retrieve the web page. The host module may provide to the guest module history data for the virtualized web browser. History data describes browsing history for the virtualized web browser, either in the current instance or for previous instances. The guest module performs operations in accordance with the history data. When the host module receives the screen data content from the guest module, the host module instructs the virtualized web browser to display the web page using the screen data content.

Abstract: Approaches for synchronizing cookie data across a virtualized web browser. When a user instructs a virtualized web browser, executing on a host operating system, to display a web page, a host module executing on the host operating system instructs a particular virtual machine to retrieve the web page within the particular virtual machine. The host module provides cookie data for the user to the guest module. The cookie data identifies one or more cookies deemed to be pertinent to the retrieval of the web page. The guest module provides, to the host module, screen data content for use in displaying the web page.

Abstract: Approaches for processing network requests based upon the perceived trustworthiness of the network. A software component renders a judgment, based on a policy that weighs one or more factors, about whether a network accessible to a device should be trusted. If the software component renders a judgment that the network should be trusted, then a network resource identified on a white list of trusted resources is allowed to be retrieved within a host operating system or in a first virtual machine. Conversely, if the software component renders a judgment that the network should not be trusted, then the network resource identified on the white list of trusted resources is prevented from be retrieved within the host operating system or the first virtual machine, and may instead be retrieved within a second virtual machine, which has a more restrictive set of access privileges than the first virtual machine.

Abstract: Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. In response to receiving a request to perform an action, an isolated environment (such as but not limited to a virtual machine) is instantiated without receiving an explicit user instruction to do so. To instantiate the isolated environment, one or more templates for use in instantiating the isolated environment are identified using a policy. The one or more templates describe isolated environment characteristics for different types of activity. After the isolated environment has been instantiated using one or more identified templates, the action may be performed in the isolated environment.

Abstract: Apparatus and methods are disclosed for allowing smart phone users to “capture the moment” by allowing easy access to a camera application when a mobile device is in an above-lock (or locked) mode, while also preventing unauthorized access to other smart phone functionality. According to one embodiment of the disclosed technology, a method of operating a mobile device having an above-lock state and a below-lock state comprises receiving input data requesting invocation of an camera application when the mobile device is in the above-lock state and invoking the requested camera application on the device, where one or more functions of the requested application are unavailable as a result of the mobile device being in the above-lock state.

Abstract: Techniques are described herein for automatically selecting the compression techniques to be used on tabular data. A compression analyzer gives users high-level control over the selection process without requiring the user to know details about the specific compression techniques that are available to the compression analyzer. Users are able to specify, for a given set of data, a “balance point” along the spectrum between “maximum performance” and “maximum compression”. The point thus selected is used by the compression analyzer in a variety of ways. For example, in one embodiment, the compression analyzer uses the user-specified balance point to determine which of the available compression techniques qualify as “candidate techniques” for the given set of data. The compression analyzer selects the compression technique to use on a set of data by actually testing the candidate compression techniques against samples from the set of data.

Abstract: Apparatus and methods are disclosed for allowing smart phone users to “capture the moment” by allowing easy access to a camera application when a mobile device is in an above-lock (or locked) mode, while also preventing unauthorized access to other smart phone functionality. According to one embodiment of the disclosed technology, a method of operating a mobile device having an above-lock state and a below-lock state comprises receiving input data requesting invocation of an camera application when the mobile device is in the above-lock state and invoking the requested camera application on the device, where one or more functions of the requested application are unavailable as a result of the mobile device being in the above-lock state.

Abstract: Approaches for rendering a file within a display mode. A guest module, executing within a virtual machine, determines that a process executing within the virtual machine is requesting to display a file. The guest module sends a request to display the file to a host module which executes within a host operating system. After the host module receives the request, the host module determines whether a user initiated the display of the file. Upon the host module determining that the file is permitted to be displayed, the host module determines a particular display mode for the file. Thereafter, the host module causes the file to be displayed in the particular display mode. Files may be automatically displayed in a configurable display mode in a secure manner.

Abstract: Approaches for selectively sharing cookies between virtual machines responsible for retrieving web content. A request to display a web page is received. The web page includes top-level content served by a top-level domain and secondary content served by one or more other domains. A determination that at least a portion of the web page should be retrieved from within a virtual machine is made. A policy is consulted to identify a set of cookies to inject into the virtual machine. The policy considers whether the virtual machine is responsible for retrieving one or more of top-level content and secondary content in identifying the set of cookies to inject into the virtual machine. After injecting the set of cookies into the virtual machine, the portion of the web page is retrieved from within the virtual machine.