Patents by Inventor Xiaoxue Ma

Xiaoxue Ma has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8156230
    Abstract: An apparatus for offloading network, block and file functions from an operating system comprises a network interface coupled to a network for receiving packet flows; one or more processors each having one or more processor cores; a computer-readable medium carrying one or more operating systems and an input/output networking stack which are hosted in one or more of the processor cores. The networking stack is shared among the operating systems. The networking stack comprises instructions which when executed cause receiving a request for data transfer from one of the operating systems at internal network, block and file system interfaces, and permitting data to be transferred between the internal interfaces and a plurality of external interfaces by preventing the operating systems from performing the data transfer and performing the data transfer on behalf of the operating systems.
    Type: Grant
    Filed: March 22, 2011
    Date of Patent: April 10, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Bakke, Timothy Kuik, David Thompson, Paul Gleichauf, Xiaoxue Ma
  • Patent number: 8127412
    Abstract: A computer system, comprising at least one controlled execution space hosting an operating system and an application program; a vulnerability monitoring agent coupled to the controlled execution space; one or more vulnerability profiles coupled to the vulnerability monitoring agent, wherein each of the vulnerability profiles comprises an application program identifier, an operating system identifier, a vulnerability specification describing a vulnerability of an application program that the application program identifier indicates when executed with an operating system that the operating system identifier indicates, and a remedial action which when executed will remediate the vulnerability; wherein the vulnerability monitoring agent is configured to monitor execution of the operating system and the application program in the controlled execution space, to detect an anomaly associated with the vulnerability, to determine the remedial action for the operating system and application program based on one of the v
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: March 6, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Paul Gleichauf, Mark Bakke, Timothy Kuik, David Thompson, Xiaoxue Ma
  • Patent number: 8121043
    Abstract: An approach for managing the consumption of resources uses adaptive random sampling to decrease the collection of flow statistical data as the consumption of resources increases. When a packet is received from a network, a determination is made whether the packet belongs to an existing flow, for which flow statistical data is being collected, or to a new flow. If the packet belongs to an existing flow, then the flow statistical data for the existing flow is updated to reflect the packet. If the packet belongs to the new flow, then a sampling probability is used to determine whether the new flow is to be sampled. The sampling probability is determined, at least in part, upon a current usage of resources.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: February 21, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Xiaoxue Ma, Paul Gleichauf, Ganesh Sadasivan, Sunil Khaunte, Paul Aitken
  • Publication number: 20110173295
    Abstract: An apparatus for offloading network, block and file functions from an operating system comprises a network interface coupled to a network for receiving packet flows; one or more processors each having one or more processor cores; a computer-readable medium carrying one or more operating systems and an input/output networking stack which are hosted in one or more of the processor cores. The networking stack is shared among the operating systems. The networking stack comprises instructions which when executed cause receiving a request for data transfer from one of the operating systems at internal network, block and file system interfaces, and permitting data to be transferred between the internal interfaces and a plurality of external interfaces by preventing the operating systems from performing the data transfer and performing the data transfer on behalf of the operating systems.
    Type: Application
    Filed: March 22, 2011
    Publication date: July 14, 2011
    Inventors: Mark Bakke, Timothy Kuik, David Thompson, Paul Gleichauf, Xiaoxue Ma
  • Patent number: 7949766
    Abstract: An apparatus for offloading network, block and file functions from an operating system comprises a network interface coupled to a network for receiving packet flows; one or more processors each having one or more processor cores; a computer-readable medium carrying one or more operating systems and an input/output networking stack which are hosted in one or more of the processor cores. The networking stack is shared among the operating systems. The networking stack comprises instructions which when executed cause receiving a request for data transfer from one of the operating systems at internal network, block and file system interfaces, and permitting data to be transferred between the internal interfaces and a plurality of external interfaces by preventing the operating systems from performing the data transfer and performing the data transfer on behalf of the operating systems.
    Type: Grant
    Filed: June 21, 2006
    Date of Patent: May 24, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Bakke, Timothy Kuik, David Thompson, Paul Gleichauf, Xiaoxue Ma
  • Patent number: 7496035
    Abstract: Methods and apparatus are disclosed for defining flow types and instances thereof such as for identifying packets corresponding to instances of the flow types. A flow type is defined and includes a set of properties including at least one of the possible properties selectable when defining a flow type. An instance of the flow type is defined and a set of corresponding associative memory entries is generated. A lookup word generator of a packet processing engine is typically notified of the use of the flow type, and one or more lookup words are generated typically by extracting fields from a received packet and/or from other sources. Based on a result of lookup operations on the set of associative memory entries using the generated one or more lookup words, the received packet can be identified as whether it matches or does not match the instance of the flow type.
    Type: Grant
    Filed: January 31, 2003
    Date of Patent: February 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Ganesh Sadasivan, Rengabashyam Srinivas, William N. Eatherton, Xiaoxue Ma, Peram Marimuthu
  • Publication number: 20080244747
    Abstract: A computer system, comprising at least one controlled execution space hosting an operating system and an application program; a vulnerability monitoring agent coupled to the controlled execution space; one or more vulnerability profiles coupled to the vulnerability monitoring agent, wherein each of the vulnerability profiles comprises an application program identifier, an operating system identifier, a vulnerability specification describing a vulnerability of an application program that the application program identifier indicates when executed with an operating system that the operating system identifier indicates, and a remedial action which when executed will remediate the vulnerability; wherein the vulnerability monitoring agent is configured to monitor execution of the operating system and the application program in the controlled execution space, to detect an anomaly associated with the vulnerability, to determine the remedial action for the operating system and application program based on one of the v
    Type: Application
    Filed: March 30, 2007
    Publication date: October 2, 2008
    Inventors: Paul Gleichauf, Mark Bakke, Timothy Kuik, David Thompson, Xiaoxue Ma
  • Publication number: 20070041331
    Abstract: An approach for managing the consumption of resources uses adaptive random sampling to decrease the collection of flow statistical data as the consumption of resources increases. When a packet is received from a network, a determination is made whether the packet belongs to an existing flow, for which flow statistical data is being collected, or to a new flow. If the packet belongs to an existing flow, then the flow statistical data for the existing flow is updated to reflect the packet. If the packet belongs to the new flow, then a sampling probability is used to determine whether the new flow is to be sampled. The sampling probability is determined, at least in part, upon a current usage of resources.
    Type: Application
    Filed: August 19, 2005
    Publication date: February 22, 2007
    Inventors: Xiaoxue Ma, Paul Gleichauf, Ganesh Sadasivan, Sunil Khaunte, Paul Aitken
  • Publication number: 20070011272
    Abstract: An apparatus for offloading network, block and file functions from an operating system comprises a network interface coupled to a network for receiving packet flows; one or more processors each having one or more processor cores; a computer-readable medium carrying one or more operating systems and an input/output networking stack which are hosted in one or more of the processor cores. The networking stack is shared among the operating systems. The networking stack comprises instructions which when executed cause receiving a request for data transfer from one of the operating systems at internal network, block and file system interfaces, and permitting data to be transferred between the internal interfaces and a plurality of external interfaces by preventing the operating systems from performing the data transfer and performing the data transfer on behalf of the operating systems.
    Type: Application
    Filed: June 21, 2006
    Publication date: January 11, 2007
    Inventors: Mark Bakke, Timothy Kuik, David Thompson, Paul Gleichauf, Xiaoxue Ma
  • Patent number: 7143006
    Abstract: A policy-based approach for managing the export of network flow statistical data uses constraints and prioritization to select flow data to be exported by flow monitoring processes. According to the approach, a flow monitoring process monitors a plurality of flows at an observation point. The flow monitoring process generates flow statistical data for the plurality of flows. Policy data is made available to the flow monitoring process and includes constraint data and priority data. The constraint data indicates usage constraints for one or more resources available to the flow monitoring process. The priority data indicates a desired priority of flow attributes. The flow monitoring process uses the policy data to select one or more flows from the plurality of flows, such that the resource usage constraints are satisfied. The flow monitoring process exports a portion of the flow statistical data that corresponds to the selected one or more flows.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: November 28, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Xiaoxue Ma, Paul Harry Gleichauf, Paul Atkins
  • Publication number: 20060217923
    Abstract: A policy-based approach for managing the export of network flow statistical data uses constraints and prioritization to select flow data to be exported by flow monitoring processes. According to the approach, a flow monitoring process monitors a plurality of flows at an observation point. The flow monitoring process generates flow statistical data for the plurality of flows. Policy data is made available to the flow monitoring process and includes constraint data and priority data. The constraint data indicates usage constraints for one or more resources available to the flow monitoring process. The priority data indicates a desired priority of flow attributes. The flow monitoring process uses the policy data to select one or more flows from the plurality of flows, such that the resource usage constraints are satisfied. The flow monitoring process exports a portion of the flow statistical data that corresponds to the selected one or more flows.
    Type: Application
    Filed: March 23, 2005
    Publication date: September 28, 2006
    Inventors: Xiaoxue Ma, Paul Gleichauf, Paul Atkins