Abstract: The disclosure provides an approach for enabling network functions to be executed in serverless computing environments. One embodiment employs a per-packet architecture, in which the trigger for launching a serverless computing instance is receipt of a packet. In such a case, each received packet is packaged into a request to invoke network function(s) required to process the packet, and a serverless computing environment in turn executes the requested network function(s) as serverless computing instance(s) that process the packet and return a response. Another embodiment employs a per-flow architecture in which the trigger for launching a serverless computing instance is receipt of a packet belonging to a new traffic flow. In such a case, a coordinator identifies (or receives notification of) a received packet that belongs to a new sub-flow and launches a serverless computing instance to process packets of the sub-flow that are redirected to the serverless computing instance.

Abstract: The current document is directed to distributed-secure-storage systems, and processes carried out within the distributed-secure-storage systems, that provide for secure storage and retrieval of secrets within distributed computer systems, including private encryption keys used for client authentication during establishment of secure communications channels. The secret-storage systems partition an input secret into multiple secret shares and distribute the secret shares among multiple secret-share-storing node subsystems, without persistently storing the secret itself. An agent within a client device subsequently requests a secret share corresponding to a secret, or a share of data derived from the secret share, from each of the multiple secret-share-storing nodes.

Abstract: The current document is directed to distributed-secure-storage systems, and processes carried out within the distributed-secure-storage systems, that provide for secure storage and retrieval of confidential and critical data, referred to as “secrets,” within distributed computer systems. The secret-storage systems partition an input secret into multiple secret shares and distribute the secret shares among multiple secret-share-storing node subsystems, without persistently storing the secret itself. An agent within a client device subsequently requests a secret share corresponding to a secret, or a share of data derived from the secret share, from each of the multiple secret-share-storing nodes. The multiple secret-share-storing nodes additionally cooperate to periodically alter the stored secret shares corresponding to a secret in a way that allows agents to recover the original secret, or derived data, from all or a portion of the altered secret shares or derived-data shares.

Abstract: A method and system for providing Deep Packet Inspection (DPI) as a service to a computer network are provided herein. The contribution of embodiments of the present invention is two-folded. First, a possible framework of having DPI deployed as a service is detailed, including the necessary algorithms and required adaptations. Second, the superior performance of the suggested design is demonstrated via simulations. Since the focus is on the algorithmic aspects and network design, an SDN implementation of the suggested design is not provided herein. However, many aspects of such an SDN implementation follow closely the guidelines known in the art.

Abstract: The current document is directed to distributed-secure-storage systems, and processes carried out within the distributed-secure-storage systems, that provide for secure storage and retrieval of confidential and critical data, referred to as “secrets,” within distributed computer systems. The secret-storage systems partition an input secret into multiple secret shares and distribute the secret shares among multiple secret-share-storing node subsystems, without persistently storing the secret itself. An agent within a client device subsequently requests a secret share corresponding to a secret, or a share of data derived from the secret share, from each of the multiple secret-share-storing nodes. The multiple secret-share-storing nodes additionally cooperate to periodically alter the stored secret shares corresponding to a secret in a way that allows agents to recover the original secret, or derived data, from all or a portion of the altered secret shares or derived-data shares.

Abstract: The current document is directed to distributed-secure-storage systems, and processes carried out within the distributed-secure-storage systems, that provide for secure storage and retrieval of secrets within distributed computer systems, including private encryption keys used for client authentication during establishment of secure communications channels. The secret-storage systems partition an input secret into multiple secret shares and distribute the secret shares among multiple secret-share-storing node subsystems, without persistently storing the secret itself. An agent within a client device subsequently requests a secret share corresponding to a secret, or a share of data derived from the secret share, from each of the multiple secret-share-storing nodes.

Abstract: The disclosure provides an approach for enabling network functions to be executed in serverless computing environments. One embodiment employs a per-packet architecture, in which the trigger for launching a serverless computing instance is receipt of a packet. In such a case, each received packet is packaged into a request to invoke network function(s) required to process the packet, and a serverless computing environment in turn executes the requested network function(s) as serverless computing instance(s) that process the packet and return a response. Another embodiment employs a per-flow architecture in which the trigger for launching a serverless computing instance is receipt of a packet belonging to a new traffic flow. In such a case, a coordinator identifies (or receives notification of) a received packet that belongs to a new sub-flow and launches a serverless computing instance to process packets of the sub-flow that are redirected to the serverless computing instance.

Abstract: A method and system for providing Deep Packet Inspection (DPI) as a service to a computer network are provided herein. The contribution of embodiments of the present invention is two-folded. First, a possible framework of having DPI deployed as a service is detailed, including the necessary algorithms and required adaptations. Second, the superior performance of the suggested design is demonstrated via simulations. Since the focus is on the algorithmic aspects and network design, an SDN implementation of the suggested design is not provided herein. However, many aspects of such an SDN implementation follow closely the guidelines known in the art.