Abstract: A method performed by a cloud system includes, subsequent to the cloud system connecting to one of a cloud provider and a Software-as-a-Service (SaaS) application, scanning data stored therein for one or more users associated with a tenant of a plurality of tenants of the cloud system; detecting an incident in the data during the scanning; maintaining details of the incident in an in-memory data store; and providing a notification to the tenant of the incident.

Abstract: In some aspects, an apparatus includes a processor and a memory. In some embodiments, the memory includes programmed instructions that, when executed by the processor, cause the apparatus to intercept an I/O transaction between a virtual machine and an I/O device, determine whether data in the I/O transaction indicates a security misconfiguration, and perform a remedial action in response to identifying the security misconfiguration.

Abstract: Technologies for dynamic accelerator selection include a compute sled. The compute sled includes a network interface controller to communicate with a remote accelerator of an accelerator sled over a network, where the network interface controller includes a local accelerator and a compute engine. The compute engine is to obtain network telemetry data indicative of a level of bandwidth saturation of the network. The compute engine is also to determine whether to accelerate a function managed by the compute sled. The compute engine is further to determine, in response to a determination to accelerate the function, whether to offload the function to the remote accelerator of the accelerator sled based on the telemetry data. Also the compute engine is to assign, in response a determination not to offload the function to the remote accelerator, the function to the local accelerator of the network interface controller.

Abstract: Distributing dataset requests across service tiers including generating, by a workbook client, a dataset request for a dataset to populate a workbook for presentation on a client computing system, wherein data for the dataset is stored on a cloud-based data warehouse; determining, by the workbook client, a set of service tiers capable of servicing at least a portion of the dataset request, wherein the set of service tiers comprises the cloud-based data warehouse; selecting, by the workbook client from the set of service tiers, a combination of service tiers to service the dataset request based on at least one selection policy; and issuing, by the workbook client, the dataset request to the selected combination of service tiers.

Abstract: Adapting automatic software update behavior for virtual desktop infrastructure deployed endpoints includes detecting a request for services of a threat management facility for an enterprise network that originates from a compute instance embodied as a virtual machine instantiated from a versioned software template, and updating software on the compute instance based on a determination of availability of updated software for the compute instance and an update pause parameter indicating that updating software for virtual machines instantiated from the versioned software template is permitted for the compute instance.

Abstract: Techniques for detecting anomalies in a distributed application based on process data are provided. This process data can include, e.g., the hierarchy (i.e., tree) of processes created and run by the application, the file system operations performed by each process, the network access operations performed by each process.

Abstract: In one aspect, an example methodology implementing the disclosed techniques includes receiving, by a systems management console, a network address of a device in a virtual environment, and determining a network address associated with a virtual environment management console based on the received network address of the device in the virtual environment. The method also includes sending, by the systems management console via a systems management agent to the virtual environment management console using the determined network address associated with the virtual environment management console, a request for network addresses of virtual machine (VM) host servers and VMs in the virtual environment. The method also includes receiving, by the systems management console via the systems management agent from the virtual environment management console, the network addresses of the VM host servers and the VMs in the virtual environment and providing a notification of the discovered VM host servers and VMs.

Abstract: A device for managing communication via interfaces in a virtualized system in which a plurality of virtual machines shares a hardware platform which is virtualized with the aid of a hypervisor, and interfaces assigned to the hardware platform access to the interfaces taking place with the aid of a gateway implemented in hardware. A method for operating the device is also described.

Abstract: Computing apparatus includes a host computer, including multiple non-uniform memory access (NUMA) nodes, including at least first and second NUMA nodes, which include first and second local memories and first and second host bus interfaces for connection to first and second peripheral component buses, respectively. A network interface controller (NIC) is to receive a definition of a memory region extending over respective first and second parts of the first and second local memories and to receive a memory mapping with respect to the memory region that is applicable to both the first and second local memories, and to apply the memory mapping in writing data to the memory region via first and second NIC bus interfaces in a sequence of direct memory access (DMA) transactions to the respective first and second parts of the first and second local memories in response to packets received through a network port.

Abstract: A monitoring utility program into a software container in which a containerized virtual machine application is running. The monitoring utility program is to monitor the containerized virtual machine application running within the software container. Monitoring information regarding the containerized virtual machine application is periodically pulled from the monitoring utility program.

Abstract: One or more embodiments provide techniques that permit virtual computing instances in isolated environments to communicate information outside the isolated environments without requiring networking. In one embodiment, an encoder which runs in a virtual machine (VM) within an isolated environment, such as one of the VMs of a packaged virtual machine application that does not have external network connectivity, is configured to encode information, such as state information of the packaged virtual machine application, in portion(s) of a network address. The encoder further configures an unconnected network interface of the same VM, or another VM in the isolated environment, with the network address that includes the encoded information. A decoder, which could not otherwise communicate with the virtual computing instance via any network, may then retrieve the network address assigned to the unconnected network interface and decode that network address to obtain the information encoded therein.

Abstract: A method for operating a microcontroller. The microcontroller includes a plurality of resources, a plurality of virtual machines being executed in the microcontroller, a coordination unit being superordinate to the plurality of virtual machines. Access information concerning accesses of the plurality of virtual machines to the plurality of resources is stored in the coordination unit. In the event that one of the virtual machines requests a reset of one of the resources, the coordination unit checks on the basis of the access information, which of the virtual machines are accessing this resource. The coordination unit determines on the basis of this check, whether the resource will be reset or whether a substitute measure will be taken.

Abstract: A method is provided that includes establishing, by an application server, a remote access session with a client device, and creating, by a file system agent running on the application server, a metadata-only virtual file system associated with the remote access session, wherein the virtual file system only comprises file metadata associated with a plurality of files residing in a local file system of the client device. The method further includes responsive to receiving, by the virtual file system, a request to access content of a file referenced by the virtual file system, redirecting the request to a file system driver implementing at least a sub-tree of the local file system of the client device.

Abstract: A system may include a memory and a processor in communication with the memory. The processor may be configured to perform operations. The operations may include calculating a priority factor with a node autonomous center in a node and computing a node service capability with the node autonomous center. The operations may further include selecting, with the node autonomous center, a task based on the priority factor and the node service capability. The operations may further include directing the task to the node.

Abstract: Techniques for expanded trusted domains are disclosed. In the illustrative embodiment, a trusted domain can be established that includes hardware components from a processor as well as an off-load device. The off-load device may provide compute resources for the trusted domain. The trusted domain can be expanded and contracted on-demand, allowing for a flexible approach to creating and using trusted domains.

Abstract: Implementations describe a computing system that implements a plurality of virtual machines inside a trust domain (TD), enabled via a secure arbitration mode (SEAM) of the processor. A processor includes one or more registers to store a SEAM range of memory, a TD key identifier of a TD private encryption key. The processor is capable of initializing a trust domain resource manager (TDRM) to manage the TD, and a virtual machine monitor within the TD to manage the plurality of virtual machines therein. The processor is further capable of exclusively associating a plurality of memory pages with the TD, wherein the plurality of memory pages associated with the TD is encrypted with a TD private encryption key inaccessible to the TDRM. The processor is further capable of using the SEAM range of memory, inaccessible to the TDRM, to provide isolation between the TDRM and the plurality of virtual machines.

Abstract: A computer comprising one or more processors and memory may implement multiple threads that perform a lock operation using a data structure comprising an allocation field and a grant field. Upon entry to a lock operation, a thread allocates a ticket by atomically copying a ticket value contained in the allocation field and incrementing the allocation field. The thread compares the allocated ticket to the grant field. If they are unequal, the thread determines a number of waiting threads. If the number is above the threshold, the thread enters a long term wait operation comprising determining a location for long term wait value and waiting on changes to that value. If the number is below the threshold or the long term wait operation is complete, the thread waits for the grant value to equal the ticket to indicate that the lock is allocated.

Abstract: Embodiments of the present disclosure relate to a method, system and computer program product for providing system services. In some embodiments, a method is disclosed. According to the method, from a user program in a user address space, a request for a system service is received via a program call instruction of a set of program call instructions in an application interface code library. Based on the program call instruction, a target authorized address space of a plurality of authorized address spaces and a target system service routine for providing the system service in the target authorized address space is determined. A result of running the target system service routine in the target authorized address space is returned to the user program as a response to the request.

Abstract: Techniques to utilize excess resources in a cloud system, such as by enabling an auxiliary resource utilizer to use resources while they are not needed to support primary resource utilizers, are described herein. Some embodiments are directed to identifying and allocating excess capacity of resources in a cloud system to auxiliary resource utilizers based on one or more policies. In various embodiments, excess resources in one or more of the set of resources in the cloud system, or cloud resources, may be determined based on monitoring utilization of the cloud resources by the primary resource utilizers. In many embodiments, an auxiliary resource utilizer that is in compliance with a set of utilization policies may be identified and the excess resources may be allocated to the auxiliary resource utilizer.

Abstract: A method of adjusting a number of virtual machines in a data plane is provided. A number of virtual machines in the data plane each having a data plane proxy is provisioned. The virtual machines provide data routing for a first number of operational pods in a deployment plane associated with the data plane. A status of the deployment plane is monitored. The status reflects the deployment plane has a second number of operational pods different from the first number of operational pods. The first number of operational pods is compared to the second number of operational pods. Based on the comparison, the number of virtual machines in the data plane is adjusted.

Abstract: Techniques are disclosed pertaining to migrating a database between different storage clusters. A computer system identifies a current state of the database that is managed by a database application that enables a client application to access data of the database stored at a first storage cluster. The computer system copies first particular data of the database that is associated with the current state from the first storage cluster to a second storage cluster. After the copying, the computer system transitions the database application into a read-only mode in which it processes read but not write traffic. The computer system copies, from the first storage cluster to the second storage cluster, second particular data of the database that was generated by the database application during the copying of the first particular data. The computer system may also instantiate another instance of the database application in association with the second storage cluster.

Abstract: A method of provisioning a self-provisioning computer system is disclosed. The method includes executing code in a secure base activation image to perform various functions. This includes executing an identification process, using a cryptographically created identifier included in the base activation image, with an activation service to confirm an identity of the computer system with the activation service. This further includes confirming system integrity of the computer system with the activation service. Based on confirming the identity of the computer system and confirming system integrity of the computer system, The computer system is unlocked for load installation. Load installation is performed by providing capabilities for the computer system to the activation service and receiving the load based on the provided capabilities.

Abstract: Disclosed are various embodiments for the controlling the amount of active updates that can occur during a given time on devices that are associated with tenants (e.g., organizations) and subtenants (e.g., sub-organizations) in a multi-tenant environment. In particular, each tenant and subtenant is assigned throttle corresponding to different update parameters (e.g., an amount of devices executing an active update, an amount of data to be downloaded during a campaign, a time for completing the update campaign, etc.). When an update campaign is established, the update campaign can define the different devices that are to be updated. In some situations, the number of active updates required may exceed the allotted resources for a given subtenant. When a subtenant requires additional resources than what is assigned to complete the update, the subtenant can borrow resources defined by the update parameters from a subtenant peer that has a surplus.

Abstract: A method includes receiving profile information for a network. The method also includes determining a network configuration based on at least a constraint associated with at least one of a network session or a hardware capacity of a hardware platform of the network and a number of sessions that the network configured based on the network configuration can support. The method also includes configuring the network based on the network configuration.

Abstract: Apparatus and method for migrating a container including graphics processor state.

Abstract: This disclosure relates to a method of allocating a resource in a virtualized radio access network, wherein the virtualized radio access network includes a first virtual machine delivering a first service type and a second virtual machine delivering a second service type.

Abstract: In accordance with an embodiment, described herein is a system and method for supporting partitions in a multitenant application server environment. In accordance with an embodiment, an application server administrator (e.g., a WLS administrator) can create or delete partitions; while a partition administrator can administer various aspects of a partition, for example create resource groups, deploy applications to a specific partition, and reference specific realms for a partition. Resource groups can be globally defined at the domain, or can be specific to a partition. Applications can be deployed to a resource group template at the domain level, or to a resource group scoped to a partition or scoped to the domain. The system can optionally associate one or more partitions with a tenant, for use by the tenant.

Abstract: An example method of managing guest time for a virtual machine (VM) supported by a hypervisor of a virtualized host computer includes: configuring, by the hypervisor, a central processing unit (CPU) of the host computer to trap, to the hypervisor, access by guest code in the VM to a physical counter and timer of the CPU; configuring, by the hypervisor, the guest code in the VM to use the physical counter and timer of the CPU rather than a virtual counter and timer of the CPU; trapping, at the hypervisor, an access to the physical counter and timer by the guest code; and executing, by the hypervisor, the access to the physical counter and timer on behalf of the guest code while compensating for an adjustment of a system count of the physical counter and timer to maintain the guest time as scaled with respect to frequency of the physical counter and timer.

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: A data center adapted to connect via a first wide area network to a core network connected with a base station and to a wireless LAN, variably controls service provided in a virtual core network of the data center to a terminal enabled to select connection to either a wireless LAN or a base station and connect to the data center.

Abstract: A payment method includes a cloud application instance sending an order and a device identity to a payment management node. The payment method further includes the payment management node recording a correspondence between the order and the device identity. The payment method further includes the cloud application instance sending an order payment request to a terminal device. The payment method further includes the terminal device sending, to the payment management node based on the order payment request, an order obtaining request carrying the device identity. The payment method further includes the payment management node obtaining the order from the correspondence based on the device identity carried in the order obtaining request, and sending the order to the terminal device. The payment method further includes terminal device receiving and processing the order.

Abstract: In some implementations, a cloud system may obtain data via a copy of an application executing in a first cloud deployment zone of the multiple cloud deployment zones, wherein the application has copies executing in respective cloud deployment zones of the multiple cloud deployment zones. The cloud system may store, in a database executing in the first cloud deployment zone, the data with a deployment zone identifier that indicates the first cloud deployment zone, where the multiple cloud deployment zones include respective databases of multiple databases including the database. The cloud system may perform, via a cloud resource in the first cloud deployment zone, an operation using the data based on the data including the deployment zone identifier that indicates the first cloud deployment zone and based on the cloud resource being in the first cloud deployment zone.

Abstract: An approach for protecting container image and runtime data from host access may be presented. Container systems have allowed for more efficient utilization of computing resources, removing the requirement of a hypervisor, and packaging all necessary dependencies within an application. Preventing host access to container image and runtime data can be advantageous for a multitude of reasons. The approach herein may include, flattening a plurality of root file system of a one or more container images into a single layer. The approach may also include generating a container base image for each of the one or more flattened root file system. The approach may include encrypting each of the generated container base images with the flattened root file system.

Abstract: A display apparatus for a vehicle includes: first, second, and third displays located in the vehicle, a first signal processing device comprising a first processor configured to perform signal processing for the first display and the second display, and a second signal processing device comprising a second processor configured to perform signal processing for the third display. The first processor is configured to execute first, second, and third virtual machines on a hypervisor in the first processor. The first virtual machine is configured to transmit, from at least one of the second virtual machine or the third virtual machine to the second signal processing device, a remote processing request, receive image data processed by the second signal processing device in response to the remote processing request, and control at least one of the first display or the second display to display an image related to the received image data.

Abstract: To provide a low latency near RT RIC, some embodiments separate the RIC's functions into several different components that operate on different machines (e.g., execute on VMs or Pods) operating on the same host computer or different host computers. Some embodiments also provide high speed interfaces between these machines. Some or all of these interfaces operate in non-blocking, lockless manner in order to ensure that critical near RT RIC operations (e.g., datapath processes) are not delayed due to multiple requests causing one or more components to stall. In addition, each of these RIC components also has an internal architecture that is designed to operate in a non-blocking manner so that no one process of a component can block the operation of another process of the component. All of these low latency features allow the near RT RIC to serve as a high speed IO between the E2 nodes and the xApps.

Abstract: This disclosure describes techniques for increasing the baseline performance of a burstable instance to an increased performance level for a limited time period. For example, a user may schedule a time period which the burstable instance has access to 100% of a CPU, instead of competing with other burstable instances even during periods of bursting as in prior techniques. In some cases, the user uses credits to reserve the time periods at which the increased performance level is requested. After receiving the reservation, a resource system selects computing resources to host the burstable instance such that the burstable instance, can operate at the requested increased performance level. After the time period has ended, the burstable instance may return to the baseline performance level.

Abstract: Described herein are systems and methods for replication and moving data to provide for container-based application mobility. The configuration of the of the container-based application is determined and copied to an intermediate object storage. Depending on the replication compatibility of source array backing the source cluster and the target array backing the target cluster either a replication engine or data mover are used to move data. Configuration of the container-based application in the common storage is copied and stored to the target cluster. The target cluster is used to restore the container-based application.

Abstract: A cloud computing system includes cloud orchestrator circuitry and fabric manager circuitry. The cloud orchestrator circuitry receives an input application and determines a task graph, a data graph, and a function popularity heap parameter for the input application. The task graph comprises an indication of function interdependency of functions of the input application, the data graph comprises an indication of data interdependency of the functions, and the function popularity heap parameter corresponds to a re-usability index for the functions. The fabric manager circuitry allocate a first programmable integrated circuit (IC) device to perform a first function of the input application based on the task graph, the data graph, and the function popularity heap parameter.

Abstract: A Non-Uniform Memory Access (NUMA) node virtual machine provisioning system includes a connection system and a physical NUMA node coupled to a NUMA node virtual machine provisioning subsystem that modifies NUMA node information in at least one database to create a first virtual NUMA node that is provided by a first subset of NUMA node resources in the physical NUMA node, modifies connection system information in the at least one database to dedicate a first subset of connection system resources in the connection system to the first virtual NUMA node, and deploys a first virtual machine on the first virtual NUMA node such that the first virtual machine performs operations using the first subset of NUMA node resources that provide the first virtual NUMA node, and using the first subset of connection system resources dedicated to the first virtual NUMA node.

Abstract: Some embodiments of the invention provide a method of sending data in a network that includes multiple worker nodes, each worker node executing at least one set of containers, a gateway interface, and a virtual local area network (VLAN) tunnel interface. The method configures the gateway interface of each worker node to associate the gateway interface with multiple subnets. Each subnet is associated with a namespace, a first worker node executes a first set of containers of a first namespace, and a second worker node executes a second set of containers of the first namespace and a third set of containers of a second namespace. The method sends data between the first set of containers and the second set of containers through a VLAN tunnel between the first and second worker nodes.

Abstract: Graphics processing systems and methods are described. A graphics processing apparatus may comprise one or more graphics processing engines, a memory, a memory management unit (MMU) including a GPU second level page table and GPU dirty bit tracking, and a provisioning agent to receive a request from a virtual machine monitor (VMM) to provision a subcluster of graphics processing apparatuses, the subcluster including a plurality of graphics processing engines from a plurality of graphics processing apparatuses connected using a scale-up fabric, provision the scale-up fabric to route data within the subcluster of graphics processing apparatuses, and provision a plurality of resources on the graphics processing apparatus for the subcluster based on the request from the VMM.

Abstract: An electronic device and a method for controlling the electronic device where a plurality of program areas corresponding to a host operating system and a plurality of virtual machines and a shared area corresponding to the host operating system and the plurality of virtual machines are allocated to a memory of the electronic device; and based on a request to install, in a second area among the plurality of program areas, a second application program corresponding to a first application program stored in a first area among the plurality of program areas, at least a part of data relating to the first application program is transferred from the first area to the shared area.

Abstract: Provided are a performance index value calculation system and a performance index value calculation method which are capable of reducing time and labor for an operation of a communication system. A monitoring management module identifies a specific type of element included in a communication system based on inventory data indicating a current status of a link between elements included in the communication system and on calculation logic data indicating a calculation logic for calculating a performance index value of the specific type of element based on performance index values of an element group linked to the element. The monitoring management module identifies the performance index value of each of a plurality of elements included in the element group linked to the identified specific type of element.

Abstract: Methods, systems, and computer programs are presented for redirecting executing of a virtual machine (VM) program to a client device. One method is performed by a server executing the VM. The method includes an operation for receiving an input from a remote desktop application of a client device to execute a program at the VM, and for checking redirect logic to determine execution of the program on the client device. The redirect logic comprises at least one rule to redirect execution of the program to the client device instead of executing the program at the VM. Further, the method includes an operation for, based on determining to execute the program on the client device, send to the client device a request for executing the program at the client device. The client device is configured to execute the program in response to the request.

Abstract: Techniques are provided for deploying virtual machines to a virtualization management environment using an agent component to obtain remote virtual machine templates. One method comprises receiving, by an agent component executing in a virtualization management server, a request to deploy a virtual machine and a storage location of a template for the virtual machine; obtaining the template for the virtual machine from one or more of an orchestration engine and a remote data source identified by the storage location; and replicating the obtained template for the virtual machine to create the virtual machine. The request to deploy the virtual machine may also comprise deployment information used to configure the virtual machine. The agent component may monitor an execution of the created virtual machine and evaluate one or more policies provided by the orchestration engine with respect to security controls and/or network requirements associated with the created virtual machine.

Abstract: In some examples, an analyzer manager configured to select one of a program code analyzer, a static data analyzer, and an unused memory location analyzer for malware detection within memory of a system. The program code analyzer can be executed to evaluate instruction data for executing a computer program at a first set of memory locations within the memory for malware in response to being selected by the analyzer manager. The static data analyzer can be executed to evaluate static data for use by the computer program at a second set of memory locations within the memory for the malware in response to being selected by the analyzer manager. The unused memory location analyzer can be executed to evaluate null data indicative of unused memory locations at a third set of memory locations within the memory for the malware in response to being selected by the analyzer manager.

Abstract: The disclosed approach works without the individualized credentials of failed machines when setting up recovery VMs in a cloud computing environment. Each recovery VMs is customized to properly correspond to the system state of its failed counterpart. An illustrative data storage management system recovers backup data and system states collected from the counterpart computing devices, custom-configures recovery VMs in the cloud computing environment, and injects the desired drivers into each recovery VM during an enhanced bare-metal restore process. The enhanced bare-metal restore process works without the failed computer's credentials. The system also restores the backed up data to recovery volumes attached to the recovery VMs. The present approach is both scalable and secure.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: An acceleration resource scheduling method includes: receiving an acceleration instruction sent by the virtual machine, where the acceleration instruction includes to-be-accelerated data; determining a virtual accelerator allocated to the virtual machine; determining, based on the virtual accelerator, a network accelerator that is to process the acceleration instruction, and sending the acceleration instruction to the network accelerator, so that the network accelerator sends the acceleration instruction to a physical accelerator that is to process the acceleration instruction; receiving a computing result that is returned after the physical accelerator performs acceleration computing on the to-be-accelerated data by using the physical acceleration resource; and sending the computing result to the virtual machine.