Patent classifications
H04L47/31
SYSTEM AND METHOD FOR NETWORK POLICY SIMULATION
This disclosure generally relates to a method and system for network policy simulation in a distributed computing system. The present technology relates to techniques that enable simulation of a new network policy with regard to its effects on the network data flow. By enabling a simulation data flow that is parallel and independent from the regular data flow, the present technology can provide optimized network security management with improved efficiency.
Adaptive networking policy with user defined attributes
The present disclosure is directed to adaptive networking policy with user defined fields and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more components to perform operations including generating a user defined attribute (UDA) value corresponding to a set of attributes; receiving, at a network device, a packet having one or more packet conditions; determining that the one or more packet conditions of the packet match the set of attributes of the UDA value; assigning a UDA tag to the packet, wherein the UDA tag corresponds to the UDA value and is configured for chaining with one or more other UDA tags; and taking an action on the packet based on the UDA tag.
Method for controlling network congestion, access device, and computer readable storage medium
A method for controlling network congestion, including overlaying an overlay network packet header on an encapsulation outer layer of a transmit packet, where the overlay network packet header includes an outer Internet Protocol (IP) header, and an explicit congestion notification (ECN) identifier of an ECN is set in the outer IP header, decapsulating the overlay network packet header for an encapsulated reply packet, where an inner congestion identifier that is based on the ECN identifier is obtained from an IP header of the decapsulated reply packet through matching, and if the decapsulated reply packet is a User Datagram Protocol (UDP) packet, forwarding the UDP packet to a preset slow channel.
Systems and methods for managing streams of packets via intermediary devices
Virtual application and desktop delivery may be optimized by supplying application metadata and user intent to the device between a client and a server hosting resources for the delivery. The data packets used to deliver the virtual application or desktop may also be tagged with references to the application. By supplying the metadata and tagging packets with the metadata, an intermediary network device may provide streams of data packets at the target QoS. In addition, the device may apply network resource allocation rules (e.g., firewalls and QoS configuration) for redirected content retrieved by the client out of band relative to a virtual channel such as the Internet. The network resource allocation rules may differ for different types of resources accessed. The device may also control a delivery agent on the server to modify communication sessions established through the virtual channels based on network conditions.
TRANSMITTING DEVICE AND BUFFER CONTROL METHOD
A transmitting device includes a first layer processor configured to include a buffer to store therein transmission data, the first layer processor configured to execute processing for a first layer on the transmission data, a second layer processor configured to execute processing for a second layer that differs from the first layer on the transmission data, and a transmitter configured to transmit the transmission data processed by the first layer processor and the second layer processor. The first layer processor discards the transmission data stored in the buffer in accordance with a parameter used for transmission control in the processing for the second layer.
System and method of detecting hidden processes by analyzing packet flows
A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed outside of the first host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that a hidden process exists and corrective action can be taken.
Data transmission method, computing device, network device, and data transmission system
A data transmission method implemented by a network device, where the data transmission method includes receiving a first data packet sent by a transmit end, buffering the first data packet to a low-priority queue when the first data packet is sent by the transmit end during a first round-trip time (RTT) of a data transmission phase between the transmit end and a receive end, receiving a second data packet from the transmit end, buffering the second data packet to a high-priority queue when the second data packet is not sent by the transmit end during the first RTT, and forwarding the second data packet in the high-priority queue before the first data packet in the low-priority queue.