Abstract: A method for training a control arrangement for a controlled system. The control arrangement includes a regulation device and an actuator that operates according to a control strategy. The method includes the generation of control actions by the regulation device, each control action being generated by detecting measured variables that indicate a state of the controlled system, ascertaining a correction term for the detected measured variables by the actuator according to the control strategy, adapting the detected measured variables using the correction term for the detected measured variables, and generating the control action by supplying the adapted measured variables to the regulation device as the actual value. The method further includes training the control strategy by reinforcement learning for maximizing the gain that is achieved by the generated control actions.

Abstract: It is presented a method for configuring a network path. The method is performed in a routing control device of a software defined network and comprises the steps of: receiving a first node packet originating from a first node of the software defined network, the first node packet forming part of an ARP exchange between an ARP requester and an ARP responder, the first node packet comprising a request for network properties encoded in a first address; determining a network path through the software defined network; changing a source address of a packet to the ARP requester to be a second address; configuring all switches forming part of the network path, to route packets in accordance with the network path; and configuring an edge switch to replace, for all packets having a destination address being equal to the second address, the destination address with an address of the ARP responder.

Abstract: A method and an attack detection function (200), for detection of a distributed attack in a wireless network (206) to which multiple wireless devices are connected via network nodes (210). It is checked whether characteristics of a traffic flow from each of a plurality of wireless devices (208) fulfil a predefined threshold condition related to abnormal traffic originating from the wireless devices, or not. When detecting that said characteristics of traffic flow fulfil the threshold condition, changes of the traffic flows from the wireless devices are identified, e.g. based on statistics on previous traffic originating from the wireless devices. It can then be determined whether the wireless devices are used in the distributed attack, based on said identified changes of the traffic flows.

Abstract: Embodiments herein relate to a method performed by a network controller node (130) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The network controller node (130) receives information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100). Also, the network controller node (130) determines a network identifier for the service (150) in the data processing network (100) based on the obtained network requirements. Embodiments herein also relate to a method performed by a resource controller node (140) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The resource controller node (140) obtains information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100).

Abstract: There is provided mechanisms for handling access to a service in a network. A method is performed by a network controller. The method comprises obtaining an indication of the service is accessible in the network. The indication is received from a network switch operatively connecting a server of the service to the network. The indication causes a timer to start. The method comprises obtaining an indication of a client requesting to access the service. The indication is received from the network switch. The method comprises recording, only when the timer has not yet expired, identity information of the client in an access control list. The method comprises providing the access control list at least to the network switch upon expiration of the timer.

Abstract: A controller manager, a controller agent and methods therein, for enabling a connection between a switch of a communication network and a switch controller that performs logic switch operations. The controller manager obtains from the controller agent, measurements related to connectivity to a set of switch controllers. The controller manager then selects at least one switch controller in the set of switch controllers based on the obtained measurements, to control said switch, and instructs the controller agent to set up or route a connection between the switch and the selected at least one switch controller.

Abstract: There is provided mechanisms for updating a private key of a host entity. The private key is based on parameters negotiated between the host entity and a key issuer. The host entity further has a group public key that is generated by the key issuer and associated with the private key. A method is performed by the host entity. The method comprises obtaining a need to acquire a new private key. The method comprises, in response thereto, performing a private key update procedure with the key issuer using the public key and the current private key, wherein parameters for the new private key are negotiated with the key issuer. The method comprises generating the new private key using the negotiated parameters.

Abstract: There is provided mechanisms for handling access to a service in a network. A method is performed by a network controller. The method comprises obtaining an indication of the service is accessible in the network. The indication is received from a network switch operatively connecting a server of the service to the network. The indication causes a timer to start. The method comprises obtaining an indication of a client requesting to access the service. The indication is received from the network switch. The method comprises recording, only when the timer has not yet expired, identity information of the client in an access control list. The method comprises providing the access control list at least to the network switch upon expiration of the timer.

Abstract: It is presented a method for configuring a network path. The method is performed in a routing control device of a software defined network and comprises the steps of: receiving a first node packet originating from a first node of the software defined network, the first node packet forming part of an ARP exchange between an ARP requester and an ARP responder, the first node packet comprising a request for network properties encoded in a first address; determining a network path through the software defined network; changing a source address of a packet to the ARP requester to be a second address; configuring all switches forming part of the network path, to route packets in accordance with the network path; and configuring an edge switch to replace, for all packets having a destination address being equal to the second address, the destination address with an address of the ARP responder.

Abstract: There is provided mechanisms for updating a private key of a host entity. The private key is based on parameters negotiated between the host entity and a key issuer. The host entity further has a group public key that is generated by the key issuer and associated with the private key. A method is performed by the host entity. The method comprises obtaining a need to acquire a new private key. The method comprises, in response thereto, performing a private key update procedure with the key issuer using the public key and the current private key, wherein parameters for the new private key are negotiated with the key issuer. The method comprises generating the new private key using the negotiated parameters.

Abstract: Embodiments herein relate to a method performed by a network controller node (130) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The network controller node (130) receives information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100). Also, the network controller node (130) determines a network identifier for the service (150) in the data processing network (100) based on the obtained network requirements. Embodiments herein also relate to a method performed by a resource controller node (140) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The resource controller node (140) obtains information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100).

Abstract: A controller manager, a controller agent and methods therein, for enabling a connection between a switch of a communication network and a switch controller that performs logic switch operations. The controller manager obtains from the controller agent, measurements related to connectivity to a set of switch controllers. The controller manager then selects at least one switch controller in the set of switch controllers based on the obtained measurements, to control said switch, and instructs the controller agent to set up or route a connection between the switch and the selected at least one switch controller.

Abstract: A method for managing transmissions between hypervisors and network switches is described. The method may include receiving, by a management server, a message from a network switch operating in a network; and transmitting, by the management server, a first translation instruction, including a first hypervisor address, to a network address translation device in response to receiving the message, wherein the first translation instruction indicates to the network address translation device to forward traffic received from the network switch to the first hypervisor address.

Abstract: A method and an attack detection function (200), for detection of a distributed attack in a wireless network (206) to which multiple wireless devices are connected via network nodes (210). It is checked whether characteristics of a traffic flow from each of a plurality of wireless devices (208) fulfil a predefined threshold condition related to abnormal traffic originating from the wireless devices, or not. When detecting that said characteristics of traffic flow fulfil the threshold condition, changes of the traffic flows from the wireless devices are identified, e.g. based on statistics on previous traffic originating from the wireless devices. It can then be determined whether the wireless devices are used in the distributed attack, based on said identified changes of the traffic flows.

Abstract: The disclosure relates to a method for access control of a data flow in a software defined networking system. The method includes receiving a first packet associated with a first data flow between a client node and a server node, verifying authentication of the first packet, repeating the receiving and verifying for a number of subsequent packets of the first data flow, wherein the number of subsequent packets is set based on type of protocol used for the first data flow and/or a policy set in the controller device, and sending, to an intermediate node along a path of the first data flow, a respective verification message for each successfully verified authentication of the first packet and any subsequent packets, allowing the first packet and any subsequent packets of the first data flow for forwarding.

Abstract: The disclosure relates to a method for access control of a data flow in a software defined networking system. The method includes is performed in a controller device and comprises: receiving a first packet associated with a first data flow between a client node and a server node, verifying, based on flow attributes authentication of the first packet, repeating the receiving and verifying for a number of subsequent packets of the first data flow, wherein the number of subsequent packets is set based on type of protocol used for the first data flow and/or a policy set in the controller device, and sending, to an intermediate node along a path of the first data flow, a respective verification message for each successfully verified authentication of the first packet and any subsequent packets, allowing the first packet and any subsequent packets of the first data flow for forwarding.