Abstract: The present disclosure involves systems and methods for (a) model distributed applications for multi-cloud deployments, (b) derive, by way of policy, executable orchestrator descriptors, (c) model underlying (cloud) services (private, public, server-less and virtual-private) as distributed applications themselves, (d) dynamically create such cloud services if these are unavailable for the distributed application, (e) manage those resources equivalent to the way distributed applications are managed; and (f) present how these techniques are stackable. As applications may be built on top of cloud services, which themselves can be built on top of other cloud services (e.g., virtual private clouds on public cloud, etc.) even cloud services themselves may be considered applications in their own right, thus supporting putting cloud services on top of other cloud services.

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: In one embodiment, a first deep fusion reasoning engine (DFRE) agent in a network receives first sensor data from a first set of one or more sensors in the network. The first DFRE agent translates the first sensor data into symbolic data. The first DFRE agent applies, using a symbolic knowledge base maintained by the first DFRE agent, symbolic reasoning to the symbolic data to make an inference regarding the first sensor data. The first DFRE agent updates, based on the inference regarding the first sensor data, the knowledge base. The first DFRE agent propagates the inference to one or more other DFRE agents in the network.

Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: In one embodiment, a deep fusion reasoning engine receives network telemetry data collected from a network. The deep fusion reasoning engine learns resource utilizations for different heuristic packages that can be used in the network to evaluate operation of the network. The deep fusion reasoning engine selects one of the heuristic packages based on the resource utilizations learned for the different heuristic packages. The selected heuristic package comprises a subservice and a set of rules to be evaluated. The deep fusion reasoning engine deploys the selected heuristic package for execution by a device in the network to evaluate operation of the network using the set of rules.

Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g. network-based service), the routing policy will direct the VPN client to communicate with either a public DNS (via the public Internet) or to a private DNS (via the private Intranet). The resulting IP addresses will be used to establish a particular route (either over a public Internet or private Intranet) between the client device and the network-based service in accordance to the routing policy.

Abstract: In one embodiment, a service receives signal characteristic data indicative of characteristics of wireless signals received by one or more antennas located in a particular area. The service uses the received signal characteristic data as input to a Bayesian inference model to predict physical states of an object located in the particular area. A physical state of the object is indicative of at least one of: a mass, a velocity, an acceleration, a surface area, or a location of the object. The service updates the Bayesian inference model based in part on the predicted state of the object and a change in the received signal characteristic data and based in part by enforcing Newtonian motion dynamics on the predicted physical states.

Abstract: Techniques are described to provide a peephole optimization for processing traffic for lightweight protocols at lower layers by executing them inside a virtual switch rather than using the network stack of a host node. In one example, a method includes determining by forwarding logic of a virtual switch that a received packet is associated with a query for one of domain information or address information. Based on such a determination, the virtual switch determines whether the query is contained within a single Ethernet frame and is answerable. Based on a positive determination for both, the virtual switch determines whether a response to the query can be transmitted in a single packet within a single Ethernet frame. Based on a positive determination of a single packet response, a response packet for the query is formed and injected into the forwarding logic for the virtual switch for transmitting to a destination.

Abstract: In one embodiment, a network node automatically cycles among packet traffic flows and subjects the currently selected packet flows to varying drop probabilities in a packet network, such as, but not limited to in response to congestion in a device or network. Packets of a currently selected packet traffic flow are subjected to a drop or forward decision with a higher drop probability than packets of a currently non-selected flow. By cycling through all of these packet traffic flows, all of these packet flows are subjected to the drop or forward decision in the long term approximately uniformly, thus providing fairness to all packet traffic flows. In the short term, packets of a currently selected flow are targeted for possible dropping with a higher drop probability providing unfairness to the currently selected flows over the non-selected flows.

Abstract: This disclosure describes methods and systems to externally manage network-to-network interconnect configuration data in conjunction with a centralized database subsystem. An example of the methods includes receiving and storing, in the centralized database subsystem, data indicative of user intent to interconnect at least a first network and a second network. The example method further includes, based at least in part on the data indicative of user intent, determining and storing, in the centralized database subsystem, a network intent that corresponds to the user intent. The example method further includes providing data indicative of the network intent from the centralized database subsystem to a first data plane adaptor, associated with the first network, and a second data plane adaptor, associated with the second network.

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices across domains. Attestation information for an attester node in a first domain is received at a verifier gateway in the first domain. The attestation information is translated at the verifier gateway into translated attestation information for a second domain. Specifically, the attestation information is translated into translated attested information for a second domain that is a different administrative domain from the first domain. The translated attestation information can be provided to a verifier in the second domain. The verifier can be configured to verify the trustworthiness of the attester node for a relying node in the second domain by identifying a level of trust of the attester node based on the translated attestation information.

Abstract: In one embodiment, a service that monitors a network detects a plurality of anomalies in the network. The service uses data regarding the detected anomalies as input to one or more machine learning models. The service maps, using a conceptual space, outputs of the one or more machine learning models to symbols. The service applies a symbolic reasoning engine to the symbols, to rank the anomalies. The service sends an alert for a particular one of the detected anomalies to a user interface, based on its corresponding rank.

Abstract: Various embodiments disclosed herein include apparatuses, systems, devices, and methods for anonymously generating an encrypted session for a client device in a wireless network. The method comprises, in response to providing, to the client device in the wireless network, a request for credentials associated with the client device, obtaining, from the client device, a response including proposed credentials associated with the client device. The method further comprises determining whether or not the format of the response matches a response template. The method further comprises, in response to determining that the format of the response matches the response template, generating an encrypted wireless session for the client device independent of the proposed credentials associated with the client device.

Abstract: In one embodiment, a network quality assessment service that monitors a network obtains multimodal data indicative of a plurality of measurements from the network and subjective perceptions of the network by users of the network. The network quality assessment service uses the obtained multimodal data as input to one or more neural network-based models. The network quality assessment service maps, using a conceptual space, outputs of the one or more neural network-based models to symbols. The network quality assessment service applies a symbolic reasoning engine to the symbols, to generate a conclusion regarding the monitored network. The network quality assessment service provides an indication of the conclusion to a user interface.

Abstract: Retrieving content in an Internet Protocol version 6 (IPv6) network may be provided. A lookup request associated with content may be received from a network node at a server having a mapping database. A response having an ordered list of more than one IPv6 addresses may be generated. The ordered list of the more than on IPv6 addresses may include IPV6 prefixes. Each of the more than one IPv6 addresses may include a first portion having a content identifier and a second portion having an indication of a location of the content. The response may be transmitted to the network node.

Abstract: In one embodiment, a service that monitors a network detects a plurality of anomalies in the network. The service uses data regarding the detected anomalies as input to one or more machine learning models. The service maps, using a conceptual space, outputs of the one or more machine learning models to symbols. The service applies a symbolic reasoning engine to the symbols, to rank the anomalies. The service sends an alert for a particular one of the detected anomalies to a user interface, based on its corresponding rank.

Abstract: A crowd-sourced cloud environment allows for, and benefits from, modes of interaction between among the service providers (including the “resource providers” and the “cloud provider”) and consumers (also referred to herein as “tenants”) that are not practiced in a DC-centric cloud environment—specifically, the use of Internet-based social networking technology and Internet-based online marketplace technology to facilitate resource pooling and interaction between crowd-sourced cloud resource providers, the cloud provider, and crowd-sourced cloud consumers.

Abstract: A method comprises obtaining, from a client device, a first set of application authentication credentials formatted in accordance with a first authentication protocol. The first set of application authentication credentials corresponds to a first user profile. The method includes translating the first set of application authentication credentials to a second set of application authentication credentials. The second set of application authentication credentials is formatted in accordance with a second authentication protocol different from the first authentication protocol and corresponds to the first user profile. The method includes providing the second set of application authentication credentials to an application authentication system. The method includes, in response to providing the second set of application authentication credentials to the application authentication system, obtaining, from the application authentication system, an application authentication indicator.

Abstract: In one embodiment, a video analysis service receives video data captured by one or more cameras at a particular location. The service applies a neural network-based model to portions of the video data, to identify objects within the video data. The service maps outputs of the neural network-based model to symbols using a conceptual space. The outputs of the model comprise the identified objects. The service applies a symbolic reasoning engine to the symbols, to generate an alert. The service sends the alert to a user interface in conjunction with the video data.

Abstract: A method includes receiving a DNS request, notifying a serverless orchestrator system of data associated with the DNS request, provisioning a function on a serverless function node based on the DNS request, notifying a load balancer regarding the serverless function node, providing a response to the DNS request and routing an API request associated with the DNS request to the serverless function node.