Abstract: Techniques and mechanisms for providing continuous integrity validation-based control plane communication in a container-orchestration system, e.g., the Kubernetes platform. A worker node generates a nonce and forwards the nonce to a master node while requesting an attestation token. Using the nonce, the master node generates the attestation token and replies back to the worker node with the attestation token. The worker node validates the attestation token with a CA server to ensure that the master node is not compromised. The worker node sends its authentication credentials to the master node. The master node generates a nonce and forwards the nonce to the worker node while requesting an attestation token. Using the nonce, the worker node generates the attestation token and replies back to the master node with the attestation token. The master node validates the attestation token with the CA server to ensure that the worker node is not compromised.

Abstract: Techniques for utilizing a cloud service to compute an end-to-end SLA-aware path using dynamic software-defined cloud interconnect (SDCI) tunnels between a user device and an access point-of-presence (POP) node and inter-POP tunnels of the SDCI. The cloud service may include a performance aware path instantiation (PAPI) component including a POP database for storing performance metrics associated with the POPs of the SDCI, an enterprise policy database for storing user specific policies, and/or a path computation component. The path computation component may compute the path, based on the user specific policies, performance metrics associated with the POP nodes, and/or real-time contextual data associated with the user device and/or destination device. The path may include a first tunnel between the user device and the most optimal access POP node of the SDCI and a second tunnel between the access POP node, through the internal POP nodes, and to the destination device.

Abstract: Methods are provided in which a network device hosts distinct network access resources that are managed by different entities. The method includes obtaining a request for partitioning one or more network resources of an on-premise network device for connecting one or more endpoints to a first network managed by a first entity. The on-premise network device connects one or more endpoints to a second network managed by a different entity. The method further involves partitioning, based on the request, the one or more network resources and connecting the one or more endpoints to the first network using the one or more network resources. The one or more network resources are managed by the first entity while at least one other network resource of the on-premise network device is managed by the different entity and is associated with connecting the one or more endpoints to the second network.

Abstract: A device associated with an enterprise receives, from a user device, a message indicating that a user of the user device has requested a service level for accessing a service while performing teleworking activities for the enterprise. The user device accesses the service via a network that includes a portion controlled by an Internet Service Provider (ISP). The enterprise has established an agreement with the ISP indicating that the ISP is to provide service levels for users who are performing teleworking activities for the enterprise via the ISP. The ISP associated with the user device is identified based on the message. A request is transmitted to the ISP to provide the service level for the portion of the network that is controlled by the ISP and the ISP provides the service level for accessing the service based on the request.

Abstract: A device associated with an enterprise receives, from a user device, a message indicating that a user of the user device has requested a service level for accessing a service while performing teleworking activities for the enterprise. The user device accesses the service via a network that includes a portion controlled by an Internet Service Provider (ISP). The enterprise has established an agreement with the ISP indicating that the ISP is to provide service levels for users who are performing teleworking activities for the enterprise via the ISP. The ISP associated with the user device is identified based on the message. A request is transmitted to the ISP to provide the service level for the portion of the network that is controlled by the ISP and the ISP provides the service level for accessing the service based on the request.

Abstract: This disclosure provides systems, devices, apparatus, and methods, including computer programs encoded on storage media, for fast incremental shared constants. In aspects, a CPU may determine/update shared constant data for a first draw call of a plurality of draw calls. The shared constant data, which may correspond to at least one shader, may be updated based on a draw call update for the first draw call. The CPU may communicate the updated shared constant data for the first draw call to a GPU. The GPU may receive, in at least one register, the updated shared constant data from the CPU and configure the at least one register based on the updated shared constant data corresponding to the draw call update of the first draw call of the plurality of draw calls.

Abstract: A method of performing movement pattern anomaly detection with targeted alerts can include receiving input from each camera of a multi-camera system and for each input: performing video content analysis; generating a critical analysis matrix associated with the input from that camera; assigning a fusion value for each vector of the critical analysis matrix using a fusion map that indicates particular fusion values associated with possible elements of the critical analysis matrix; and triggering an alert according to whether the fusion value exceeds a threshold associated with that camera. The critical analysis matrix includes output from at least two different computer vision algorithms of the video content analysis applied to the input from a camera.

Abstract: This disclosure describes using a dynamic proxy for securing communications between a source within a cloud environment and an application container. The techniques include intercepting traffic directed to an application container, analyzing the traffic and traffic patterns, and allowing or preventing the traffic from being delivered to the application container based on the analysis. A traffic analysis engine may determine whether the traffic is considered safe and is to be allowed to be delivered to the application container, or whether the traffic is considered unsafe and is to be prevented from being delivered to the application container, According to some configurations, the address(es) to the network interfaces (e.g., WIFI or Eth0) are abstracted to help ensure security of the application containers.

Abstract: An authorization device obtains a registration request associated with an end device, the registration request including a new randomized media access control (MAC) address associated with the end device; determines whether the end device is authorized to use the new randomized MAC address; transmits a message to the end device with a first randomly generated number when it is determined that the end device is authorized to use the new randomized MAC address; obtains integrity information associated with the end device, the first integrity information being computed based on the first randomly generated number; transmits a request to a validation system to validate the end device based on the first integrity information; obtains an indication that the end device is validated; determines policies associated with the end device when it is determined that the end device is validated; and applies the policies to the end device.

Abstract: A system and methods by which a reconfigurable intelligent surface device is dynamically configured to control the reflection of transmissions made between an access point and one or more client devices so as to protect the transmissions from being properly received by an unauthorized device. These methods may be used to maintain data confidentiality, particular for remote workers. The positions of the access point and client devices are used to configure the reconfigurable intelligent surface device to reflect the transmissions inward and avoid/minimize leakage outside a physical space.

Abstract: Methods and devices provide fault injection testing techniques in a production network environment without risking service outages for hosted computing services, by providing examples of a remote network controller configured to communicate with network devices of a network; a remote fault injection communication protocol configuring a remote network controller in communication with a network device to signal a failure injection; and a failure injection module configuring a network device to configure a network device processor to implement a failure injection signaled according to the remote failure injection communication protocol. The method includes a network controller transmitting a failure injection signal in a control plane packet over a network connection to a network device, and the network device creating a child process by executing, in a dedicated runtime environment, a copy of one or more processes impacted by a parsed failure type.

Abstract: Aspects presented herein relate to methods and devices for graphics processing including an apparatus, e.g., a GPU. The apparatus may perform a color analysis on at least one first frame of a plurality of frames, the color analysis being performed based on at least one image in the at least one first frame. The apparatus may also generate a frequency map for at least one second frame of the plurality of frames based on the performed color analysis. Further, the apparatus may render the at least one second frame based on the frequency map for the at least one second frame, the at least one second frame being rendered after the at least one first frame.

Abstract: A method includes receiving, at an access node of a local network, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method further includes receiving an indication that the device previously violated a network policy of a network different from the local network and after the device is authenticated with the identity provider, determining, by the access node and based on the indication, whether to allow the device to communicate over the access node.

Abstract: Presented herein are techniques to facilitate infrastructure and policy orchestration in a shared workspace network environment. In one example, a method may include obtaining, by a service broker, a reservation request from a consumer network for a consumer, wherein the reservation request seeks a reservation to reserve, at least in part, at least one workspace device for the consumer for a workspace for a particular day and a particular time period; based on determining that the at least one workspace device is available, providing a response to the consumer network that includes a first indicator for identifying the reservation of the workspace and at least one second indicator identifying the at least one workspace device; and upon receiving a session request from the consumer network that includes the second indicator, establishing a management tunnel to interconnect the consumer network and the at least one workspace device via the service broker.

Abstract: This disclosure describes techniques for performing application-based tagging. An example method includes receiving, at a virtual socket, non-packetized data from an application and generating, by the virtual socket, a label based on the application. One or more data packets are generated by packetizing at least a portion of the non-packetized data. A header field of the one or more data packets includes a tag based on the label.

Abstract: The present disclosure is directed systems and methods for control embedding data packets for ARP queries, the methods including the steps of receiving a data plane packet from a first user device, the data plane packet requesting a hardware address associated with a second user device; generating a northbound control plane packet for transmission to a control plane node, the northbound control plane packet for requesting from the control plane node the hardware address associated with the second user device; embedding the data plane packet in the northbound control plane packet; and forwarding the northbound control plane packet with the data plane packet to the control plane node for respective processing of the northbound control plane packet and the data plane packet.

Abstract: The present technology is directed to a system and method for automatic triggering of relevant code segments corresponding to a sequence of code segments or function codes having a preferred execution order. The automatic triggering action is based on the snooping of a response generated from an execution of a previous code segment. Information with respect to the next code segment in the preferred execution order may be obtained by directing a network proxy, such as Envoy to snoop the Uniform Resource Identifier (URI) field of a response packet being forwarded to a client entity. In this way, a network proxy may preemptively spawn and instantiate the following function codes (pointed to by the snooped Uniform Resource Identifier) prior to receiving the corresponding client request. As such, by the time a client request for the subsequent function code is received the code ready for execution.

Abstract: Systems, methods, and computer-readable media for orchestrating data center resources and user access to data. In some examples, a system can determine, at a first time, that a user will need, at a second time, access to data stored at a first location, from a second location. The system can identify a node which is capable of storing the data and accessible by a device from the second location. The system can also determine a first service parameter associated with a network connection between the device and the first location and a second service parameter associated with a network connection between the device and the node. When the second service parameter has a higher quality than the first service parameter, the system can migrate the data from the first location to the node so the device has access to the data from the second location through the node.

Abstract: This disclosure describes techniques for monitoring expected behavior of devices in a computing network. Behavior of network devices may include performing various functions associated with transferring data packets through the computing network. Monitoring expected behavior may include sending a probe packet into the computing network, and determining whether network devices behave as expected with respect to the probe packet. In some examples, behaviors such as replicating, forwarding, eliminating, ordering, and/or other functions regarding data packets may be validated using the present techniques. As computing networks and/or operations become more complex, assuring the expected behavior of network devices may become more important for the continued efficient, smooth, successful, and/or timely flow of data traffic.

Abstract: Presented herein are techniques to shield transmissions from being received and the information contained in them recovered by unwanted devices. Multi-user multiple-input multiple-output (MU-MIMO) techniques are employed, and in particular the spatial dimension aspects of those techniques. Shield nodes are controlled to transmit in a way to obscure the downlink streams transmitted by a wireless access point that are intended for a particular client device to anything outside of the shielded area, and also to obscure uplink streams from one or more client devices to the wireless access point to anything outside of the shielded area but allowing the uplink streams to be well received by the wireless access point.