Abstract: This disclosure describes using a dynamic proxy for securing communications between a source within a cloud environment and an application container. The techniques include intercepting traffic directed to an application container, analyzing the traffic and traffic patterns, and allowing or preventing the traffic from being delivered to the application container based on the analysis. A traffic analysis engine may determine whether the traffic is considered safe and is to be allowed to be delivered to the application container, or whether the traffic is considered unsafe and is to be prevented from being delivered to the application container, According to some configurations, the address(es) to the network interfaces (e.g., WIFI or Eth0) are abstracted to help ensure security of the application containers.

Abstract: In one embodiment, a method herein comprises: determining a set of flows to be monitored within a computer network; determining, by the device, a set of nodes within the computer network through which the set of flows traverse; determining monitoring capabilities for the set of nodes; generating an assignment for each particular node of the set of nodes to monitor a subset of one or more flows of the set of flows based on the monitoring capabilities of each particular node, wherein the assignment for each particular node of the set of nodes ensures that each flow of the set of flows is monitored by at least one or more nodes of the set of nodes; and instructing the set of nodes to monitor the set of flows according to the assignment for each particular node of the set of nodes.

Abstract: A method performed by a controller configured to communicate with one or more cloud platforms that are configured to host application components, which are configured to implement user services over a network, the method comprising: generating an application dependency mapping of the application components; collecting traffic flow data to identify data transfers between the application components; defining an application boundary around particular application components of the application components in the application dependency mapping; overlaying the application dependency mapping, the traffic flow data, and the application boundary, to identify particular data transfers between the particular application components; computing a network cost based on individual costs of the particular data transfers; and adding, to the network cost, compute and storage costs for the particular application components, to produce a total cost of using the particular application components.

Abstract: This disclosure describes techniques for configuring an edge router of a communication provider network, the edge router coupled to communicate with a plurality of media streaming playback devices. Based at least in part on an indication of characteristics associated with the plurality of media streaming playback devices, a first multicast join for the edge router is configured to the communication provider network such that one or more media servers delivers a first plurality of media streams to the edge router via the communication provider network. Based at least in part on an indication of a request for an additional media stream not included in the first plurality of media streams, a second multicast join for the edge router is configured to the communication provider network such that the one or more media servers delivers the additional media stream to the edge router via the communication provider network.

Abstract: A method is provided for interchangeably allocating radio resources between a non-standalone (NSA) network and a standalone (SA) network in an overlapping area of coverage. The method may include monitoring utilization of radio resources of the SA network and the radio resources of the NSA network by a radio access network (RAN) intelligent controller (RIC). The method may also include determining that utilization of radio resources in one of the SA network or the NSA network is high by the RIC while utilization of radio resources in the other of the SA network or the NSA network having excess capacity. The method may also include reallocating radio resources from the one of the SA network or the NSA network having high radio resource utilization to the other of the SA network or the NSA network has excess capacity by the RIC.

Abstract: Blockchain technology is used to provide distributed authentication, entitlements and trust among different virtual Radio Access Network (vRAN) elements. An enterprise blockchain with interfaces enables multi-vendor vRAN deployment across multiple service providers. In another embodiment, a method is provided for authenticating entities in a virtualized radio access network to ensure various entitles are in fact entitled to participate in various radio access network operations.

Abstract: This disclosure describes using a dynamic proxy for securing communications between a source within a cloud environment and an application container. The techniques include intercepting traffic directed to an application container, analyzing the traffic and traffic patterns, and allowing or preventing the traffic from being delivered to the application container based on the analysis. A traffic analysis engine may determine whether the traffic is considered safe and is to be allowed to be delivered to the application container, or whether the traffic is considered unsafe and is to be prevented from being delivered to the application container, According to some configurations, the address(es) to the network interfaces (e.g., WIFI or Eth0) are abstracted to help ensure security of the application containers.

Abstract: A solution for selecting an optimal user Plane entity (with Control and User Plane Separation (CUPS)) per UE during seamless roaming. In one embodiment, a method is provide that is performed by a control plane entity in a mobile core network that supports inter public land mobile network (PLMN) roaming among two or more PLMNs. The method includes obtaining a create session request from an entity in a second PLMN to which a user equipment has roamed from a first PLMN; selecting a particular user plane entity among a plurality of user plane entities based on one or more user equipment related parameters; and establishing a session with the particular user plane entity to serve user plane traffic in the mobile core network for the user equipment.

Abstract: A system is provided that includes one management cluster to manage network function virtualization infrastructure (NFVI) resources lifecycle in more than one edge POD locations, where resources include hardware and/or software, and where software resources lifecycle includes software development, upgrades, downgrades, logging, monitoring etc. Methods are provided for decoupling storage from compute and network functions in each virtual machine (VM)-based NFVI deployment location and moving it to a centralized location. Centralized storage could simultaneously interact with more than one edge PODs, and the security is built-in with periodic key rotation. Methods are provided for increasing NFVI system viability by dedicating (fencing) CPU core pairs for specific controller operations and workload operations, and sharing the CPU cores for specific tasks.

Abstract: The present technology is directed to a system and method for automatic triggering of relevant code segments corresponding to a sequence of code segments or function codes having a preferred execution order. The automatic triggering action is based on the snooping of a response generated from an execution of a previous code segment. Information with respect to the next code segment in the preferred execution order may be obtained by directing a network proxy, such as Envoy to snoop the Uniform Resource Identifier (URI) field of a response packet being forwarded to a client entity. In this way, a network proxy may preemptively spawn and instantiate the following function codes (pointed to by the snooped Uniform Resource Identifier) prior to receiving the corresponding client request. As such, by the time a client request for the subsequent function code is received the code ready for execution.

Abstract: Blockchain technology is used to provide distributed authentication, entitlements and trust among different virtual Radio Access Network (vRAN) elements. An enterprise blockchain with interfaces enables multi-vendor vRAN deployment across multiple service providers. In another embodiment, a method is provided for authenticating entities in a virtualized radio access network to ensure various entitles are in fact entitled to participate in various radio access network operations.

Abstract: In one embodiment, a method comprises: receiving, by a process, an executed function flow of a daisy chained serverless function-as-a-service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating, by the process, a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing, by the process, a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting, by the process, one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating, by the process, the one or more anomalies in the serverless flow graph.

Abstract: This disclosure describes using a dynamic proxy for securing communications between a source within a cloud environment and an application container. The techniques include intercepting traffic directed to an application container, analyzing the traffic and traffic patterns, and allowing or preventing the traffic from being delivered to the application container based on the analysis. A traffic analysis engine may determine whether the traffic is considered safe and is to be allowed to be delivered to the application container, or whether the traffic is considered unsafe and is to be prevented from being delivered to the application container, According to some configurations, the address(es) to the network interfaces (e.g., WIFI or Eth0) are abstracted to help ensure security of the application containers.

Abstract: This disclosure describes techniques for policy validation techniques relating to data traffic routing among network devices. The techniques may include processing a validation request from a controller. A validation request may include information related to a computed path for routing data traffic in a computing network. The processing may include sending one or more path requests to one or more redundant controllers, and comparing computed paths from the redundant controller(s) to the originally computed path. The techniques may include generating a validation response based on comparing the computed paths. In some examples, the techniques may further include determining a health score for the controller. Policy validation techniques may improve data traffic routing among network devices by helping to ensure valid policies are produced.

Abstract: Techniques for adaptive thresholding are provided. A first data point in a data stream is received, and a first plurality of data points from the data stream is identified, where the first plurality of data points corresponds to a timestamp associated with the first data point. At least a first cluster is generated for the first plurality of data points, and a predicted value for the first data point is generated based at least in part on data points in the first cluster. A deviation is computed between the predicted value for the first data point and an actual value for the first data point. Upon determining that the deviation exceeds a first predefined threshold, the first data point is labeled as anomalous, and reallocation of computing resources is facilitated based on labeling the first data point as anomalous.

Abstract: This disclosure describes using a dynamic proxy for securing communications between a source within a cloud environment and an application container. The techniques include intercepting traffic directed to an application container, analyzing the traffic and traffic patterns, and allowing or preventing the traffic from being delivered to the application container based on the analysis. A traffic analysis engine may determine whether the traffic is considered safe and is to be allowed to be delivered to the application container, or whether the traffic is considered unsafe and is to be prevented from being delivered to the application container, According to some configurations, the address(es) to the network interfaces (e.g., WIFI or Eth0) are abstracted to help ensure security of the application containers.

Abstract: A method is performed at a mobile core, including assigning a first cache servicing a client device in response to a first request for a media content item based at least in part on a first IP address of the client device associated with a first edge location. The method further includes providing a first portion of the media content item from the first cache. The method additionally includes triggering a plurality of caches at edge locations proximate to the first edge location to retrieve a second portion of the media content item. The method also includes receiving a continuation request from the client device with a second IP address associated with a second edge location. The method further includes selecting a second cache from the plurality of caches based at least in part on the second IP address and continuing providing the media content item from the second cache.

Abstract: Techniques for adaptive thresholding are provided. A first data point in a data stream is received, and a first plurality of data points from the data stream is identified, where the first plurality of data points corresponds to a timestamp associated with the first data point. At least a first cluster is generated for the first plurality of data points, and a predicted value for the first data point is generated based at least in part on data points in the first cluster. A deviation is computed between the predicted value for the first data point and an actual value for the first data point. Upon determining that the deviation exceeds a first predefined threshold, the first data point is labeled as anomalous, and reallocation of computing resources is facilitated based on labeling the first data point as anomalous.

Abstract: Techniques for adaptive thresholding are provided. First and second data points are received. A plurality of data points are identified, where the plurality of data points corresponds to timestamps associated with the first and second data points. At least one cluster is generated for the plurality of data points based on a predefined cluster radius. Upon determining that the first data point is outside of the cluster, the first data point is labeled as anomalous. A predicted value is generated for the second data point, based on processing data points in the cluster using a machine learning model, and a deviation between the predicted value and an actual value for the second data point is computed. Upon determining that the deviation exceeds a threshold, the second data point is labeled as anomalous. Finally, computing resources are reallocated, based on at least one of the anomalous data points.

Abstract: Various systems and methods for performing bit indexed explicit replication (BIER). For example, one method involves receiving a packet at a node. The packet includes a bit string. The node selects forwarding information based on a flow value associated with the packet. The forwarding information includes a forwarding bit mask. The node then forwards the packet based on the bit string and the forwarding information.