Patents by Inventor Wassim Haddad

Wassim Haddad has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11876881
    Abstract: A method and system support communication between a service executed by an edge server and a mobile application. The method includes receiving a transmission control protocol (TCP) handshake with an Internet Protocol (IP) anycast address from the mobile application; replying to the TCP handshake with an IP unicast address for the service to be utilized for a transport layer security (TLS) session; and establishing the TLS session between the service and the mobile application using the IP unicast address.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: January 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Wassim Haddad, Joel Halpern
  • Publication number: 20230007105
    Abstract: A method and system support communication between a service executed by an edge server and a mobile application. The method includes receiving a transmission control protocol (TCP) handshake with an Internet Protocol (IP) anycast address from the mobile application; replying to the TCP handshake with an IP unicast address for the service to be utilized for a transport layer security (TLS) session; and establishing the TLS session between the service and the mobile application using the IP unicast address.
    Type: Application
    Filed: December 10, 2019
    Publication date: January 5, 2023
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Wassim HADDAD, Joel HALPERN
  • Publication number: 20220078620
    Abstract: A network device implements a method to protect a vehicle from insertion of malicious operations. The method includes establishing a communication session with a requestor as a proxy for the vehicle, receiving status information from the vehicle, querying a deep learning platform with the status information and message from the requestor, and dropping the message from the requestor in response to the deep learning platform indicating the message is malicious.
    Type: Application
    Filed: February 6, 2019
    Publication date: March 10, 2022
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Wassim HADDAD
  • Publication number: 20210374530
    Abstract: A method and system for implementing a neural node in a neural network in a key value store (KVS) system. The method and system monitor a first KVS key of the neural node for an update of an input value. The method and system execute a microfunction for the neural node on the input value to generate an output value, in response to detecting a change in the input value and write the output value to a second KVS key for an output neural node.
    Type: Application
    Filed: October 23, 2018
    Publication date: December 2, 2021
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Heikki MAHKONEN, Wassim HADDAD
  • Patent number: 10846121
    Abstract: A method and system to improve datacenter security by configuring a security layer as a set of nano-services that are executed to service a single tenant of the datacenter such that the nano-service protects the single tenant from other entities in the datacenter and the nano-service being compromised does not compromise the security of other tenants of the datacenter. The method includes receiving a request to instantiate a virtual resource for a tenant, generating a nano-service to implement at least one security layer function for the virtual resource, and connecting the nano-service to the virtual resource and a virtual bridge in the datacenter to enable communication between the virtual resource (vR) and a network of the datacenter with the security layer function processing traffic between the virtual resource and the virtual bridge. The nano-service can be immutable once it begins execution. The security layer function can be an L2 or L3 function.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: November 24, 2020
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Heikki Mahkonen, Ravi Manghirmalani, Wassim Haddad, Meral Shirazipour
  • Patent number: 10749966
    Abstract: A method is executed by a computing device to receive a request for a server via a known network access type, from a known application type, by a known user, or a known policy, instantiate a new unikernel with a differentiated communication protocol stack instance, in response to determining the request is not being serviced by a previously instantiated unikernel, and service the request by a previously instantiated unikernel, in response to determining the previously instantiated unikernel is available, where the new unikernel and the previously instantiated unikernel are separate from an operating system of the computing device.
    Type: Grant
    Filed: February 8, 2019
    Date of Patent: August 18, 2020
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Racha Ben Ali, Wassim Haddad, Heikki Mahkonen, Ravi Manghirmalani, Meral Shirazipour
  • Patent number: 10460087
    Abstract: A method is implemented by a network device communicatively coupled to a datacenter to detect a presence of unauthorized software and hardware in the datacenter. The method includes initiating deployment of a virtual agent on a node in the datacenter, where the virtual agent is to perform a security scan of the node and store results of the security scan in a memory allocated to the virtual agent at the node, and where the results of the security scan are to be encrypted using a data encryption key. The method further includes initiating migration of the virtual agent to a preconfigured location, where the results of the security scan are to be extracted from the virtual agent and decrypted at the preconfigured location.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: October 29, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Heikki Mahkonen, Wassim Haddad, Ravi Manghirmalani
  • Patent number: 10356182
    Abstract: A method and a computing device are provided for improving datacenter operation. The datacenter operation is improved by establishing differentiated communication protocol stack support as a set of nano-services. The nano-services are executed to service connections on a per application or server basis for the datacenter to reduce overhead caused by virtual machines or containers utilizing separate communication protocol stacks. The method includes receiving a request for a server via a known network access type, from a known application type, by a known user, or a known policy, determining whether the request can be serviced by an existing nano-service for the server, and establishing a new nano-service with a differentiated communication protocol stack instance for the server, in response to the request not being serviced by the existing nano-service.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: July 16, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Racha Ben Ali, Wassim Haddad, Heikki Mahkonen, Ravi Manghirmalani, Meral Shirazipour
  • Publication number: 20190182290
    Abstract: Methods and systems to resolve a distributed denial of service (DDoS) attack in a wireless network are disclosed. In one embodiment, a method comprises receiving signaling messages along with samples of spurious traffic sourced from one or more end devices, where the one or more end devices connect to the wireless network for internet connectivity. The method continues with determining, based on the samples, that there is a DDoS attack occurring in which a set of one or more of the end devices is acting as bots in a botnet, and are thus infected end devices, and causing denial of radio resource allocation to the set of one or more of the infected end devices.
    Type: Application
    Filed: October 22, 2018
    Publication date: June 13, 2019
    Inventor: Wassim HADDAD
  • Publication number: 20190173962
    Abstract: A method is executed by a computing device to receive a request for a server via a known network access type, from a known application type, by a known user, or a known policy, instantiate a new unikernel with a differentiated communication protocol stack instance, in response to determining the request is not being serviced by a previously instantiated unikernel, and service the request by a previously instantiated unikernel, in response to determining the previously instantiated unikernel is available, where the new unikernel and the previously instantiated unikernel are separate from an operating system of the computing device.
    Type: Application
    Filed: February 8, 2019
    Publication date: June 6, 2019
    Inventors: Racha BEN ALI, Wassim HADDAD, Heikki MAHKONEN, Ravi MANGHIRMALANI, Meral SHIRAZIPOUR
  • Publication number: 20190163886
    Abstract: A method is implemented by a network device communicatively coupled to a datacenter to detect a presence of unauthorized software and hardware in the datacenter. The method includes initiating deployment of a virtual agent on a node in the datacenter, where the virtual agent is to perform a security scan of the node and store results of the security scan in a memory allocated to the virtual agent at the node, and where the results of the security scan are to be encrypted using a data encryption key. The method further includes initiating migration of the virtual agent to a preconfigured location, where the results of the security scan are to be extracted from the virtual agent and decrypted at the preconfigured location.
    Type: Application
    Filed: August 18, 2016
    Publication date: May 30, 2019
    Inventors: Heikki MAHKONEN, Wassim HADDAD, Ravi MANGHIRMALANI
  • Publication number: 20190079789
    Abstract: A method and system to improve datacenter security by configuring a security layer as a set of nano-services that are executed to service a single tenant of the datacenter such that the nano-service protects the single tenant from other entities in the datacenter and the nano-service being compromised does not compromise the security of other tenants of the datacenter. The method includes receiving a request to instantiate a virtual resource for a tenant, generating a nano-service to implement at least one security layer function for the virtual resource, and connecting the nano-service to the virtual resource and a virtual bridge in the datacenter to enable communication between the virtual resource (vR) and a network of the datacenter with the security layer function processing traffic between the virtual resource and the virtual bridge. The nano-service can be immutable once it begins execution. The security layer function can be an L2 or L3 function.
    Type: Application
    Filed: July 1, 2016
    Publication date: March 14, 2019
    Inventors: Heikki MAHKONEN, Ravi MANGHIRMALANI, Wassim HADDAD, Meral SHIRAZIPOUR
  • Patent number: 10193984
    Abstract: A network device implements a method for providing a service chain in a network by instantiating services on demand using a lightning module. The lightning module provides the services as applications executed by a unikernel where the unikernel is supported by a hypervisor. The method further includes receiving authentication, administration and accounting (AAA) service authentication of a user by the lightning module, instantiating a special unikernel to monitor a session for packets from the user, and instantiating service chain unikernels identified in at least one unikernel configuration file, in response to receiving a packet from the user.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: January 29, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Wassim Haddad, Heikki Mahkonen, Ravi Manghirmalani, Joel Halpern
  • Publication number: 20180027079
    Abstract: A method and a computing device are provided for improving datacenter operation. The datacenter operation is improved by establishing differentiated communication protocol stack support as a set of nano-services. The nano-services are executed to service connections on a per application or server basis for the datacenter to reduce overhead caused by virtual machines or containers utilizing separate communication protocol stacks. The method includes receiving a request for a server via a known network access type, from a known application type, by a known user, or a known policy, determining whether the request can be serviced by an existing nano-service for the server, and establishing a new nano-service with a differentiated communication protocol stack instance for the server, in response to the request not being serviced by the existing nano-service.
    Type: Application
    Filed: July 19, 2016
    Publication date: January 25, 2018
    Inventors: Racha BEN ALI, Wassim HADDAD, Heikki MAHKONEN, Ravi MANGHIRMALANI, Meral SHIRAZIPOUR
  • Publication number: 20180025152
    Abstract: A datacenter is configured to execute a method to improve multi-tenant security by isolating container applications or nano-service applications by implementing a set of system call separation functions (SCSFs) in a set of corresponding nano-services for each container application or nano-service application. The method includes receiving a request to initiate a container application or a nano-service application, determining a set of nano-services and SCSFs to service the container application or the nano-service application, packaging the set of nano-services and SCSFs to service the container application or the nano-service application, and sending the set of nano-services and SCSFs to be instantiated by the datacenter.
    Type: Application
    Filed: July 19, 2016
    Publication date: January 25, 2018
    Inventors: Racha BEN ALI, Wassim HADDAD, Heikki MAHKONEN, Ravi MANGHIRMALANI, Meral SHIRAZIPOUR
  • Patent number: 9825847
    Abstract: A system and method for chaining one or more services in a service provider network. A service chaining policy and associated Service Path Identifier (SPID) are determined at an ingress node with respect to a particular data packet flow. If the service chaining policy involves one or more service nodes to be traversed by the data packet flow, each service node's EIDs and RLOCs are determined. A sequential data exchange process with the service nodes is effectuated using encapsulation of data packets based on the EIDs and RLOCs for obtaining services in accordance with the order of services set forth in the chaining policy.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: November 21, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Wassim Haddad, Evgeny Tantsura, Joel Halpern
  • Patent number: 9743334
    Abstract: Embodiments of the present disclosure include methods and apparatuses for enabling data path selection. In an EPG, ILNP mobility signaling is received. The ILNP signaling may include a destination locator for a BNG. A signaling message is sent to the BNG in response to the received ILNP signaling. An acknowledgement is received from the BNG. Traffic is tunneled between a mobile device and a RGW over a LTE interface. In a BNG, a signaling message is received. A message is sent to a SDN controller. A notification is received from the SDN controller that configuration of a RGW to tunnel traffic over a LTE interface is complete. An acknowledgement is sent to an EPG. In a RGW, a message is received from a SDN controller. Traffic is tunneled between a NAS and an EPG over a LTE interface based on the message received from the SDN controller.
    Type: Grant
    Filed: April 19, 2013
    Date of Patent: August 22, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Wassim Haddad, Joel Halpern
  • Publication number: 20170155724
    Abstract: A network device implements a method for providing a service chain in a network by instantiating services on demand using a lightning module. The lightning module provides the services as applications executed by a unikernel where the unikernel is supported by a hypervisor. The method further includes receiving authentication, administration and accounting (AAA) service authentication of a user by the lightning module, instantiating a special unikernel to monitor a session for packets from the user, and instantiating service chain unikernels identified in at least one unikernel configuration file, in response to receiving a packet from the user.
    Type: Application
    Filed: December 1, 2015
    Publication date: June 1, 2017
    Inventors: Wassim HADDAD, Heikki MAHKONEN, Ravi MANGHIRMALANI, Joel HALPERN
  • Publication number: 20170134265
    Abstract: A system and method for chaining one or more services in a service provider network. A service chaining policy and associated Service Path Identifier (SPID) are determined at an ingress node with respect to a particular data packet flow. If the service chaining policy involves one or more service nodes to be traversed by the data packet flow, each service node's EIDs and RLOCs are determined. A sequential data exchange process with the service nodes is effectuated using encapsulation of data packets based on the EIDs and RLOCs for obtaining services in accordance with the order of services set forth in the chaining policy.
    Type: Application
    Filed: January 25, 2017
    Publication date: May 11, 2017
    Inventors: Wassim Haddad, Evgeny Tantsura, Joel Halpern
  • Patent number: 9612854
    Abstract: A scheme for virtualizing a remote physical device, e.g., customer premises equipment (CPE), at a cloud-based data center connected to a network. In one embodiment, a virtual switch operating at the CPE is operative to monitor device events at the CPE. When a device is connected to a CPE port, a virtual device port is created that is operative with a Software Defined Network (SDN) architecture. Responsive to an indication that a new SDN-compliant virtual device port is created, an SDN controller is operative to facilitate creation of a data tunnel between the CPE's virtual switch and a virtual switch of the data center.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: April 4, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Wassim Haddad, Heikki Mahkonen, Ravi Manghirmalani, Ramesh Subrahmaniam