Abstract: This disclosure describes an integrated management method to manage a service mesh data plane over a network fabric. The method includes determining at least one service mesh data plane policy for a microservice of a service mesh. The method further includes sending, over the network fabric, the at least one service mesh data plane policy to a virtual router associated with the microservice based at least in part on connectivity information maintained by a network fabric control plane manager of a configuration manager.

Abstract: Subscriber identity concealment from an access network provider may be provided. A computing device may receive first identity data associated with a client device. Then the first identity data associated with the client device may be encrypted using second identity data to create an encrypted version of the first identity data associated with the client device. The encrypted version of the first identity data associated with the client device may be provided to an access network.

Abstract: This disclosure describes techniques for detecting and monitoring paths in a network. The techniques include causing a source node to generate probe packets to traverse a multi-protocol label switching (MPLS) network, for instance. In some examples, the probe packets include entropy values that correspond to individual equal-cost multi-path (ECMP) paths of the network. The probe packets may be received at an SDN controller from a sink node after traversing the network. Analysis of the probe packets allow path discovery and mapping of the entropy values to ECMP paths. The mapping of discovered paths may be used for optimization of network monitoring activities, including second subsequent probe packets over particular ECMP paths based on the mapped entropy values.

Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first signature. The method further includes generating a second signature by inputting the first signature and one or more node details into a hash function. The method includes replacing the first signature with the second signature in the packet. The packet including the second value is forwarded by the node.

Abstract: A method includes, at a media bridge configured to distribute a plurality of media streams among a plurality of client devices connected to the media bridge over a network, receiving the plurality of media streams from the plurality of client devices via the media bridge. The media bridge connects the plurality of client devices. The method further includes assigning a pair of names for each of the plurality of media streams. The pair of names include a contribution name and a distribution name. The method further includes presenting a first list to the plurality of client devices. The first list including a plurality of the distribution names for the plurality of media streams received from the plurality of client devices. The method further includes providing an indication of a current active speaker within the plurality of media streams via a signaling process.

Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.

Abstract: The disclosed techniques relate to a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. In some examples, the input can be anomaly events or simply regular events. The entities associated with the activities can be grouped into smaller time units, e.g., per day. The riskiest days of activity can be found by computing a risk score for each day and according to the features in the day. A graph can be built with links between the time units. The links can also receive scoring based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors.

Abstract: A method of managing security rules may include extracting metadata from a data packet received at a first network device. The metadata including network metadata and network system metadata. The method may further include distributing the metadata to at least one service endpoint registered with the first network device, receiving from the at least one service endpoint, an indication as to how traffic associated with the data packet is to be handled, and enabling the traffic based at least in part on feedback received from the at least one service endpoint and creating a first service flow hash entry of a hash table associated with the data packet at the first network device. The first service flow hash entry identified each of a number of services using a unique number. The method may further include distributing the hash table including the first service flow hash entry across a fabric to at least a second network device.

Abstract: Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.

Abstract: Embodiments of the present invention set forth a technique for predicting fraud based on multiple inputs including user behavior biometric data along with one or more other parameters associated with the user. The technique includes receiving cursor movement data generated via a client device. The technique further includes generating a image based on the cursor movement data. The technique further includes receiving client parameters generated via the client device. The technique further includes analyzing the image and the client parameters based on a model to generate a prediction result, where the model is generated based on second cursor movement data and a second set of client parameters associated with a first group of one or more users. The technique further includes determining, based on the prediction result, that a user of the client device is not a member of the first group.

Abstract: Techniques for utilizing entropy labels of a Multiprotocol Label Switching (MPLS) label stack for performing monitoring operations (e.g., telemetry, performance measurement, OAM, etc.) without altering the MPLS label stack and/or packet path (e.g., ECMP path). The techniques may include determining, by a node of a network, to perform a monitoring operation associated with traffic that is to be sent along a path through the network. In some examples, the node may receive a packet that is to be sent along the path and encapsulate the packet with an MPLS header. The MPLS header may include an entropy label, entropy label indicator, or other label that is capable of carrying a flag indicating the monitoring operation to be performed. The flag may be carried in a TTL field or traffic class field of the label such that the MPLS label stack is not altered to trigger the monitoring operation.

Abstract: Techniques for optimizing routing decisions based on security metrics within a network environment are described herein. In some cases, by using various security metrics, such as encryption indicators, attestation indicators, secureness metrics, and reliability metrics, an exemplary system can assess the security level and reliability of network paths. These metrics may provide valuable insights into the trustworthiness and integrity of participating nodes and links and enable informed decision-making regarding path selection.

Abstract: A first processing node of a cluster of processing nodes issues a first alert when first event data satisfies a trigger condition, and sends, to an alert data store external to the cluster, a first alert record of the first alert and suppression information based at least in part on the first alert. A second processing node of the cluster determines that second event data satisfies the trigger condition, obtains, from the alert data store, the suppression information indicating that an expiration time for suppressing the first alert is unexpired, and sends, to the alert data store, a second alert record of a second alert without issuing the second alert.

Abstract: Techniques for using global virtual network instance (VNI) labels in a multi-domain network to route network data with a multi-tenant network overlay are described herein. A routing device provisioned in a network domain of the multi-domain network may register with a service discovery system of the network domain for use of network configuration data to establish routes through the multi-domain network with network nodes. Each network domain of the multi-domain network may include an application programming interface (API) server for processing API requests to make changes to configurations of a network domain. A border gateway protocol (BGP) large community may be utilized to encode global VNI labels, network addresses, local next hop nodes, and/or additional network information and sent to routing devices provisioned in separate network domains. A service chain may be signaled by global VNI labels to route network traffic through various services prior to reaching a destination endpoint.

Abstract: Systems, methods, and computer-readable media for managing storing of data in a data storage system using a client tag. In some examples, a first portion of a data load as part of a transaction and a client identifier that uniquely identifies a client is received from the client at a data storage system. The transaction can be tagged with a client tag including the client identifier and the first portion of the data load can be stored in storage at the data storage system. A first log entry including the client tag is added to a data storage log in response to storing the first portion of the data load in the storage. The first log entry is then written from the data storage log to a persistent storage log in persistent memory which is used to track progress of storing the data load in the storage.

Abstract: Embodiments of the present disclosure provide techniques for efficiently and accurately performing propagation of search-head specific configuration customizations across multiple individual configuration files of search heads of a cluster for a consistent user experience. The cluster of search heads may be synchronized such that the search heads operate to receive the configuration or knowledge object customizations from one or more clients from a central or lead search head. To reduce the amount of data that is transferred during propagation, the list of configuration or knowledge object customizations maintained in each search head is filtered from the list of the lead search head until a divergence point is determined. Once determined and communicated to the lead search head, the lead search head sends the configuration and knowledge object customization data that is absent from the internal list of the member search head.

Abstract: In one embodiment, a device obtains path metrics for a network path via which traffic for an online application is conveyed. The device models uncertainty of an application experience metric predicted for the online application based on the path metrics. The device identifies, based on the uncertainty of the application experience metric modeled by the device, a breaking point in the path metrics at which the application experience metric predicted for the online application is expected to switch from being acceptable to being degraded. The device provides the breaking point in the path metrics for display.

Abstract: This disclosure describes techniques for performing enhanced authentication of a device based on physical proximity of the device to one or more other authenticated devices. An example method includes performing a first authentication of a first device or a first user and connecting the first device to a protected resource. Based on determining that the first device is within a threshold distance of a second, authenticated, device, a reauthentication interval is selected. Based on determining that the reauthentication interval has expired, a second authentication is initiated by transmitting, to the first device or a third device associated with the first user, a request for an authentication factor.

Abstract: Disclosed herein is a computer-implemented tool that facilitates data analysis by use of machine learning (ML) techniques. The tool cooperates with a data intake and query system and provides a graphical user interface (GUI) that enables a user to train and apply a variety of different ML models on user-selected datasets of stored machine data. The tool can provide active guidance to the user, to help the user choose data analysis paths that are likely to produce useful results and to avoid data analysis paths that are less likely to produce useful results.

Abstract: Techniques for creating in/out App Connectors for secure access solutions without the need for STUN, TURN, and/or a long-lived control plane component. The techniques may include, among other things, establishing, by an App Connector associated with a workload hosted by an enterprise network, a pool of idle sessions between the App Connector and a termination node associated with the enterprise network. The techniques may also include determining, by the App Connector, that a first idle session of the pool of idle sessions has been consumed by the termination node to establish a communication session for a client device to communicate with the workload. Based at least in part on determining that the first idle session has been consumed, the techniques may include establishing, by the App Connector, a second idle session to be added to the pool of idle sessions between the App Connector and the termination node.