Patents Assigned to Cisco Technology
  • Patent number: 11218918
    Abstract: Techniques for efficient roaming of clients between access points (APs) of a wireless data communications network are described. A first AP receives a request for a first client device to join the network. The request specifies at least a unique identifier for the first client device. An identifier for a second AP is identified by processing the unique identifier using a predefined hash function. The second AP is one of at least two APs configured to each redundantly store network state information relating to the first client device. A network address of the second AP is determined. A first request is transmitted to the network address, for network state information including a pairwise master key (PMK) and profile information. The PMK and the profile information are received. The first client device is authenticated and a connection is established between the first client device and the network.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: January 4, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Prashant Kumar, Tirthankar Ghose
  • Patent number: 11218462
    Abstract: A method is performed at a gateway device including one or more processors and a non-transitory memory. The method includes receiving, from a first wireless network, a first get authentication token request, where the first get authentication token request includes network information of a second wireless network and information of a first user equipment (UE). The method further includes forwarding the first get authentication token request to the second wireless network in response to receiving the first get authentication token request. The method additionally includes receiving a first authentication token from the second wireless network. The method also includes forwarding the first authentication token to the first UE via the first wireless network in order to associate the first UE with the second wireless network.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: January 4, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Swaminathan Anantha, Santosh Ramrao Patil, Gangadharan Byju Pularikkal, Mark Grayson, Sourav Chakraborty
  • Publication number: 20210406696
    Abstract: Learning-based service migration in mobile edge computing may be provided. First, a service migration policy may be created for a network that includes a plurality of edge clouds configured to provide a service to users. Next, a movement of a user receiving the service from a source edge cloud may be detected. The source edge cloud may be associated with a first area and the detected movement may be from the first area to a second area. Then, the service migration policy may be applied to determine whether to migrate the service for the user from the source edge cloud. In response to determining to migrate the service, a target edge cloud may be identified and the service for the user may be migrated from the source edge cloud to the target edge cloud. The service migration policy may then be updated based on a success of the migration.
    Type: Application
    Filed: September 14, 2021
    Publication date: December 30, 2021
    Applicant: Cisco Technology, Inc.
    Inventors: Dantong LIU, Qing ZHAO, Khashayar MIRFAKHRAEI, Gautam Dilip BHANAGE, Xu Zhang, Ardalan Alizadeh
  • Patent number: 11210277
    Abstract: In an embodiment, a method comprises receiving a first record comprising one or more first fields from a first source computer; in response to determining that the first record is a first type and a first node is associated with the first type, sending the first record to the first node to be processed; receiving a second record comprising the one or more first fields and one or more second fields from a second source computer; in response to determining that the second record is a second type and a second node is associated with the second type, sending the second record to the second node; in response to determining that the second type is a first subtype of the first type, sending the second record to the first node to be processed, without suspending the first node.
    Type: Grant
    Filed: February 12, 2018
    Date of Patent: December 28, 2021
    Assignee: Cisco Technology, Inc.
    Inventor: Saileshwar Krishnamurthy
  • Patent number: 11212079
    Abstract: In one embodiment, a network assurance service maintains a first set of telemetry data from the network anonymized using a first key regarding a plurality of network entities in a monitored network. The service receives a key rotation notification indicative of a key changeover from the first key to a second key for anonymization of a second set of telemetry data from the network. The service forms, during a key rotation time period associated with the key changeover, a mapped dataset by converting anonymized tokens in the second set of telemetry data into anonymized tokens in the first set of telemetry data. The service augments, during the key rotation time period, the first set of telemetry data with the mapped dataset. The service assesses, during the time period, performance of the network by applying a machine learning-based model to the first set of telemetry data augmented with the mapped dataset.
    Type: Grant
    Filed: November 12, 2018
    Date of Patent: December 28, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Pierre-André Savalle, Jean-Philippe Vasseur, Alexandre Honoré, Grégory Mermoud
  • Patent number: 11212077
    Abstract: The disclosure provides an approach for authenticating the contents of a control message sent between data centers. The data centers are located in a computing system comprising multiple data centers. The computing system has a controller, and each data center has a local controller. The message contents comprise a tree of data objects. The tree is converted to a hash tree, and the root hash of the hash tree is stored on a distributed blockchain. Storage on the distributed blockchain ensures that the root hash is not tampered with by an attacker. The receiver of the message then authenticates that the hash tree has not been modified by comparing various hash values, as described herein.
    Type: Grant
    Filed: October 23, 2018
    Date of Patent: December 28, 2021
    Assignee: Cisco Technology, Inc.
    Inventor: Xueqiang Ma
  • Patent number: 11206148
    Abstract: Methods, devices and computer readable storage media for performing bit indexed explicit replication (BIER) are disclosed. One embodiment of a method includes obtaining, at an egress node of a network, a bit position assigned to the egress node. This embodiment also includes sending an outgoing advertisement to other nodes in the network, where the outgoing advertisement identifies the egress node and the assigned bit position. The bit position is within a bit mask comprising bits in a plurality of bit positions, and each bit position corresponds to a respective egress node of the network.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: December 21, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Ijsbrand Wijnands, Gregory J. Shepherd, Christian J. Martin
  • Patent number: 11206218
    Abstract: Techniques for generating a multi-layer network topology on a managed network are described herein. An example method includes receiving, from an internetworking device in a network, one or more encrypted packets in a flow; generating a classification decision corresponding to the flow by traversing one or more decision trees; and providing the classification decision to a controller of the network.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: December 21, 2021
    Assignee: Cisco Technology, Inc.
    Inventor: Xueqiang (Sherman) Ma
  • Patent number: 11201877
    Abstract: In one embodiment, a device obtains telemetry data for a plurality of encrypted traffic flows observed in a network. The device clusters the flows into observed flow clusters, based on one or more flow-level features of the obtained telemetry data, as well as malware-related traffic telemetry data into malware-related flow clusters. The observed and malware-related telemetry data are indicative of sequence of packet lengths and times (SPLT) information for the traffic flows. The device samples sets of flows from the observed and malware-related flow clusters, with each set including at least one flow from an observed flow cluster and at least one flow from a malware-related flow cluster. The device trains a deep learning neural network to determine whether a particular encrypted traffic flow is malware-related, by using the SPLT information for the sampled sets of traffic flows as input to an input layer of neurons of the deep network.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: December 14, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Karel Bartos, Martin Vejman
  • Patent number: 11200488
    Abstract: In one embodiment, a device in a network extracts words from traffic data for a particular endpoint node in the network. The device determines one or more topical categories associated with the particular endpoint node by applying a machine learning-based topical model to the extracted words. The device identifies one or more similar endpoint nodes in the network based on the determined one or more topical categories associated with the particular endpoint node and on one or more topical categories associated with the one or more similar endpoint nodes. The device determines a device type for the particular endpoint node based on a device type associated with the one or more similar endpoint nodes.
    Type: Grant
    Filed: February 28, 2017
    Date of Patent: December 14, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Pok Wong, Lokesh Ethirajan, Amol Borole, Ramesh Nampelly
  • Patent number: 11201859
    Abstract: A method and apparatus for providing tenant specific encryption is described herein. According to an embodiment, a transmission site receives a data packet for transmission or forwarding. The transmission site determines, based on information in a header of the data packet, that the data packet is to be encrypted before transmission or forwarding. Using the information in the header, the transmission site identifies an encryption key for the data packet. The transmission site generates, for the data packet, an additional header and populates the additional header with a destination port number based on a destination port header value of the data packet. The transmission site overwrites the destination port header value of the packet with data indicating that the data packet is encrypted and then encrypts an encapsulated packet within the data packet using the encryption key prior to transmitting or forwarding the data packet.
    Type: Grant
    Filed: October 17, 2018
    Date of Patent: December 14, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Javed Asghar, Sridhar Vallepalli, Govind Prasad Sharma, Eshwar Rao Yedavalli
  • Patent number: 11199668
    Abstract: Aspects described herein include a method comprising arranging a laser die on a substrate. The laser die has multiple channels that are arranged with a first planar arrangement proximate to a facet of the laser die. The method further comprises aligning a single lens to the facet, and aligning a multicore optical fiber to the laser die through the single lens. The multicore optical fiber has a plurality of optical cores that are arranged with a second planar arrangement. Aligning the multicore optical fiber to the laser die comprises rotationally aligning the multicore optical fiber to align the second planar arrangement with the first planar arrangement.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: December 14, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Norbert Schlepple, Jock T. Bovington
  • Patent number: 11201817
    Abstract: A method may include an instruction to route the data to a destination. The method may additionally include inspecting the data to identify metadata associated with the data. The method may further include identifying, based on the metadata, a first routing path and a second routing path that both lead to the destination. The first routing path may include a first communication link associated with a first link classification, and the second routing path may include a second communication link associated with a second link classification. The method may also include selecting the first routing path based on a configuration preference and based on the first routing path including the first communication link associated with the first link classification. The method may additionally include transmitting the data along the first routing path via the first communication link.
    Type: Grant
    Filed: April 17, 2017
    Date of Patent: December 14, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Linus Aranha, Murtuza Attarwala
  • Patent number: 11200139
    Abstract: In one embodiment, information (workload, performance, and configuration) is obtained about identified sub-systems (a target component plus other components that influence its performance). The identified sub-systems are clustered into workload clusters and also into performance clusters, where identified sub-systems of particular workload clusters have similar workload measurements, and identified sub-systems of particular performance clusters have similar performance metrics. The techniques herein then determine a given mapped performance cluster for a given workload cluster that corresponds to a best set of performance metrics from among all performance clusters mapped to the given workload cluster.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: December 14, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Rishabh Singh, Saket Mehta, Prerana Singhal
  • Patent number: 11194475
    Abstract: In one embodiment, updating and searching of entries in a hardware content-addressable memory is coordinated to provide more searching bandwidth (e.g., for determining packet processing information), including, but not limited to, when vectors are moved among entries to free up desired entry positions for insertion of other vectors. A lookup operation is performed in content-addressable memory entries in a hardware content-addressable memory based on a lookup word to generate a content-addressable memory lookup result. Typically overlapping in time, a matching operation is performed in one or more transitory entries to generate a transitory matching result based on the lookup word. These transitory entries are populated with transitory vectors and have an associated index within the content-addressable memory, with these transitory vectors subsequently inserted in the content-addressable memory at their associated index positions.
    Type: Grant
    Filed: April 16, 2018
    Date of Patent: December 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Doron Shoham, Gilad Hazan
  • Patent number: 11196546
    Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: December 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, Andrew Chi, David McGrew, Scott William Dunlop
  • Patent number: 11197272
    Abstract: In dense Wireless Local Area Network (WLAN) deployments, Access Points (APs) in other Extended Service Sets (ESSs) can be hidden (a first AP does not receive signals from a third AP). However, these APs in other ESSs can still interfere with communications between the third AP and the devices communicating with the first AP. To improve service to that device in that situation, the first AP needs information about the third AP in the first AP's decision making processes. In these situations, a second AP, in contact with the third AP, can share information about the third AP with the first AP so that the first AP can avoid colliding with the third AP.
    Type: Grant
    Filed: December 24, 2019
    Date of Patent: December 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Pooya Monajemi, Vishal Satyendra Desai, Benjamin Jacob Cizdziel, Santosh Babaji Kulkarni, Young Il Choi
  • Patent number: 11197242
    Abstract: In one embodiment, a first wireless access point (AP) of a first basic service set (BSS) receives, from a second wireless AP of a second BSS, data indicative of an 802.11-based target wake time (TWT) schedule of a client of the second BSS. The first wireless AP identifies, from the received data, a scheduled communication time of the client of the second BSS in the TWT schedule. The first wireless AP generates an 802.11-based TWT schedule for a client of the first BSS that avoids the scheduled communication time of the client of the second BSS. The first wireless AP sends the generated 802.11-based TWT schedule to the client of the first BSS, wherein the sent TWT schedule causes the client of the first BSS to wake from sleep at a scheduled wake time.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: December 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Pooya Monajemi, Gautam Bhanage, David Kloper, Young Il Choi, Vishal Satyendra Desai, Santosh Bahaji Kulkarni
  • Patent number: 11196629
    Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.
    Type: Grant
    Filed: January 6, 2021
    Date of Patent: December 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: David Tedaldi, Grégory Mermoud, Pierre-Andre Savalle, Jean-Philippe Vasseur
  • Patent number: 11196614
    Abstract: In one embodiment, an issue analysis service determines that an issue exists with a device in a network. The service searches a decision tree for a solution to the issue, wherein branch nodes of the decision tree comprise diagnostic checks. The service clusters, based on a determination that a solution to the issue does not exist in the decision tree, telemetry for the device with telemetry for one or more other devices that also experienced the issue. The service uses a neural network to identify a difference between the clustered telemetry and telemetry from one or more devices for which the issue was resolved. The service adds a leaf node to the decision tree with the identified difference as a solution to the issue.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: December 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Magnus Mortensen, Jay Kemper Johnston, David C. White, Jr.