Abstract: In one embodiment, a computing device scans a plurality of available data sources associated with a profiled identity for an individual, and categorizes instances of the data sources according to recognized terms within the data sources. Once determining whether the profiled identity contributed positively to each categorized instance, categorized instances that have a positive contribution by the profiled identity may be clustered into clusters. The computing device may then rank the clusters based on size of the clusters and frequency of recognized terms within the clusters, and can then infer an expertise of the profiled identity based on one or more best-ranked clusters. The inferred expertise of the profiled identity may then be stored.

Abstract: The present disclosure provides for system resource management in self-healing networks by grouping End Point Groups (EPGs) into a plurality of policy groups based on shared security policies; identifying a first policy group with a highest resource demand; assigning a first security policy corresponding to the first policy group to a first switch of a plurality of switches; identifying a second plurality of EPGs from the remaining EPGs that were not included in the first policy group; grouping the second plurality of EPGs into a second plurality of policy groups based on shared security policies; identifying a second policy group with a highest resource demand of the second plurality of policy groups; and assigning a second security policy corresponding to the second policy group to a second switch of the plurality of switches.

Abstract: Techniques for deploying data services in a centrally managed network in a scalable, hierarchical manner are described. An example method generally includes generating a topological description of the centrally managed network, the topological description identifying network entities in the centrally managed network and connections between network entities in the network. A data management hierarchy for the centrally managed network may be generated from the topological description of the centrally managed network, and the data management hierarchy may identify network entities at which data services may be deployed in the centrally managed network. Data services and data rules may be deployed to the identified network entities based on the data management hierarchy, and data may be processed in the centrally managed network through the deployed data services.

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PM) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

Abstract: In one embodiment, a process captures one or more features of an initiated application transaction within an application, and applies the one or more features to one or more application-based policies. In response to determining a policy trigger for the initiated application transaction based on applying the one or more features to the one or more application-based policies, the process may then obtain a network address associated with the application. Once the process maps the particular policy trigger from the one or more application-based policies to one or more corresponding network-based policies, then the process can instruct a network controller to apply the one or more corresponding network-based policies to the network address associated with the application, causing the network controller to configure a computer network to manage network traffic associated with the network address according to the one or more corresponding network-based policies.

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Abstract: Handoff assistance across multiple radio access technologies can be provided by identifying a first Qualitative Level of Service (QLoS) of a first network that a User Equipment (UE) is connected to for data transmission; identifying a second QLoS of a second network that the UE is not connected to for data transmission; and in response to determining that a difference between the first QLoS and the second QLoS satisfies a handoff threshold, requesting a first access point in the first network to initiate handoff of the UE to a second access point in the second network or recommending from the first access point to the UE to request such a handoff, wherein handoff disconnects the UE from the first network for data transmission and connects the UE to the second network for data transmission.

Abstract: In one embodiment, a network assurance service executing in a local network clusters measurements obtained from the local network regarding a plurality of devices in the local network into measurement clusters. The network assurance service computes aggregated metrics for each of the measurement clusters. The network assurance service sends a machine learning model computation request to a remote service outside of the local network that includes the aggregated metrics for each of the measurement clusters. The remote service uses the aggregated metrics to train a machine learning-based model to analyze the local network. The network assurance service receives the trained machine learning-based model to analyze performance of the local network. The network assurance service uses the receive machine learning-based model to analyze performance of the local network.

Abstract: A method for traffic steering. The method comprises determining a first signal characteristic of a first connection between an electronic device and a first wireless communications network; determining a second signal characteristic of a second connection between the electronic device and a second wireless communications network; and based on the first signal characteristic and the second signal characteristic, preventing the electronic device from attempting to establish the second connection until one or more establishment criteria are met.

Abstract: First, a plurality of access tokens may be received from a respective plurality of identity provider services. Each of the plurality of access tokens may be associated with a user. Then, the plurality of access tokens may be stored in a profile associated with the user. Next, user polices associated with the use of the plurality of access tokens may be assigned. A device token may then be provided to a user device associated with the user. The device token may be associated with the profile. The device token and network policies may be received and then it may be determined that the user polices and the network policies are congruent. In response to determining that the user polices and the network policies are congruent, authentication to at least one of the plurality identity provider services may be made.

Abstract: In one embodiment, an apparatus comprises a compressive sensing schedule generator configured to generate a plurality of compressive sensing schedules, wherein each of the plurality of compressive sensing schedules is for each of a plurality of frequency bands of a network, wherein the network comprises a plurality of access points and a plurality of clients, and a sensing matrix combiner configured to combine the plurality of compressive sensing schedules into a resulting schedule that comprises a spatial distribution and a scheduled time slot for each of the plurality of access points.

Abstract: A SOI device may include a waveguide adapter that couples light between an external light source—e.g., a fiber optic cable or laser—and a silicon waveguide on the silicon surface layer of the SOI device. In one embodiment, the waveguide adapter is embedded into the insulator layer. Doing so may enable the waveguide adapter to be formed before the surface layer components are added onto the SOI device. Accordingly, fabrication techniques that use high-temperatures may be used without harming other components in the SOI device—e.g., the waveguide adapter is formed before heat-sensitive components are added to the silicon surface layer.

Abstract: In one embodiment, a technique for load balancing of throughput for multi-PHY networks using decision trees is provided. A first device of a mesh communication network may collect at least one transmission metric indicative of a primary link and a secondary link between the first device and a second device of the mesh communication network. The first device may provide the at least one transmission metric as input to one or more decision trees comprising one or more attributes that are each indicative of a threshold for a corresponding transmission metric. The first device may obtain an output from the decision tree comprising a selection of either the primary link or the secondary link. The first device may send, based on the output from the decision tree, one or more packets to the second device using the selected link.

Abstract: A method of controlling performance of a wireless device is performed by a node that is in electronic communication with a cellular network. The node includes a processor, a non-transitory memory, and a network interface. The method includes receiving a performance value characterizing a performance of a communication channel between a wireless device and a wireless access point. In some implementations, the wireless device and the cellular network are associated with different radio access technologies (RATs). The method includes determining whether the performance value breaches a performance criterion for the wireless device. The method includes adjusting a first amount of data transmitted to the wireless device from a base station of the cellular network and a second amount of data transmitted to the wireless device from the wireless access point. In some implementations, the combined first and second amounts of data satisfy the performance criterion for the wireless device.

Abstract: An endpoint group (EPG) can be stretched between the sites so that endpoints at different sites can be assigned to the same stretched EPG. Because the sites can use different bridge domains when establishing the stretched EPGs, the first time a site transmits a packet to an endpoint in a different site, the site learns or discovers a path to the destination endpoint. The site can use BGP to identify the site with the host and use a multicast tunnel to reach the site. A unicast tunnel can be used to transmit future packets to the destination endpoint. Additionally, a stretched EPG can be segmented to form a micro-stretched EPG. Filtering criteria can be used to identify a subset of the endpoints in the stretched EPG that are then assigned to the micro-stretched EPG, which can have different policies than the stretched EPG.

Abstract: In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) obtains telemetry data from one or more edge devices in the SD-WAN. The service trains, using the telemetry data as training data, a machine learning-based model to predict tunnel failures in the SD-WAN. The service receives feedback from the one or more edge devices regarding failure predictions made by the trained machine learning-based model. The service retrains the machine learning-based model, based on the received feedback.

Abstract: The present disclosure provides an approach for a blockchain system in which (a) data of past transactions can be removed from the storage of network nodes based on node permissions, and (b) in which data can be made invisible to users based on user-specific or group-specific permissions. The blockchain system stores cryptographic proofs of data on an immutable ledger. The data itself is maintained within the blockchain system such that it can be partially or fully removed, while maintaining the integrity of the ledger.

Abstract: In one embodiment, a device classification service that uses a machine learning-based device type classifier to classify endpoint devices with device types, identifies a set of device types having similar associated traffic telemetry features. The service obtains, via one or more user interfaces, feedback indicative of whether the device type classifier misclassifying an endpoint device having a particular device type in the set with another device type in the set would be a critical misclassification. The service trains, using the obtained feedback, a prediction model to predict an impact of misclassifying the particular device type as one of the other device types in the set of device types. The service also retrains the machine learning-based device type classifier based on a prediction from the prediction model.

Abstract: Various systems and methods for performing bit indexed explicit replication (BIER) using multiprotocol label switching (MPLS). For example, one method involves receiving a packet that includes a MPLS label. The packet also includes a multicast forwarding entry. The method also involves determining, based on the value of the MPLS label, whether to use the multicast forwarding entry to forward the packet. The method further includes forwarding the packet.

Abstract: In service flow capability updating in a guaranteed bandwidth multicast network may be provided. First, a node may determine that a bandwidth requirement of a flow has changed to a new bandwidth value. Then, in response to determining that the bandwidth requirement of the flow has changed to the new bandwidth value, an ingress capacity value may be updated in an interface usage table for a Reverse Path Forwarding (RPF) interface corresponding to the flow. The RPF interface may be disposed on a network device. Next, in response to determining that the bandwidth requirement of the flow has changed to the new bandwidth value, an egress capacity value may be updated in the interface usage table for an Outgoing Interface (OIF) corresponding to the flow. The OIF may be disposed on the network device.