Abstract: A watermark in Adaptive Bitrate (ABR) content may be provided. First, a cache miss may be determined in response to receiving a request that includes an address that points to a fake media segment. Next, in response to determining the cache miss, a pull request may be sent to an origin server. The pull request may include an identifier corresponding to a client device. Then, in response to sending the pull request, a redirect response may be received from the origin server. The redirect response may include an address of a real media segment with an embedded watermark.

Abstract: A computer-implemented method is provided for a network controller to implement an update on network elements with minimal disruption. The network controller receives a request to install the update on a number of network elements in one or more networks. Installing the update in each respective network element removes it from operation for an outage duration of time. The network controller determines how network flows will be distributed in the networks due to the outage from installing the update, and generates an update plan that includes timing for installing the update on each network element. The timing is based on how the network flows will be distributed in the networks. The network controller installs the update in each network element according to the timing of the update plan.

Abstract: An endpoint device receives a sequence of audio frames. The endpoint device determines for each audio frame a respective importance level among possible importance levels ranging from a low importance level to a high importance level based on content in the audio frame indicative of the respective importance level. The endpoint device associates each audio frame with the respective importance level, to produce different subsets of audio frames associated with respective ones of different importance levels. The endpoint device, for each subset of audio frames, applies forward error correction to a fraction of audio frames in the subset of audio frames, wherein the fraction increases as the importance level of the audio frames in the subset increases, and does not apply forward error correction to remaining audio frames in the subset.

Abstract: In one embodiment, a device evaluates a set of training data for a machine learning model to identify a missing feature subset in a feature space of the set of training data. The device identifies a plurality of network nodes eligible to initiate an attack on a network to generate the missing feature subset. One or more attack nodes are selected from among the plurality of network nodes. An attack routine is provided to the one or more attack nodes to cause the one or more attack nodes to initiate the attack. An indication that the attack has completed is then received from the one or more attack nodes.

Abstract: In one embodiment, a system including a processor to run a web browser application and a CAPTCHA challenge application, wherein the web browser application is operative when run to retrieve and present a web page of a website, obtain a request from the website requesting performance of a CAPTCHA challenge process, and request the CAPTCHA challenge application to perform the CAPTCHA challenge process, the CAPTCHA challenge application is operative when run to request a CAPTCHA challenge test from an authentication server, obtain the CAPTCHA challenge test, render a CAPTCHA window including the CAPTCHA challenge test, obtain a user response to the CAPTCHA challenge test, send a value based on the user response to the authentication server, and obtain a response from the authentication server authenticating the user response, and the CAPTCHA challenge application and the web browser application are run as different processes by the processor.

Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.

Abstract: A method is provided in one example embodiment and may include sharing an access key from a control-plane serving gateway (SGW-C) to a plurality of user-plane serving gateways (SGW-Us); allocating a plurality of Fully Qualified Tunnel Endpoint Identifiers (FQTEIDs) associated with a user equipment (UE) session; generating an access token for the UE session based, at least in part, on the access key and the plurality of FQTEIDs; and appending the access token to user-plane packets for the UE session. The method can further include receiving a data packet for the UE session by a particular SGW-U, wherein the uplink packet is appended with the access token for the UE session; determining FQTEIDs associated with the UAT; and routing the uplink packet from the particular SGW-U based on the FQTEIDs.

Abstract: One embodiment provides a system that facilitates efficient and secure flow control based on a fragmentation protocol. During operation, the system receives, by an intermediate node, a first fragment which is a fragment of a content object that is fragmented into a plurality of fragments, wherein the plurality of fragments includes at least one named fragment, which indicates a name associated with the content object, the name being a hierarchically structured variable-length identifier that comprises contiguous name components ordered from a most general level to a most specific level. The intermediate node detects a congestion, and sets an indicator for congestion notification in the received fragment. The intermediate node forwards the received fragment, and drops a second fragment received after the forwarded fragment.

Abstract: An access point (AP) transmits Wi-Fi transmit frames according to a Wi-Fi protocol and Long-Term Evolution-Unlicensed (LTE-U) transmit frames according to an LTE-U protocol in a shared channel bandwidth that encompasses unlicensed channel bandwidth associated with the LTE-U protocol. The AP assigns a Wi-Fi access category to each Wi-Fi transmit frame and assigns to each LTE-U transmit frame an LTE-U access category. The AP schedules Wi-Fi and LTE-U transmit opportunities for the Wi-Fi transmit frames and the LTE-U transmit frames, respectively, in the shared channel bandwidth based on the Wi-Fi and LTE-U access categories. The scheduling includes, for each scheduled LTE-U transmit opportunity: constructing a Wi-Fi quiet message commanding Wi-Fi clients of the AP not to transmit in the shared channel bandwidth during the LTE-U transmit opportunity; and scheduling the Wi-Fi quiet message for transmission to the Wi-Fi clients.

Abstract: Techniques are described for managing streaming video profile selections of downstream client devices for a network device. The network device receives multicast network communications for a first video streaming profile of a plurality of video streaming profiles, for a video content item. The network device is subscribed to multicast communications from an upstream network device, for a video stream corresponding to the first video streaming profile. Embodiments determine network state information at the network device that specifies at least a measure of upstream network error. Upon determining that the network state information satisfies one or more criteria, data communications from the network device to a downstream client device for the video stream corresponding to the first video streaming profile are throttled.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: A packet is received at a network device hosting a service function that is part of a service chain. The packet is sent to the network device from an originating network device. The content of the packet is analyzed to determine that the packet comprises a request for statistical values to be aggregated by the network device. The statistical values are aggregated at the network device. A report comprising the statistical values aggregated at the network device is generated. The report is sent to the originating network device.

Abstract: In one embodiment, segment routing (SR) network processing of packets is performed on packets having a segment identifier structure providing processing and/or memory efficiencies. Responsive to an identified particular segment routing policy, the particular router retrieves from memory a dynamic segment routing identifier portion of the particular SR policy that includes a SR node value and a SR function value. The SR function value identifies segment routing processing to be performed by a router in the network identified based on the SR node value. A segment routing discriminator is independently identified, possibly being a fixed value for all segment identifiers in the network. Before sending into the network, a complete segment identifier is added to the particular packet by combining the segment routing discriminator with the dynamic segment routing identifier portion. The particular packet including the complete segment identifier is sent into the network.

Abstract: In one embodiment, a node in a network reports, to a supervisory service, histograms of application-specific throughput metrics measured from the network. The node receives, from the supervisory service, a merged histogram of application-specific throughput metrics. The supervisory service generated the merged histogram based on a plurality of histograms reported to the supervisory service by a plurality of nodes. The node performs, using the merged histogram, application throughput anomaly detection on traffic in the network. The node causes performance of a mitigation action in the network when an application throughput anomaly is detected. The node adjusts, based on a control command sent by the supervisory service, a histogram reporting strategy used by the node to report the histograms of application-specific throughput metrics to the supervisory service.

Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.

Abstract: In one embodiment, a particular service chain data packet is received by a particular service node, with the service chain data packet including a header identifying service chain information. The particular service node applies a service to the particular service chain data packet. The particular service node adds service-layer operations data to the particular service chain data packet, with the service-layer operations data related to the current service function or the particular service node. Subsequently, the particular service node sends the particular service chain data packet with the service-layer operations data from the particular service node. In one embodiment, networking operations data is also added to the particular service chain data packet. In one embodiment, an egress service node removes the service-layer (and possibly networking) operations data and forwards to another system, possibly after processing this operations data.

Abstract: In one embodiment, a device in a network receives a plurality of packets from one or more neighbors of the device. Each of the packets has a scheduled delivery time interval according to a deterministic communication schedule. The device determines an amount of clock drift for each of the one or more neighbors of the device by comparing arrival times of the received packets to their scheduled delivery time intervals according to the deterministic communication schedule. The device calculates a clock adjustment based on the amount of clock drift for each of the one or more neighbors. The device adjusts a clock of the device using the calculated clock adjustment.

Abstract: In one embodiment a method including obtaining metrics regarding a WiFi network and a RAN having overlapping coverage ranges, based at least partly on the metrics, allocating a first adjusted spectrum allocation to a first network, and a second adjusted spectrum allocation to a second network, the first adjusted spectrum allocation decreased from a first current spectrum allocation, and the second adjusted spectrum allocation increased from a second current spectrum allocation, and causing enforcement of the first adjusted spectrum allocation and the second adjusted spectrum allocation, wherein the obtaining, allocating and causing are performed a plurality of times, and wherein in at least one of the plurality of times the first network is the WiFi network and the second network is the RAN, and in at least one other of the plurality of times the first network is the RAN and the second network is the WiFi network.

Abstract: The present technology monitors a web application provided by one or more services. A service may be provided by applications. The monitoring system provides end-to-end business transaction visibility, identifies performance issues quickly and has dynamical scaling capability across monitored systems including cloud systems, virtual systems and physical infrastructures. In instances, a request may be received from a remote application. The request may be associated with a distributed transaction. Data associated with the request may be detected. A distributed transaction identifier may be generated for a distributed transaction based on the data associated with the request.

Abstract: A computer system can compress or decompress a type-length-value (TLV) component in a message. During operation, the computer can select a compression table associated with a network interface used to send and/or to receive the message, and can search the compression table for an entry that includes a prefix of a value from type-length-value (TLV) component being compressed or decompressed. If compressing the message, the computer may generate a compressed block that corresponds to a compressed version of the TLV component, such that the compressed block includes the compression encoding in place of the prefix in the TLV component's value. The computer can also generate a compressed message that includes the compressed block in place of the TLV component, without a compression table.