Abstract: Disclosed are methods, systems, and non-transitory computer-readable media for using a sponsor as a proxy for multi-factor authentication of a first user account for a first user when a primary multi-factor authentication mechanism is unavailable to the first user account, comprising registering the sponsor in a multi-factor authentication chain of trust associated with the first user account; requesting verification of an identity of the first user from the sponsor; receiving, from the sponsor, a verification of the identity of the first user; and granting access to a service to the first user account.

Abstract: Systems, methods, and devices are disclosed for training a model. Media data is separated into one or more clusters, each cluster based on a feature from a first model. The media data of each cluster is sampled and, based on an analysis of the sampled media data, an accuracy of the media data of each cluster is determined. The accuracy is associated with the feature from the first model. Based on a subset dataset of the media data being outside a threshold accuracy, the subset dataset is automatically forwarded to a crowd source service. Verification of the subset dataset is received from the crowd source service, and the verified subset dataset is added to the first model.

Abstract: Systems, methods, and computer-readable media for identifying a spanning tree loop in a network environment. Spanning tree loop indicators occurring in a network environment that utilizes a spanning tree protocol are identified. The spanning tree loop indicators are correlated to identify correlated spanning tree loop indicators within the network environment. A potential spanning tree loop is recognized from a plurality of the correlated spanning tree loop indicators based on indicator types of the correlated spanning tree loop indicators. The potential spanning tree loop is remedied in the network environment in response to recognizing the potential spanning tree loop in the network environment.

Abstract: An example method for discovering and grouping application endpoints in a network environment is provided and includes discovering endpoints communicating in a network environment, calculating affinity between the discovered endpoints, and grouping the endpoints into separate endpoint groups (EPGs) according to the calculated affinity, each EPG comprising a logical grouping of similar endpoints for applying common forwarding and policy logic according to logical application boundaries. In specific embodiments, the affinity includes a weighted average of network affinity, compute affinity and user specified affinity.

Abstract: Systems, methods, and computer-readable media for reducing distributed storage operation latency using segment routing. In some examples, a method can involve receiving, from a client, a message identifying an intent to store or retrieve data on a distributed storage environment, and sending to the client a segment routing (SR) list identifying storage node candidates for storing or retrieving the data. The method can involve steering a data request from the client through a path defined by the SR list based on a segment routing header (SRH) associated with the request, the SRH being configured to steer the request through the path until a storage node from the storage node candidates accepts the request. The method can further involve sending, to the client device, a response indicating that the storage node has accepted the request and storing or retrieving the data at the storage node that accepted the request.

Abstract: In one embodiment, a technique comprises monitoring data transfer over a radio frequency (RF) link between a first device and a second device in a mesh network where the second device is a descendent node and the first device is a parent node. The technique further transfers the data over a power link communication (PLC) when the RF link is inactive. The method also includes broadcasting, by the second device, RF link availability to at least a third device in the mesh network when the RF link with the first device is inactive where the third device has an active link with the second device and the third device is a descendent node of the second device. The method then includes communicating, between the second device and the third device, through the active RF link.

Abstract: Systems and methods for an asynchronous successive approximation register analog-to-digital converter (SAR ADC) with word completion algorithm may include a SAR ADC comprising a plurality of switched capacitors, a comparator, a metastability detector including a timer having a tunable time interval, and a successive approximation register. The SAR ADC may sample input signals at inputs of the switched capacitors and compare signals at outputs of the switched capacitors. The SAR ADC may also determine, based on a value of a tunable time interval, whether to set a metastability flag for a first bit to be evaluated and update the value of the tunable time interval based on whether the metastability flag was set.

Abstract: The subject technology addresses a need for improving utilization of network bandwidth in a multicast network environment. More specifically, the disclosed technology provides solutions for extending multipathing to tenant multicast traffic in an overlay network, which enables greater bandwidth utilization for multicast traffic. In some aspects, nodes in the overlay network can be connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Abstract: Runtime security threats are detected and analyzed for serverless functions developed for hybrid clouds or other cloud-based deployment environments. One or more serverless functions may be received and executed within a container instance executing in a controlled and monitored environment. The execution of the serverless functions is monitored, using a monitoring layer in the controlled environment to capture runtime data including container application context statistics, serverless function input and output data, and runtime parameter snapshots of the serverless functions. Execution data associated with the serverless functions may be analyzed and provided to various supervised and/or unsupervised machine-learning models configured to detect and analyze runtime security threats.

Abstract: In one embodiment, a network assurance service that monitors a network detects an anomaly in the network by applying an anomaly detector to telemetry data collected from the network. The service sends first data to a user interface that causes the interface to present the detected anomaly and one or more candidate root cause metrics from the telemetry data associated with the detected anomaly. The service receives feedback regarding the candidate root cause metric(s) and learns a root cause of the anomaly as one or more thresholds of the candidate root cause metric(s), based in part on the received feedback regarding the candidate root cause metric(s). The service sends second data to the user interface that causes the user interface to present at least one of the candidate root cause metric(s) as a candidate root cause of a subsequent detected anomaly, based on the learned threshold(s).

Abstract: This disclosure describes techniques for performing enhanced authentication of a device based on physical and logical proximity of the device to one or more other authenticated devices. An example method includes performing, at a first time, a first authentication of a first device or a first user of the first device and determining that the first device is connected to at least one second device in a communication session. The at least one second device or at least one second user of the at least one second device are authenticated. The example method further includes determining a reauthentication interval based on the first device being connected to the at least one second device in the communication session and initiating, at a second time that is after the first time by the reauthentication interval, a second authentication of the first device or the first user of the first device.

Abstract: A monitoring device for troubleshooting events in a datacenter network identifies a first network event for a time period, and provides an initial display page, one or more additional display pages, selectable display objects, and a representation of the first network event. The device generates a dynamic troubleshooting path for the first network event to track a user navigation between display pages, a manipulation of the one or more selectable display objects, and a last-current display page, and also provides an indication of a second network event associated with higher resolution priority relative to the first network event. Retrieving the dynamic troubleshooting path causes the interface to present the last-current display page, apply the manipulation of the one or more selectable display objects, and load the user navigation between the initial dashboard display page and the one or more additional display pages in a cache.

Abstract: Systems, methods, and computer-readable media for improving resource management in Citizens Broadband Radio Service (CBRS) networks include a Spectrum Access System (SAS) in coordination with one or more CBRS devices (CBSDs) and a Digital Network Architecture center (DNA-C). Resource allocation decisions can be based on one or more policies such as a priority, a preemption capability index and/or a preemption vulnerability index associated with the CBSDs. Resource allocation can also be based on inter-access point (AP) coordination between two or more CBSDs and comparative performance indicators of the two or more CBSDs. Managing interference between two or more groups of CBSDs can be based on the inter-AP coordination and group identifiers associated with the two or more groups. Bandwidth allocation can be modified to the two or more CBSDs and seamless transition can be implemented using timers.

Abstract: Systems, methods, and computer-readable media for discovering silent hosts in a software-defined network and directing traffic to the silent hosts in a scalable and targeted manner include determining interfaces of a fabric device that are connected to respective one or more endpoints, where the fabric device is configured to connect the endpoints to a network fabric of the software-defined network. At least a first interface is identified, where an address of a first endpoint connected to the first interface is not available at the fabric device. A first notification is transmitted to a control plane of the software-defined network based on identifying the first interface, where the control plane may create a flood list which includes the fabric device. Traffic intended for the first endpoint from the network fabric is received by the fabric device can be based on the flood list.

Abstract: In one embodiment, a service receives telemetry data collected from a plurality of different networks. The service combines the telemetry data into a synthetic input trace. The service inputs the synthetic input trace into a plurality of machine learning models to generate a plurality of predicted key performance indicators (KPIs), each of the models having been trained to assess telemetry data from an associated network in the plurality of different networks and predict a KPI for that network. The service compares the plurality of predicted KPIs to identify one of the plurality of different networks as exhibiting an abnormal behavior.

Abstract: In one embodiment, a method includes receiving a traffic flow including a plurality of packets encrypted using a cryptographic protocol, determining cryptographic protocol data of the traffic flow, and transmitting telemetry data of the traffic flow including the cryptographic protocol data. In another embodiment, a method includes receiving telemetry data of a traffic flow including a plurality of packets encrypted using a cryptographic protocol, the telemetry data including cryptographic protocol data of the traffic flow, classifying the traffic flow based on the cryptographic protocol data using a machine learning classifier; and taking a remedial action with respect to the traffic flow based on the classification of the traffic flow.

Abstract: Cloud services are provided by a distributed network including a number of geographically distributed datacenters, to client devices in accordance with data sovereignty requirements. A server within the distributed network may receive a service request and determine whether it complies with the data sovereignty requirements of the client. When the geographic location of the server does not comply with the client's data sovereignty requirements, the server may determine and transmit back to the client device a set of alternative datacenters within the distributed network that comply with the client's data sovereignty requirements. The client device may use network probes to select an alternative datacenter, and the cloud service request of the client device may be migrated from the server to the selected datacenter.

Abstract: In one embodiment, a device identifies a path of travel of a mobile system. The device subdivides the path of travel into a plurality of zones. The device generates time-slotted channel hopping schedules for the plurality of zones, each time-slotted channel hopping schedule having an associated zone among the plurality of zones. The device causes the mobile system to communicate wirelessly with networking infrastructure located along the path of travel, in accordance with a particular one of the time-slotted channel hopping schedules while the mobile system is located in its associated zone.

Abstract: A device includes a memory and a hardware processor communicatively coupled to the memory. The hardware processor determines that a computing device communicatively coupled to an access point performed an action with respect to the access point and in response to determining that the action causes a deviation from a multi-user uplink policy of the access point, transmits a disciplinary message to the computing device.

Abstract: This disclosure describes techniques for identifying an application (e.g., accessing application) that is attempting to access a resource. In some examples, access may be managed by an authentication service. When an access request is received at the authentication service from an application on a client device, the authentication service may ask the application to communicate with an identification agent on the client device. The identification agent may perform one or more tests to discover the identity of the application. In some cases, the identification agent may send the identity of the application to the authentication service. The authentication service may then allow or deny access by the accessing application to the resource based at least in part on the discovered identity.