Patents Assigned to Cisco Technology
-
Patent number: 11706139
Abstract: Systems, methods, and computer-readable media for communicating policy changes in a Locator/ID Separation Protocol (LISP) based network deployment include receiving, at a first routing device, a first notification from a map server, the first notification indicating a change in a policy for LISP based communication between at least a first endpoint device and at least a second endpoint device, the first endpoint device being connected to a network fabric through the first routing device and the second endpoint device being connected to the network fabric through a second routing device. The first routing device forwards a second notification to the second routing device if one or more entries of a first map cache implemented by the first routing device are affected by the policy change, the second notification indicating a set of one or more endpoints connected to the second routing device that are affected by the policy change.
Type: Grant
Filed: September 15, 2021
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Prakash C. Jain, Sanjay Kumar Hooda, Satish Kondalam, Raja Janardanan, Aaditya Vadnere, Shivangi Sharma
-
Patent number: 11706614
Abstract: The disclosed technology separates session management function signaling from the AMF. In particular, an SMF key is created for each SMF following the AMF generating an SM context request that contains gNB information and UE subscription information. Each PDU session creates a direct connection between the SMF and a local gNB. The gNB communicates with each SMF directly over a new interface (N3-C) for session management that is independent of the N2 interface used by the gNB to communicate with the AMF for mobility management. In this way, each SMF independently handles NAS signaling with the UE, using the SMF key and gNB related session-management signaling over an independent interface with the gNB. This removes the burden of relaying these communications through the AMF, which is then freed up to solely handle mobility management signaling, resulting in an improved architecture.
Type: Grant
Filed: July 16, 2021
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventor: Irfan Ali
-
Patent number: 11706130
Abstract: In one embodiment, a device obtains user experience metrics for a plurality of sessions with an online application. The device detects a plurality of anomalies from among the user experience metrics. The device determines, based on a correlation between the plurality of anomalies, that a particular path entity is a root cause of the plurality of anomalies. The particular path entity comprises an egress service provider or data center of the online application. The device provides an indication of the particular path entity being the root cause of the plurality of anomalies.
Type: Grant
Filed: July 19, 2021
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Vinay Kumar Kolar, Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle
-
Patent number: 11706625
Abstract: A method includes identifying a potentially malicious node using a rating assigned to nodes within the network and decrementing the rating based on detected dropped messages to identify a potentially malicious node. The malicious node is identified based on location information obtained from the nodes within the network and comparable distances from the potentially malicious node. The method further includes ending communications with the malicious node and selecting a new parent node based on a presumption that any of the plurality of nodes other than the malicious node are non-malicious.
Type: Grant
Filed: September 3, 2020
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Lele Zhang, Yajun Xia, Chuanwei Li, Li Zhao
-
Patent number: 11706229
Abstract: Systems, methods, and computer-readable media for enforcing data sovereignty policies in a cloud environment are provided. An example method can include sending, by a cloud provider, to a government entity associated with a geographic area, a request for device certificates for nodes located within the geographic area; receiving device certificates for the nodes; creating a data sovereignty policy specifying that data associated with the government entity must be stored on nodes located within the geographic area; based on the device certificates, verifying those of the nodes that comply with the data sovereignty policy; and storing the data associated with the government entity on those of the nodes verified to comply with the data sovereignty policy.
Type: Grant
Filed: June 29, 2021
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Robert Edgar Barton, Matthew William Gillies
-
Patent number: 11706278
Abstract: This technology enables prioritization of Multiple Stream Reservation Protocol (“MSRP”) transmissions in Audio Video Bridging (“AVB”) virtual local area networks (“VLANs”). An AVB switch receives a status from listener devices, associates a state with each of the statuses indicating whether each listener device is active or in-active, and stores each state in a database. For each listener device, a queue of MSRP protocol data unit (“PDU”) packets exists to be transmitted to the listener device. The AVB switch searches the database for listener devices with an active state, searches the queue for each active listener device for packets associated with an active state, and transmits the packets associated with the active state to each active listener device. Subsequently, the AVB switch searches each listener device's queue for packets associated with an in-active state and transmits the packets associated with an in-active state to each listener device.
Type: Grant
Filed: February 23, 2022
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Michel D. Taillon, Gayathri R
-
Patent number: 11706133
Abstract: The present technology pertains to a group-based network policy using Segment Routing over an IPv6 dataplane (SRv6). After a source application sends a packet, an ingress node can receive the packet, and if the source node is capable, it can identify an application policy and apply it. The ingress node indicates that the policy has been applied by including policy bits in the packet encapsulation. When the packet is received by the egress node, it can determine whether the policy was already applied, and if so, the packet is forwarded to the destination application. If the egress node determines that the policy has not been applied, the destination application can apply the policy. Both the ingress node and egress nodes can learn of source application groups, destination application groups, and applicable policies through communication with aspects of the segment routing fabric.
Type: Grant
Filed: July 14, 2022
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Clarence Filsfils, Ahmed Mohamed Ahmed Abdelsalam, Francois Clad, Pablo Camarillo Garvia, Kiran Sasidharan Pillai
-
Patent number: 11706214
Abstract: Disclosed herein are systems, methods, and computer-readable media for increasing security of devices that leverages an integration of an authentication system with at least one corporate service. In one aspect, a request is received from a user device to authenticate a person as a particular user by the authentication system. A photo of the person attempting to be authenticated as the particular user is captured. Nodal points are mapped to the captured photo of the person attempting to be authenticated, and the nodal points from the photo are compared against a reference model for facial recognition of the particular user. It is then determined whether the nodal points match the reference model for the particular user. The present technology also includes sending a command to the user device to send data to identify the person, and/or a location of the user device.
Type: Grant
Filed: April 8, 2021
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Thomas Szigeti, Alan Robert Lynn, David John Zacks, Frank Michaud
-
Patent number: 11706239
Abstract: Systems, methods, and non-transitory computer-readable storage media are disclosed for detecting vulnerabilities in real-time during execution of a process or an application. In one example, a device may have one or more memories storing computer-readable instructions and one or more processors configured to execute the computer-readable instructions to obtain real-time process information associated with a process executing in an endpoint. The device can then determine package information for a package associated with the process based on the process information. The device can then identify at least one vulnerability associated with the package information using a database of vulnerabilities stored on a backend component of the network. The backend component may have a database of vulnerabilities for packages.
Type: Grant
Filed: August 26, 2020
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Hai Vu, Thanh Nhan Nguyen, Vaishali Palkar, Varun Malhotra, Shih-Chun Chang, Xin Liu
-
Patent number: 11706303
Abstract: The present disclosure provides systems, methods and computer-readable media for maintaining network connectivity, in a LISP based network, when one or more network edge nodes lose connectivity to a LISP control plane of the network, using multicast messaging. In one example, a method includes receiving a connection request from a first endpoint to a second endpoint communicatively coupled to a second edge node; determining, by the first edge node, that a connection session to a control plane for locating the second endpoint has failed; querying one or more available edge nodes for locating the second endpoint using a multicast message; locating the second endpoint based on at least one query response received from the one or more available edge nodes, at least one query response including an identifier of the second endpoint; and establishing the connection request between the first endpoint and the second endpoint upon locating the second endpoint.
Type: Grant
Filed: April 22, 2021
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Raja Janardanan, Sanjay Kumar Hooda, Victor Manuel Moreno
-
Patent number: 11706591
Abstract: Systems and methods are provided for providing, by a user equipment, a short message service (SMS) message to initiate Wi-Fi onboarding to a mobile network, receiving, by the user equipment, a binary SMS message including a request for a certificate signing request by a server, generating, by the user equipment, the certificate signing request based on the request for the certificate signing request of the binary SMS message, providing, by the user equipment, the certificate signing request to the mobile network, and receiving, by the user equipment, a binary SMS message including Wi-Fi login data based on the certificate signing request provided to the mobile network.
Type: Grant
Filed: June 8, 2020
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventors: Anand Oswal, Rajesh S. Pazhyannur, Arun G. Khanna
-
Patent number: 11705692
Abstract: Laser Side Mode Suppression Ratio (SMSR) control is provided via a logic controller configured to measure an SMSR of a carrier wave upstream of a modulator and measure an Average Optical Power (AOP) of the carrier wave downstream of the modulator; transmit a bias voltage based on the SMSR and the AOP to a laser driver for a laser generating the carrier wave; and transmit an attenuation level based on the SMSR and the AOP to a Variable Optical Attenuator (VOA) upstream of the modulator. In various embodiments the attenuation level and bias voltage can rise or fall together, or one may rise and one may fall to ensure the output optical signal meets specified SMSR and AOP values.
Type: Grant
Filed: July 28, 2020
Date of Patent: July 18, 2023
Assignee: Cisco Technology, Inc.
Inventor: Jock T. Bovington
-
Patent number: 11698487
Abstract: A compact micro electrical mechanical actuated ring-resonator includes a bus waveguide disposed on a platform; a ring resonator disposed on the platform, including at least a first optical coupler, wherein the ring resonator is optically coupled with the bus waveguide; and a selective waveguide disposed on a piezoelectric cantilever mounted in a trench defined in the platform, wherein the selective waveguide includes a second optical coupler and is controllable to selectively adjust a coupling ratio between the first optical coupler with the second optical coupler by physically changing a distance between the first optical coupler and the second optical coupler.
Type: Grant
Filed: November 5, 2021
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: Sujit Handanhal Ramachandra, Kirk L. Stechschulte
-
Patent number: 11700275
Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.
Type: Grant
Filed: June 28, 2021
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: David McGrew, Andrew Zawadowskiy, Donovan O'Hara, Saravanan Radhakrishnan, Tomas Pevny, Daniel G. Wing
-
Patent number: 11699080
Abstract: In one embodiment, a service receives machine learning-based generative models from a plurality of distributed sites. Each generative model is trained locally at a site using unlabeled data observed at that site to generate synthetic unlabeled data that mimics the unlabeled data used to train the generative model. The service receives, from each of the distributed sites, a subset of labeled data observed at that site. The service uses the generative models to generate synthetic unlabeled data. The service trains a global machine learning-based model using the received subsets of labeled data received from the distributed sites and the synthetic unlabeled data generated by the generative models.
Type: Grant
Filed: September 14, 2018
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: Xiaoqing Zhu, Yaqi Wang, Dan Tan, Rob Liston, Mehdi Nikkhah
-
Patent number: 11700590
Abstract: This technology allows time synchronization in wireless networks with mobile stations. A wireless network controller transmits instructions to access points (“APs”) within the wireless network to monitor transmissions for time synchronization. One or more second APs observe fine time measurement (“FTM”) exchanges between a first AP and a mobile station. A particular second AP determines whether to perform a time synchronization with the first AP based on the detection of the FTM exchange or a determination that the station is moving toward the second AP. For time synchronization, the second AP determines the time that the first AP transmitted the FTM exchange and the time of transmission from the first AP to the second AP. The second AP synchronizes a second AP clock to the summation of the time of the transmission of the FTM exchange and the time of transmission from the first AP to the second AP.
Type: Grant
Filed: December 20, 2021
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: Malcolm Muir Smith, Jerome Henry
-
Patent number: 11700190
Abstract: Systems, methods, and computer-readable media for annotating process and user information for network flows. In some embodiments, a capturing agent, executing on a first device in a network, can monitor a network flow associated with the first device. The first device can be, for example, a virtual machine, a hypervisor, a server, or a network device. Next, the capturing agent can generate a control flow based on the network flow. The control flow may include metadata that describes the network flow. The capturing agent can then determine which process executing on the first device is associated with the network flow and label the control flow with this information. Finally, the capturing agent can transmit the labeled control flow to a second device, such as a collector, in the network.
Type: Grant
Filed: October 15, 2021
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: Navindra Yadav, Abhishek Ranjan Singh, Anubhav Gupta, Shashidhar Gandham, Jackson Ngoc Ki Pang, Shih-Chun Chang, Hai Trong Vu
-
Patent number: 11700564
Abstract: Techniques for traffic steering are disclosed. A first signal characteristic of a first connection between an electronic device and a first wireless communications network is determined. A second signal characteristic of a second connection between the electronic device and a second wireless communications network is also determined. Based on the first signal characteristic and the second signal characteristic, the electronic device is prevented from attempting to establish the second connection until one or more establishment criteria are met.
Type: Grant
Filed: September 23, 2021
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: Indermeet Singh Gandhi, Jerome Henry
-
Patent number: 11700173
Abstract: In one embodiment, dynamic user private networks are virtually segmented within a shared virtual network. A network control system maintains the dynamic logical segmentation of the shared virtual network. User entities (e.g., user devices and/or services) are communicatively coupled to respective personal virtual networks via endpoints of access devices. Each of these endpoints is associated with a corresponding user private network. Responsive in real-time to automated processing of a received electronic particular user request, the network control system automatically modifies the dynamic logical segmentation of the shared virtual network to move a particular user entity on the shared virtual network to newly being on the first dynamic user private network without being disconnected from the shared virtual network. One embodiment uses different user private network identifiers (UPN-IDs) associated with endpoints and received packets to identify their respective user private network.
Type: Grant
Filed: September 25, 2020
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: Shyamsundar N. Maniyar, Sanjay Kumar Hooda, Shree N. Murthy, Sonal Prem Kumar Chhabria, Akshay Dorwat
-
Patent number: 11700234
Abstract: Techniques are described for detecting attacks that employ a display name in an email to impersonate an email sender. A computing infrastructure hosting an email security platform may determine a similarity between the display name and an email address from which the email was received. The email security platform may determine the similarity by comparing a string associated with the display name and a string associated with the sender address. The email security platform may generate a similarity value based on a result of the display name being compared with the sender address. The email security platform may determine that the email includes the display name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation. The email security platform may delete or quarantine the email from an inbox associated with a user account.
Type: Grant
Filed: March 26, 2021
Date of Patent: July 11, 2023
Assignee: Cisco Technology, Inc.
Inventors: Marc Dupont, Jan Brabec