Patents Assigned to Juniper Networks, Inc.
-
Patent number: 9721096
Abstract: A device may identify a set of features associated with the unknown object. The device may determine, based on inputting the set of features into a threat prediction model associated with a set of security functions, a set of predicted threat scores. The device may determine, based on the set of predicted threat scores, a set of predicted utility values. The device may determine a set of costs corresponding to the set of security functions. The device may determine a set of predicted efficiencies, associated with the set of security functions, based on the set of predicted utility values and the set of costs. The device may identify, based on the set of predicted efficiencies, a particular security function, and may cause the particular security function to be executed on the unknown object. The device may determine whether another security function is to be executed on the unknown object.
Type: Grant
Filed: June 13, 2016
Date of Patent: August 1, 2017
Assignee: Juniper Networks, Inc.
Inventors: Jacob Asher Langton, Daniel J. Quinlan
-
Patent number: 9716661
Abstract: In some embodiments, an apparatus includes a forwarding module that is configured to receive a group of first data packets. The forwarding module is configured to modify a data flow value in response to receiving each first data packet. The forwarding module is also configured to store each first data packet in a first output queue based on the data flow value not crossing a data flow threshold after being modified. Furthermore, the forwarding module is configured to receive a second data packet. The forwarding module is configured to modify the data flow value in response to receiving the second data packet, such that the data flow value crosses the data flow threshold. The forwarding module is configured to store the second data packet in a second output queue based on the data flow value having crossed the data flow threshold.
Type: Grant
Filed: May 11, 2015
Date of Patent: July 25, 2017
Assignee: Juniper Networks, Inc.
Inventor: Gunes Aybay
-
Patent number: 9716669
Abstract: A system may comprise a first group of switches, each switch including a first group of inputs and outputs, and a first group of controllers, each controller being independent from one another and corresponding to a switch of the first group of switches, to selectively control the switch to connect the switch's inputs with outputs. The first group of switches and controllers may be installed in a chassis. The system may comprise a second group of switches, each switch including a second group of inputs and outputs, and a second group of controllers, each controller corresponding to a switch of the second group of switches, to selectively control the switch to connect the switch's inputs with outputs. The second group of controllers may control and connect, via a group of control links, to the first group of controllers.
Type: Grant
Filed: December 4, 2014
Date of Patent: July 25, 2017
Assignee: Juniper Networks, Inc.
Inventors: Sunil Mekad, Satish D. Deo
-
Patent number: 9712374
Abstract: In general, the invention is directed to techniques for scheduling resource access within an intermediate network device. For example, as described herein, a device receives packets for a plurality of sessions that include application-layer data for the sessions. The device determines a weight for each of the plurality of sessions and, during periods of resource congestion, selects one or more sessions for additional resource allocation based on the respective weights of the sessions. The device allocates additional memory resources to selected sessions to enable further buffering of application-layer data such that the device may apply the service to multiple sessions concurrently despite the resource congestion.
Type: Grant
Filed: August 18, 2010
Date of Patent: July 18, 2017
Assignee: Juniper Networks, Inc.
Inventors: Wei Cao, Xia Zhu, Xuejun Wu
-
Patent number: 9712447
Abstract: In some examples, a controller for a network includes a path computation module configured for execution by one or more processors to obtain configuration information for at least one point-to-multipoint label switched path (P2MP LSP); obtain, from the network via at least one protocol, network topology information defining a network topology for the network; determine, based on the network topology, a first solution comprising first respective paths through the network for the at least one P2MP LSP; determine, after generating a modified network topology based on the network topology, a second solution comprising second respective paths through the network for the at least one P2MP LSP. The controller also includes a path provisioning module configured for execution by the one or more processors to configure the network with the solution of the first solution and the second solution having the lowest total cost.
Type: Grant
Filed: December 29, 2014
Date of Patent: July 18, 2017
Assignee: Juniper Networks, Inc.
Inventors: David Wood, Ping Wang
-
Patent number: 9712490
Abstract: An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.
Type: Grant
Filed: October 15, 2012
Date of Patent: July 18, 2017
Assignee: Juniper Networks, Inc.
Inventors: Bryan Burns, Siying Yang, Julien Sobrier
-
Patent number: 9710762
Abstract: In general, techniques are described for dynamically modifying the extent of logging performed by logging information generators in response to events detected in logging information received by the collector. In some examples, a network device includes one or more processors and a collector executed by the processors to receive a log message that includes logging information from a generator. The network device also includes a rules engine to apply one or more rules that each specify a condition and a corresponding action to the logging information to identify a matching rule, wherein the rules engine, upon identifying a matching rule, executes the action of the matching rule to generate and send a logging modification message to increase an extent to which the generator generates logging information.
Type: Grant
Filed: March 15, 2013
Date of Patent: July 18, 2017
Assignee: Juniper Networks, Inc.
Inventors: Harshad Bhaskar Nakil, Ankur Singla, Rajashekar Reddy
-
Publication number: 20170201979
Abstract: In some embodiments, an apparatus comprises a first Control And Provisioning of Wireless Access Points (CAPWAP) module implemented in at least one of a memory or a processing device that is configured to be designated as a backup control module for a wireless access point during a first time period. The first CAPWAP control module is configured to receive state information associated with the wireless access point during the first time period from a second CAPWAP control module. The second CAPWAP control module is designated as a primary control module for the wireless access point during the first time period. The first CAPWAP control module is configured to be automatically designated as the primary control module during a second time period after the first time period and in response to the second CAPWAP control module not operating according to at least one predefined criterion.
Type: Application
Filed: March 27, 2017
Publication date: July 13, 2017
Applicant: Juniper Networks, Inc.
Inventors: James MURPHY, Sandip SHAH, Abhijit CHOUDHURY, Pranay POGDE, Yung-Ching TSENG
-
Patent number: 9705815
Abstract: In general, techniques are described for representing services, network resources, and relationships between such services and resources in a graph database with which to validate, provision, and manage the services in near real-time. In one example, a controller device includes at least one processor; and at least one memory to store a graph database comprising a graph that represents network resources and relationships between network resources. The controller device receives, at an application programming interface, a data-interchange formatted message that indicates a service request to configure a network service; queries, at least a portion of the plurality of the graph, to determine whether a set of the plurality of network resources can satisfy the service request to provision the network service within the network; and configures the set of the plurality of network resources to provide the network service.
Type: Grant
Filed: June 27, 2014
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventors: Geoffrey A. Mattson, Lei Qiu
-
Patent number: 9703743
Abstract: A high-performance, scalable and drop-free data center switch fabric and infrastructure is described. The data center switch fabric may leverage low cost, off-the-shelf packet-based switching components (e.g., IP over Ethernet (IPoE)) and overlay forwarding technologies rather than proprietary switch fabric. In one example, host network accelerators (HNAs) are positioned between servers (e.g., virtual machines or dedicated servers) of the data center and an IPoE core network that provides point-to-point connectivity between the servers. The HNAs are hardware devices that embed virtual routers on one or more integrated circuits, where the virtual routers are configured to extend the one or more virtual networks to the virtual machines and to seamlessly transport packets over the switch fabric using an overlay network. In other words, the HNAs provide hardware-based, seamless access interfaces to overlay technologies used for communicating packet flows through the core switching network of the data center.
Type: Grant
Filed: June 19, 2014
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventor: Pradeep Sindhu
-
Patent number: 9706014
Abstract: In general, techniques are described for defining an interface to a network router software infrastructure that allows developers to dynamically extend a routing protocol executed by the network router to distribute data throughout the routing domain for use with custom applications. In some examples, a routing protocol process executing on a control plane of a network device may expose an interface, such as an Application Programming Interface (API), that defines methods and parameters for extending the operation of a routing protocol executed by the routing protocol process.
Type: Grant
Filed: August 10, 2015
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventor: Bruno Rijsman
-
Patent number: 9705337
Abstract: A system may comprise a first switch connected to an output of a first power source, a second switch connected to an output of a second power source, a first sensor connected to an output of the first switch, a second sensor connected to an output of the second switch, a third switch connected to the first sensor and the second sensor and connected to a load, and a control device connected to the first switch, the second switch, the first sensor, the second sensor, and the third switch.
Type: Grant
Filed: September 28, 2015
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventors: David K. Owen, Jaspal S. Gill
-
Patent number: 9705769
Abstract: A device may establish a communication session, with a client device, for monitoring a latency of a service. The device may receive, from the client device, a request for a monitored service list. The monitored service list may identify one or more services for which service latency monitoring is supported. The device may provide, to the client device, the monitored service list. The device may receive, from the client device, a service latency monitoring session request that may identify the service to be monitored. The device may establish, with the client device, the service latency monitoring session based on the service latency monitoring session request. The device may cause the service to be performed. The device may generate information for determining the latency of the service. The device may transmit, to the client device and via the service latency monitoring session, the information for determining the latency of the service.
Type: Grant
Filed: December 17, 2014
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventors: Srivathsa Sarangapani, Peyush Gupta, Amit Kumar Agarwal
-
Patent number: 9705784
Abstract: A network device receives multicast packets that include information identifying destinations in the network, identifies next hops associated with the destinations, and populates a cache with the destinations and addresses of the identified next hops. The network device receives a particular multicast packet that includes information identifying particular destinations included in the cache, identifies one or more next hops for the particular destinations from the cache, and forwards the particular multicast packet to the identified one or more next hops to permit the identified one or more next hops to forward the multicast packet toward the particular destinations.
Type: Grant
Filed: June 29, 2015
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventors: Zhaohui Zhang, Alex Baban
-
Patent number: 9705781
Abstract: In general, techniques are described for dynamically scheduling and establishing paths in a multi-layer, multi-topology network to provide dynamic network resource allocation and support packet flow steering along paths prescribed at any layer or combination of layers of the network. In one example, a multi-topology path computation element (PCE) accepts requests from client applications for dedicated paths. The PCE receives topology information from network devices and attempts to identify paths through a layer or combination of layers of the network that can be established at the requested time in view of the specifications requested for the dedicated paths and the anticipated bandwidth/capacity available in the network. The PCE schedules the identified paths through the one or more layers of the network to carry traffic for the requested paths. At the scheduled times, the PCE programs path forwarding information into network nodes to establish the scheduled paths.
Type: Grant
Filed: July 21, 2014
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventors: Jan Medved, David Ward
-
Patent number: 9705827
Abstract: A system includes a module associated with a first stage of a switch fabric directly coupled to a module associated with a second stage of the switch fabric via a single physical hop having multiple virtual channels. The module associated with the first stage is configured to assign a virtual channel identifier associated with a virtual channel with a data packet using a hash function and to send the data packet through the virtual channel based on the virtual channel identifier. The module associated with the second stage is configured to send a flow control signal to the module associated with the first stage when an available capacity of a queue is less than a predetermined threshold. The module associated with the first stage is configured to suspend sending data packets via the virtual channel in response to the flow control signal.
Type: Grant
Filed: June 22, 2015
Date of Patent: July 11, 2017
Assignee: Juniper Networks, Inc.
Inventor: Gunes Aybay
-
Patent number: 9697172
Abstract: One or more devices are configured to receive information regarding network devices associated with a physical network. The one or more devices are configured further to generate configuration data based on the information regarding the network devices. The one or more devices are configured further to generate a virtual network based on the configuration data. The one or more devices are configured to send information regarding the virtual network to a client device. The one or more devices are configured to receive a change to the virtual network from the client device; and cause a change, corresponding to the change in the virtual network, to occur in the physical network.
Type: Grant
Filed: December 28, 2012
Date of Patent: July 4, 2017
Assignee: Juniper Networks, Inc.
Inventors: Pilar Somohano, Brian P. O'Sullivan, Hal L. Stern, Michael Yip, Aleksey L. Mints
-
Patent number: 9699212
Abstract: A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.
Type: Grant
Filed: June 30, 2016
Date of Patent: July 4, 2017
Assignee: Juniper Networks, Inc.
Inventors: Kyle Adams, Daniel J. Quinlan
-
Patent number: 9699030
Abstract: A device may receive an indication to generate a probe packet associated with a tunnel included in a first network. The tunnel may include a first tunnel endpoint and a second tunnel endpoint and may correspond to a path, associated with a second network, between the first tunnel endpoint and the second tunnel endpoint. The device may generate the probe packet including information associated with the tunnel. The device may provide the probe packet, via the first tunnel endpoint, such that the probe packet is received by a network device that lies on the path. The device may receive a response packet, associated with the probe packet and provided by the network device, that includes path information. The path information may include information associated with the network device. The device may store the path information to allow the network device to be identified as lying on the path.
Type: Grant
Filed: June 26, 2014
Date of Patent: July 4, 2017
Assignee: Juniper Networks, Inc.
Inventor: Jainendra Kumar
-
Patent number: 9699035
Abstract: Techniques are described for determining the topology of an optical network. A computing device receives a message on a data communication network after a first device in an optical network receives an optical pulse pattern on an optical fiber in the optical network. The computing device generates topology data using the message. The topology data indicates that a second device is physically connected in the optical network to the first device when the received optical pulse pattern matches an optical pulse pattern sent by the second device.
Type: Grant
Filed: February 2, 2015
Date of Patent: July 4, 2017
Assignee: Juniper Networks, Inc.
Inventor: Gert Grammel